vandervoort

How to get a token when CORS and HTTPS are in play?

Discussion created by vandervoort on Nov 6, 2012
I'm writing a mobile web application. The requirements are:

  • A login screen (view) where username and password are entered. Therefore the IdentityManager singleton is not a valid option.

  • Username and password are used to create a credential for *everything* in the application. Not just ArcGIS services, but also other services that use the same user store. These services use the token generated by the AGS token server.

  • Dojo, jQuery and ArcGIS JavaScript API need to be hosted remotely. i.e., making use of content delivery network (CDN).

  • The token server is, of course, secured: i.e., https://www.MyServer.com/ArcGIS/tokens/

  • The mobile application is not secured by SSL, i.e., http://www.MyServer.com/MyApplication/login.html and http://www.MyServer.com/MyApplication/MapApp.html (no https).

  • Exposing the token to the Internet is not an issue. In other words, http://www.MyServer.com/MyApplication/MapApp.html?token=HugeBigHonkingLongTokenStringblahblahblah is perfectly acceptable.

  • The map application uses both token-secured local GIS services and public Esri services. The SOM is on the same hardware as the web server (IIS). ArcGIS Server release is 10.0. No upgrade to 10.1 in the immediate future.


I'm really struggling with getting the token string. Under this scenario, I'm using jQuery to get the token. I'm not familiar enough with Dojo to POST (yet).

// clientid is "requestip"
$.post(
    url,
    { request: request, clientid: clientid, expiration: expiration, username: userName, password: password },
    function (data) { tokenSuccess(data); }
);

I am having issues with CORS:
XMLHttpRequest cannot load https://www.MyServer.com/ArcGIS/tokens/. Origin http://www.MyServer.com is not allowed by Access-Control-Allow-Origin.

In my web.config I have Access-Control-Allow-Origin wide open ("*") for now, I'll eventually ratchet it down to just the CDN providers.

If there is an easier way to get the token string based on this scenario, I'm all ears.

Am I going to have to set up a proxy? Or can I just use CORS? Is IdentityManagerBase an option?

TIA
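Added example, not part of the original post: the browser compares scheme, host and port when it decides whether the page at http://www.MyServer.com/... may read a response from https://www.MyServer.com/ArcGIS/tokens/, so the two URLs above are different origins even though the host is the same, and the Access-Control-Allow-Origin header has to arrive on the token endpoint's own response. The functions below reproduce that origin comparison, the server-side allow-list decision (including why "*" cannot be combined with a credentialed request), and the same-origin URL a proxy would give the page instead. The proxy path `/MyApplication/proxy.ashx` is an assumed placeholder, not something the post describes.

```javascript
// Added example (not from the original post). Uses the WHATWG URL global
// available in Node.js and browsers; no network access is needed.

// Origin = scheme + host + port (default port elided, host lower-cased).
function originOf(urlString) {
  return new URL(urlString).origin; // e.g. "http://www.myserver.com"
}

// The same-origin policy check a browser applies before a script may read
// a response: all three components must match.
function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Server-side decision for the Access-Control-Allow-Origin header that the
// token endpoint's response would need to carry.
//   allowed:         "*" or an array of permitted origin strings
//   withCredentials: true when the XHR sends cookies or HTTP auth
// Returns the header value to emit, or null when the request must be refused.
function corsAllowOriginHeader(requestOrigin, allowed, withCredentials) {
  if (allowed === "*") {
    // Browsers reject "*" on credentialed responses; an explicit origin is required.
    return withCredentials ? null : "*";
  }
  const normalised = allowed.map(originOf);
  return normalised.includes(originOf(requestOrigin)) ? originOf(requestOrigin) : null;
}

// One-line diagnosis of a page URL / token URL / server policy combination.
function diagnose(pageUrl, tokenUrl, allowed, withCredentials) {
  if (isSameOrigin(pageUrl, tokenUrl)) {
    return "same-origin: no CORS needed";
  }
  const header = corsAllowOriginHeader(originOf(pageUrl), allowed, withCredentials);
  if (header === null) {
    return "cross-origin: blocked (no acceptable Access-Control-Allow-Origin)";
  }
  return "cross-origin: allowed by Access-Control-Allow-Origin: " + header;
}

// Rewrite a target URL so the request goes to a proxy hosted under the page's
// own origin. proxyPath is an assumed placeholder; the proxy itself is not shown.
function viaSameOriginProxy(pageUrl, proxyPath, targetUrl) {
  const proxy = new URL(proxyPath, pageUrl);
  return proxy.href + "?" + encodeURIComponent(targetUrl);
}

// Constructed sample values mirroring the URLs quoted in the post.
const PAGE = "http://www.MyServer.com/MyApplication/login.html";
const TOKENS = "https://www.MyServer.com/ArcGIS/tokens/";

console.log(diagnose(PAGE, TOKENS, "*", false));
console.log(diagnose(PAGE, TOKENS, "*", true));
console.log(diagnose(PAGE, TOKENS, ["http://www.MyServer.com"], true));
console.log(diagnose(PAGE, viaSameOriginProxy(PAGE, "/MyApplication/proxy.ashx", TOKENS), "*", true));
```

The third call shows the allow-list form the post says it will eventually ratchet down to; the fourth shows that once the token request is routed through a proxy under the page's origin, the browser never consults Access-Control-Allow-Origin at all.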
