Access Secured Feature Service using JavaScript API 4.0

JustMe6 · ‎03-07-2021

Hello,

We have a GIS website that we recently updated to use the Javascript API 4.17 and moved it to a new server along with updated feature services on a new ArcGIS server. The site is public-facing, open to all, and utilizes a good number of feature/image services we host on our internal ArcGIS servers (10.7) via a web adapter. After closing down the old web site, our IT department reported there was still substantial traffic to our old feature services. Apparently, several outside entities have been consuming our imagery services for their own use as they had been publicly exposed.

We want to make the data and imagery available to the public via our website but we are not a hosting service for other entities. It is especially frustrating as IT has reported these other entities are accounting for more than 30 times our own network traffic to the image services.

Can feature and image services hosted on a standalone ArcGIS server deployment be secured but yet still available to an open, public-facing website that is mostly client-side javascript? We do not want users to have to log in to view the site. Looking through the Developers documentation (Access secure resources), it appears this can be accomplished using ArcGIS Tokens but I cannot find a comprehensive example for the Javascript API 4.17.

I also want to make sure this is not a violation of any ESRI policy.

JustMe6 · ‎03-10-2021

Anyone?

@JohnGrayson @ReneRubalcava @RobertScheitlin__GISP

JohnGrayson · ‎03-10-2021

I normally share content to a group only and then create an item for my app, register it, and use OAuth in the application to access the services, and you can even provide a referrer for your app.

JustMe6 · ‎03-10-2021

John,

Thanks for the reply. We are trying to do this but how do you use OAuth when the user does not logon? The web site allows anonymous.

JohnGrayson · ‎03-10-2021

Sorry, I misinterpreted the use case. I think that using a self-hosted resource proxy as described in the 'Application login' section would be an option. The calls to the secure service from the public app would go through the proxy.

BlakeTerhune · ‎03-10-2021

You could disable directory browsing but the service is still available if you use browser developer tools to monitor network traffic. If your organization has a load balancer managing traffic coming in, maybe you could set up a url referrer allow list for your services so it blocks anything coming in that's not from your app. I'm not a network engineer so I can't be of anymore help there. I don't think there's anything natively available in ArcGIS Server to do this.