Looking inside AGS Security Tokens?

Discussion created by s.biickert on Nov 3, 2010
Latest reply on Nov 5, 2010 by jshirota@esricanada.com
This one's for the geeks out there, or those who are interested in using a unified security token scheme for AGS web applications.

ArcGIS Security tokens are strings that look like: "Vh8Ng7bBcpR-F0z-zq7uJF80Mi3OhvkOwIpKTffOgtzKK7-zscpP1Ms_YvyIP9-R". The documentation indicates that they are the result of taking select information (including the user id, referrer and timeout) and encrypting it using the AES standard with a secret key which is part of the ArcGIS Server administration. AES encryption is available for Java or .NET developers.

My question is with regards to the encoding of the encrypted data:

plain text -> encrypted bytes -> encoded token

What encoding scheme is used for the tokens? Without that information, I can't take the token and get the plain text:

encoded token -> encrypted bytes -> plain text

Why would I want to do this? Because basically any web application requires user authentication and that user authentication may extend to functions which are outside the simple questions of whether or not User A has access to Map Service B. It could include an array of tools which are only available to certain roles, etc.

Currently, I set up a SQL Membership database and hook that into AGS. The AGS token service is used to generate tokens for access to ArcGIS services. Then I write a completely redundant app token service which accesses the same membership and creates a token which all custom web services can use to identify who has logged in and what roles they are a part of. So my application has to manage two tokens, one which is passed to AGS web services, and the other to custom web services.

I would like to unify the token system, and be able to use the AGS token to identify the logged in user for application purposes, and I believe that if I knew the encoding mechanism, the encryption algorithm and the encryption key, I could do that. The custom web services would be able to determine if the token was valid and the user for which the token has been generated. The algorithm is in the docs. The encryption key is configured in Server Manager. What is the text encoding for the token?


Sample Java code to print out the token's contents:

String token = "Vh8Ng7bBcpR-F0z-zq7uJF80Mi3OhvkOwIpKTffOgtzKK7-zscpP1Ms_YvyIP9-R";

// If it was Base 64 encoding
byte[] decodedToken = Base64.decodeBase64(token.getBytes());
Key key = new SecretKeySpec(SECRET_KEY.getBytes(), "AES");

Cipher c = Cipher.getInstance("AES");
c.init(Cipher.DECRYPT_MODE, key);

byte[] decryptedToken = c.doFinal(decodedToken);

String plainText = new String(decryptedToken);

System.out.println("The token contained: " + plainText);