https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-to-get-a-token-when-cors-and-https-are-in-play/m-p/185344#M17232 <HTML><HEAD></HEAD><BODY><SPAN>I'm writing a mobile web application. The requirements are:</SPAN><BR /><UL> <BR /> <LI>A login screen (view) where username and password are entered. Therefore the IdentityManager singleton is not a valid option.</LI> <BR /> <LI>Username and password are used to create a credential for *everything* in the application. Not just ArcGIS services, but also other services that use the same user store. These services use the token generated by the AGS token server.</LI> <BR /> <LI>Dojo, jQuery and ArcGIS JavaScript API need to be hosted remotely. i.e., making use of content delivery network (CDN).</LI> <BR /> <LI>The token server is, of course, secured: i.e., <STRONG>https</STRONG>://www.MyServer.com/ArcGIS/tokens/</LI> <BR /> <LI>The mobile application is not secured by SSL, i.e., <A href="http://www.MyServer.com/MyApplication/login.html" rel="nofollow">http://www.MyServer.com/MyApplication/login.html</A> and <A href="http://www.MyServer.com/MyApplication/MapApp.html" rel="nofollow">http://www.MyServer.com/MyApplication/MapApp.html</A> (no https).</LI> <BR /> <LI>Exposing the token to the Internet is not an issue. In other words, <A href="http://www.MyServer.com/MyApplication/MapApp.html?token=HugeBigHonkingLongTokenStringblahblahblah" rel="nofollow">http://www.MyServer.com/MyApplication/MapApp.html?token=HugeBigHonkingLongTokenStringblahblahblah</A> is perfectly acceptable.</LI> <BR /> <LI>The map application uses both local token-secured local GIS services and public Esri services. The SOM is on the same hardware as the web server (IIS). ArcGIS Server release is 10.0. No upgrade to 10.1 in the immediate future.</LI> <BR /></UL><BR /><SPAN>I'm really struggling with getting the token string. Under this scenarion, I'm using jQuery to get the token. I'm not familiar enough with Dojo to POST (yet).</SPAN><BR /><SPAN> $.post(</SPAN><BR /><SPAN> url, </SPAN><BR /><SPAN> { request: request, clientid: clientid, expiration: expiration, username: userName, password : password }, </SPAN><BR /><SPAN> function(data) { tokenSuccess(data);}</SPAN><BR /><SPAN> );</SPAN><BR /><SPAN>//(clientid is "requestip"_.</SPAN><BR /><BR /><SPAN>I am having issues with CORS:</SPAN><BR /><STRONG><SPAN style="color:&quot;#FF0000&quot;;">XMLHttpRequest cannot load </SPAN>https://www.MyServer.com/ArcGIS/tokens/. Origin <A href="http://www.MyServer.com" rel="nofollow">http://www.MyServer.com</A> <SPAN style="color:&quot;#FF0000&quot;;">is not allowed by Access-Control-Allow-Origin.</SPAN></STRONG><BR /><BR /><SPAN>In my web.config I have </SPAN><STRONG>Access-Control-Allow-Origin</STRONG><SPAN> wide open ("*") for now, I'll eventually ratchet it down to just the CDN providers.</SPAN><BR /><BR /><SPAN>If there is an easier was to get the token string based on this scenario, I'm all ears. </SPAN><BR /><BR /><SPAN>Am I going to have to set up a proxy? Or can I just use CORS? Is IdentityManageBase an option?</SPAN><BR /><BR /><SPAN>TIA</SPAN></BODY></HTML> Tue, 06 Nov 2012 16:32:58 GMT DirkVandervoort 2012-11-06T16:32:58Z https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-to-get-a-token-when-cors-and-https-are-in-play/m-p/185344#M17232 <HTML><HEAD></HEAD><BODY><SPAN>I'm writing a mobile web application. The requirements are:</SPAN><BR /><UL> <BR /> <LI>A login screen (view) where username and password are entered. Therefore the IdentityManager singleton is not a valid option.</LI> <BR /> <LI>Username and password are used to create a credential for *everything* in the application. Not just ArcGIS services, but also other services that use the same user store. These services use the token generated by the AGS token server.</LI> <BR /> <LI>Dojo, jQuery and ArcGIS JavaScript API need to be hosted remotely. i.e., making use of content delivery network (CDN).</LI> <BR /> <LI>The token server is, of course, secured: i.e., <STRONG>https</STRONG>://www.MyServer.com/ArcGIS/tokens/</LI> <BR /> <LI>The mobile application is not secured by SSL, i.e., <A href="http://www.MyServer.com/MyApplication/login.html" rel="nofollow">http://www.MyServer.com/MyApplication/login.html</A> and <A href="http://www.MyServer.com/MyApplication/MapApp.html" rel="nofollow">http://www.MyServer.com/MyApplication/MapApp.html</A> (no https).</LI> <BR /> <LI>Exposing the token to the Internet is not an issue. In other words, <A href="http://www.MyServer.com/MyApplication/MapApp.html?token=HugeBigHonkingLongTokenStringblahblahblah" rel="nofollow">http://www.MyServer.com/MyApplication/MapApp.html?token=HugeBigHonkingLongTokenStringblahblahblah</A> is perfectly acceptable.</LI> <BR /> <LI>The map application uses both local token-secured local GIS services and public Esri services. The SOM is on the same hardware as the web server (IIS). ArcGIS Server release is 10.0. No upgrade to 10.1 in the immediate future.</LI> <BR /></UL><BR /><SPAN>I'm really struggling with getting the token string. Under this scenarion, I'm using jQuery to get the token. I'm not familiar enough with Dojo to POST (yet).</SPAN><BR /><SPAN> $.post(</SPAN><BR /><SPAN> url, </SPAN><BR /><SPAN> { request: request, clientid: clientid, expiration: expiration, username: userName, password : password }, </SPAN><BR /><SPAN> function(data) { tokenSuccess(data);}</SPAN><BR /><SPAN> );</SPAN><BR /><SPAN>//(clientid is "requestip"_.</SPAN><BR /><BR /><SPAN>I am having issues with CORS:</SPAN><BR /><STRONG><SPAN style="color:&quot;#FF0000&quot;;">XMLHttpRequest cannot load </SPAN>https://www.MyServer.com/ArcGIS/tokens/. Origin <A href="http://www.MyServer.com" rel="nofollow">http://www.MyServer.com</A> <SPAN style="color:&quot;#FF0000&quot;;">is not allowed by Access-Control-Allow-Origin.</SPAN></STRONG><BR /><BR /><SPAN>In my web.config I have </SPAN><STRONG>Access-Control-Allow-Origin</STRONG><SPAN> wide open ("*") for now, I'll eventually ratchet it down to just the CDN providers.</SPAN><BR /><BR /><SPAN>If there is an easier was to get the token string based on this scenario, I'm all ears. </SPAN><BR /><BR /><SPAN>Am I going to have to set up a proxy? Or can I just use CORS? Is IdentityManageBase an option?</SPAN><BR /><BR /><SPAN>TIA</SPAN></BODY></HTML> Tue, 06 Nov 2012 16:32:58 GMT https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-to-get-a-token-when-cors-and-https-are-in-play/m-p/185344#M17232 DirkVandervoort 2012-11-06T16:32:58Z