
Hide username and password in web traffic?

Comments

3 comments

  • Gareth Evans

    Hi Ryan Kelley, I'm inferring this is a client-side workflow. The tricky thing here is these are all web requests, including the one being sent as a query to your ArcGIS Server.

    A few further thoughts:

    - Is this workflow querying a secured layer from a webmap, or is this token arcgis server URL entirely separate from the webmap?

    - In the context of GE (I know this is VSW) we had some best practices about how to Encrypt connection strings and sensitive data in configuration files – VertiGIS - I'm picturing a similar style thing for VSW/VSWF. 

    0
  • Ryan Kelley

    Hi Gareth - 

    Yes, this is a client side workflow passing user/pass to a server side workflow to generate the token, and pass the token string back to the client side workflow. The feature service of interest is not in the webmap, but is on a traditional ArcGIS Server setup that we are writing features to, if you have access to do so. This will not be an issue in the future when we go full ArcGIS Enterprise, so this is really a short term problem. Per the article you posted in this thread, I thought about a config file, and using a service acct to generate the token instead of the user's credentials. I am sure there is a better way to do what we are attempting... and I might just see if the user is in the right Portal group before then firing off a request to get the token with the service acct credentials embedded in the server side workflow or called from there.

    1
  • Ryan Cooney

    If it is the end user's username and password you can likely just use the Generate ArcGIS Token activity in the client workflow with no need for the server workflow. The server workflow pattern to do this is more common when the end user doesn't have credentials and the server workflow has the credentials of a service account.

    The Generate ArcGIS Token activity simply invokes the /generateToken endpoint (https://developers.arcgis.com/rest/services-reference/enterprise/generate-token.htm). This endpoint doesn't support any officially documented additional level of encryption, although there is some behaviour of ArcGIS Server that does this when you sign in to the REST API directly.

    Generally, if the credentials are in the body of a POST (which is the case for this activity) and the request is over an HTTPS connection it is safe.

    0
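The POST-body-over-HTTPS point from the last comment, as an added example that is not part of the thread and is not VertiGIS or Esri code: one function builds a /generateToken request with the credentials only in the form body, and one audits a captured request for credentials in the URL, which is the part servers and proxies typically write to access logs. The host names, credentials and helper names are constructed; `username`, `password`, `client`, `referer`, `expiration` and `f` are the endpoint's documented parameters.

```javascript
// Added example. Host names, credentials and helper names are constructed.
const SENSITIVE = ['username', 'password'];

// Build a /generateToken request with the credentials in the POST body only.
function buildTokenRequest(endpoint, username, password, referer) {
  const url = new URL(endpoint);
  if (url.protocol !== 'https:') {
    throw new Error('refusing to send credentials over ' + url.protocol);
  }
  if (url.search || url.username || url.password) {
    throw new Error('endpoint URL must not carry a query string or userinfo');
  }
  const body = new URLSearchParams({
    username, password, client: 'referer', referer, expiration: '60', f: 'json',
  });
  return {
    method: 'POST',
    url: url.toString(),
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Audit a captured request (for example from browser dev tools) and list
// the ways it exposes credentials outside an encrypted POST body.
function auditRequest(req) {
  const findings = [];
  const url = new URL(req.url);
  if (url.protocol !== 'https:') findings.push('not-https');
  if (url.username || url.password) findings.push('credentials-in-userinfo');
  for (const key of url.searchParams.keys()) {
    const name = key.toLowerCase();
    if (SENSITIVE.includes(name)) findings.push('query:' + name);
  }
  return findings;
}

const ENDPOINT = 'https://gis.example.com/arcgis/tokens/generateToken'; // constructed
const good = buildTokenRequest(ENDPOINT, 'editor', 'p@ss w0rd', 'https://maps.example.com');
const samples = [ // constructed requests: one safe, two that expose credentials
  good,
  { method: 'GET', url: ENDPOINT + '?username=editor&password=secret&f=json' },
  { method: 'POST', url: ENDPOINT.replace('https:', 'http:'), body: good.body },
];
for (const s of samples) {
  // Print only the origin so the sample password never reaches the console.
  console.log(s.method, new URL(s.url).origin, JSON.stringify(auditRequest(s)));
}
```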
