Locally hosted token-based authentication for the Web AppBuilder for ArcGIS Print Widget generates an invalid PDF output when printing a secured map service that has stored credentials in ArcGIS Online.
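Last published: April 26, 2018
ArcGIS Online
Bug ID number
BUG-000109333
Submitted
November 6, 2017
Last modified
June 5, 2024
Applies to
ArcGIS Online
Version found
5.3
Status
Known Limit
After review by the development team, it has been determined that this issue is related to a known limitation of software that is outside of Esri's control. The issue's "Additional Information" section may contain further explanation.
Additional Information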
The behavior described in this issue is the normal, by-design security strategy, not a bug.
Token-based authentication
When the locally hosted app needs to access an online item, including a web map item and its secured layers, it must send a request to "https://www.arcgis.com/sharing/generateToken" to get a token. The token itself contains your credential and other necessary information.
When the map is printed, the token is sent to the print service. The problem is that the token is generated only for the host machine of the app, which is controlled by the following request parameters:
origin:http://**.local:5000
referer:http://**.local:5000/USA_secure/
The print service is hosted on another server, so it cannot use the token directly.
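A simplified model of the binding described above, added here as an illustration and not Esri's token format or code: the token is tied to the origin of the referer it was requested with, so the same token presented from the print server's host is rejected. The signing key, user name and host names are constructed assumptions.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlsplit

SIGNING_KEY = b"constructed-demo-key"  # constructed; stands in for the token service's secret
APP_REFERER = "http://apphost.local:5000/USA_secure/"  # constructed host name
PRINT_REFERER = "https://printserver.example/print/"   # constructed host name


def origin(url):
    """Reduce a URL to scheme://host[:port], the part the token is bound to."""
    parts = urlsplit(url or "")
    return f"{parts.scheme}://{parts.netloc}".lower()


def issue_token(user, referer, ttl=3600, now=None):
    """Model of a token request made with a referer: bind the token to that origin."""
    now = time.time() if now is None else now
    claims = {"user": user, "origin": origin(referer), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{sig}"


def validate(token, request_referer, now=None):
    """Return (accepted, reason) for a request that presents the token."""
    now = time.time() if now is None else now
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now > claims["exp"]:
        return False, "expired"
    if origin(request_referer) != claims["origin"]:
        return False, "referer mismatch"
    return True, "ok"


if __name__ == "__main__":
    token = issue_token("demo_user", APP_REFERER, now=0)
    print(validate(token, APP_REFERER, now=10))    # request from the app's own host
    print(validate(token, PRINT_REFERER, now=10))  # same token forwarded by the print server
    print(validate(token, None, now=10))           # request with no Referer header
```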
OAuth authentication
When using OAuth authentication, users must create a registered app and assign its appId to the locally hosted WAB app. When users log in, they also get a token, but this token is different from the token used in token-based authentication.
When the service receives such a request, it checks the user's credential against the registered app. The service works if the registered app says "OK, the token is issued from here".