Hello everyone,
I've upgraded ArcGIS Server 10.5.1 to 10.6 and it appears that the token service URL switched from http to https...
I can't find a way to restore it to http: I have updated the JSON via the REST admin to enable tokens over http (see link
Enable token acquisition through an HTTP GET request—ArcGIS Server Administration (Windows) | ArcGIS... ), restarted the services and the server, but with no results.
Any help will be appreciated
Damiano
You really shouldn't be generating tokens over http, as that sends your credentials in plain text, unencrypted. Is there a reason you want that URL to be http?
To second what Jonathan said, why would you want tokens over http? Plain-text defeats the purpose of securing the service at all.
A plain-text token request is a non sequitur. There was a bug in ArcGIS pre-10.2.2 which enabled it by default, but this has always been inherently insecure.
The documentation indicates that it may be possible, but it's still an awful idea to allow such access:
Caution:
Although using a GET request is a convenient method of acquiring a token, a user's credentials are provided as part of the URL and may be stored in browser history or in network components. It's recommended that you update your applications so that tokens are not acquired through a GET request.
- V
Thanks for your answers!
The scenario is that a server application is installed on the same machine as the ArcGIS Server and therefore the risks are lower. In any case, while waiting to enable https, I would like to understand if the procedure described here Enable token acquisition through an HTTP GET request—ArcGIS Server Administration (Windows) | ArcGIS... is still valid for a 10.6 installation.
I have not found other ways to bring the Token Service URL back to http.
Thank you very much!
Damiano
Have you tried the documented procedure?
Asking folks who are strongly recommending you don't use this feature to test it for you isn't likely to bear fruit.
- V
From:
FAQ: How does ArcGIS Server token authentication work?
https://support.esri.com/en/technical-article/000011851
All Esri clients and APIs send usernames and passwords over https (encrypted) if it is enabled. If it's not enabled, then usernames/passwords may be sent as clear text over the network. To prevent this, it is strongly recommended that https be enabled in ArcGIS Server when using GIS-tier authentication. It is not enabled by default.
Tokens can be acquired through either an HTTP GET or an HTTP POST. Using a POST is always more secure. GET requests may leave usernames/passwords in network equipment history and in the browser history. Esri APIs and products use POST when acquiring tokens. However for the convenience of people writing scripts, tokens can be acquired via GET requests. Esri recommends against obtaining tokens via GET requests in secure environments.
Note that the above doc is dated - likely for 10.3. At 10.4+, HTTP and HTTPS are enabled by default.
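
The documentation caution and the FAQ quoted in this thread both note that GET token requests leave usernames and passwords in logs and network equipment. The following is an added example, not part of the original thread and not Esri code: it scans web access-log text for GET requests to the token service that carry a password in the URL, and redacts those values. The Common Log Format, the `/tokens` path match and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format (not from a real server).
SAMPLE_LOG = """\
127.0.0.1 - - [12/Mar/2018:10:01:02 +0100] "GET /arcgis/tokens/generateToken?username=svc_app&password=Example123&client=requestip&f=json HTTP/1.1" 200 187
127.0.0.1 - - [12/Mar/2018:10:01:05 +0100] "POST /arcgis/tokens/generateToken HTTP/1.1" 200 187
10.0.0.7 - - [12/Mar/2018:10:02:11 +0100] "GET /arcgis/rest/services?f=json HTTP/1.1" 200 912
10.0.0.7 - - [12/Mar/2018:10:03:40 +0100] "GET /arcgis/tokens/?username=editor&password=p%40ss&f=json HTTP/1.1" 200 187
"""

# Client IP, timestamp, method and request target of a Common Log Format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
PASSWORD_RE = re.compile(r'(?i)(password=)[^&\s"]*')


def find_credential_gets(log_text):
    """Return one finding per GET to the token service with a password in the URL."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # POST bodies are not written to the access log
        url = urlsplit(m["target"])
        if "/tokens" not in url.path.lower():  # assumed token service path
            continue
        params = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        if "password" in params:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": url.path,
                "username": params.get("username", ["?"])[0],
            })
    return findings


def redact(log_text):
    """Replace password values in logged URLs so the log can be shared or archived."""
    return PASSWORD_RE.sub(r"\1REDACTED", log_text)


if __name__ == "__main__":
    for f in find_credential_gets(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} GET {f['path']} exposed password for user {f['username']}")
```

Any account reported here has had its password written to disk in clear text and should have that password changed, whether or not the request came from the local machine.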