AnsweredAssumed Answered

Securing ArcGIS server services and presenting in JS API

Question asked by MollyKFoley on Oct 19, 2018
Latest reply on Oct 19, 2018 by MollyKFoley

I'm trying to figure out what the best course of action is regarding my application built in the javascript API. This application is already behind a password wall that is unrelated to Server, but I would still like to secure the resources as I want to make sure they're not accessible through the REST endpoints. Ideally, I would like to have the user log in only once instead of logging in and then hitting the web map and having to log in another time to view it. This suggests to me that I'm looking for an application log in, where the application authenticates in the background with itself or a generic user somehow hard-coded in there. I've read the help documentation but I'm such a novice when it comes to security that I'd really like to hear some opinions on what solution I should pursue. 


The first part of the help document sounds like what I'm looking for: 


Application logins

The application login approach is used when the application authenticates with the platform on behalf of itself. In this scenario an application that is registered with the platform can log in without requiring application end users to log in using platform credentials. This means you can build applications that provide anonymous access to the resources. Be aware that applications using the application login approach are susceptible to misuse. Developers can build logic into the application to try and limit misuse using techniques like IP address checking and rate limiting.

I don't care to know who is viewing it exactly, they can view it "anonymously" because I know the only users who can get access are the ones who can log in to the overall application anyway.


I will not be registering my application with ArcGIS Online or Portal, so anything with OAuth 2.0 is out. I also do not wish to pursue HTTP/Windows authentication as that seems more complicated than necessary (someone correct me if I'm wrong).


Thus, I am left with tokens. The problem is that I have no idea how to get started with creating a proxy server-side component and I can't seem to find any tutorials on it. Can anybody point me in the right direction or have anything to add?


Using JS API 3.x, AGS 10.6