Problem using proxy page to post data when token is embedded in application

BillDaigle · ‎02-26-2011

I have a service with an embedded, long-lived token. I just ran into an instance where I have a map request that's longer than 2048 characters so the API is trying to post the request via our proxy page. When this happens, I get an "Invalid token" response. I have tested the proxy page and it works just fine when the service is not secured. I think the problem is...

When I send the regular get request, the Request Header Host is set to the gis server

When I send the request via the proxy page, the Request Header Host is set to the web server.

I'm not sure if this is the problem or even related, but this is the only real difference I can seem to find between the get and the post requests. Anyone have any thoughts or suggestions?

RichardWatson · ‎02-27-2011

2048 is a magic number because some web servers will reject HTTP GETs with requests larger than this. The standard pattern is to convert the GET to a POST with the body containing the query string.

With regards to the referer, you can set it to whatever you want. In the case of the proxy I set it to be the same as the request calling the proxy.

BillDaigle · ‎02-28-2011

I understand why the request is going through the proxy page, but I still can't figure out why I'm getting an invalid token response. I just checked, and my referrer is set to the same for the get and the post requests (the "Host" is different, but I don't see why this would be relevant).

BillDaigle · ‎02-28-2011

The following forum pointed me in the right direction.

http://forums.arcgis.com/threads/19233-Token-used-in-proxy-not-working-for-Feature-Service (this forum is related to flex, but I assume it still applies conceptually).

The fact that the referring URL is set correctly doesn't matter since...

"When you generate the token, you should use the IP address of the proxy machine as seen by the ArcGIS Server. This is because the referer header is not passed on by the proxy."

I'm not using thet IP address method because I'm embedding the token in the application. We tried embedding the token in the proxy page originally. This worked OK, but we had performance problems on our application (JBOSS) when we started doing load tests. Generating a single token for a user's session and embedding it in the application took care of this problem for us. But now I need the proxy page again.

How can I embed the a token in a application and still retain the ability to use the proxy page for "long-winded" requests?

RichardWatson · ‎03-02-2011

Isn't the proxy code that you have?

In our case we started with sample code from ESRI and changed it to suit our needs. I do not think that the ESRI code is 'supported' which is another way of saying that you own it.

If you have the proxy code then you can set the referer header to whatever you want. Just make sure that you copy the referer from the incoming request to the request that you create. In essence, you are making it appear as if the request came from the client.

Another approach is to route all requests through the proxy page including the request to generate the token. In this case you can use the "ip.IPAddressOfProxy" for the clientid.