
Portal for ArcGIS 11.1: cannot add item by URL if not in "allowedProxyHosts"

06-07-2023 09:21 AM
NicolasGIS
Regular Contributor

Hello,

I am running Portal for ArcGIS 11.1 and a user reported a weird behaviour to me: he could not add a layer by URL, either from the new MapViewer or directly in Portal for ArcGIS when adding a new item / URL / New item.

It hangs on "Retrieving Service Info". Looking at the network tab, it's an infinite loop hammering our Portal for ArcGIS!

1. https://myserver.onecompany.com/arcgis/rest/services/foo/MapServer?f=json => 200: no issue

2. https://myportal.company.com/geoportal/sharing/rest/portals/checkurl?url=https%3A%2F%2Fmyserver.onec... => {"success":false,"error":{"message":"Error checking resource"}}

And it retries forever...

I spent quite some time trying to understand the issue and found out that it seems to be related to the "allowedProxyHosts" security property which, following security best practice, was restricted to a few URLs, and of course "myserver.onecompany.com" was not one of them. After I added it, it worked.

But according to the documentation of this parameter, this proxy server is used in the following situations:


https://enterprise.arcgis.com/en/portal/latest/administer/windows/restricting-the-portal-s-proxy-cap...

The thing is that "myserver.onecompany.com" has CORS enabled and is an open data one with no credentials involved so no need to use the Portal proxy:


This means that every time a user wants to add a layer from URL, he will have to contact us to whitelist this domain even if CORS is enabled. Seems like a bug to me, or did I miss anything?

Also, it's not really nice that it hammers the Portal for ArcGIS like this.

 

Thanks for your feedback,

Nicolas

0 Kudos
1 Solution

Accepted Solutions
NicolasGIS
Regular Contributor

Hi @JeffSmith,

Support logged the following defect:


BUG-000158980 : Trying to add a service to the Map Viewer or as an item is resulting in an infinite loop of checkURL-requests when the allowedProxyHosts-parameter does not contain the domain of the service 


0 Kudos
6 Replies
NicolasGIS
Regular Contributor

Note that at 11.0, I did not have this issue.

- New MapViewer was not using 'checkUrl' end point

- In Portal for ArcGIS, when adding an item as Url, even if 'checkUrl' was failing, it was still possible to register the item

0 Kudos
Scott_Tansley
MVP Regular Contributor

It's not a bug.  I think it would be fair to state that it's a part of continual security hardening and doing the right thing.  If not whitelisted, then the proxy could be potentially used maliciously.  Having a whitelist is painful to manage, but for many organisations I work with it is required to pass penetration testing.

For one, I'm pleased to see this.  It means end users can't just add URLs, because that can be inherently bad.  My one wish is that there was a nicer 'error message' returned recommending a discussion with the GIS Administrators to review and whitelist the URL in question.  If that could be automated then even better.  

I agree it's not nice, but I'd suggest it's not a bug and for many organisations it's a necessity.  

Scott Tansley
https://www.linkedin.com/in/scotttansley/
0 Kudos
NicolasGIS
Regular Contributor

Thanks for your reply @Scott_Tansley.

> If not whitelisted, then the proxy could be potentially used maliciously.

That is the whole point: even if servers are CORS enabled, the URL cannot be registered. If CORS is enabled, the proxy won't be used and the client can query this server by himself. I don't see the issue personally.

If you are right, the documentation should also be updated.

0 Kudos
JeffSmith
Esri Contributor

@NicolasGIS I agree with you that this behavior shouldn't happen when trying to add a service that is not secured to either the new Map Viewer or to the Content page. The checkurl request should only be made if the service is secured.

To @Scott_Tansley's point, yes, from a security hardening perspective, it is good that more organizations are using the "allowedProxyHosts" to limit what hostnames the portal can make proxy requests to.  As you observed, it is working as expected where the checkurl requests are blocked if the hostname is not in allowedProxyHosts.

That being said, when trying to add an unsecured map/feature service (with CORS enabled) to the new Map Viewer, no proxy requests should be needed and it shouldn't get stuck in a loop like that.  If you haven't already, could you please contact Technical Support and get a bug logged?

0 Kudos
NicolasGIS
Regular Contributor

Hi @JeffSmith,

Thanks for your explanations and for confirmation that the observed behavior is a regression.

I currently have a case opened with support. Will update here once I have more information.

0 Kudos
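
An added example, not part of the original thread and not Esri's code: a log check an administrator could run to spot the checkurl retry loop discussed above and to see which hostnames users are trying to add. The access-log format, the allowedProxyHosts value (assumed to be a comma-separated host list), the threshold and the window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumed allowedProxyHosts value (comma-separated hostnames), constructed for this example.
ALLOWED_PROXY_HOSTS = "myportal.company.com,internal.company.com"

# Constructed access-log lines (common log format), not taken from a real portal.
REQ_TEMPLATE = ('{ip} - {user} [07/Jun/2023:09:{m:02d}:{s:02d} +0000] '
                '"GET /geoportal/sharing/rest/portals/checkurl?url={url} HTTP/1.1" 200 66')
LOOP_URL = "https%3A%2F%2Fmyserver.onecompany.com%2Farcgis%2Frest%2Fservices%2Ffoo%2FMapServer"
SAMPLE_LOG = [REQ_TEMPLATE.format(ip="10.0.0.5", user="alice", m=0, s=s, url=LOOP_URL)
              for s in range(0, 40, 2)]  # 20 retries in 40 seconds
SAMPLE_LOG.append(REQ_TEMPLATE.format(ip="10.0.0.9", user="bob", m=1, s=0,
                                      url="https%3A%2F%2Finternal.company.com%2Fsvc"))

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP')

def find_checkurl_loops(lines, allowed=ALLOWED_PROXY_HOSTS, threshold=10,
                        window=timedelta(seconds=60)):
    """Flag (client, target host) pairs with >= threshold checkurl calls inside one window."""
    allowed_hosts = {h.strip().lower() for h in allowed.split(",") if h.strip()}
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/sharing/rest/portals/checkurl"):
            continue
        # parse_qs percent-decodes the url= parameter that the portal was asked to check.
        checked = parse_qs(parts.query).get("url", [""])[0]
        host = (urlsplit(checked).hostname or "").lower()
        hits[(client, host)].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    findings = []
    for (client, host), times in hits.items():
        times.sort()
        start = burst = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            findings.append({"client": client, "host": host, "burst": burst,
                             "allowlisted": host in allowed_hosts})
    return findings

if __name__ == "__main__":
    for finding in find_checkurl_loops(SAMPLE_LOG):
        print(finding)
```

A finding with `allowlisted` set to false matches the situation in this thread: a client retrying checkurl for a host that is missing from allowedProxyHosts.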