Possible to hard code credentials?

JeffPace · ‎12-11-2012

I am trying to eliminate duplicate services. Right now we have two server, with identical services. One with security enabled, one without.

The secure server has ssl enabled and has endpoints through a Web App Firewall (proxy)
The insecure server is internal only.

The point of the insecure server is so that employees, on the internal network, do not have to login.

I already sniff the host during access to load a config file. I was hoping that i could hard code credentials (or at least perform the login behind the scenes) so that i can access the secure server without a prompt for a login If i detect the user is on the internal network. Is that possible?

thanks.

GeorgeSimpson · ‎12-11-2012

If you are using IIS, you can let Active Directory do the authentication based on the windows credentials. ArcGIS Server can use AD for a user store and your services can be accessed based on the authentication/authorization from the store.

JeffPace · ‎12-12-2012

If you are using IIS, you can let Active Directory do the authentication based on the windows credentials. ArcGIS Server can use AD for a user store and your services can be accessed based on the authentication/authorization from the store.

Sorry should have been clear on enivornment

ArcGIS Server 10sp4 for JAVA (Not .net)
Java tomcat container authentication

Cannot use AD/LDAP, many users are public users with VPN access.

Need to find a way to hardcode username/password in application if access meets certain criteria.

JeffPace · ‎12-13-2012

any thoughts appreciated.

RahulMetangale1 · ‎12-13-2012

Jeff,

Here is the sample code to do log in behind the scene, I have copy pasted the code from my app(written in version 2.8) so you might have to do little modification:

<script type="text/javascript">
        dojo.require("dojo.parser");
        dojo.require("esri.IdentityManager");
  var cred = "esri_jsapi_id_manager_data";
  var shortLivedTokenValidity=60;
        function init() {
            var idBase = new esri.IdentityManagerBase();
            esri.config.defaults.io.proxyUrl = "proxy.ashx";
            var serverInfo = {
                "server": "http://myserver:8399",
                "tokenServiceUrl": "http://myserver/arcgis/tokens",
                "currentVersion": 10.4
            };
            var def = idBase.generateToken(serverInfo, { "username": "rahul", "password": "rahul" });
            def.addCallback(function (tokenInfo) {
    var idBase = new esri.IdentityManagerBase();
    //Short lived token is valid for 60 mins by defult 
                idBase.tokenValidity =shortLivedTokenValidity=60;
                var serverInfo = {
                    "server": "http://myserver:8399",
                    "tokenServiceUrl": "http://csslsystem-254:8399/arcgis/tokens",
                    "currentVersion": 10.04
                };
                esri.id.registerServers([serverInfo]);
    //get token creation time in epoch
                var creationTime = (new Date).getTime();
    //calculate the token expiration based on short lived token validity
                var expirationTime = creationTime + (shortLivedTokenValidity * 60000);
    //create array of secured services 
                var securedServices = [];
                for (var services in this.configData.mapService) {
                    securedServices.push(this.configData.mapService[services]);
                }
                var idString = dojo.toJson({ "serverInfos": [serverInfo],
                    "credentials": [{
                        "userId": rahul,
                        "server": "http://myserver:8399",
                        "token": tokenInfo.token,
                        "expires": expirationTime,
                        "ssl": false,
                        "creationTime": creationTime,
                        "resources": securedServices
                    }]
                });
                // store it client side
                if (_supports_local_storage()) {
                    // use local storage
                    window.localStorage.setItem(this._jsAPIIDManagerData, idString);
                } else {
                    // use a cookie
                    dojo.cookie(this._jsAPIIDManagerData, idString, { expires: 1 });
                }
                this._loadCredentials();
    
   });
   
               
        }
  
   function _supports_local_storage() {
            try {
                return "localStorage" in window && window["localStorage"] !== null;
            } catch (e) {
                return false;
            }
        }

        function _loadCredentials() {
            var idJson, idObject;
            if (this._supports_local_storage()) {
                // read from local storage
                idJson = window.localStorage.getItem(this._jsAPIIDManagerData);
            } else {
                // read from a cookie
                idJson = dojo.cookie(this._jsAPIIDManagerData);
            }
            if (idJson && idJson != "null" && idJson.length > 4) {
                idObject = dojo.fromJson(idJson);
                esri.id.initialize(idObject);
            }
        }
        dojo.addOnLoad(init);
    </script>

I hope this helps you.

SunilPalkar · ‎12-14-2012

Nice example Rahul !!

JeffPace · ‎12-14-2012

thank you! will try shortly

JeffPace · ‎12-14-2012

that worked!! thank you

any hints to obscure the pw in the code?

BillDaigle · ‎12-14-2012

Maybe I'm missing something, but I don't see how your going to hide the credentials if you're sending the request from the client.

We use server side page (jsp) to generate a token for a session. We are still on a 9.3.1 server, so I'm not using the identity manager, but I assume the concept will be similar.

Here is the javascript code:

var getToken = function(onComplete){
  dojo.xhrGet({
    url: this.basePath + "code/getFwpTokenNew.jsp?ref=" + document.location.protocol + "%2F%2F" + document.location.hostname,
    handleAs: "text",
    load: function(data){
      var jsonData = dojo.fromJson(data);
      onComplete(jsonData.token);
    },
    error: function(error){
      console.debug(error);
    }
  });
};

And our jsp code. Warning, I'm not a java programmer, so some of what you see is scraped together.

<%@page session="false"%>
<%@page import="java.net.*,java.io.*" %> 
 
<% 
response.setHeader("Cache-Control","no-cache"); //HTTP 1.1
response.setHeader("Pragma","no-cache"); //HTTP 1.0
response.setDateHeader ("Expires", 0); //prevents caching at the proxy server

String onErrorText = "";

try {
  
  String reqUrl = request.getQueryString();
  String onProd = request.getParameter("prodServer");
  String refUrl = request.getParameter("ref");
  String agsServerUserName = "username";
  String agsServerPswd = "password";
  String agsServerPath = "http://yourserverpath";

  out.clear();
        
  String getTokenUrl = agsServerPath +"/arcgis/tokens/gettoken?request=getToken&username="+agsServerUserName+"&password="+agsServerPswd+"&clientid=ref."+refUrl+"&expiration=1440";
  URL tokenRequest = new URL(getTokenUrl);

  BufferedReader in1 = new BufferedReader(new InputStreamReader(tokenRequest.openStream()));
  String token = in1.readLine();  
  in1.close();
  out.println("{'token':'"+token+"'}");
  return;
  
} 
catch(Exception e) {
  out.println("{'error':'There was retrieving the token for the map server.'}");
}
%>

DanikBourdeau2 · ‎12-14-2012

Thanks for the examples. Does anybody know if these methods would work with secure services hosted on ArcGIS Online?