Secured services

Version 2.5

You can set up ArcGIS Server web services to permit only authorized users by using one of two authentication methods: token-based or HTTP (including Windows) authentication. The ArcGIS Server system administrator provides authentication information to connect to the secured service.

Token-based authentication

Token-based authentication services require that a token be included in each request for a map, query, and so on. A token is an encrypted string that is derived from information about the authorized user, date and time, and client making the request.

To use a service that requires tokens, you must obtain a token, then add it to your application.

Obtaining a token

To obtain a token, take the following steps:

  1. Get the URL of the service. The URL can be obtained from either your administrator or the Services Directory.
  2. Visit the URL. You are routed to the Services Directory and may be prompted to log in.
  3. Click Get Token in the upper right corner.
    Note:

    If there is no Get Token link, the service is either not secured or it uses HTTP/Windows authentication.

    The Secure Token Service web page appears.
  4. Click Generate. A token appears.
  5. Copy this value and use it in your application. If no token appears or if an error message is displayed, ensure you are using HTTPS and that the values you entered are correct.

If your application is server based (ASP.NET, JSP, PHP, and so on), another option is to generate tokens dynamically at run time. You can use code to send, use, and renew the token and detect its timeout. You will also need to route requests through your server. For more information, see Using the proxy page.

Adding the token to your application

Once you have a valid token, add it to your application in one of the following ways:

  • Include the token in the map request by setting the token property of the service as shown in the following code:
    <esri:ArcGISTiledMapServiceLayer
        token="cggEFLivAeuzeEzxqYbt3XVXwJHtBINpCLQdq4YaxmOghNgsnB6iLWjlHsd7xomB"
        url="http://www.example.com/ArcGIS/rest/services/TreasureMap/MapServer"/>
    
  • Include the token in the map request by adding the token property to the URL property of the service as shown in the following code:
    <esri:ArcGISTiledMapServiceLayer
        url="http://www.example.com/ArcGIS/rest/services/TreasureMap/MapServer?token=cggEFLivAeuzeEzxqYbt3XVXwJHtBINpCLQdq4YaxmOghNgsnB6iLWjlHsd7xomB"/>
    
  • Use a proxy page and include the token in the configuration for the proxy page. This option offers a higher level of protection for the token, as end users do not have access to it. For more information, see Using the proxy page.
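The following is an added example, not code from the ArcGIS API for Flex or from Esri's proxy page, showing the server-side pattern described above and in the run-time token paragraph: a small token cache that renews the token before its timeout, and a proxy step that only forwards requests for allowed service URLs and attaches the cached token so the browser never sees it. It assumes (not stated on this page) that the token service replies with JSON of the form {"token": ..., "expires": <epoch milliseconds>}, and it takes the HTTPS fetch as an injected function.

```python
import time
import urllib.parse
from typing import Callable, Dict, Iterable

# Assumed (not from the page) shape of the token service's JSON reply:
# {"token": "<string>", "expires": <epoch milliseconds>} or {"error": {...}}.
TokenReply = Dict[str, object]


class TokenManager:
    """Holds one server-issued token and renews it before it times out."""

    def __init__(self, fetch_token: Callable[[], TokenReply],
                 renew_margin_s: float = 60.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch_token        # performs the HTTPS call to the token service
        self._margin = renew_margin_s    # renew this many seconds before expiry
        self._clock = clock
        self._token = ""
        self._expires_s = 0.0
        self.renewals = 0                # how many times a token was fetched

    def token(self) -> str:
        if not self._token or self._clock() >= self._expires_s - self._margin:
            reply = self._fetch()
            if "token" not in reply:
                raise RuntimeError("token service error: %r" % reply.get("error"))
            self._token = str(reply["token"])
            self._expires_s = float(reply["expires"]) / 1000.0  # ms -> s
            self.renewals += 1
        return self._token


def proxy_rewrite(requested_url: str, allowed_prefixes: Iterable[str],
                  manager: TokenManager) -> str:
    """Proxy-page step: accept only allowed service URLs, then attach the
    cached token server-side so the end user never receives it."""
    if not any(requested_url.startswith(p) for p in allowed_prefixes):
        raise PermissionError("URL not in the proxy's allowed list")
    parts = urllib.parse.urlsplit(requested_url)
    if parts.scheme != "https":
        raise ValueError("token must only travel over HTTPS")
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query["token"] = manager.token()   # replaces any client-supplied token
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))
```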

Increased security

To increase security, use one of the following methods:

  • Use the proxy.
  • Use HTTPS and require users to log in to your application. Your token contains the referrer URL of your application, so users should be unable to use the token in an application hosted at a different server. However, it is possible to spoof the referrer. Requiring a login and using HTTPS reduce this possibility.

HTTP/Windows authentication

When a request is made to a service secured with HTTP authentication (including Windows authentication using IIS), the server issues an authentication challenge. The application or user must respond with appropriate user credentials using standard HTTP authentication methods.

The two approaches to accessing a secured service using HTTP/Windows authentication are as follows:

Tip:

If HTTP Basic authentication is used, you should require that users employ HTTPS when accessing your application to prevent password interception. Other authentication methods, such as Digest or Integrated Windows Authentication, may protect user logins, but for maximum security, HTTPS is recommended when users are logging in.

Tip:

Authentication is required only for the initial request to the secure service. This may result in a user encountering a login dialog box midway through a session. For example, if the user requests a nonsecure map, then tries to perform a query on a secure server, the login dialog box will appear only after the query. To avoid this, send a request in the background to the ArcGIS Server system when the application starts, such as a simple REST request for service information. The user would be prompted to log in on startup rather than when using the application.

Caution:

Supplying end users with a user name and password is not appropriate when services from more than one ArcGIS Server system are used in an application, as multiple logins would be required. This limitation does not apply when using multiple services within the same ArcGIS Server system, since the challenge is issued for the entire server.

Note:

The ArcGIS API for Flex supports basic use of secured services from ArcGIS Server 9.3 and above. There is no support for ArcIMS secured services.

If you are the administrator of an ArcGIS Server system, you can restrict access to your ArcGIS web services. Information on restricting access is available in ArcGIS Server Help and online at ESRI.

12/2/2011