[GIS] How to ensure that only the application has access to ArcGIS Server services

arcgis-javascript-apiarcgis-serverPROXYSecurity

I'm making a web map based on the ArcGIS Server JS API. How can I ensure that users must use my front-end to access the ArcGIS Server layers?

That is, I want anyone visiting MyDomain.com/index.html to have access to the ArcGIS Server layers referenced on the page, but I don't want users to be able to access the ArcGIS Server layers directly (eg, by using Firebug to detect the URLs then using them in their own applications).

I want to allow anonymous users to access the site, so I don't want to provide a prompt for users to log in – it needs to work seamlessly.

An idea is to secure the layers with tokens, and have my application automatically fill in the token credentials.

Has anyone done this? How would I hide the token credentials so that people couldn't access the information?

Best Answer

My comment was half truthful. Every request that you allow your JavaScript App to make, I can make them too. You have to be a little bit smart about it. So, securing your ArcGIS Server is possible, it's only a matter of how much work you are willing to do.

I used to work for a Government client, that had a similar request. I tried to reason with them, but to no avail. After extensive discussion, we agreed that they didn't really want full security. They only wanted the appearance of security. They wanted me to make the lives of any data-stealer as hard as possible.

This is possible. I carried out the following steps:

I then had the bright idea of blocking all the requests, and white-listing only the required requests. This was achieved by having a HTTP Proxy in on the web-facing webserver, which re-routed the requests to the ArcGIS server, which was on the internal LAN.
The REST Services Directory was Disabled from the REST Admin
The URLS were changed from the standard ArcGIS REST format. For example http://example.com/ArcGIS/rest/services/Imagery/County/MapServer became http://imagery.example.com/County
Upto the extent possible, we cached the services, and used the cache directly
The hits to the Query Tasks were logged, and monitored.

Was all of this worth it? Maybe. The client was happy and we got paid. But it did take away my time from implementing actual features in the WebGIS. It also made my life very difficult while developing, since there were several bugs in the Proxy, which didn't work right the first time around.

And at the end of, when we looked at the few open services that we had, I had to ask myself why they were spending so much money on ArcGIS server. We could have achieved all that using a tilecache and some Php services to query the database.

Best Answer

Related Solutions

[GIS] ArcGIS Server security and Windows domains – issues for non-IE browsers

[GIS] How to share a hosted feature service with an application on ArcGIS Online

Related Question