ArcGIS Server 10.1: Get user information from secured MapService

MU · ‎11-21-2013

Hi,

I've secured a MapService for a dedicated user within ArcGIS Server 10.1, so a valid login is needed to access the MapServices' data.

Is it possible to obtain the user's name within the REST API and if yes, how can this be achieved?

Kind regards!

nicogis · ‎11-22-2013

using api administrator rest you can see permissions (roles) of service ( http://resources.arcgis.com/en/help/arcgis-rest-api/02r3/02r3000001tv000000.htm ) and then you see users in roles ...

MU · ‎11-22-2013

Thank you for your fast response!

Is it also possible without the REST Admin API?

My situation is the following: I'm within my business logic (REST operation) and need the current user.

MU · ‎11-25-2013

Any suggestions?

LeoDonahue · ‎11-25-2013

My situation is the following: I'm within my business logic (REST operation) and need the current user.

Wouldn't this be handled by your web server? Getting the current user of the session?

MU · ‎11-25-2013

Well, I'm using the users and roles from ArcGIS Server's built-in store, so the first login-level is already the ArcGIS Server and not any other web server.

LeoDonahue · ‎11-25-2013

Authentication or Authorization... which one are you trying to do with the "current user"?

http://resources.arcgis.com/en/help/main/10.2/0154/0154000004w2000000.htm

Authentication is the process of verifying the identity of a user. In ArcGIS Server, this can be done by using either ArcGIS token-based authentication or web server authentication

http://resources.arcgis.com/en/help/main/10.1/0154/0154000005r6000000.htm

ArcGIS Server provides a proprietary token-based authentication mechanism where users can authenticate themselves by providing a token instead of a user name and password. An ArcGIS token is a string of encrypted information that contains the user's name, the token expiration time, and some proprietary information. To obtain a token, a user provides a valid user name and password. ArcGIS Server verifies the supplied credentials and issues a token. The user presents this token whenever accessing a secured resource.

The user supplies the username/password to ArcGIS Sever to get a token...

Once you get a token, as long as it lives, you supply this to every request you make to the ArcGIS server. If the username is encrypted, I hope we can't get the username from the token.

I believe that you need your web application to track this for you, if you want the current user. How would you otherwise track the tokens that are active in your session?

Plus...

http://support.esri.com/en/knowledgebase/techarticles/detail/41466

For highest security, web-tier authentication is recommended.

LeoDonahue · ‎11-25-2013

Plus...

Let's back up one level. REST is a stateless protocol.

So when you make a request to a REST endpoint, it doesn't remember who you are when you make another request, even a second later, unless you have a valid token for that web service endpoint that is not expired. And you have to supply that token upon every request you make...

If you want your application to remember who is currently using your application, then you have to control that at the web server tier.

MU · ‎11-25-2013

Ah okay, I understand. Thanks a lot for your detailed explanation!