Update Token Service Url in Server Info

03-26-2018 06:24 AM
DamianoMontrasio
New Contributor III

Hello everyone,

I've upgraded ArcGIS Server 10.5.1 to 10.6 and it appears that token service Url switched from http to https...

I can't find a way to restore it to http: I have updated the json via rest admin to Enable Token in http (see link Enable token acquisition through an HTTP GET request—ArcGIS Server Administration (Windows) | ArcGIS...), restarted services and server, but with no results.

Any help will be appreciated.

Damiano

0 Kudos
7 Replies
JonathanQuinn
Esri Notable Contributor

You really shouldn't be generating tokens over http, as that sends your credentials over plain text and they aren't encrypted. Is there a reason you want that URL to be http?

RandallWilliams
Esri Regular Contributor

To second what Jonathan said, why would you want tokens over http? Plain-text defeats the purpose of securing the service at all.

VinceAngelo
Esri Esteemed Contributor

A plain-text token request is a non sequitur. There was a bug in ArcGIS pre-10.2.2 which enabled it by default, but this has always been inherently insecure.

The documentation indicates that it may be possible, but it's still an awful idea to allow such access:

Caution:

Although using a GET request is a convenient method of acquiring a token, a user's credentials are provided as part of the URL and may be stored in browser history or in network components. It's recommended that you update your applications so that tokens are not acquired through a GET request.

- V

DamianoMontrasio
New Contributor III

Thanks for your answers!

The scenario is that a server application is installed on the same machine as the ArcGIS Server and therefore the risks are lower. In any case, while waiting to enable https, I would like to understand if the procedure described here (Enable token acquisition through an HTTP GET request—ArcGIS Server Administration (Windows) | ArcGIS...) is still valid for a 10.6 installation.

I have not found other ways to bring the Token Service URL back into Http.

Thank you very much!

Damiano

0 Kudos
VinceAngelo
Esri Esteemed Contributor

Have you tried the documented procedure? 

Asking folks who are strongly recommending you don't use this feature to test it for you isn't likely to bear fruit.

- V

0 Kudos
RandallWilliams
Esri Regular Contributor

From:

FAQ: How does ArcGIS Server token authentication work?

https://support.esri.com/en/technical-article/000011851

All Esri clients and APIs send usernames and passwords over https (encrypted) if it is enabled. If it's not enabled, then usernames/passwords may be sent as clear text over the network. To prevent this, it is strongly recommended that https be enabled in ArcGIS Server when using GIS-tier authentication. It is not enabled by default.

Tokens can be acquired through either an HTTP GET or an HTTP POST. Using a POST is always more secure. GET requests may leave usernames/passwords in network equipment history and in the browser history. Esri APIs and products use POST when acquiring tokens. However for the convenience of people writing scripts, tokens can be acquired via GET requests. Esri recommends against obtaining tokens via GET requests in secure environments.

RandallWilliams
Esri Regular Contributor

Note that the above doc is dated - likely for 10.3. At 10.4+, HTTP and HTTPS are enabled by default.

0 Kudos
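
The FAQ quoted in the thread notes that GET token requests may leave usernames/passwords in network equipment history and browser history. As an added example (not part of the original thread or Esri's code), this Python script audits a web access log for token requests that carry credentials in the query string and returns them with the values redacted. The common log format, the `/tokens` path and the `username`/`password` parameter names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample lines in common log format (not from a real server).
SAMPLE_LOG = """\
127.0.0.1 - - [26/Mar/2018:06:20:01 +0000] "GET /arcgis/tokens/generateToken?username=svc_app&password=ExamplePass1&client=requestip&f=json HTTP/1.1" 200 212
127.0.0.1 - - [26/Mar/2018:06:20:05 +0000] "POST /arcgis/tokens/generateToken HTTP/1.1" 200 212
10.0.0.7 - - [26/Mar/2018:06:21:10 +0000] "GET /arcgis/rest/services?f=json HTTP/1.1" 200 901
10.0.0.7 - - [26/Mar/2018:06:22:40 +0000] "GET /arcgis/tokens/?f=json&Username=editor&PASSWORD=p%26w HTTP/1.1" 200 212
"""

# Request line inside the quoted field of a common-log-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumed credential parameter names, compared case-insensitively.
SECRET_KEYS = {"username", "password"}


def find_credential_gets(log_text):
    """Return (line_no, redacted_target, leaked_keys) for every GET to a
    token endpoint whose query string carries credentials."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue  # POST bodies are not written to the access log
        parts = urlsplit(m.group("target"))
        if "/tokens" not in parts.path.lower():
            continue
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        leaked = sorted({k.lower() for k, _ in pairs if k.lower() in SECRET_KEYS})
        if not leaked:
            continue
        # Mask the secret values so the report itself does not repeat them.
        redacted = urlencode(
            [(k, "REDACTED" if k.lower() in SECRET_KEYS else v) for k, v in pairs]
        )
        findings.append((line_no, f"{parts.path}?{redacted}", leaked))
    return findings


if __name__ == "__main__":
    for line_no, target, leaked in find_credential_gets(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(leaked)} in URL -> {target}")
```

Any hit means the logged credentials should be treated as exposed and rotated, and the calling script moved to POST over https.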