Secure map requests when layer permissions enabled
If your Essentials site contains token secured ArcGIS Server layers and you have applied layer permissions, the requests will be proxied through Essentials instead of being sent directly to the ArcGIS Server with the token attached. Because Essentials will generate a new token whenever needed, the end user never has to worry about token expiry.
The problem occurs when you have a public application that contains a layer configured as above (Guest user layer permissions). In this scenario, the user can capture the request sent to Essentials using tools such as Fiddler (whether or not the communication uses HTTPS) and use it to indefinitely access the secured layer through Essentials because it doesn't employ any authentication and will automatically generate new tokens using the configured username/password.
The solution might be to encrypt or hash the map request sent to Essentials so that, at the very least, the parameters being sent are hidden, but perhaps there is also some way of hashing a timestamp so that, like an AGS token lifespan, an Essentials service request could only be used for a brief period of time.
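One way the timestamp idea above can be made concrete, as an added example that is not part of the original post or of Essentials itself: the server signs the proxied map request parameters together with an expiry time using an HMAC keyed with a secret the browser never sees, and the proxy refuses any request whose signature does not match or whose expiry has passed. Names (`sign_request`, `verify_request`, `SERVER_SECRET`, `MAX_AGE_SECONDS`) and the sample parameters are assumptions for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed example secret. In a real deployment this lives only in the
# proxy's protected configuration; it must never reach the public viewer.
SERVER_SECRET = b"example-secret-replace-me"
# Short lifetime for a signed request, similar in spirit to an AGS token lifespan.
MAX_AGE_SECONDS = 120


def canonical(params: dict) -> str:
    """Deterministic encoding so issuer and verifier sign exactly the same bytes."""
    return urlencode(sorted(params.items()))


def sign_request(params: dict, issued_at: int, secret: bytes = SERVER_SECRET) -> dict:
    """Issuer side: add an expiry and an HMAC-SHA256 over all parameters, including the expiry.

    Binding the MAC to every parameter means a captured request cannot be
    re-pointed at other layers or extents without invalidating the signature.
    """
    signed = dict(params)
    signed["exp"] = str(issued_at + MAX_AGE_SECONDS)
    signed["sig"] = hmac.new(secret, canonical(signed).encode(), hashlib.sha256).hexdigest()
    return signed


def verify_request(signed: dict, now: int, secret: bytes = SERVER_SECRET) -> tuple:
    """Proxy side: accept only an untampered request that has not yet expired.

    Returns (ok, reason); the proxy should forward to ArcGIS Server only when ok is True.
    """
    params = dict(signed)
    sig = params.pop("sig", None)
    exp = params.get("exp")
    if sig is None or exp is None:
        return False, "missing signature or expiry"
    expected = hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    try:
        if now > int(exp):
            return False, "expired"
    except ValueError:
        return False, "malformed expiry"
    return True, "ok"
```

Within the lifetime window a captured request still replays, so the window should be as short as the viewer's usage pattern allows; the check also assumes the proxy and issuer clocks agree, which is why the expiry is compared against server time rather than a client-supplied value.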
It appears that the Essentials (various release versions including the latest) are not able to consume token based Arc services at 10.5.x (Web Tier w/proxy page). Is this true?