Working with secure web services

ArcGIS Server web services may be secured to permit only authorized users. Working with a secured service depends on how the service handles authentication. ArcGIS Server web services support two authentication methods: HTTP/Windows authentication and token-based authentication. Only one authentication type can be enabled at a time on an ArcGIS Server site.

HTTP/Windows authentication

Services using this method issue a challenge in response to a request, and the client must respond with appropriate credentials to be authenticated. The client may be authenticated in one of several ways, including Basic, Digest, or Integrated Windows Authentication. To authenticate the request, as a developer you must set the identity within the request. When using a SOAP proxy, set the identity on the proxy. The technique differs depending on which development environment you are working with.

Token-based authentication

This method is typically used when users are stored in a database or file, rather than as operating system users. To authenticate the request, you must obtain a token from the token service recognized by the ArcGIS Server instance. The token is appended to the query string of the web service URL. If you have access to the user name and password in your server-side code, you should request the token dynamically. It is also possible to pre-create the token and embed it within the application, but dynamically created tokens are safer because they generally time out and hence will not be as useful to someone who might intercept the token. Use the Catalog service to determine if a service requires token-based authentication.
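
The following Python code is an added example, not part of the original documentation or the ArcGIS SDK. It shows one way to handle dynamically requested tokens on the client side: cache the token, request a new one shortly before it times out, append it to the service URL's query string, and mask it before the URL is logged. The names `TokenSession`, `fetch_token` and `redact` are hypothetical, the query parameter name `token` is an assumption, and refusing non-HTTPS URLs is a precaution added here.

```python
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "token"  # assumed name of the query-string parameter


class TokenSession:
    """Caches a short-lived token and appends it to secured service URLs."""

    def __init__(self, fetch_token, refresh_margin=60, clock=time.time):
        # fetch_token: hypothetical caller-supplied function that contacts the
        # token service and returns (token, expiry as epoch seconds).
        self._fetch = fetch_token
        self._margin = refresh_margin
        self._clock = clock
        self._token = None
        self._expires = 0.0

    def token(self):
        # Request a new token on first use or shortly before the old one expires.
        if self._token is None or self._clock() >= self._expires - self._margin:
            self._token, self._expires = self._fetch()
        return self._token

    def secure_url(self, service_url):
        parts = urlsplit(service_url)
        if parts.scheme != "https":
            # Over plain HTTP the token in the query string travels unencrypted.
            raise ValueError("refusing to append a token to a non-HTTPS URL")
        # Drop any stale token already present; keep the other parameters.
        query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                 if k != TOKEN_PARAM]
        query.append((TOKEN_PARAM, self.token()))
        return urlunsplit(parts._replace(query=urlencode(query)))


def redact(url):
    """Return the URL with the token value masked, for log output."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == TOKEN_PARAM else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Supply `fetch_token` with whatever call your environment uses to reach the token service; the class only decides when to call it.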


Both methods are demonstrated in the tutorial "Using secure services".