
Security in AppStudio Quick Report

Question asked by kjerath_hanovercounty on Apr 6, 2017
Latest reply on Apr 12, 2017 by kjerath_hanovercounty

I'm working with an app that I want the public to be able to edit through the app, but I do not want the public to be able to access the app through our organization's REST endpoint. I secured the feature service by going into ArcGIS Server Manager and limiting access to a role containing a single user.

From there it seems like there are two ways to add the user credentials to the app:

1. Embed the username and password into this line in FeatureServiceManager.qml under the generateToken function

var obj = {"username":"user", "password":"pwd", "f":"json", referer: "http://www.arcgis.com"/*, expiration:"1"*/};

2. OR manually go to the token URL, enter the username and password, generate a token, and hard code the token into the app at the top of FeatureServiceManager.qml (Hopefully this is the correct place. I haven't tested this.)

Item {
    id: featureServiceManager

    property url url
    property string token: "wqFQ8vHYATcjDMrbuecyxmPX2R3R7UoTbQKvo5DBcFsAUdEmiT74f7c-ICYwxI0L"

    // ... rest of FeatureServiceManager.qml
}


My questions are:

Is it safe to store username and password in the code for the app? Is there a way for the public to get to it?

If so, is it safe to store the token in the app? If someone got the token, couldn't they plug it into the REST endpoint and get to the service that way?

    http://myserver/arcgis/rest/services?token=wqFQ8vHYATcjDMrbuecyxmPX2R3R7UoTbQKvo5DBcFsAUdEmiT74f7c-ICYwxI0L


I'm using AppStudio (Desktop 1.4) and the Quick Report template.
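
Anything bundled into a client app ships to every user who installs it, so string literals like the two shown in the question are worth catching before a build is published. The following pre-release check is an added example, not part of the original post or of the Quick Report template; the names `find_hardcoded_secrets` and `SECRET_WORDS`, the word list, and the sample QML with its placeholder values are assumptions made for illustration.

```python
import re
import sys

# Constructed sample mirroring the two patterns in the question; all values are placeholders.
SAMPLE_QML = '''\
Item {
    id: featureServiceManager
    property url url
    property string token: "EXAMPLE-TOKEN-PLACEHOLDER-0000"
    function generateToken() {
        var obj = {"username":"user", "password":"pwd", "f":"json", referer: "http://www.arcgis.com"};
    }
    property string emptyToken: ""
}
'''

# Assumed word list: key names that suggest a credential (extend for your code base).
SECRET_WORDS = ("password", "passwd", "pwd", "token", "secret", "apikey", "api_key")

# Matches  key: "value"  and  "key": "value"  with a non-empty string literal value.
ASSIGNMENT = re.compile(
    r'''["']?(?P<key>[A-Za-z_]\w*)["']?\s*:\s*["'](?P<value>[^"'\n]+)["']'''
)

def mask(value):
    """Keep at most the first four characters so reports do not leak the secret."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 8 else "*" * len(value)

def find_hardcoded_secrets(source):
    """Return (line_number, key, masked_value) for each secret-like string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            key = m.group("key")
            if any(word in key.lower() for word in SECRET_WORDS):
                findings.append((lineno, key, mask(m.group("value"))))
    return findings

if __name__ == "__main__":
    # Scan the files named on the command line, or the constructed sample if none are given.
    sources = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or {"<sample>": SAMPLE_QML}
    hits = 0
    for name, text in sources.items():
        for lineno, key, masked in find_hardcoded_secrets(text):
            print(f"{name}:{lineno}: hard-coded value for '{key}': {masked}")
            hits += 1
    sys.exit(1 if hits else 0)
```

Run against the project's `.qml` files, the script exits non-zero when it finds a literal, so it can gate a build step; empty placeholders such as `token: ""` are not reported.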
