ArcWeb Services uses an authentication system to validate access to its services and data. This authentication process helps protect your account information and ArcWeb Services from potential security breaches. ArcWeb Services offers several ways for clients to validate that they are ArcWeb users—Authentication Web Service, Web Services Security (WS-Security) 1.0, UserID, Bouncy Castle, and URL registration.
Every request to an ArcWeb service must include information that validates the request as coming from an authorized ArcWeb user. As a SOAP user, you can either authenticate with a time-limited binary string returned by Authentication Web Service or include authentication information in a WS-Security header.
Both methods are secure, but they rely on different processes. Authentication Web Service requires that you send it a request prior to accessing an ArcWeb service. Authentication Web Service checks that you have permission to access ArcWeb Services, and if you do, it returns a time-limited token which you then use to call an ArcWeb service. When the token expires, you must send another request to Authentication Web Service. The main advantage of this method is that it is compatible with SOAP, REST mapping, and OpenLS (J2ME Mobile Toolkit relies on Bouncy Castle for authentication). See Authentication Web Service overview for more information on how to use Authentication Web Service.
If you use WS-Security 1.0, you bypass the process of obtaining an authentication token and instead include a "security header" in your ArcWeb service request. This security header contains your user name and password information so you can access the ArcWeb service (assuming you are an authorized user). WS-Security 1.0 provides a secure method of sending a single request to a Web service (as opposed to a "double" request required through Authentication Web Service). At this time, only Axis (Java) and .NET toolkits support sending WS-Security headers. Glue and ColdFusion MX do not fully support WS-Security. See Using WS-Security with Axis (Java) and Using WS-Security with .NET for step-by-step instructions for configuring your requests with WS-Security headers.
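As an added illustration (not ArcWeb's or the toolkits' own code), the following Python builds the kind of security header described above using the WS-Security 1.0 UsernameToken profile and shows the matching receiver-side check. The user name, password, empty body, and the choice of the PasswordDigest type are assumptions; this page does not state which password type ArcWeb expects.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces and type URIs from OASIS WS-Security 1.0 / UsernameToken Profile 1.0.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = WSS + "wssecurity-secext-1.0.xsd"
WSU = WSS + "wssecurity-utility-1.0.xsd"
DIGEST = WSS + "username-token-profile-1.0#PasswordDigest"
B64 = WSS + "soap-message-security-1.0#Base64Binary"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile-defined digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_envelope(username, password, nonce=None, created=None) -> bytes:
    """Return a SOAP 1.1 envelope whose header carries a wsse:UsernameToken."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST})
    pw.text = password_digest(nonce, created, password)  # password itself is not sent
    n = ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": B64})
    n.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    # Placeholder body (assumption): the real operation element comes from the WSDL.
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env, encoding="utf-8")

def verify_token(envelope: bytes, passwords: dict) -> bool:
    """Receiver side: recompute the digest from the stored password and compare."""
    tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
    stored = passwords.get(tok.findtext(f"{{{WSSE}}}Username")) if tok is not None else None
    if stored is None:
        return False
    nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce"))
    expected = password_digest(nonce, tok.findtext(f"{{{WSU}}}Created"), stored)
    return hmac.compare_digest(expected, tok.findtext(f"{{{WSSE}}}Password"))
```

The check here covers the digest only; rejecting stale `Created` values and reused nonces are separate checks a receiver applies.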