short lived tokens expiring, not renewed
We have an ArcGIS service that is secured with token security and the lifespan is set to 5 minutes (limiting potential for skimming secure data - but that's another question).
Our Essentials site loads fine but after 5 minutes the token expires and no attempt is made (that is visible through Fiddler at least) to request a new token. Does Essentials have the ability to do this or do we have to make the lifespan of the token longer than the max time someone will spend in the app?
Hi Peter,
That's a great question! I did some research on this, and published a KBA that explains how to change the token timeout on the Essentials side:
https://support.geocortex.com/essentialsGSCkba?sub-nav=kba&main-nav=essentials&feedtype=SINGLE_ARTICLE_DETAIL&dc=All_Essentials_kba&criteria=BESTANSWERS&id=kA360000000Gqow
Please let me know if you have any further questions on this!
Cheers,
Danny
Daniel, Thanks for the quick response.
When I tried following your instructions, the server throws a 500 Internal Server Error when accessing the Essentials Manager. We are currently using Essentials 4.2 - does the version matter?
To be clear, this is how I added the key to the web.config:
<system.net>
  <add key="ArcGisRestMapServiceBase.MaximumTokenDuration" value="280" />
</system.net>

The actual error thrown is:
The configuration section 'add' cannot be read because it is missing a section declaration
Sounds like there may be another tag required somewhere in there?
Hi there, Peter,
My apologies, I just realized that I typoed that pretty badly. That item should actually be a child of the appSettings element, not the system.net element. Sorry for the confusion there! The KBA has been updated.
Thanks,
Danny
Daniel,
I followed the updated instructions in your KBA and it does work but only sporadically.
When I first added the layer I wanted to secure and set permission for the Guest account, it worked like it should - the map continued to draw parcels regardless of how many minutes had passed (I set the short lived token lifespan to 1 minute) and the tokens were never passed to the client.
However, while working on another issue with support, I modified my site configuration (added a second copy of the parcel layer) after which the viewer stopped drawing parcels after the first 1 minute token timed out. Couldn't figure out why it stopped working and left it overnight. Came back this morning and it started working properly again. Unchecked the Guest permission for the parcel layer and reloaded the viewer and requests were being sent to ArcGIS along with the token as I would expect. After 1 minute though, I get back Invalid Token messages and the browser never gets a new token. Re-add the guest permission for parcel and reload the viewer, the requests go to Essentials as they should but it still times out after 1 minute.
The behaviour seems rather unpredictable so far - is there some cache I need to clear in order for Essentials to know it should be getting a new token as defined by the time limit set in your KBA?
Peter
Hi Peter,
I think the problem may be that the interval is in minutes, not seconds. I didn't notice that in the original testing I did with this. Sorry about that! So if you want your viewer to get a new token every minute, you'll want your parameter to look like this:
<add key="ArcGisRestMapServiceBase.MaximumTokenDuration" value="1" />
Sorry again for the confusion there.
When I applied those settings in my web.config files, I recycled the app pools in IIS, but you can achieve the same results by re-running the Post installer.
I hope that helps!
Thanks,
Danny
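An added example, not part of the original thread and not Geocortex code: a small Python check for the two mistakes worked through above (the key placed under system.net instead of appSettings, and a value chosen as seconds when the setting is in minutes). The function name, the sample web.config strings and the rule that the value should not exceed the ArcGIS short-lived token lifespan are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

KEY = "ArcGisRestMapServiceBase.MaximumTokenDuration"  # key name from the thread

def check_token_duration(web_config_xml, ags_token_minutes):
    """Return findings for the token-duration key in a web.config string.

    ags_token_minutes: short-lived token lifespan configured on ArcGIS Server.
    """
    root = ET.fromstring(web_config_xml)
    # Map each element to its parent so the key's location can be reported.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings, seen = [], False
    for add in root.iter("add"):
        if add.get("key") != KEY:
            continue
        seen = True
        parent = parents.get(add)
        parent_tag = parent.tag if parent is not None else "(none)"
        if parent_tag != "appSettings":
            findings.append(f"key is under <{parent_tag}>; it must be a child of <appSettings>")
            continue
        raw = add.get("value", "")
        try:
            minutes = float(raw)
        except ValueError:
            findings.append(f"value {raw!r} is not a number of minutes")
            continue
        if minutes <= 0:
            findings.append(f"value {raw} must be positive")
        elif minutes > ags_token_minutes:
            # Assumption: renewal has to happen within the token's lifetime.
            findings.append(f"value {raw} is in minutes and exceeds the "
                            f"{ags_token_minutes}-minute token lifespan")
    if not seen:
        findings.append("key not present in this web.config")
    return findings

# Constructed samples based on the snippets posted in the thread.
MISPLACED = '<configuration><system.net><add key="%s" value="280" /></system.net></configuration>' % KEY
SECONDS_ASSUMED = '<configuration><appSettings><add key="%s" value="280" /></appSettings></configuration>' % KEY
CORRECTED = '<configuration><appSettings><add key="%s" value="1" /></appSettings></configuration>' % KEY

if __name__ == "__main__":
    for name, xml, lifespan in [("misplaced", MISPLACED, 5),
                                ("seconds assumed", SECONDS_ASSUMED, 5),
                                ("corrected", CORRECTED, 1)]:
        print(name, "->", check_token_duration(xml, lifespan) or "ok")
```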
Thanks Daniel,
I think that has solved the problem. Should have thought of that myself, since the AGS setting for short-lived tokens is in minutes also.
Now that I've got that part working it does get me back to my underlying investigation of how to best secure our AGS services. From what I've gathered, there really isn't a good way to ensure that your secure service can't be breached once you have added it to a map.
I'm going to start a new post for that question though. Thanks for your help with this.
Peter.