GIS server tier – ArcGIS token security
The ArcGIS for Server token method is a built-in security mechanism to authenticate requests made to the GIS services. Esri had to develop their own authentication method in order to not be dependent on an existing preparatory product. Here is how it works:
The client makes a request to consume a GIS service.
ArcGIS for Server prompts for the username and password.
The client supplies the credentials and then Server verifies that against the user store.
If the username and password are valid, the Server combines the username, the password, and the expiration period of the token, and applies the Advanced Encryption Standard (AES) along with a shared key to encrypt all that into a string, which is known as a token.
The token is then appended to each request until it expires.
The following diagram shows the entire process:
There are two types of tokens, short-lived and long-lived. The short-lived tokens have a relatively shorter expiration period; these are...
