HTTP Referer Site for Quick Report App?

02-23-2017 01:58 PM
KE
by
Occasional Contributor

I need the service for my Quick Report app to be available to the public through my app, but not visible to the public through my organization's rest endpoint. I am planning on putting security on the layer through ArcGIS Server Manager, and then using token authentication within the code for the app.

Is there an HTTP Referer Site for a native mobile app? If so how do I find out what it is?

Is it better to hard code the username and password into the app and use get token method? If so, should I create a JavaScript file within my project to accomplish this?

Or is it better to generate a token manually and embed that into the app? Is that dangerous to do because if you do not remember to update it, the app will suddenly stop working when the token expires?

The feature service lives on my organization's ArcGIS Server. We are using ArcGIS Web Adaptor. We do not have Portal.

I am testing the app now in AppStudio Player. I have not built the app yet.

ArcGIS 10.3

AppStudio for ArcGIS (Desktop Edition) 1.3.46

Qt Creator 4.1.0 Based on Qt 5.7.0 (MSVC 2013, 32 bit)

0 Kudos
1 Solution

Accepted Solutions
SathyaPrasad
Esri Contributor

Good question. A couple of options:

- A good solution to your problem is to create a new user with limited privileges and access to only this feature service. Use these credentials in the app. This way you can secure the service and still open up the Quick Report app for the public use case. The Quick Report app can be easily modified to accommodate this. This will also work in the offline case, since the credentials will only be used when you are submitting a report (which is online).

- Quick Report uses its own FeatureServiceManager to handle all the things related to the feature service. It also uses Network request which can take a referer. The only challenge for you on the server side is to allow only this custom referrer through when you secure the service, not something available out of the box.

Just an FYI: We are releasing some amazing features in the upcoming 1.4 release (DevSummit), do check it out. Few highlights: support for secured feature services, support for collecting lines and polygons, more UI refinements, photo editing and better data entry.


5 Replies
RebeccaStrauch__GISP
MVP Esteemed Contributor

I have no definitive answer for the AppStudio side of it, but if it is going thru ArcGIS Online, from what I understand (from tech support) there is no way to use ArcGIS Online as a "referer" in the proxy.  My experience is with trying to do this with our ArcGIS Server (AGS) secure services.  We are on AGS 10.2.1, but would be the same with any version.

We are looking into upgrading to AGS 10.5.x and using Portal for this type of use.  Although I haven't tested this yet, I believe since the Portal is on-site, and thru our IIS web-adaptor, we should be able to use the "Referer". 


KE
by
Occasional Contributor

Thank you that was very helpful. I did go into ArcGIS Server Manager and create a new role and new user, then I secured the feature service so only that user could access it. I do not see a way to prevent that user from seeing our other services that are not secured. I should mention the feature service is on our server, not ArcGIS Online.


I did not see anything in the code for my app called featureServiceManager, but I downloaded the new Quick Report app and saw it contains featureServiceManager.qml under the controls folder. I will have to think about updating my app, even though my customers are used to the old layout.


Where can I read more about the 1.4 release? Is it a new version of AppStudio, Quick Report, or both? When will that be available for download?

0 Kudos
SathyaPrasad
Esri Contributor

That's right: if your services are not secured, then anyone, including the new user you created, can see them by design. An update to AppStudio (1.4) will be available very soon (target Devsummit i.e. March 7). As a part of this release, all the templates will be updated as well. If you are coming to the Devsummit in Palm Springs then do stop by the AppStudio booth or attend one of our sessions or enroll for the two-day workshop to learn a lot more about using AppStudio to build apps.

KE
by
Occasional Contributor

Hi Sathya,

I was able to upgrade my app and I have a couple more questions. I hard coded the username and password for my secured feature service in the generateToken function in FeatureServiceManager.qml like so:

var obj = {"username":"user", "password":"pwd", "f":"json", referer: "http://www.arcgis.com"/*, expiration:"1"*/};

  1. That works, but I’m wondering is it secure? Do I have to worry about anyone being able to see the underlying code for my app?
  2. Could you elaborate on what you meant by “The only challenge for you on the server side is to allow only this custom referrer through when you secure the service, not something available out of the box.”?

Thanks!

Kristen

0 Kudos
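Any literal placed in the app's QML or JavaScript is delivered to every device that installs the app, so it helps to know exactly which credential literals a build contains. The check below is an added example, not code from this thread or from Quick Report: it flags non-empty username, password and token literals like the one in the `generateToken` payload above, and its key list, function name and sample source are constructed for illustration.

```javascript
// Added example: pre-release check for credential literals in QML/JS source.
// Not part of Quick Report; key names and sample source are assumptions.

// Matches  key: "literal"  /  "key": 'literal'  /  key = "literal".
// Values read from variables (e.g. loginDialog.password) are not literals
// and do not match. Comments are scanned too, since they ship with the file.
const PAIR =
  /["']?\b(username|user|password|passwd|pwd|token|secret)\b["']?\s*[:=]\s*(["'])((?:\\.|(?!\2).)*)\2/gi;

function findHardcodedCredentials(source, fileName = "<input>") {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    PAIR.lastIndex = 0; // the regex is global, so reset it for every line
    let m;
    while ((m = PAIR.exec(text)) !== null) {
      const value = m[3];
      if (value.length === 0) continue; // empty placeholder filled at runtime
      findings.push({
        file: fileName,
        line: index + 1,
        key: m[1].toLowerCase(),
        length: value.length, // report the length only, never the secret itself
      });
    }
  });
  return findings;
}

// Constructed sample: the first function embeds literals as in the post above,
// the second takes the values from a (hypothetical) login dialog at runtime.
const SAMPLE_QML = [
  'function generateToken() {',
  '    var obj = {"username":"user", "password":"pwd", "f":"json", referer: "http://www.arcgis.com"};',
  '    return obj;',
  '}',
  'function generateTokenFromLogin(loginDialog) {',
  '    return {"username": loginDialog.username, "password": loginDialog.password, "f": "json"};',
  '}',
].join("\n");

for (const f of findHardcodedCredentials(SAMPLE_QML, "FeatureServiceManager.qml")) {
  console.log(`${f.file}:${f.line} literal value for "${f.key}" (${f.length} chars)`);
}
```

Run over every `.qml` and `.js` file before a build, a non-empty result lists each account or token whose privileges and expiry need to be reviewed on the server.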