
Connecting to a secured ArcGIS Server map service

Comments

3 comments

  • Drew Millen
    Hi Joachim,

    Here's how things work when you supply the username and password only within the MapService element for your secured service.

    Geocortex Essentials will use this username and password to retrieve a token from the ArcGIS Server token service on your ArcGIS Server installation. It does this by visiting the token service at https://<yourserver>/ArcGIS/tokens. If this fails, it will try again using "http" instead of "https" since https is preferred. The token returned is the token used for subsequent requests against your secured service (for example, to get the list of layers belonging to it). Geocortex Essentials will do this when initializing your map services belonging to your site (for example, when the REST API web application is reloaded, or when your Site.xml changes).

    When your Site is published in the REST API, the "site/<yoursite>/map/mapservices/<yourmapservice>" REST endpoint will augment the connection string returned to the calling application (in this case the Silverlight API) with a "token" parameter. It will do this for JSON responses only. The token parameter contains a token generated when using the client's IP address or referrer (it tries both, looking for the referrer in the request first).

    In this way, both the server side code (Geocortex Essentials) and the client side code (the Silverlight API) can retrieve tokens when you define your mapservice using the username and password only. This is the simplest configuration, which is why this approach is recommended.

    For this to work it's important that the Geocortex Essentials REST API is able to retrieve tokens from your ArcGIS Server token services at https://<yourserver>/ArcGIS/tokens.

    If you are defining your connection using tokens, instead of the username and password, then you need to supply two tokens: the token in the connection string is used by the client only. This token is passed to your client API application and used by it when connecting to ArcGIS Server only.

    As you have pointed out, your server will also need a token since it's coming from a different referrer or IP address. In this case, supply the MapService element with a "PrivateToken" property (it's an attribute in the MapService element). This is the token that the server will use when connecting to ArcGIS Server.

    From your post, I can't see the error you're getting - it looks as though it was cut off. It sounds like your Site won't load in the REST API. You will need to troubleshoot this before getting it to work in the Silverlight API. Here are a few things you may want to verify:
    • When your map service is running in ArcGIS Server, can you visit the "gettoken" page at 'https://<yourserver>/ArcGIS/tokens/gettoken.html'?
    • Can you get a token when making a request to the gettoken operation such as:
      'https://<yourserver>/ArcGIS/tokens/?request=getToken&username=<user>&password=<pass>&clientid=ref.http://www.geocortex.com&expiration=60'
    • If your site is running in the REST API, navigate to the "GetToken" operation in the Geocortex Essentials sites directory, and make sure it will generate a token for you.  If you navigate to your mapservice (Site > Map > MapService), at the bottom of the page you will see a link to the "GetToken" operation.  Clicking on this should show you a form where you can enter the duration, and it should also automatically provide you with a token.
    • When you look at the JSON response for your map service, make sure that the connection string is automatically being augmented with a token.  You can see the JSON response by clicking the 'Supported Interfaces: REST' link at the bottom of your map service REST endpoint page in the Geocortex Essentials sites directory.

    I hope these steps will help you troubleshoot the issue further.

    Drew.

    From: Joachim Eckbo Juell

     

    Posted: Wednesday, June 23, 2010 6:47 AM

     

    Subject: Connecting to a secured ArcGIS Server map service

     

    Hi, I can't figure out how to configure my Essentials REST site to contain a secured AGS MapService. I have some other public AGS services in there, so everything works fine before I add the secured one. I'm using the REST site in the Silverlight 4 API. With the latest version of Essentials. And I have the Silverlight application and Essentials running on two different servers (and different external IP). I have tried to omit the token parameter, and supply the Username and Password properties. According to the XML-doc, this is the best way, since it then is supposed to use a short lived token. But this doesn't work. I don't understand where you in this case get the url from, to generate the token? If you have some logic to find this from the response returned from ArcGIS Server, I might have a problem - because it's configured to return an internal url. I have also tried with the token-parameter in the ConnectionString, both a token generated with the IP of the SL client, and one with the IP of the Essentials server. Nothing works. How is this supposed to work anyway? If I generate a token that is valid for the client (either by http-referrer or IP), it won't be valid from the Essentials server, and vice versa. By the way, I'm still having problems in Silverlight 4 to use a token based on http referrer (this was supposed to be fixed in Silverlight 4...). I have also tried a short lived token in the ConnectionString (and I was quick). When I say its not working, it means that the Site won't load, and I get errors like this:
    0
  • Permanently deleted user
    Drew,

     

    Thank you very much for your thorough and quick response :)

     

    It looks like the PrivateToken-property was the solution. But I need to have this property set, along with Username and Password to make it work. Only having Username and Password set doesn't work.

     

    But there is another problem. As mentioned earlier, one has to use IP based token in Silverlight (http-referrer is not being sent from the client). When I decrypt the token that is passed from Essentials to the Silverlight client (the connectionString of the map service), the IP-address in the token is from the firewall that the Essentials server is behind. And not the client IP. And that won't be valid on the external secured ArcGIS Server service, of course.

     

    As a workaround, I was hoping I could set the ServiceToken on the MapService when it is initialized on the client (cause there I have a valid token used in a few FeatureLayers). But that property is read-only :(

     

    Are you sure you are using "Request.UserHostAddress" to get the client ip on the server? Another option you guys have is to skip the clientip and expiration parameters when you request the token. Then you will get a short lived token that is valid for 60 minutes (default).
    0
  • Drew Millen
    Hi Joachim,

    It's very odd that you should require the PrivateToken as well as the Username and Password. We will investigate this further.

    So, the PrivateToken will be used when making requests from Geocortex Essentials server-side components to ArcGIS Server, and the token being used by the Silverlight API is automatically generated by Geocortex Essentials using the IP address of the request. To automatically generate this token, we first attempt to use the referrer (if it's present). In the case of Silverlight, it won't be present so we fall back on using the IP address defined in "HttpRequest.UserHostAddress". You're right, when Essentials is behind a firewall, this IP address will resolve to the IP address of the firewall. You have a couple of options:
    1. In your MapService connection string, you can define a "token" property.  This is the token that will be used by your Silverlight API.  So, a PrivateToken will be defined as an attribute of the MapService element, and will be used by Essentials, and the token property within the connection string will be used by the Silverlight API.  For example: ConnectionString="url=<yoururl>;token=<clientToken>".
    2. Before Geocortex Essentials automatically generates a token for the client application (when requesting the connection string of a secured map service using the Essentials REST API), it checks for the presence of two request parameters: "SecuringReferrer" and "SecuringIP".  If you pass in the "SecuringIP" parameter using the IP of your Silverlight API client application it will be used instead of "HttpRequest.UserHostAddress".  This is a bit sneaky, but it is supported and it should work for your scenario.
    3. Instead of generating a token which will be sent to the client, you can use a proxy page to perform the requests to ArcGIS server.  The client APIs know how to deal with a proxy page instead of targeting ArcGIS Server directly with a token.  If you specify the "proxy" parameter in your MapService connection string, it can point to a proxy which you have configured to issue requests to ArcGIS Server on behalf of the Silverlight API.  Details on setting up and configuring a proxy can be found here: http://help.arcgis.com/en/webapi/javascript/arcgis/help/jshelp_start.htm#jshelp/ags_proxy.htm.  Once you have this set up, you can define your connection string with a proxy parameter such as: ConnectionString="url=<yoururl>;proxy=http://<yourserver>/Proxy" (assuming you named your proxy virtual application "Proxy").

    We explicitly opted against generating short-lived tokens since we desire the ability to allow client applications to run indefinitely without timing out, and not all of the client APIs have built in logic to request new tokens when the existing ones expire.  No "session timeout" is one of the distinct advantages to using a client technology.

    I hope one of the above options works for you.  Let me know how it goes.

    Drew.

    From: Joachim Eckbo Juell

     

    Posted: Thursday, June 24, 2010 1:58 AM

     

    Subject: Connecting to a secured ArcGIS Server map service

     

    Drew,

     

    Thank you very much for your thorough and quick response :)

     

    It looks like the PrivateToken-property was the solution. But I need to have this property set, along with Username and Password to make it work. Only having Username and Password set doesn't work.

     

    But there is another problem. As mentioned earlier, one has to use IP based token in Silverlight (http-referrer is not being sent from the client). When I decrypt the token that is passed from Essentials to the Silverlight client (the connectionString of the map service), the IP-address in the token is from the firewall that the Essentials server is behind. And not the client IP. And that won't be valid on the external secured ArcGIS Server service, of course.

     

    As a workaround, I was hoping I could set the ServiceToken on the MapService when it is initialized on the client (cause there I have a valid token used in a few FeatureLayers). But that property is read-only :(

     

    Are you sure you are using "Request.UserHostAddress" to get the client ip on the server? Another option you guys have is to skip the clientip and expiration parameters when you request the token. Then you will get a short lived token that is valid for 60 minutes (default).
    0
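
The token-binding behaviour discussed in this thread, as an added example that is not part of any post and is not Geocortex or Esri code: it models which referrer or IP a client token ends up bound to, and why the default fails when Essentials sees the firewall's address. The function names, the sample addresses, the `ip.` clientid prefix, equality matching, and the relative order of `SecuringReferrer` and `SecuringIP` are assumptions.

```python
# Added illustration (not Geocortex or Esri code): which binding a client
# token gets, and whether ArcGIS Server would then accept it.

def choose_client_binding(params, referrer, user_host_address):
    """Pick the clientid for the client's token.

    Order modelled from the thread: explicit SecuringReferrer / SecuringIP
    request parameters, then the HTTP referrer, then the peer address
    (HttpRequest.UserHostAddress). Which of the two Securing* parameters
    wins when both are sent is an assumption.
    """
    if params.get("SecuringReferrer"):
        return "ref." + params["SecuringReferrer"]
    if params.get("SecuringIP"):
        return "ip." + params["SecuringIP"]      # "ip." prefix is assumed
    if referrer:
        return "ref." + referrer
    return "ip." + user_host_address


def token_accepted(clientid, seen_referrer, seen_ip):
    """Simplified model of the check on ArcGIS Server: the binding in the
    token must equal what that server observes on the incoming request."""
    kind, _, value = clientid.partition(".")
    return value == (seen_referrer if kind == "ref" else seen_ip)


def scenario():
    # Constructed addresses (documentation ranges), not from the thread.
    client_ip = "198.51.100.7"     # Silverlight client as ArcGIS Server sees it
    firewall_ip = "203.0.113.1"    # what Essentials sees as UserHostAddress
    results = {}
    # Silverlight sends no referrer, so Essentials falls back to the peer
    # address, which is the firewall: the token is rejected for the client.
    default = choose_client_binding({}, None, firewall_ip)
    results["default"] = (default, token_accepted(default, None, client_ip))
    # Option 2 from the reply: the client passes its own address as SecuringIP.
    fixed = choose_client_binding({"SecuringIP": client_ip}, None, firewall_ip)
    results["securing_ip"] = (fixed, token_accepted(fixed, None, client_ip))
    return results


if __name__ == "__main__":
    for name, (clientid, ok) in scenario().items():
        print(f"{name:12} clientid={clientid:20} accepted={ok}")
```

With `SecuringIP` the binding reflects what the caller declares rather than what the server observed, which matters when deciding who may reach that REST endpoint.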
