Community

token used in the map service URL

3588
8
10-25-2012 06:19 AM
CharlesCao
by
New Contributor
‎10-25-2012 06:19 AM
I published a map service yesterday. At the beginning there was only a Service Definition without the map service of the same name, then I close SSL and open SSL (sing in/out) again, then publish the service and created tiles.

But the URL has used token, like as:

https://tiles.arcgis.com/tiles/....../arcgis/rest/services/Imagery/MapServer?token=4JfWt72JDkwm-RB5d...

And there is no token information in URL for the feature service which I published before, like as:

https://services1.arcgis.com/....../arcgis/rest/services/Parcel/FeatureServer/0

Is it right? why is there any diferrent with token?

Additional, the projection of  the original imagery before publishing is the same with other features (NAD_1983_UTM_Zone_17N,Projection: Transverse_Mercator, Spatial Reference: 26917) , but it changed to WGS_1984_Web_Mercator_Auxiliary_Sphere (spatial reference: 102100) automatically, which is same as basemap (streets, topographic, Bing...) in ArcGIS Online.

Is there any effect for web map application?
Tags (2)
0 Kudos
8 Replies
MikeMinami
by Esri Notable Contributor
Esri Notable Contributor
‎10-25-2012 04:00 PM
Where are you looking at this URL?

If the service is secured (not shared with everyone), accessing it will require a token. This is what gives access to the service. For hosted services, if you are signed in, this token is passed automatically. However, sometimes you can see the token as part of the URL.

Having said that, you never want to share the URL to your rest service with a token, or add it to a web map via URL that way. This is because tokens are short lived and expire and the URL will quickly be invalid. Each client application can get their own token by forcing the user to sign in.

Mike
0 Kudos
CharlesCao
by
New Contributor
‎10-29-2012 05:41 AM
Thanks Mike,

This URL comes from the Service Directory(open the DETIAL for the map service, and click the URL below the Map Contents but this URL is not including the tokes information), and there are so much information there, ie. title info, spatial reference etc.

I only share all my services to my organization, whatever feature service or map service, what I am wondering is why the token is only used for the map service instead of the ferture service, and why the spatial reference is converted to WGS84 automatically, and the orginal data is NAD_1983_UTM_Zone_17N?

Where are you looking at this URL?

If the service is secured (not shared with everyone), accessing it will require a token. This is what gives access to the service. For hosted services, if you are signed in, this token is passed automatically. However, sometimes you can see the token as part of the URL.

Having said that, you never want to share the URL to your rest service with a token, or add it to a web map via URL that way. This is because tokens are short lived and expire and the URL will quickly be invalid. Each client application can get their own token by forcing the user to sign in.

Mike
0 Kudos
MikeMinami
by Esri Notable Contributor
Esri Notable Contributor
‎10-29-2012 03:11 PM
The token gets passed to the feature service. The page gets redirected to hide the token so it doesn't accidentially get copied (because people often copy this URL). This has not been done for hosted map services.

If you publish a shapefile or CSV from ArcGIS.com, you don't get to choose the coordinate system. The data gets converted to Web Mercator so it will display nicely over all the basemaps. If you publish from ArcGIS desktop, the coordinate system of the map is preserved on publish.

Thanks,

Mike
0 Kudos
CharlesCao
by
New Contributor
‎11-01-2012 10:56 AM
Thanks Mike.

May I piblish a piece of imagery as a map serveice with tokon to ArcGIS Online? I published one, and it looks good in ArcGIS.com, but it can't display the image layer consistently in our web app. We discussed with ESRI technical support, and they also have same issues. It doesn�??t seem to be a reliable and secure way to use the image map service which I published to ArcGIS Online.

Does anyone have same issues?

Thanks.
0 Kudos
MikeMinami
by Esri Notable Contributor
Esri Notable Contributor
‎11-01-2012 12:07 PM
You never want to create an app that references a service with an embedded token. Tokens are not meant for this kind of use. It's not secure. Plus, tokens become stale quickly. Instead you should write the app and have the app request a token based on valid user credentials.

Mike
0 Kudos
CharlesCao
by
New Contributor
‎11-01-2012 12:40 PM
Thanks Mike.

you meant I should cancel the SSL in my ArcGIS Online Account?

There are several feature servers with https (for example https://canacre.maps.arcgis.com/home/item.html?id=66b6eaf364d74fae8f664d1ed31f3c5b) which I published to ArcGIS Online, and it's OK when it was used in our app.

But for the map service (https://tiles.arcgis.com/tiles/Kg6vHeZ3rwWQ6xlh/arcgis/rest/services/Imagery_BLW_TLine/MapServer?tok...), it doesn't work in our app.

How could we deal with this situation.

You never want to create an app that references a service with an embedded token. Tokens are not meant for this kind of use. It's not secure. Plus, tokens become stale quickly. Instead you should write the app and have the app request a token based on valid user credentials. 

Mike
0 Kudos
MikeMinami
by Esri Notable Contributor
Esri Notable Contributor
‎11-01-2012 12:58 PM
I'm not sure we're talking about the same thing... Tokens and SSL are really two separate things.

ArcGIS Online uses tokens to provide access to services. When a client requests access to a service, the service challenges the client for credentials. The client provides the credentials and gets a token back that the client then uses to access the secured service. SSL provides a higher level of security for communication across the internet. THus, turning on SSL will make your site more secure because of the secured transmissions, but it is not necessary to simply restrict access to your services.

It seems like you are writing your own JavaScript (?) web application that accesses the secured services over HTTPS? What browser and version are you using? Is your application also running over https? If not, and you are using Internet Explorer, try using Chrome or Firefox to run your application. They better handle http to https communications. Alternatively, you'll probably be better off writing your application to run over https.

Are you using the IdentityManager to prompt for a username and password?

Mike
0 Kudos
CharlesCao
by
New Contributor
‎11-07-2012 08:35 AM
Acctually we use JavaScript for customizing our web app without https, and the Identity Manager has been tested for this issue, but it doesn't work either.

I'm not sure we're talking about the same thing... Tokens and SSL are really two separate things.

ArcGIS Online uses tokens to provide access to services. When a client requests access to a service, the service challenges the client for credentials. The client provides the credentials and gets a token back that the client then uses to access the secured service. SSL provides a higher level of security for communication across the internet. THus, turning on SSL will make your site more secure because of the secured transmissions, but it is not necessary to simply restrict access to your services.

It seems like you are writing your own JavaScript (?) web application that accesses the secured services over HTTPS? What browser and version are you using? Is your application also running over https? If not, and you are using Internet Explorer, try using Chrome or Firefox to run your application. They better handle http to https communications. Alternatively, you'll probably be better off writing your application to run over https.

Are you using the IdentityManager to prompt for a username and password?

Mike
0 Kudos