How to use secure service feature with token in silverlight

6207
6
04-17-2012 09:31 AM
JasonPrice
New Contributor
We are in the process of converting a flex application to Silverlight and I'm having issues with tokens.  I get an "invalid token" error in the layer initializationFailed method no matter what I do.  The flex application resides on the same server and works fine.

It is a very simple map....this is all it is:

<esri:Map Grid.Column="2" x:Name="MyMap" WrapAround="True">
   <esri:ArcGISTiledMapServiceLayer ID="MyService"
           url="http://<myserviceURL>/ArcGIS/rest/services/MDWFP/WMA_Public/MapServer"
           InitializationFailed="MDWFPLayersFailed"
           Token="mytoken"
   />
</esri:Map>

"myserviceURL" and "mytoken" are valid and work fine with flex.  If I change "myserviceURL" to an arcGISonline service and no token it works fine.

I've tried creating new tokens (some with all https some with all http, some with URL/HTTP Referer and some with IP address*) and used each one with and without a proxy ...all end with same "invalid token" error.

*The way our servers are setup (State of Mississippi) the public ip address is behind an access manager (Webseal) so it makes since that it would fail.

I read in the documentation the following information:

"An Identifier to define a distinct ID for the web application that will use the token. You have two options: Web application URL/HTTP Referer or IP address. At the moment, the Referer header cannot be set by a Silverlight application. If you need to create a long term token, use the IP option with a proxy page."

Am I interpreting the documentation correctly if I read it as:  "Referer header cannot be set FOR a silverlight application"?

So does this mean that I can't use Silverlight to develop at all (all our services are secured) since IP is not an option for our configuration? 



PS., the Proxy pages are setup correctly and working....
0 Kudos
6 Replies
DominiqueBroux
Esri Frequent Contributor
Am I interpreting the documentation correctly if I read it as: "Referer header cannot be set FOR a silverlight application"?


Right. The developer can't set the Referer. This one is automatically set by the plugins but is depending on the browser, so is difficult to use.

That being said it's possible to access secured services from Silverlight:)

Likely your problem is coming from the way you generated the token.
You can either generate a short lived token (without client parameter in the web request getting the token) or a token associated to the current IP (by adding the parameter client=requestip in the web request).

Note that you don't have to give the IP address just the literal 'requestip'.

Hope that helps.
0 Kudos
JasonPrice
New Contributor
Right. The developer can't set the Referer. This one is automatically set by the plugins but is depending on the browser, so is difficult to use.

That being said it's possible to access secured services from Silverlight:)

Likely your problem is coming from the way you generated the token.
You can either generate a short lived token (without client parameter in the web request getting the token) or a token associated to the current IP (by adding the parameter client=requestip in the web request).

Note that you don't have to give the IP address just the literal 'requestip'.

Hope that helps.


Thanks Dominique, I'll investigate the client=requestip option...I'm not sure where to begin but will search through the documentation.  I'll report back with results or further questions.  Thanks again for A. letting me know that it will work and B. offering a starting point for a solution.
0 Kudos
JasonPrice
New Contributor
Thanks Dominique, I'll investigate the client=requestip option...I'm not sure where to begin but will search through the documentation.  I'll report back with results or further questions.  Thanks again for A. letting me know that it will work and B. offering a starting point for a solution.


Ok, I'm following the documentation at:

http://help.arcgis.com/en/arcgisserver/10.0/help/arcgis_server_dotnet_help/index.html#/Configuring_t...

Please note that the ArcGIS Server resides on our State portal so I do not have the ability to change settings on the server.

When I try to hit the token service to generate a token with client=requestip I get a 403 - Forbidden:  Access is denied error.  I'm using the following url:

https://<ArcGISserver>/ArcGIS/tokens?request=gettoken&username=<myusername>&password=<mypassword>&clientid=requestip

I can login fine with the username/password on the request token html page:
https://<webserver>/ArcGIS/Tokens/gettoken.html


Since I don't have access to the server I don't know how authentication is being done...probably asp.net forms-based or token based?

Do I need to request that my username be added to a certain role to access the token service (I can create tokens with gettoken.html with the username) or do I need to request that the machine name be changed to public domain name for the service to be accessible according to the documentation below?  Or is there something else entirely different that I need to be looking at?




Making the Token Service accessible from the Internet

As discussed above, ArcGIS Desktop, ArcGIS Explorer and Web ADF clients need access to the Token Service in order to request a token for secure services. When making an ArcGIS Server instance accessible of the Internet, you will need to change the URLs for accessing the Token Service so it can be found in the Internet.

When ArcGIS Server is installed, it stores the name of the machine in the URL for accessing the Tokens Service. In an intranet setting where that machine name can be resolved, this will work fine. However when you make that machine accessible over the Internet, the machine name will not be able to be resolved by your clients.

To fix this, you must change three web.config files in the rest, Services, and Tokens folder of your ArcGIS Server instance (<Web Root>\<ArcGIS Server Instance name>). Open each of these web.config files in a text editor and follow these steps:

    Within the appSettings element find the element with the key: TokenServiceURL.
    Change the value for this key from https://<machine name>/ArcGIS/tokens to https://<public domain name>/ArcGIS/tokens.
0 Kudos
DominiqueBroux
Esri Frequent Contributor
What is the version of your server?

When you use 'https://<webserver>/ArcGIS/Tokens/gettoken.html' do you see a check box 'IP Address of this request's origin' ?
0 Kudos
JasonPrice
New Contributor
What is the version of your server?

When you use 'https://<webserver>/ArcGIS/Tokens/gettoken.html' do you see a check box 'IP Address of this request's origin' ?


It is version 10 (or at least that is what I've been told).  I don't get "IP Address of this request's origin" check box.  See attached screenshot of the gettoken.html page.

[ATTACH=CONFIG]13668[/ATTACH]
0 Kudos
AndrewBiggins
New Contributor III

Hi all,

For anyone that gets this issue after upgrading to 10.4.1, there is a new security setting that blocks GET token requests by default. We had to enable this again to get our proxy page working, via the ArcGIS admin page. For details, refer to http://server.arcgis.com/en/server/latest/administer/windows/enable-token-acquisition-through-an-htt... 

0 Kudos