[GIS] About token-based authentication security

arcgis-javascript-api, arcgis-server, javascript, security

I am reading about authenticated services with tokens. I understand that a user has to get a token to use ArcGIS services.
Example: https://domain.com/arcgis/rest/services/myMap/MapServer is my service.
My server administrator gave me a token like this: Token = AJSJK876548sjjs7

And I use this service in my JavaScript API like this:
https://domain.com/arcgis/rest/services/myMap/MapServer?token=AJSJK876548sjjs7

A user can view my application source from the browser and get my token. Then he/she can access my service.
Is this a security problem?

Best Answer

Yes, it is a security problem.

A common solution is to go through a proxy: a service you write that your client can call that will in turn call the endpoint. Your client calls your service with all arguments except the token. The service copies all the arguments passed to it, adds the token, calls the endpoint, and returns the response to your client.
