Token Security on an ArcGIS Server (Javascript)

[gwhelan87]

Hello

I have a javascript application that connects to an ArcGIS server and does some functionality with the feature services. Today we added token based security to the rest end point which means I can no longer access it without the appropriate login details.

Can anyone provide a code example in javascript or point me in the direction of an example, of how to get a token using login details and store it/use it for a defined period of time. I cant find anything on the resource center.

Thanks in advance.

Graham

[ciava.at]

you can use a proxy page. Here you can set your period of time ect.

I have attached an example of proxy modified for call dynamic token in proxy page
In method gettokens you can change your rules

Code:

public string GetToken(string uri)
    {
        foreach (ServerUrl su in serverUrls)
        {
            if (su.MatchAll && uri.StartsWith(su.Url, StringComparison.InvariantCultureIgnoreCase) && su.DynamicToken)
            {
                // Code to dynamically get the token
                string tokenService = string.Format("https://{0}/arcgis/tokens?request=getToken&username={1}&password={2}&expiration=30", su.Host, su.UserName, su.Password);
                string token;
                
                
                // This script is added to force the application to certify the SSL script (if for example you have a self certificate on server)
                System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
                {
                    return true;
                };
                
                
                
                System.Net.WebRequest tokenRequest = System.Net.WebRequest.Create(tokenService);
                System.Net.WebResponse tokenResponse = tokenRequest.GetResponse();
                System.IO.Stream responseStream = tokenResponse.GetResponseStream();
                System.IO.StreamReader readStream = new System.IO.StreamReader(responseStream);
                token = readStream.ReadToEnd();

                return token;
            }
            else if (su.MatchAll && uri.StartsWith(su.Url, StringComparison.InvariantCultureIgnoreCase)) 
            {
                return su.Token;
            }
            else
            {
                if (String.Compare(uri, su.Url, StringComparison.InvariantCultureIgnoreCase) == 0)
                    return su.Token;
            }
        }

        if (mustMatch)
            throw new InvalidOperationException();

        return string.Empty;
    }

[gwhelan87]

Hi Domenico

Thanks for the response. I tried your code and a few other similar examples but i keep getting a 403 error when the proxy tries to access the service.

For the config im using

Code:

    
<serverUrl url ="https://212.147.136.135/ArcGIS/rest/services/DoEHLG/ACTIVITIES/FeatureServer"
               matchAll="true"
               dynamicToken="true"
               host="https://localhost/imds/"
               userName="USERNAME"
               password="PASSWORD">
    </serverUrl>

I'm obviously doing something wrong somewhere is the config code correct?

A snippet from the htm.

Code:

esriConfig.defaults.io.alwaysUseProxy = true;

featureLayer = new esri.layers.FeatureLayer("https://212.147.136.135/ArcGIS/rest/services/DoEHLG/ACTIVITIES/FeatureServer/0", {
                    mode: esri.layers.FeatureLayer.MODE_SNAPSHOT,
                    outFields: ["*"],
                    id: "featureLayer"
                });

And this is the error that appears after the request is denied/times out

Code:

  
Error: Unable to load proxy.ashx?https://212.147.136.135/ArcGIS/rest/...Server/0/query status:403
http://serverapi.arcgisonline.com/jsapi/arcgis/?v=2.3
Line 14

Thanks again

[ciava.at]

remove the web.config. I have attached for error.... You need only proxy.ashx and proxy.config.

Have you service token on https? tokenService = string.Format("https://...

In property host of proxy.config you set "localhost" and not "https://localhost/imds/" : if you see in gettoken string tokenService = string.Format("https://{0}/arcgis/tokens? ... -> {0} is hostname (Server where there is token service).

Have you in mapping of the application proxy ashx enabled? (you can see http://msdn.microsoft.com/en-us/library/bya7fh0a.aspx)

Extra info:
-If your instance is <> 'arcgis' change here in method gettoken the name. string tokenService = string.Format("https://{0}/<nameofinstanceags>/tokens?

-if you have certificate from third parties (verisign, geotrust, geosign, godaddy ect.) you also can remove this block of code because is yet in trust list:

Code:

 // This script is added to force the application to certify the SSL script (if for example you have a self certificate on server)
                System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
                {
                    return true;
                };

or set your check for accept certificate in this delegate. In this case with return true accept the certificate.

[gwhelan87]

That worked great. Thanks a lot for your help Domenico.

[vikrant327]

I am having the same issue, where trying to access the rest service page through proxy.ashx is getting error out saying error 403 Access denied to the proxy page

[ciava.at]

vikrant, can you give me further details?

[vikrant327]

Hi Domenico,
When ever I am trying to go to rest service through the proxy page and with https connection, its giving 403 error. For example my syntax is

https://wsbv7/proxy/proxy.ashx?https.../rest/services

its will give me the error, but when I try http (non ssl) connection, it does not return any error. The problem going to be is that when we try to get token for the service, we have to use the https connection, which doesn't work.

Any thoughts?


Thanks,

[ciava.at]

in proxy.config have you set:

Code:

  <serverUrl url ="https://wsbv7/WebGIS/rest/services..."

Perahps you have

Code:

<serverUrl url ="http://wsbv7/WebGIS/rest/services..."

[vikrant327]

I tired that to, but that doesn't work either.

after adding the given line on config file , I tried this
http://wsbv7/proxy/proxy.ashx?https:...t&password=vik

this again gives 403 error. I am not sure if this is related to our IIS settings or something in our server.



Even trying to access secured service on esri server (given on esri token based security demo sample), through proxy page using the given username and password (rick and rick@esri) doesn't work either.

[ciava.at]

Open in visual studio the application where there is your proxy and you try go in debug

[vikrant327]

I got an error when I debug the proxy.ashx

error message screenshot is attached.

[ciava.at]

when you go in debug you provide a url after http://.../proxy.ashx -> http://.../proxy.ashx?http://yourrequest

[bgfield]

I got an error when I debug the proxy.ashx

error message screenshot is attached.

Were you ever able to solve this issue? I get the same thing when I try to access http://localhost/proxy/proxy.ashx, and anytime I try to access a service through the proxy page I get an error 403.

[jgravois]

are you working with the sample ASP.NET proxy from the Javascript resource center? if you haven't already, please try setting the global flag "mustMatch" to false to see whether you can forward traffic to a standard webpage directly from the browser.

ie:
http://localhost/proxy/proxy.ashx?http://esri.com

[bgfield]

Yep - that's the one I'm using. I tried setting mustMatch to false and I'm still unable to connect to anything.

When I try to connect directly to localhost/proxy/proxy.ashx I get the same error page that vikrant327 posted. I tried turning debugging on and it gave me the error message in the attached screenshot.



I'm guessing I'm just doing something stupid here!

[jgravois]

its normal to see an error when you try to access the proxy without attempting to forward a url, but you should definitely be able to forward traffic if you aren't restricting sites.

did you convert the proxy folder to an application in IIS?

[bgfield]

I did, and just to be sure I tried doing so again. One thing I'm noticing this time, when I click Convert to Application and try the "Test Settings" button, I get an error that says "Invalid Application Path", even though the physical path is pointing directly to C:\inetpub\wwwroot\proxy.

I apologize if these are dumb questions - I'm really out of my element working with this stuff!

[jgravois]

i just did a quick test and it seems that an "invalid application path" error when converting an application is normal for working proxies as well.

in IIS manager, do you have handler mappings for .ashx files?

[bgfield]

I have three of them - SimpleHandlerFactory - Integrated; SimpleHandlerFactory-ISAPI-2.0; and SimpleHandlerFactory-ISAPI-2.0-64.

[jgravois]

if the global mustMatch policy in the proxy is set to "false" the proxy isn't evaluating URLs to confirm that they are in the list. this means the 403 permission error is being generated by another component.

are you using the default application pool?
is Anonymous Authentication enabled for the app?
does it make any difference if you use 127.0.0.1 instead of localhost? machinename?

[bgfield]

Yes to the first two questions, and no, it doesn't seem to make a difference if I try my machine name or 127.0.0.1.

Whew! This is frustrating!

[jgravois]

this is just a shot in the dark, but you might check to make sure you have the following IIS components installed.

http://blogs.esri.com/esri/arcgis/20...net-framework/

also, i'm not sure what sites you are testing, but i've experienced intermittent problems bouncing tests off of google.

you're testing the following, correct?

http://localhost/[proxyfolder]/proxy.ashx?http://esri.com

is the error the same in all browsers?

[bgfield]

Thanks for all your help with this, John, but I told you it would be something stupid! Turns out the proxy page files I had downloaded were from an older help page (http://resources.esri.com/help/9.3/a...gs_proxy.htm); once I downloaded the more up to date proxy page files, everything worked perfectly.