Specifying token for map service gets redirected to login page

07-02-2011 07:45 AM
CarolynWhite
New Contributor III
I went to http://myserver/ArcGIS/rest/services
and generated a token.

The token was for userA and so should show the serviceA.

I then used that token
http://myserver/ArcGIS/rest/services/serviceA/Mapserver?token= token value

Then I was sent to the login page.
I entered the login/pw for userA and then was able to open the serviceA metadata and see serviceA in the JavaScript API.

So while I had to give the login/pw to generate the token  - the user still has to login.

Is that how it is supposed to work? Or, having passed the token obtained for userA, should I be able to see serviceA without another login?

My security store is sqlserver. I have https turned off for now in development.
0 Kudos
9 Replies
RichardWatson
Frequent Contributor
I assume that you are developing an application based on one of the web APIs such as JavaScript, Flex, or Silverlight.  In this case you have to handle security.  There are 2 choices here:

1) Client software gets a token from the server and passes that token to the various client APIs when accessing services.  In this case the "login page" is in the client software.
2) Design a web application, e.g. ASP.NET, which is essentially a proxy.  The proxy authenticates users and has a login page.  When a request comes from an authenticated client, it appends the token to the request and then forwards it.
0 Kudos
CarolynWhite
New Contributor III
I assume that you are developing an application based on one of the web APIs such as JavaScript, Flex, or Silverlight.  In this case you have to handle security.  There are 2 choices here:

1) Client software gets a token from the server and passes that token to the various client APIs when accessing services.  In this case the "login page" is in the client software.
2) Design a web application, e.g. ASP.NET, which is essentially a proxy.  The proxy authenticates users and has a login page.  When a request comes from an authenticated client, it appends the token to the request and then forwards it.


Yes, developing an SL app, but that is unrelated to the problem at hand right now.
0 Kudos
RichardWatson
Frequent Contributor
I think that you are approaching the problem in the wrong manner.

http://help.arcgis.com/en/arcgisserver/10.0/apis/rest/index.html

Here is a quote from the above link:

"Services Directory allows you to browse the contents of an ArcGIS Server and obtain information that can be useful to you when developing applications."

So, this is not the REST endpoint which your Web API applications will use.

Tokens do work using the REST API and all of the Web APIs support tokens as well.

If, after reading the above, this is not clear, then I suggest Googling the various security presentations given at past Developer Summits.
0 Kudos
CarolynWhite
New Contributor III
This is what was sent by a medium level technical analyst
===========

Once you got the token key, could you access the map service directly by attaching the token key after map service url? e.g. Http://YourServerName/arcgis/rest/service/MapName/MapServer?token=


=========
The answer is no -- we are redirected to the login page.
0 Kudos
RaviNarayanan
Esri Contributor
Carolyn,
When generating the token, what was used as input to the clientID parameter (referer or IP address)?

http://help.arcgis.com/en/arcgisserver/10.0/help/arcgis_server_dotnet_help/index.html#//0093000000q5...


If a referer was used, the referer header of the requesting application should match the referer used in the token; otherwise, the token will be invalid.

Similarly, if an IP address was used, the request using the token should originate from the IP that is tied to the token.

Ravi
0 Kudos
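A simplified model of the referer/IP binding described in the reply above, added here as an example (not Esri's code or token format): the HMAC token layout, the exact-match comparison, the key, and the host names and addresses are assumptions constructed for illustration. It shows a referer-bound token being rejected when the request carries no Referer header, as happens when a URL is pasted into the browser address bar, while an IP-bound token from the same machine is accepted.

```python
import hashlib
import hmac
import json
from base64 import urlsafe_b64decode, urlsafe_b64encode

SERVER_KEY = b"constructed-demo-key"  # constructed secret for this model only


def issue_token(user, client, value):
    """Issue a token tied to a referer URL (client="referer") or an IP ("ip")."""
    body = urlsafe_b64encode(json.dumps(
        {"user": user, "client": client, "value": value}).encode())
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def check_request(token, remote_ip, headers):
    """Return (user, reason); user is None when the token is rejected."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    claims = json.loads(urlsafe_b64decode(body))
    if claims["client"] == "referer":
        presented = headers.get("Referer")
        if presented is None:
            return None, "referer-bound token, no Referer header"
        if presented != claims["value"]:
            return None, "Referer header does not match the token"
    elif claims["client"] == "ip":
        if remote_ip != claims["value"]:
            return None, "request IP does not match the token"
    return claims["user"], "ok"


# Constructed sample requests (hypothetical application URL and addresses).
APP = "http://myserver/myapp/index.html"
ref_token = issue_token("userA", "referer", APP)
ip_token = issue_token("userA", "ip", "10.0.0.5")

# URL pasted into the address bar: the browser sends no Referer header.
address_bar = check_request(ref_token, "10.0.0.5", {})
# Same token presented by the page it was issued for.
from_app = check_request(ref_token, "10.0.0.5", {"Referer": APP})
# IP-bound token: accepted from the bound address, rejected from another.
same_ip = check_request(ip_token, "10.0.0.5", {})
other_ip = check_request(ip_token, "10.0.0.9", {})
```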
Jay_Gregory
Occasional Contributor III
According to the "Testing access to secured services" section on this page, Carolyn's test should work.  I'm however having the same problem, and the lack of clarification on the issue is frustrating.
First, all Esri's documentation points to the token page as http://myserver:6080/arcgis/tokens whereas the actual URL is http://myserver:6080/arcgis/admin/generateToken.  You need to update this in your documentation, and fix the link in the REST services page.
Secondly, if I put as the HTTP referrer http://myserver:8080/arcgis/services/myfolder/myservice/MapServer, and generate a token for a user that has access to that map server, I should be able to go to http://myserver:8080/arcgis/services/myfolder/myservice/MapServer?token=mytoken and gain access to the page according to Esri's documentation.  As Carolyn pointed out, this doesn't work.  If it's not supposed to, fix the "Testing access to secured services" section in your documentation.  If I'm not supposed to be using the HTTP Referrer in this way, please let me know and I can use the client IP address instead.

Thanks!

Jay
0 Kudos
DonaldBrown
Occasional Contributor

I'm using ArcGIS Server 10.2.2. I'm seeing the same thing as Carolyn and Jay. Using .../MapServer?token=mytoken takes me to the login page. I then need to login to see the Service.

Why are there two places to generate a token?:

https://MyDomain/arcgis/admin/generatetoken

https://MyDomain/arcgis/tokens/

I can only get the 'admin' one to work for us when using it through the Internet. Both seem to work locally. Any thoughts, ESRI? How do we 'test'?

0 Kudos
AndrewBrown
New Contributor III

You should be able to generate the token from the Get Token URL on the http://mydomain/arcgis/rest/services/ page.  Upper right corner next to Login.

I normally use Request IP for the Client parameter.  If you have the credentials correct, you should see a long alpha-numeric string of characters, the token.

In your browser, after appending that to your service endpoint url using ?token=, where it used to say Login, you should now see "Logged in " along with the domain\username of the credentials you used to get the token.

If you have any secured services, and the account you used for the token has access to those secured services, you should now be able to see them listed in the folders.

If not, you might have some things left to configure.

Using https can be especially troublesome if you don't have the certificate/domain name configured correctly, or if you are entering them in a manner that is not consistent with your certificate.

0 Kudos
DonaldBrown
Occasional Contributor

Okay, now it's working if I choose 'Request IP' (I was selecting 'HTTP referer' before). Not sure why it doesn't work for 'HTTP referer'. Thanks for the hint, that gets me a little farther.

0 Kudos