
HTTP Referrer Token not working for secured services in Server 10.1SP1

02-08-2013 10:13 AM
Jay_Gregory
Frequent Contributor
So I have tried to generate a token at http://<myserver>:6080/arcgis/admin/generateToken, using the HTTP Referrer parameter, passing it the REST endpoint http://<myserver>:6080/arcgis/rest/services/<myfolder>/<myservice>/MapServer and setting the Expiration field to 30.  This REST endpoint is only accessible with the same credentials I used when generating the token. 

Immediately after getting the token, I tried to test my token by using a web browser and entering
http://<myserver>:6080/arcgis/rest/services/<myfolder>/<myservice>/MapServer?f=json&token=<mytoken>
The response I get back is {"error":{"code":498,"message":"Invalid Token","details":[]}}

However, I was able to get this to work using the Request IP parameter when generating the token.  The problem is I would like other folks to access my service with the token. 

Any advice?

Thanks, Jay
Accepted Solutions
RichardWatson
Deactivated User
I think that you are trying to use tokens in a manner that they were not designed to accommodate:

http://forums.arcgis.com/threads/33948-Specifying-token-for-map-service-gets-redirected-to-login-pag...
http://forums.arcgis.com/threads/66158-Accessing-a-secured-layer-from-C-a-console-app?highlight=refe...

By that I mean that they are designed to be private and you are trying to use them in a public/protected manner.

The issue is that when someone uses the token the referer must match.  It appears that that is not possible for you because you have no control over the software used by others whom you have shared the token with.

An alternative is to develop your own proxy website which issues its own tokens and, when a valid request comes in, replaces your token with an ESRI token.

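The proxy pattern from the accepted answer, as an added Python sketch that is not from this thread or from Esri: the ArcGIS token never leaves the server, the proxy mints and checks its own HMAC tokens for clients, and every request it forwards carries a Referer equal to the value bound at generateToken (the direct browser request in the question sends no Referer at all, which is why it fails). ESRI_TOKEN, BOUND_REFERER, SERVICE and the proxy token format are assumed/constructed values.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed/assumed values for the example; a real proxy loads these from config.
ESRI_TOKEN = "esri-token-kept-server-side"   # token obtained from /arcgis/admin/generateToken
BOUND_REFERER = "https://proxy.example.org/"  # referer value that token was bound to (assumed)
SERVICE = "http://myserver:6080/arcgis/rest/services/myfolder/myservice/MapServer"
PROXY_SECRET = secrets.token_bytes(32)        # HMAC key for the proxy's own tokens


def issue_proxy_token(user: str, ttl_seconds: int = 1800) -> str:
    """Mint the proxy's own token: user, expiry and an HMAC over both.
    It never contains the ESRI token, so handing it to clients leaks nothing."""
    exp = int(time.time()) + ttl_seconds
    sig = hmac.new(PROXY_SECRET, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{exp}:{sig}"


def verify_proxy_token(token: str, now=None) -> bool:
    """Reject malformed, tampered or expired proxy tokens (constant-time compare)."""
    try:
        user, exp, sig = token.split(":")
        expiry = int(exp)
    except ValueError:
        return False
    expected = hmac.new(PROXY_SECRET, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    return expiry > (time.time() if now is None else now)


def build_upstream_request(subpath: str, params: dict, proxy_token: str):
    """Validate the caller's proxy token, then build the request the proxy itself sends
    to ArcGIS: the server-side ESRI token goes in the token parameter and the Referer
    header is set to the value bound at generateToken. Returns (url, headers) or None."""
    if not verify_proxy_token(proxy_token):
        return None
    clean = {k: v for k, v in params.items() if k != "token"}  # never trust a client token
    clean["token"] = ESRI_TOKEN
    url = f"{SERVICE}/{subpath}".rstrip("/") + "?" + urlencode(clean)
    return url, {"Referer": BOUND_REFERER}
```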
RichardWatson
Deactivated User
Use the client IP address when generating the token?

I believe that the intent of ESRI was to make using tokens more secure.  The issue is that, in general, it isn't possible to get valid client IP addresses.  NAT is an issue as well as the fact that any request can put whatever information they want in this.  In fact, this is a well known trick.  For example, if you want to get answers from Experts Exchange then you say that you are Google searching the site.

What I do is to not expose tokens to clients but rather put all of this behind our own web application.  Dave Bouwman gave a great presentation on security at the Developer Summit several years ago where they developed a solution for the Department Of Homeland Security.  If you can find that then I suggest reading it.

Good luck!
Jay_Gregory
Frequent Contributor
Yes, so the method of using the client IP to generate the token and then only the client with that IP can use the token to access secured services worked.  However, this isn't an ideal solution if you say want to share the token with others, which is why I'd like to use the HTTP Referrer parameter, but I couldn't get it to work.  I was hoping to embed the token in a KML network link (pointing to generateKML on a feature layer) on a Google Earth Enterprise server so people that authenticate to our globe can access the network link (which accesses secure services).  Does that make sense?  Is there any known problem with the HTTP Referrer parameter for generating tokens?

Thanks, Jay