Community

dynamic token generation

3832
6
03-15-2011 02:36 AM
AlessioDi_Lorenzo1
by
New Contributor III
‎03-15-2011 02:36 AM
Hi,

I'm using a token to access my arcgis secured services from JS APIs based application.
It works fine, but every time the token expires I need to generate a new one and substitute it directy in the js code.
I read that is possible to use a proxy page to send a request to the token service and generate the token dynamically by username and password (stored in the proxy page...). This would be ideal for me.
I found an example in aspx [1], but I need JSP and I don't understand how to adapt the default jsp proxy provided in the esri help.

Thanks in advance

[1] http://forums.esri.com/Thread.asp?c=158&f=2396&t=297001
0 Kudos
6 Replies
AlessioDi_Lorenzo
by
New Contributor
‎03-15-2011 02:50 AM
Hello, the same user here...
Sorry for the double registration, I forgot my username and the "magic question" answer to renew the password for this account, so I used "adilorenzo" to post and then I remembered how to login with my first account.

Hope someone can help me with the dynamic token...
0 Kudos
AlessioDi_Lorenzo
by
New Contributor
‎03-15-2011 06:58 AM
Some additional information.

Before facing the issue about dynamic token generation I tried the provided proxy.jsp as is just to see if it works. The comments in the proxy.jsp code says:

String[] serverUrls = {
  //"<url>[,<token>]"
  //For ex. (secured server): "http://myserver.mycompany.com/arcgis/rest/services,ayn2C2iPvqjeqWoXwV6rjmr43kyo23mhIPnXz2CEiMA6rVu0xR0St8gKsd0olv8a"
  //For ex. (non-secured server): "http://sampleserver1.arcgisonline.com/arcgis/rest/services"
};


so I generated my Token in the token request page specificing, as usual:

  • username/password

  • IP address of the server sending the request to arcgis server (that is my local tomcat: 127.0.0.1:8080)

  • expiration time


then I changed the JSP String[] serverUrls to this:

String[] serverUrls = {
"http://mydomain/arcgis/rest/services,my Token"
}


When I load the application page the secured layer request fails and firebug says:
{"error":{"code":498,"message":"Invalid token","details":[]}}

What I'm doing wrong? Thanks...
In the Javascript part I wrote
esri.arcgis.gmaps.Config.alwaysUseProxy = true;
esri.arcgis.gmaps.Config.proxyUrl = "./proxy.jsp"


A note:
when I use IP address to generate token, the authentication doen't work even if I pass the token directly in the javascript request. Otherwise it works when I use a token generated using the option Web Application URL or HTTP Referrer (but these token, as I read in the help, can't be used in the proxy page!)
0 Kudos
AlessioDi_Lorenzo
by
New Contributor
‎03-17-2011 11:56 PM
UP! News about proxy? Someone from esri staff...?
0 Kudos
TracySchloss
by
Frequent Contributor
‎11-02-2012 09:23 AM
I don't know if posting to a thread that's over a year old will help, but I hate to start another one.  There are a ton of threads already on security, generating tokens and what you may or may not have to do to your proxy.config and proxy.ashx.

The first application I needed a proxy configuration for was because I was creating a buffer. I needed the request to be POST and so the examples from the Resource Center worked just fine once I added my server names to the proxy.config file.  I'm using the ASP.NET version.

Now I need to dynamically generate a token based on a user name/password.  I'm using a sample I found under Concepts.  ArcGIS Server Services > working with secure resources.  Under the section for working with tokens, there is a link to Security Sample.  Since the server I'm testing with is still at 9.3, it sounds like I need to be using esri.request.  (Apparently Identity Manager would help me, but that is only support at 10.0).

From the page I found this one, it's only viewable, I don't see how to download it.  It's not on the samples page and doesn't come up if you do a search on Security.  I was able to view the code through Firebug, but I'm lost on how the proxy is set up for it. I have tried both the original proxy.ashx file 'as-is' from the sample provided from "Using the proxy page" and a version that seems to be working for some that was posted on the forums under the thread "Token Security on an ArcGIS Server (Javascript)" as the file proxyDynamic.zip.  Neither are working for me.  I assume the solution to having your tokens truly dynamic lies in the ability to make a secure request back to your server hosting the services as opposed to trying to somehow store it in another external file, like web.config, that must be periodically edits with a new token.  

I tried the original proxy.ashx and variation for dynamic tokens posted on the forums.  Both generate an error "malformed URI sequence". 

There are over 1000 views on the main threads related to this, but very few answers.  Please, ESRI, review your pages on the configuration and use of secure services.  I can't be the only person who is getting lost on this.
0 Kudos
nicogis
by MVP Frequent Contributor
MVP Frequent Contributor
‎11-02-2012 12:03 PM
Tracy, the simplest mode for check problems with proxy is: go in debug on ashx in Vs.
However you can create your proxy. The esri only forwards request to a component server side with scope permission/filter. They are sample/helper but you should be set your logic security. I have seen sample without check for instance 'referrer'. It's true that you can bypass the REFERER security check...
0 Kudos
TracySchloss
by
Frequent Contributor
‎11-02-2012 01:24 PM
Unfortunately I do not have VS, I'm not likely to get a copy and I've never used it.

Maybe I don't need your modified ashx code.  In the file I see these lines:
public string GetToken(string uri)
    {
        foreach (ServerUrl su in serverUrls)
        {
            if (su.MatchAll && uri.StartsWith(su.Url, StringComparison.InvariantCultureIgnoreCase) && su.DynamicToken)
            {
                // Code to dynamically get the token
                string tokenService = string.Format("https://{0}/ArcGIS/tokens?request=getToken&username={1}&password={2}&expiration=30", su.Host, su.UserName, su.Password);
                string token;


I interpret this to mean that 0, 1, 2 are parameters that are read from the proxy.config file.   I want to be able to let the user enter their user name and password in a form, defining the variables dynamically, in this example usr and pwd.

esri.request({
    url: "https://myserver.mo.gov/ArcGIS/tokens",
    content: {
      request: "getToken",
      username: usr,
      password: pwd
    },
    handleAs: "text",
    load: tokenObtained,
    error: tokenRequestFailed
  });


Do I not really need your modified proxy.ashx since that seems to be looking to proxy.config for these same parameters?  I didn't feel like the original proxy.ashx from the Resource Center was quite what I needed either.
0 Kudos