What Parameters are used by Essentials to request AGS token?
A follow up to my question from yesterday. I'm trying to determine what parameters Essentials is sending to AGS when it requests a token. Since they're POSTed to the AGS service I can't see the parameters directly.
There used to be some .NET code (for AGS 10.0) that would allow you to decrypt a token and find the input parameters, but that doesn't work with AGS 10.1+.
I'm trying to find out this information because I've found an issue with the AGS tokens that I need to resolve. What I've found is that I can take the token that Essentials requests (and appends to all requests for the secured service in the HTML5 viewer) and make requests directly to the REST endpoint using that token and gain access to the service.
I have set up the secured service in Essentials Manager so that it should be tied to a referring URL rather than an IP address, so I would have thought that I could only use that token from my HTML5 viewer.
I also tried accessing the AGS REST endpoint from a virtual machine with a different IP address, on which I was logged in as a local user (not part of the AD group that is assigned to the secure service), and I was still able to access the secure service. A co-worker also tried it from his computer and could access the secure service.
This makes me wonder how the token was generated, and if it truly is supposed to be tied to the referring URL, why does it work everywhere else?
Has anyone else noticed this behaviour? Could it possibly be the way we have AGS security enabled (GIS Tier security using AD users/roles)?
Peter.
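The behaviour described above (a token that was meant to be tied to a referring URL being accepted from other hosts and other users) is what you would expect from any binding that rests on a client-supplied header. The Python below is an added illustration, not code from the post, from Geocortex Essentials or from ArcGIS Server, and it does not model the real AGS token format, which is not shown here. It assumes a generic HMAC-signed token carrying a user, a binding claim and an expiry, and compares a referer-bound token with one bound to the server-observed source address: the referer-bound token verifies from any host that repeats the same header, while the IP-bound token, a short expiry and the signature check each reject the replayed or altered token. Names such as `mint_token`, `verify_token` and the demo secret are constructed for the example.

```python
"""Model of client-bound access tokens: mint, verify, and compare binding modes."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real token service would load this from protected config.
SECRET = b"demo-signing-key-for-illustration-only"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user, binding_kind, binding_value, ttl_seconds, now=None):
    """Issue a signed token recording who it is for, what it is bound to, and when it expires."""
    now = int(time.time() if now is None else now)
    claims = {"user": user, "bind": binding_kind, "value": binding_value, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_token(token, request_ip, request_referer, now=None):
    """Check signature, expiry and binding against the presenting request. Returns (ok, reason)."""
    now = int(time.time() if now is None else now)
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        return False, "expired"
    if claims["bind"] == "referer":
        # The Referer header is supplied by the client, so this only checks what the caller chose to send.
        if not (request_referer or "").startswith(claims["value"]):
            return False, "referer mismatch"
    elif claims["bind"] == "ip":
        # The source address is observed by the server rather than declared by the client.
        if request_ip != claims["value"]:
            return False, "ip mismatch"
    else:
        return False, "unknown binding"
    return True, claims["user"]


def demonstrate(now=1_700_000_000):
    """Replay the scenario from the post against both binding modes; returns a dict of outcomes."""
    viewer = "https://viewer.example/"          # constructed viewer URL
    ref_tok = mint_token("alice", "referer", viewer, 600, now)
    ip_tok = mint_token("alice", "ip", "10.0.0.5", 600, now)
    # Flip the last hex digit of the signature to model an altered token.
    tampered = ref_tok[:-1] + ("0" if ref_tok[-1] != "0" else "1")
    return {
        "referer_from_viewer_host": verify_token(ref_tok, "10.0.0.5", viewer, now)[0],
        "referer_from_other_host": verify_token(ref_tok, "10.0.0.9", viewer, now)[0],
        "ip_from_issuing_host": verify_token(ip_tok, "10.0.0.5", None, now)[0],
        "ip_from_other_host": verify_token(ip_tok, "10.0.0.9", None, now)[0],
        "expired": verify_token(ref_tok, "10.0.0.5", viewer, now + 601)[0],
        "tampered": verify_token(tampered, "10.0.0.5", viewer, now)[0],
    }


if __name__ == "__main__":
    for case, ok in demonstrate().items():
        print(f"{case:28s} {'accepted' if ok else 'rejected'}")
```

The point for a deployment like the one in the post is that "tied to a referring URL" restricts only which header value must accompany the token, not which machine or which user presents it; whatever a referer-bound token is actually meant to enforce, the controls that do limit reuse are a binding the server can observe itself, a short token lifetime, and checking the caller's identity on the secured service rather than relying on the token alone.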