SOI - Tapping into Http Headers and Cookies

796
7
09-15-2017 12:04 PM
Highlighted
New Contributor II

Has anyone had any experience reading the Http header and cookies associated with the HTTP requests made to ArcGIS?  We have a custom security model that embeds a user specific token (non ArcGIS token) in each HTTP request made from our web app.

I'd like to see if there something available in the ArcObjects functionality that would allow us to extract this data.

thoughts?

Reply
0 Kudos
7 Replies
Highlighted
MVP Frequent Contributor

Wireshark, although, Fiddler generally will output what you need. You'll need to install your domain root cert in either app in order to see the requests, though

Reply
0 Kudos
Highlighted
New Contributor II

Ah, let me clarify.   I'm trying to do this programmatically within the SOI code.

 I want to accept the incoming request, parse the body (like all the examples show) as well as any http headers/cookies that might be carried along the way.

Reply
0 Kudos
Highlighted
MVP Frequent Contributor

you cannot access httpcontext but peraphs 'requestProperties' should return headers request (I have tried a scratch code but requestProperties always is empty  ... ) similarly responseProperties that it is however in out

Workaround: you pass from a proxy   

Reply
0 Kudos
Highlighted
New Contributor II

Hmm ok, I'm interested in examining headers and cookies that get sent to the handler which would identify sourcing domains and users.

Headers like "X-Forwarded-For" and "X-Forwarded-Host" would be useful when constructing resource urls for clients.

Using a reverse proxy server with ArcGIS Server—ArcGIS Server Administration (Linux) | ArcGIS Enterp... 

Reply
0 Kudos
Highlighted
Occasional Contributor II

We also have this requirement, specifically for http headers and would like to know if it is possible.

Thanks!

Reply
0 Kudos
Highlighted
New Contributor II

Hi Alex,

I had a similar problem.

In a SOI you can't get access to the underlying request, so passing the user per Cookie or something like this will not work.

But i found another way of bypassing my user to my soi.

My Solutions creates the webApp config on the fly which contains the service addresses etc., when the user logs into my Solution.

What I did to identify the user in my SOI is to add the services in the Javascript with an initial parameter, something like this "https://[domain]/arcgis/rest/services/MyService/MapsServer?user=D5FE90AA-2A31-4EF1-9A72-883BD1F21638".

Now when a user makes request to my service, I can read the "user" property in the SOI from the "operationInput" object in the HandleRESTRequest Method.

With this parameter I can then identify the calling user and do my business logic depending on the caller.

I hope this helps.

best regards 

Sebastian

Highlighted
New Contributor II

Great idea!  I can create a new parameter set on the client side that identifies any potential reverse proxy in the request chain.

Thanks!

Reply
0 Kudos