When using ArcGIS Server token-based authentication, acquiring an ArcGIS token is only allowed through an HTTP POST request. Acquiring a token through an HTTP GET request (or HTTP POST request with credentials in the query parameter) is possible, but disabled by default. If your organization uses applications that rely on acquiring a token in this manner, follow the steps below to enable token acquisition through an HTTP GET request.
Caution:
Although using a GET request is a convenient method of acquiring a token, a user's credentials are provided as part of the URL and may be stored in browser history or in network components. It's recommended that you update your applications so that tokens are not acquired through a GET request.
- Log in to the ArcGIS Server Administrator Directory. The URL is formatted http://gisserver.domain.com:6080/arcgis/admin.
- Click security > tokens > update.
- In the Token Manager Configuration dialog box, update the following properties. If necessary, add the properties manually.
- To acquire a token through an HTTP GET request, set the allowHttpGet property to true.
- To acquire a token through an HTTP POST request with credentials in the query parameter, set the allowHttpPostQueryParams property to true.
For example:
{ "type": "BUILTIN", "properties": { "allowHttpGet": "true", "allowHttpPostQueryParams": "true", "longTimeout": "1440", "sharedKey": "VYHyatfGUlFWHgnAVMEc40nL1rn7s+l190vtgMjCx3c=", "shortTimeout": "60" } }
- Click Update.