And if it's OK I'll jump on this bandwagon -- anyone using server-side authentication with ESRI secured REST services, via ASP.NET, and have it up as a site we could check out?
So, instead of a second popup for credentials it just uses the ones you already provide if you log in to the standard Windows Forms ASP.NET site (with the Log In on Site.Master and SQL Server database backend functionality). We have API 3.4 with Arc 10.0 Sp5 secured REST service now. We are testing with Identity Manager but it'd be nice to piggyback on the built-in ASP.NET authentication mechanism. I guess in referring to this http://help.arcgis.com/en/webapi/javascript/arcgis/jshelp/ags_secureservices.html it may (does?) involve a proxy page? Haven't played with those, we've attempted to stay away from it until we really need it. If we figure this out we'll post back here, too.
In a round-about way we're in the process of doing something similar. Rather than a 100% custom solution, we are still using the built-in esri Token security mechanism. This is all for a one-time login. If the user originates from an "already secured site" they have permission to view the js app. But, we don't have access to the "already secured site's" auth. mechanism. So, here's how we handle it.
external site --> server out of our control
user clicks link to js app --> server out of our control
jQuery ajax fires call to .ashx handler --> server out of our control
server side .ashx handler grabs client IP --> server out of our control
.ashx handler sends client IP to ourServer.php script via url post --> our server
- ourServer.php checks IP of incoming call,
- if from accepted IP, requests a token from the GIS Server using hard-coded creds.
- stores token, client IP and random gen. key in sql db
- returns random key to .ashx handler
.ashx handler returns key to ajax success handler --> server out of our control
jQuery appends key to js app link href attribute --> server out of our control
js app checks for key when the user arrives at site --> our server
- if a key is found, the proxy.php page queries sql db, and retrieves the previously stored token using the key and client IP
- if key and client IP match, return token to js app
js app loads token using the same method here: http://help.arcgis.com/en/webapi/javascript/arcgis/jssamples/widget_identitymanager_client_side.html
- if the token is valid and not expired, the identityManager will handle the credential and not prompt for login
If for some reason the https://oursite/jsLInk?key=aRandomstring is emailed to a dif. user, and they try the link within 60 mins (token expiration) of when the orig. user clicked on js app link, it won't work because the proxy.php script on our server won't retrieve the token from sql db because client2 has a dif. IP than what's associated with the key that client2 is passing.
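
The key-for-token exchange described in the post above, as an added example that is not part of the original post: an in-memory Node.js stand-in for the roles of ourServer.php (issue a key bound to the client IP) and proxy.php (release the token only for a matching key and IP within 60 minutes). The class and function names, the hashing of the stored key, the placeholder token and the sample IP addresses are assumptions of this example.

```javascript
const { randomBytes, createHash } = require('crypto');

const TOKEN_TTL_MS = 60 * 60 * 1000; // 60-minute token lifetime, as stated in the post

// Store only a hash of the key, so a leaked table does not reveal usable keys
// (a choice made for this example; the post does not say how the key is stored).
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

class TokenBroker {
  constructor(allowedCallers, now = () => Date.now()) {
    this.allowedCallers = new Set(allowedCallers); // IPs allowed to request keys
    this.now = now;                                // injectable clock for testing expiry
    this.rows = new Map();                         // sha256(key) -> { token, clientIp, expiresAt }
  }

  // Role of ourServer.php: accept only the known handler, bind token to client IP.
  issue(callerIp, clientIp, token) {
    if (!this.allowedCallers.has(callerIp)) return null;
    const key = randomBytes(32).toString('hex'); // CSPRNG, 256 bits
    this.rows.set(sha256(key), { token, clientIp, expiresAt: this.now() + TOKEN_TTL_MS });
    return key;
  }

  // Role of proxy.php: release the token only when key and client IP both match.
  redeem(key, clientIp) {
    if (typeof key !== 'string' || key.length === 0) return null;
    const id = sha256(key);
    const row = this.rows.get(id);
    if (!row) return null;
    if (this.now() >= row.expiresAt) {
      this.rows.delete(id); // expired rows are purged on first touch
      return null;
    }
    return row.clientIp === clientIp ? row.token : null;
  }
}

// Constructed scenario using documentation-range addresses (RFC 5737).
function demo() {
  let clock = 0;
  const broker = new TokenBroker(['192.0.2.10'], () => clock);
  const rejected = broker.issue('203.0.113.99', '198.51.100.7', 'TOKEN-PLACEHOLDER');
  const key = broker.issue('192.0.2.10', '198.51.100.7', 'TOKEN-PLACEHOLDER');
  const sameClient = broker.redeem(key, '198.51.100.7');
  const forwarded = broker.redeem(key, '198.51.100.8'); // link e-mailed to another user
  clock = TOKEN_TTL_MS;                                  // 60 minutes later
  const expired = broker.redeem(key, '198.51.100.7');
  return { rejected, keyLength: key.length, sameClient, forwarded, expired };
}
```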