Application-level token authentication

ChrisSmith7 · ‎01-07-2016

I'm looking to narrow availability of some map services utilized by my JSAPI application. I am using ArcGIS Server 10.3 on a local Windows/IIS install with proxy availability.

I have several applications on different domains and servers accessing the centrally-located ArcGIS Server resources, which are publicly available... I'd like to have it set-up so that only these applications can access the resources, but users shouldn't need to supply credentials - the idea is to make it difficult for a user to inspect the web requests to acquire the public resources outside of the application and poke around for data harvesting and hot-linking in non-sanctioned applications.

What's the best way to accomplish this? I've found several resources and write-ups on the topic, but I am still unclear as how to do this correctly and securely.

ChrisSmith7 · ‎01-11-2016

So, I pushed it to the dev server, which has a valid ssl for the host app. There should be a complete end-to-end ssl implementation, yet I'm still getting the authentication pop-up (which I don't want). I'm still unable to authenticate through the mapping app, but I can, using the same username/pw, authenticate directly in REST.

I'm getting a console error now:

Proxy is being used for an unsupported service: https://mygisserver/arcgis/tokens/

I'm using the proxy from the Esri github - Esri/resource-proxy · GitHub I looked over tokens, proxy, secure services and the vanishing help, but didn't find an applicable resolution... Any ideas?

UPDATE:

I tried this in Chrome, and it works on the DEV server, but not in IE11

ChrisSmith7 · ‎01-11-2016

Ok, I figured out why it was working in Chrome - I had authenticated manually in REST, which was stuck in cache, I suppose. When I use a cold session, it exhibits the same behavior... I think I'll open another thread just for this issue.