https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-do-i-properly-secure-calls-layers-in-the/m-p/718827#M66748 <HTML><HEAD></HEAD><BODY><P>If you want to use the Esri way then you can look at using the <A href="https://developers.arcgis.com/javascript/jsapi/identitymanager-amd.html">IdentityManager </A>which will manage the token for you.</P><P></P><P>If you want to do it yourself and keep the token off the client then you can use the proxy page to generate and add tokens to the requests as needed. To be more secure you should also restrict unauthenticated or unauthorized access to the proxy.</P><P></P><P>I've got a sample app for routing all secure requests through the server proxy at <A href="http://arcmap.azurewebsites.net/">http://arcmap.azurewebsites.net/</A> and the code is on GitHub <A href="https://github.com/davetimmins/Joosh">https://github.com/davetimmins/Joosh</A> if you want to take a look.</P></BODY></HTML> Wed, 09 Jul 2014 00:20:55 GMT DaveTimmins 2014-07-09T00:20:55Z https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-do-i-properly-secure-calls-layers-in-the/m-p/718826#M66747 <HTML><HEAD></HEAD><BODY><P>Currently I'm working on an implementation where my web application (asp.net stack) communicates with an internal C# asmx web service which acts as a proxy to retrieve the key from the token service, store it in session, and pass it back as a cookie/json to the requesting client.&nbsp; There is also logic in there to ensure they get back a token with integrity. </P><P></P><P>My problem is I am looking for a way to ensure that the cookie is safe.&nbsp; I have the cookie set to HttpOnly and Secure.&nbsp; The problem is of course I can't access the cookie via the javascript api.&nbsp; Also due to security requirements appending the token to the url is not an option.&nbsp; So I removed that and then just did the standard:</P><P></P><PRE __default_attr="javascript" __jive_macro_name="code" class="jive_macro_code jive_text_macro _jivemacro_uid_14048234319178843" jivemacro_uid="_14048234319178843" modifiedtitle="true"> <P>var token = {</P> <P>&nbsp; "server": "&lt;internal domain hosting arcgis server&gt;/arcgis/rest",</P> <P>&nbsp; "userId": "&lt;username&gt;",</P> <P>&nbsp; "token": result.d.Token,</P> <P>&nbsp; "ssl": false,</P> <P>&nbsp; "expires": result.d.Expires</P> <P>};&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> <P>kernel.id.registerToken(token);</P> </PRE><P></P><P>But when after I add the layers and initialize everything, the map is blank and when I try to forward or reverse geocode I get the error "<SPAN style="color: #ff0000; font-family: Consolas, 'Lucida Console', monospace; font-size: 12px;">Uncaught TypeError: Cannot read property 'wkid' of undefined"</SPAN></P><P></P><P>Is there a better way of using the token to secure calls and layers made in javascript.</P></BODY></HTML> Tue, 08 Jul 2014 12:50:23 GMT https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-do-i-properly-secure-calls-layers-in-the/m-p/718826#M66747 DanielPritchett 2014-07-08T12:50:23Z https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-do-i-properly-secure-calls-layers-in-the/m-p/718827#M66748 <HTML><HEAD></HEAD><BODY><P>If you want to use the Esri way then you can look at using the <A href="https://developers.arcgis.com/javascript/jsapi/identitymanager-amd.html">IdentityManager </A>which will manage the token for you.</P><P></P><P>If you want to do it yourself and keep the token off the client then you can use the proxy page to generate and add tokens to the requests as needed. To be more secure you should also restrict unauthenticated or unauthorized access to the proxy.</P><P></P><P>I've got a sample app for routing all secure requests through the server proxy at <A href="http://arcmap.azurewebsites.net/">http://arcmap.azurewebsites.net/</A> and the code is on GitHub <A href="https://github.com/davetimmins/Joosh">https://github.com/davetimmins/Joosh</A> if you want to take a look.</P></BODY></HTML> Wed, 09 Jul 2014 00:20:55 GMT https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/how-do-i-properly-secure-calls-layers-in-the/m-p/718827#M66748 DaveTimmins 2014-07-09T00:20:55Z