Working
with secure Web services
ArcGIS
Server Web services may be secured to permit only authorized users. Working
with a secured service depends on how the service handles authentication.
ArcGIS Server Web services support two authentication
methods: HTTP\Windows authentication and token-based authentication. Only
one authentication type can be enabled at a time on an ArcGIS Server Web
site.
HTTP/Windows authentication:
Services using this method issue a challenge in response to a request,
and the client must respond with appropriate credentials to authenticate
the client. The client may be authenticated in one of several ways, including
Basic, Digest, or Integrated Windows Authentication. To authenticate the
request, as a developer you must set the identity within the request.
When using a SOAP proxy, set the identity on proxy. This
technique is different depending on which development environment you
are working with.
Token-based
authentication:
This method is typically used when users are stored in a database or file,
rather than as operating system users. To authenticate the request, you
must obtain a token from the token service recognized by the ArcGIS Server
instance. The token is appended to the query string of the Web service
URL. If you have access to the user name and password in your server-side
code, you should request the token dynamically. It is also possible to
pre-create the token and embed it within the application, but dynamically
created tokens are safer because they generally time out and hence will
not be as useful to someone who might intercept the token. Use
the Catalog service to determine
if a service requires token-based authentication.
Tutorial:
Both
methods are demonstrated in the tutorial "Using secure services".
Click on the language link below to view the tutorial
content.