"Disable Services Directory" issues

08-05-2011 06:49 AM
RoyceSimpson
Occasional Contributor III
I've got an AGS/Flex app that's been working great for the past year.  I would like to now disable the services directory from being accessible via the browser but would still like all the functionality within the Flex app of the exposed map services of our AGS installation.

Should that be doable?  I've been trying it and I get stream errors on certain operations like "featureLayer.selectFeatures".  If I enable the services directory again, that operation works just fine.  Assuming there are no bugs in the Flex or REST API regarding this... I'm at a loss as to what the good of "disable services directory" is.

I've looked up the REST API documentation on the services directory options and it only mentions how to disable the directory but doesn't explain any best practices or rationale for doing so.

Anyone got some knowledge on this?

Thanks much,
-Royce
0 Kudos
11 Replies
JeffPace
MVP Alum
I don't think you can disable the endpoints, they have to be accessible.  You can, however, disable the root directory.  Doesn't prevent "stumble upon" discovery of individual services, but prevents browsing.

We took the easy route, and just used a web application firewall (reverse proxy) for our servers.  We then just make endpoints for the subfolders in /arcgis/rest/services/foldername but not the /services directory.

Down side, you have to make a link for each folder, and each service must be in a folder
Up side, no root browsing.
0 Kudos
RoyceSimpson
Occasional Contributor III
> I don't think you can disable the endpoints, they have to be accessible.  You can, however, disable the root directory.  Doesn't prevent "stumble upon" discovery of individual services, but prevents browsing.
>
> We took the easy route, and just used a web application firewall (reverse proxy) for our servers.  We then just make endpoints for the subfolders in /arcgis/rest/services/foldername but not the /services directory.
>
> Down side, you have to make a link for each folder, and each service must be in a folder
> Up side, no root browsing.

Thanks for all the options.  Just curious though... what's the point of "disabling the services directory" then?  I mean, if you do that, you might as well uninstall arcgis server... if you are using it for web access to map services.

By the way, I was able to go in and set all my Flex objects that default to AMF transport to "false".  So, for example, featureLayer.selectFeatures() works if I set featureLayer.useAMF=false;   Now if I disable the services directory, everything works just fine.
0 Kudos
JeffPace
MVP Alum
> Thanks for all the options.  Just curious though... what's the point of "disabling the services directory" then?  I mean, if you do that, you might as well uninstall arcgis server... if you are using it for web access to map services.

Didn't you ask how to do this?

All the endpoints are still accessible, just not the root directory.

Your flex app uses http calls.  If your app can do it, so can a browser.

For example:

My folder
http://www.mymanatee.org/arcgis/rest/services/
is forbidden
but
http://www.mymanatee.org/arcgis/rest/services/base-map/
is accessible.

This allows a user to get to the service they need, but not "nose" around and see what else we are hosting.
0 Kudos
RoyceSimpson
Occasional Contributor III
> Didn't you ask how to do this?
>
> All the endpoints are still accessible, just not the root directory.
>
> Your flex app uses http calls.  If your app can do it, so can a browser.
>
> For example:
>
> My folder
> http://www.mymanatee.org/arcgis/rest/services/
> is forbidden
> but
> http://www.mymanatee.org/arcgis/rest/services/base-map/
> is accessible.
>
> This allows a user to get to the service they need, but not "nose" around and see what else we are hosting.

Well, I'm not sure how it's working but my flex app can get to all the services but if I try to get to them directly in a browser I get the following (see code below)... and it doesn't matter how deep on the url I go... I always get that error if I try to access via the browser.  That is what I want... the flex app to work but direct browsing to not work.  All I had to do was "disable services directory" and set the useAMF properties within my Flex code to "false".

I even fired up Fiddler, copied out a map service url that was passed by my Flex app running, tried pasting it back into the browser and got the below message.  That baffles me but for now, I'll take it.

And just to be clear... I don't want users doing ANY direct browsing of my map services... I only want them to use the Flex app front end to do stuff.

Error

Services Directory is disabled.

Code: 403
0 Kudos
RoyceSimpson
Occasional Contributor III
> Well, I'm not sure how it's working but my flex app can get to all the services but if I try to get to them directly in a browser I get the following (see code below)... and it doesn't matter how deep on the url I go... I always get that error if I try to access via the browser.  That is what I want... the flex app to work but direct browsing to not work.  All I had to do was "disable services directory" and set the useAMF properties within my Flex code to "false".
>
> I even fired up Fiddler, copied out a map service url that was passed by my Flex app running, tried pasting it back into the browser and got the below message.  That baffles me but for now, I'll take it.
>
> And just to be clear... I don't want users doing ANY direct browsing of my map services... I only want them to use the Flex app front end to do stuff.
>
> Error
>
> Services Directory is disabled.
>
> Code: 403

Ok, so the fun got spoiled.  And this makes sense.  I opened Fiddler again and copied out a map service query URL from the Flex app... and sure enough, when I pasted it back in the browser, it showed the response.  So that explains that.  I can, in theory, just change the parameters in the url and get a different response.  Boo hoo.  Guess there's no way around this unless I enable security for the server... ugh.

So, the security rationale for disabling the service directory doesn't run very deep.

But hey, how many malicious AGS/REST/JSON hackers could there be anyway?  😉
0 Kudos
JeffPace
MVP Alum
> Ok, so the fun got spoiled.  And this makes sense.  I opened Fiddler again and copied out a map service query URL from the Flex app... and sure enough, when I pasted it back in the browser, it showed the response.  So that explains that.  I can, in theory, just change the parameters in the url and get a different response.  Boo hoo.  Guess there's no way around this unless I enable security for the server... ugh.
>
> So, the security rationale for disabling the service directory doesn't run very deep.
>
> But hey, how many malicious AGS/REST/JSON hackers could there be anyway?  😉

Yes the only way around that is enable security on the service and hardcode the token/credentials in the app.  To me, not worth it.
0 Kudos
RichardWatson
Frequent Contributor
We enable security on ArcGIS Server and expose only an ASP.NET proxy out to the internet.  Everything we do routes through the proxy and the clients have to provide valid credentials to access the system.  There are no hardcoded credentials in client applications (we use Silverlight).

We use tokens but those are not exposed to Silverlight either, i.e. the proxy generates them when needed.

A couple of years ago Dave Bouwman gave a good presentation on what it took to develop a web application for the Department of Homeland Security at the Developers Summit.
0 Kudos
AaronKreag
Occasional Contributor
Guys-

I am having the same issue.  This is just ridiculous.  However I found this text on a REST API page:

"Disabling the Services Directory is recommended as a best practice for ArcGIS Server systems that are public. You may choose to enable the Service Directory on production systems, only if there is a need to make the HTML pages and forms available to the end users. Once disabled, users are not able to view and use the services using Services Directory HTML pages i.e requests that are made for HTML output format (f=html or when parameter f is not specified). They'll receive an error message if they attempt to access the Services Directory once it has been disabled by the admin. All client applications (Web APIs, Desktop, Mobile, etc.) that programmatically access the Services using JSON or other output formats will continue to function as expected."

I am just now trying to figure out how to make my Flex web maps use this JSON format.....

Anyone?
0 Kudos
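
The rule quoted in the post above (HTML output is refused, JSON and other formats keep working) can be checked against your own server with a short script. This is an added example, not part of any post in this thread and not Esri code; the host `gis.example.org`, the service names, and all function names are assumptions made for illustration, and `simulated_status` stands in for a real server so the script runs offline.

```python
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

# Constructed sample URLs (hypothetical host and service names), standing in
# for requests copied out of a client application's traffic.
SAMPLE_URLS = [
    "https://gis.example.org/arcgis/rest/services/base-map/",
    "https://gis.example.org/arcgis/rest/services/base-map/Parcels/MapServer/0/query?where=1%3D1&f=json",
]

def wants_html(url):
    """Quoted rule: HTML output is requested when f=html or f is not given.
    Assumption: a blank f counts as not given and the value is case-insensitive."""
    values = parse_qs(urlsplit(url).query).get("f", [])
    return not values or values[-1].lower() == "html"

def with_format(url, fmt):
    """Return url with its f parameter set to fmt, other parameters kept."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
             if k != "f" for v in vs]
    return urlunsplit(parts._replace(query=urlencode(pairs + [("f", fmt)])))

def http_status(url):
    """Status code of a GET against your own server."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code

def simulated_status(url):
    """Offline stand-in: Services Directory disabled, no authentication."""
    return 403 if wants_html(url) else 200

def audit(urls, fetch=http_status):
    """Request each URL as HTML and as JSON; flag data served despite the disable."""
    report = []
    for url in urls:
        html, data = fetch(with_format(url, "html")), fetch(with_format(url, "json"))
        report.append({"url": url, "html": html, "json": data,
                       "open_despite_disable": html == 403 and data == 200})
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_URLS, fetch=simulated_status):
        print(row)
```

Any row with `open_despite_disable` set is an endpoint that only server-side authentication, such as the token-issuing proxy described earlier in the thread, will actually close.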
YangLiu2
New Contributor II
> Didn't you ask how to do this?
>
> All the endpoints are still accessible, just not the root directory.
>
> Your flex app uses http calls.  If your app can do it, so can a browser.
>
> For example:
>
> My folder
> http://www.mymanatee.org/arcgis/rest/services/
> is forbidden
> but
> http://www.mymanatee.org/arcgis/rest/services/base-map/
> is accessible.
>
> This allows a user to get to the service they need, but not "nose" around and see what else we are hosting.

Can you explain more about disabling the root directory only and allowing access to the specific services that users need? I have an issue accessing attachments of a feature service when I disable the services directory. Thanks!

Best,
-yl
0 Kudos