custom header values for http request

[lukepatrick]

when adding various service URI's to the map, is it possible to set custom header values to the http request that the ESRI iOS api is making to my arcgis server? The intention here is get through a security policy that places usernames/passwords in the headers.

[technobrat]

Unfortunately, this is not possible at this time.

Could you please elaborate on the security policy you're referring to. The API already supports ArcGIS Server security model (Basic/Digest/Token).
If we have more information about your needs we can try and suggest ways to meet them or build provisions in the API for a future release.

[lukepatrick]

Unfortunately, this is not possible at this time.

Could you please elaborate on the security policy you're referring to. The API already supports ArcGIS Server security model (Basic/Digest/Token).
If we have more information about your needs we can try and suggest ways to meet them or build provisions in the API for a future release.

Instead of relying on ArcGIS Server for security, we have a 'mediation platform' (think Layer 7 or Tibco) to give a front end for all service calls to the back-end enterprise. This also handles the security up front and lessens the need for the back end enterprise to try to stay in sync with evolving security access/profiles. Once authenticated this provides basically a pass-through to the ArcGIS Server endpoints, using token values specified in the http request header, not URL parameters. Other http request header values provide for various other logging/tracking of service calls. What I would like simply would be more access to the http request object.

[lukepatrick]

Let me add some details to my request. What we have implemented as a security mechanism in front of our services is modeled after OAuth2, and for the OAuth 2.0 API you can pass through your tokens/username/password has header values or URI params, we limit it to header values. Is this type of security planned for the ESRI api's?

Another thought is if it would be possible to have the ESRI api make a request to a URI that is nothing more than 'http://localhost', then for me to intercept that and make the call myself with the Oauth security.