security and token authentication

MarcoRosa · ‎02-15-2012

Hi to all,
i'm approaching with enabling security of services with tokens authentication. I was reading the class MapTokenDemo from the blog:

http://blogs.esri.com/Dev/blogs/silverlightwpf/archive/2010/02/15/How-to-use-secure-ArcGIS-Server-se...

I have some trouble to retrieve token, because of this i have the questions :

This user what kind of user is ?

string username = "user";
string password = "pass.word";
string timeout = "60";

used in the sample code below ?

Help say that:

�??The Token Service is not enabled or utilized when you specify that Windows user accounts are used to authenticate users of your GIS services, unless you use SQL Server or a custom provider for roles and you enable tokens for user authentication.�?�

This means that isn�??t possible to setup a user in this way ?

1) define on local server machine a windows user named "test"
2) "add" test to agsadmin and agsusers
3) turn on token autentication on arcgis server
4) define folder service permission to agsadmin and agsusers
5) retrieve token in this way https://myserver.mydomain/arcgis/tokens?request=getToken&username=mymachine\test&password=mypassword...

public partial class MapTokenDemo : UserControl
    {
        string username = "user";
        string password = "pass.word";
        string timeout = "60";

        public MapTokenDemo()
        {
            InitializeComponent();

            ArcGISDynamicMapServiceLayer layer = new ArcGISDynamicMapServiceLayer()
            {
                Url = "http://myserver/arcgis/rest/services/USA_Data/MapServer",
                ID = "USA"
            };

            layer.InitializationFailed += layer_InitializationFailed;
            ConfigureLayerWithToken(layer);
        }

        void layer_InitializationFailed(object sender, EventArgs e)
        {}

        private void ConfigureLayerWithToken(ArcGISDynamicMapServiceLayer layer)
        {
            string tokenurl =
                string.Format("https://myserver/arcgis/tokens?request=getToken&username={0}&password={1}&timeout={2}",
                username, password, timeout);

            WebClient tokenService = new WebClient();
            tokenService.DownloadStringCompleted += (sender, args) =>
            {
                layer.Token = args.Result;
                string originalUrl = layer.Url;
                if (MyMap.Layers.Contains(layer))
                {
                    layer.Url = null;
                    layer.Url = originalUrl;
                }
                else
                    MyMap.Layers.Add(layer);
            };

            tokenService.DownloadStringAsync(new Uri(tokenurl));
        }

Thank you for any suggestion.
GP

nicogis · ‎02-16-2012

Hi George,
for services rest you can use Windows Authenthication so you use local user or domain user or sql server (express) that user Membership asp.net ( http://msdn.microsoft.com/it-it/library/cc185055.aspx) or custom provider.

If you use Windows Authentication you don't use token but in proxy (get proxy_net.zip esri) you set credential in webrequest like:

HttpWebRequest req = (HttpWebRequest)WebRequest.Create("...");        
req.Credentials = new NetworkCredential("myLogin", "myPwd","mydomain");

if you set scheme membership asp.net from Manager arcgis in example sql express (manager creata also db) you can create user and role in sql express. Then you set from manager privileges on service or folder arcgis using roles and then you use token for users.

Info on privileges for service are store in file .sec where you have cfg of services.

if you use Windows Authentication remembers that in iis remove anonymous authentication if you want do access page rest from windows authenthication user that you have set in Manager (using roles: group of windows) and enabled windows authenthication.