Programmatic authentication to ArcGIS Server secured layers via RESTful API

I finally found what I was looking for: a proper ArcGIS Server web endpoint that I could use to generate tokens!

The call is this:

GET http://<arcgisserver_host:port>/arcgis/tokens?request=getToken&username=<usr>&password=<usr>&expiration=<token_lifespan>

which gives back the token in the HTTP response body, and one can send it along to any further request to secured resources without being prompted for credentials again. The token must be the value for the Cookie request header, as it is currently stored in a cookie on the client side.

But...damn! This token generator is NOT part of the ArcGIS Server REST API!!! I couldn't find it in the online API documentation! Where in the world could I find it???

This means that ArcGIS Server does not have a RESTful authentication framework.

For example, if we have this map service exposed under the ArcGIS REST API: /arcgis/rest/services/myDir/myMapService/MapServer/layers and we try to GET this resource, what we get from ArcGIS Server is a response having a 200: OK status code and an HTML document in the body (the HTML is a login form). From a would-be-RESTful login, I would expect that the request gave me back a 401: Authentication Required status code along with a WWW-Authenticate header... I tested this whole thing out myself using a REST client program.
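The behaviour described in the post above (a 200 OK carrying an HTML login form instead of a 401 with WWW-Authenticate) means a script cannot trust the status code alone to tell whether it was authenticated. The following is an added example, not part of the original post or of any Esri API: it builds the token request shown above and classifies responses. The helper names, the host, the sample responses and the password-field heuristic are all assumptions.

```javascript
// Hypothetical helpers for illustration; sample data below is constructed.

// Build the token request from the post. URLSearchParams percent-encodes the
// values, so a password containing '&' or '=' cannot corrupt the query string.
// Credentials travel in the URL here, so the base URL should be HTTPS.
function buildTokenUrl(baseUrl, username, password, expiration) {
  const url = new URL('/arcgis/tokens', baseUrl);
  url.searchParams.set('request', 'getToken');
  url.searchParams.set('username', username);
  url.searchParams.set('password', password);
  url.searchParams.set('expiration', String(expiration));
  return url.toString();
}

// Classify a response to a secured resource. A proper challenge is a 401 with
// WWW-Authenticate; the case from the post is a 200 whose body is a login form.
function classifyResponse({ status, headers = {}, body = '' }) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  if (status === 401 && h['www-authenticate']) return 'challenge';
  const type = (h['content-type'] || '').toLowerCase();
  const looksHtml = type.includes('text/html') || /^\s*<(!doctype|html)/i.test(body);
  // Assumed heuristic: a login form is a <form> with a password input.
  const hasLoginForm = /<form[\s>]/i.test(body) &&
    /<input[^>]*type=["']?password/i.test(body);
  if (status === 200 && looksHtml && hasLoginForm) return 'login-form';
  if (status >= 200 && status < 300) return 'ok';
  return 'error';
}

// Constructed sample responses (not captured from a real server).
const loginPage = {
  status: 200,
  headers: { 'Content-Type': 'text/html; charset=utf-8' },
  body: '<html><body><form method="post"><input type="text" name="username">' +
        '<input type="password" name="password"></form></body></html>',
};
const challenge = { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="gis"' }, body: '' };
const layersJson = { status: 200, headers: { 'Content-Type': 'application/json' }, body: '{"layers":[]}' };

console.log(buildTokenUrl('https://gis.example.com:6443', 'alice', 'p&ss=w0rd', 60));
console.log([loginPage, challenge, layersJson].map(classifyResponse));
```

A client that receives `login-form` should treat the request as unauthenticated and obtain a token rather than attempt to parse the HTML as layer data.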


Please have a look at How ArcGIS Server Security works.

Basically, you will need to make users and groups, and give a particular User rights over certain services.

Once you have done that, you need to use token-based security in your JavaScript application. What this means is that you ask the user for their username and password. That is sent to the ArcGIS Server, which validates the credentials and sends back a token. This token is used to validate the user whenever a resource is requested.

You as a programmer will send this token to every mapservice, query service etc.

This page details how to use Token Based Services.

The ArcGIS JavaScript API already comes with a class, the IdentityManager, to do this.

Here are a couple of samples on how to use the Identity Manager.


In the ArcGIS API for JavaScript, there's a widget called the Identity Manager that addresses exactly what you want to do. Check out samples that use the identity manager to see how it works.

The sample linked by Devdatta, while valid, is the pre-Identity Manager way of doing this and involves a lot more code than is necessary now that authentication for secure services is baked into the API.