topic Re: Possible to hard code credentials? in ArcGIS JavaScript Maps SDK Questions

Possible to hard code credentials?

JeffPace — Tue, 11 Dec 2012 19:58:30 GMT

I am trying to eliminate duplicate services. Right now we have two server, with identical services. One with security enabled, one without.

The secure server has ssl enabled and has endpoints through a Web App Firewall (proxy)
The insecure server is internal only.

The point of the insecure server is so that employees, on the internal network, do not have to login.

I already sniff the host during access to load a config file. I was hoping that i could hard code credentials (or at least perform the login behind the scenes) so that i can access the secure server without a prompt for a login If i detect the user is on the internal network. Is that possible?

thanks.

Re: Possible to hard code credentials?

GeorgeSimpson — Tue, 11 Dec 2012 20:19:44 GMT

If you are using IIS, you can let Active Directory do the authentication based on the windows credentials. ArcGIS Server can use AD for a user store and your services can be accessed based on the authentication/authorization from the store.

Re: Possible to hard code credentials?

JeffPace — Wed, 12 Dec 2012 12:08:57 GMT

If you are using IIS, you can let Active Directory do the authentication based on the windows credentials. ArcGIS Server can use AD for a user store and your services can be accessed based on the authentication/authorization from the store.

Sorry should have been clear on enivornment

ArcGIS Server 10sp4 for JAVA (Not .net)
Java tomcat container authentication

Cannot use AD/LDAP, many users are public users with VPN access.

Need to find a way to hardcode username/password in application if access meets certain criteria.

Re: Possible to hard code credentials?

JeffPace — Thu, 13 Dec 2012 15:49:11 GMT

any thoughts appreciated.

Re: Possible to hard code credentials?

RahulMetangale1 — Sat, 11 Dec 2021 23:55:05 GMT

Jeff,

Here is the sample code to do log in behind the scene, I have copy pasted the code from my app(written in version 2.8) so you might have to do little modification:

<script type="text/javascript">
        dojo.require("dojo.parser");
        dojo.require("esri.IdentityManager");
  var cred = "esri_jsapi_id_manager_data";
  var shortLivedTokenValidity=60;
        function init() {
            var idBase = new esri.IdentityManagerBase();
            esri.config.defaults.io.proxyUrl = "proxy.ashx";
            var serverInfo = {
                "server": "http://myserver:8399",
                "tokenServiceUrl": "http://myserver/arcgis/tokens",
                "currentVersion": 10.4
            };
            var def = idBase.generateToken(serverInfo, { "username": "rahul", "password": "rahul" });
            def.addCallback(function (tokenInfo) {
    var idBase = new esri.IdentityManagerBase();
    //Short lived token is valid for 60 mins by defult 
                idBase.tokenValidity =shortLivedTokenValidity=60;
                var serverInfo = {
                    "server": "http://myserver:8399",
                    "tokenServiceUrl": "http://csslsystem-254:8399/arcgis/tokens",
                    "currentVersion": 10.04
                };
                esri.id.registerServers([serverInfo]);
    //get token creation time in epoch
                var creationTime = (new Date).getTime();
    //calculate the token expiration based on short lived token validity
                var expirationTime = creationTime + (shortLivedTokenValidity * 60000);
    //create array of secured services 
                var securedServices = [];
                for (var services in this.configData.mapService) {
                    securedServices.push(this.configData.mapService[services]);
                }
                var idString = dojo.toJson({ "serverInfos": [serverInfo],
                    "credentials": [{
                        "userId": rahul,
                        "server": "http://myserver:8399",
                        "token": tokenInfo.token,
                        "expires": expirationTime,
                        "ssl": false,
                        "creationTime": creationTime,
                        "resources": securedServices
                    }]
                });
                // store it client side
                if (_supports_local_storage()) {
                    // use local storage
                    window.localStorage.setItem(this._jsAPIIDManagerData, idString);
                } else {
                    // use a cookie
                    dojo.cookie(this._jsAPIIDManagerData, idString, { expires: 1 });
                }
                this._loadCredentials();
    
   });
   
               
        }
  
   function _supports_local_storage() {
            try {
                return "localStorage" in window && window["localStorage"] !== null;
            } catch (e) {
                return false;
            }
        }

        function _loadCredentials() {
            var idJson, idObject;
            if (this._supports_local_storage()) {
                // read from local storage
                idJson = window.localStorage.getItem(this._jsAPIIDManagerData);
            } else {
                // read from a cookie
                idJson = dojo.cookie(this._jsAPIIDManagerData);
            }
            if (idJson && idJson != "null" && idJson.length > 4) {
                idObject = dojo.fromJson(idJson);
                esri.id.initialize(idObject);
            }
        }
        dojo.addOnLoad(init);
    </script>

I hope this helps you.

Re: Possible to hard code credentials?

SunilPalkar — Fri, 14 Dec 2012 11:44:02 GMT

Nice example Rahul !!

Re: Possible to hard code credentials?

JeffPace — Fri, 14 Dec 2012 13:50:42 GMT

thank you! will try shortly

Re: Possible to hard code credentials?

JeffPace — Fri, 14 Dec 2012 18:40:47 GMT

that worked!! thank you

any hints to obscure the pw in the code?

Re: Possible to hard code credentials?

BillDaigle — Sat, 11 Dec 2021 23:55:08 GMT

Maybe I'm missing something, but I don't see how your going to hide the credentials if you're sending the request from the client.

We use server side page (jsp) to generate a token for a session. We are still on a 9.3.1 server, so I'm not using the identity manager, but I assume the concept will be similar.

Here is the javascript code:

var getToken = function(onComplete){
  dojo.xhrGet({
    url: this.basePath + "code/getFwpTokenNew.jsp?ref=" + document.location.protocol + "%2F%2F" + document.location.hostname,
    handleAs: "text",
    load: function(data){
      var jsonData = dojo.fromJson(data);
      onComplete(jsonData.token);
    },
    error: function(error){
      console.debug(error);
    }
  });
};

And our jsp code. Warning, I'm not a java programmer, so some of what you see is scraped together.

<%@page session="false"%>
<%@page import="java.net.*,java.io.*" %> 
 
<% 
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server

String onErrorText = "";

try {
  
  String reqUrl = request.getQueryString();
  String onProd = request.getParameter("prodServer");
  String refUrl = request.getParameter("ref");
  String agsServerUserName = "username";
  String agsServerPswd = "password";
  String agsServerPath = "http://yourserverpath";

  out.clear();
        
  String getTokenUrl = agsServerPath +"/arcgis/tokens/gettoken?request=getToken&username="+agsServerUserName+"&password="+agsServerPswd+"&clientid=ref."+refUrl+"&expiration=1440";
  URL tokenRequest = new URL(getTokenUrl);

  BufferedReader in1 = new BufferedReader(new InputStreamReader(tokenRequest.openStream()));
  String token = in1.readLine();  
  in1.close();
  out.println("{'token':'"+token+"'}");
  return;
  
} 
catch(Exception e) {
  out.println("{'error':'There was retrieving the token for the map server.'}");
}
%>

Re: Possible to hard code credentials?

DanikBourdeau2 — Fri, 14 Dec 2012 21:47:09 GMT

Thanks for the examples. Does anybody know if these methods would work with secure services hosted on ArcGIS Online?

Re: Possible to hard code credentials?

RahulMetangale1 — Sat, 15 Dec 2012 04:31:50 GMT

@Bill: Correct we are also generating the token from Java business app containing our javascript application. The example I provided is just proof of concept.
@jeff: you can create the token from server side. Bill has already provided the example.

Re: Possible to hard code credentials?

RahulMetangale1 — Sat, 15 Dec 2012 04:33:49 GMT

@Danik: The sample can work with any secured service hosted over ArcGIS Server. So it would also work for ArcGIS Online service but you should have the credentials to access the same.