Application-level Authentication - Proxy is being used for an unsupported service

01-11-2016 10:21 AM
ChrisSmith7
Frequent Contributor

This is the companion thread to Application-level token authentication

In short, I was successful in creating secured services and authenticating at the application level - somewhat! There's a peculiar behavior I haven't quite nailed-down - maybe someone has experienced this before and has an answer...

When I use a cold session, e.g. after clearing cache and restarting the browser, and then load the secured service through the mapping app, I receive an authentication pop-up (which I am trying to avoid). If I enter the correct credentials, I receive the message:

Unable to access the authentication service.

In the console, the error is reported as a 403:

code: Forbidden,message:"Proxy is being used for an unsupported service: https://mygisserver/arcgis/tokens/"}}"

If I navigate to the REST service in the browser, I am prompted to enter credentials, which authenticates successfully. In the same browser, once the session is established, I can then refresh (ctrl-F5) and see the secured layer without receiving an authentication window. This is the behavior I'm seeking - any user can see the secured service in context of the mapping app, without having to manually enter credentials.

Any ideas as to what would cause this? I am using the proxy from the Esri GitHub. I am also keeping the referrer open-ended for now, until I resolve this issue. I don't believe I'm doing anything crazy - right now, I'm just undergoing some POC testing. Here's the pertinent info on how the proxy config looks:

<ProxyConfig allowedReferers="*"
             mustMatch="true">
  <serverUrls>
    <serverUrl url="https://mygisserver/arcgis/rest/services"
               matchAll="true"
               username="user"
               password="password"/>
  </serverUrls>
</ProxyConfig>

Here's how the quick test js looks:

// Secured feature layer requested from the GIS server
var flTest = new FeatureLayer("https://mygisserver/arcgis/rest/services/base_services/test/MapServer/0", {
  id: "points",
  mode: FeatureLayer.MODE_ONDEMAND
});

// Simple renderer: blue circle marker with a dark blue outline
var simpleJson = {
  "type": "simple",
  "label": "",
  "description": "",
  "symbol": {
    "color": [0, 0, 255, 191],
    "size": 6,
    "angle": 0,
    "xoffset": 0,
    "yoffset": 0,
    "type": "esriSMS",
    "style": "esriSMSCircle",
    "outline": {
      "color": [0, 0, 128, 255],
      "width": 0,
      "type": "esriSLS",
      "style": "esriSLSSolid"
    }
  }
};
var rend = new SimpleRenderer(simpleJson);

flTest.setRenderer(rend);
map.addLayer(flTest);

I have confirmed SSL is set-up correctly on the dev server where the mapping app is hosted, as well as on the GIS server. The map service is an xy feature event from an MS SQL Server db slice, if that matters at all.

Thanks!


Accepted Solutions
GirishYadav
Occasional Contributor

If alwaysUseProxy is set to false then set the proxyRules. Add your secured service url to the proxy rules:

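esri.urlUtils.addProxyRule({
     // urlPrefix: requests whose URL starts with this prefix are sent through the proxy
     urlPrefix : "https://mygisserver/arcgis/rest/services",
     // proxyUrl: location of the proxy page
     proxyUrl : "https://appserver/proxy/proxy.ashx"
});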

-Girish

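A simplified model of the two checks this thread revolves around, added here as an example that is not part of the original posts and is not Esri's proxy code: client-side proxy-rule routing, and the proxy's server-side allow-list, which is why the token endpoint is rejected as an unsupported service and why allowedReferers="*" matters once credentials are stored in the proxy config. The function names, the matching logic and the narrowed referer value are assumptions for illustration.

```javascript
// Simplified model of the two checks in this thread (assumption, not Esri's code).
// Hostnames are the placeholders from the posts; function names are hypothetical.

// Client side: a proxy rule routes a request through the proxy only when the
// request URL starts with the rule's urlPrefix.
function routeRequest(url, rules) {
  const rule = rules.find(r => url.toLowerCase().startsWith(r.urlPrefix.toLowerCase()));
  return rule ? rule.proxyUrl + "?" + url : url;
}

// Server side: with mustMatch=true only targets covered by a serverUrl entry are
// forwarded (prefix match when matchAll=true, exact match otherwise).
function proxyDecision(config, targetUrl, referer) {
  const refererOk = config.allowedReferers.some(
    r => r === "*" || referer.toLowerCase().startsWith(r.toLowerCase()));
  if (!refererOk) return { status: 403, reason: "referer not allowed" };
  const target = targetUrl.toLowerCase();
  const entry = config.serverUrls.find(s =>
    s.matchAll ? target.startsWith(s.url.toLowerCase()) : target === s.url.toLowerCase());
  if (config.mustMatch && !entry) return { status: 403, reason: "unsupported service" };
  // Stored credentials are attached for every caller that passed the checks above.
  return { status: 200, credentialsAttached: Boolean(entry && entry.username) };
}

// Constructed sample data mirroring the posted proxy config and proxy rule.
const SERVICES = "https://mygisserver/arcgis/rest/services";
const postedConfig = {
  allowedReferers: ["*"], mustMatch: true,
  serverUrls: [{ url: SERVICES, matchAll: true, username: "user", password: "password" }]
};
// Same config with the referer list narrowed to the mapping app (hypothetical path).
const narrowedConfig = { ...postedConfig, allowedReferers: ["https://appserver/MapApp/"] };
const rules = [{ urlPrefix: SERVICES, proxyUrl: "https://appserver/proxy/proxy.ashx" }];

const layerUrl = SERVICES + "/base_services/test/MapServer/0";
const tokenUrl = "https://mygisserver/arcgis/tokens/";

console.log(routeRequest(layerUrl, rules));   // routed through proxy.ashx
console.log(routeRequest(tokenUrl, rules));   // no rule matches: sent directly
console.log(proxyDecision(postedConfig, tokenUrl, "https://appserver/MapApp/"));
console.log(proxyDecision(postedConfig, layerUrl, "https://elsewhere.example/"));
console.log(proxyDecision(narrowedConfig, layerUrl, "https://elsewhere.example/"));
```

The Referer header is supplied by the client, so a narrowed allowedReferers list limits casual reuse of the proxy's stored credentials but is not an authentication control.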

10 Replies
GirishYadav
Occasional Contributor

Chris,

In Chrome's Developer Tools, go to the Network tab and check if the call to the feature layer is going through the proxy or not. Something like this:

https://appserver/proxy/proxy.ashx?https://mygisserver/arcgis/rest/services/base_services/test/MapSe...

Also, are you setting the proxy URL in esriConfig?

esriConfig.defaults.io.proxyUrl = "https://appserver/proxy/proxy.ashx";

-Girish

ChrisSmith7
Frequent Contributor

Girish,

According to Fiddler, it's not going through the proxy, which would explain why credentials aren't supplied. I have confirmed, though, the proxy does work, e.g. print. I can see the requests in Fiddler through the proxy. I have the proxy URL set as a relative path in the app:

esri.config.defaults.io.proxyUrl = "../MapApp/Proxy/proxy.ashx";
esri.config.defaults.io.alwaysUseProxy = false;
esri.config.defaults.io.useCors = true;

The other config values should already default to the values set - I set them this way for clarity.

GirishYadav
Occasional Contributor

Chris,

esri.config.defaults.io.useCors should be false or the default value "with-credentials". If it's true, it will prevent the AJAX calls through the proxy.

-Girish

ChrisSmith7
Frequent Contributor

Girish,

I tried commenting-out those lines with no luck. I also tried setting it to false and to "with-credentials" - it's still not going through the proxy (I confirmed the JS cache was flushed, so it's using the updated file). Hrmmm...

ChrisSmith7
Frequent Contributor

Some more information...

I tried setting alwaysUseProxy to true - I see the requests come through in Fiddler with 200s for all map services, including the secured service; however, the map crashes due to the "Proxy is being used for an unsupported service" error on the base map/canvas. By virtue of this, it seems that the proxy is working, but for whatever reason (maybe config?), it's not properly proxying the secured service when alwaysUseProxy is set to default/false.

Regardless in either case, I can see console messages for

dojo.io.script error Error: Token Required

These go away when I comment-out the logic creating and adding the secured service.

UPDATE:

I tried creating a proxy rule - I see it now being proxied, but the authentication log-in still shows.

GirishYadav
Occasional Contributor

If alwaysUseProxy is set to false then set the proxyRules. Add your secured service url to the proxy rules:

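esri.urlUtils.addProxyRule({
     // urlPrefix: requests whose URL starts with this prefix are sent through the proxy
     urlPrefix : "https://mygisserver/arcgis/rest/services",
     // proxyUrl: location of the proxy page
     proxyUrl : "https://appserver/proxy/proxy.ashx"
});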

-Girish

ChrisSmith7
Frequent Contributor

Girish,

That's what I tried, and I can see the service going through the proxy in Fiddler, but the log-in pop-up still shows. This is true whether or not I have credentials in the proxy config.

ChrisSmith7
Frequent Contributor

I thought I had the latest proxy, but it's using 1.0. I'm going to upgrade the proxy and give it a go. If that doesn't work, I'll start debugging the proxy in VS to see if I can find anything and report my findings.

Thanks for helping me!

GirishYadav
Occasional Contributor

Oh, is there any useful message in the proxy log file?

If you haven't yet enabled it, do it as follows:

<ProxyConfig allowedReferers="*"
             mustMatch="true"
             logFile="proxylog.txt">
