Java operation access SOI
This sample illustrates how to add an extra layer of security control for individual operations that users are allowed to access. This SOI only allows three operations - Find, Identify, and Export Map to certain users that are defined in the code, and blocks unauthorized users to access those operations. It also blocks all other service operations.
Deploying the SOI from the .soe file (
../OperationAccessSOI/target/OperationAccessSOI.soe) does not require you to open a Java IDE. However, you can open the project (
../OperationAccessSOI) in a Java IDE, such as Eclipse or IntelliJ, to debug, modify, and recompile the SOI project.
- Get logged-in user information
- Block REST requests
Any dynamic map service published from ArcGIS Pro. This instruction uses the USA map service as the sample service to test with the SOI.
- Make sure you have published the USA map service using ArcGIS Pro. If not, refer to USA map service.
- Grant proper user access to the USA map service.
This environment is configured with users and roles from the built-in store.
- Browse to ArcGIS Server Manager > Security tab.
Click the Users tab and Roles tab to make sure that the role gold123 is created and has members assigned.
To check role members, click the edit button next to a role.
The Edit Role wizard will appear and show all the users assigned to this role.
You can also create users and roles under the Users and Roles tabs.
- Browse to ArcGIS Server Manager > Services tab.
Right-click the Sharing Properties button next to the map service to secure it for logged-in users.
- You can either choose Allow access to all users who are logged in or choose a role by clicking the Add button under Action so that the role is listed under Allowed roles.
- Similarly, you can also create another role platinum123, assign users to it, and share the map service with this role.
This environment is configured with built-in users using the portal's identity store.
- Create groups.
Sign in to the Portal for ArcGIS website. On the Groups page, create a new group named gold123.
- Invite users to the group created from the last step.
Share the map service with the group.
Find the map service published from step 1 at ArcGIS Server or the Content page of the Portal for ArcGIS website. Ensure that the group gold123 has access to this map service.
- Similarly, you can also create another group named platinum123, assign users to it, and share the map service with this group.
- Log in to ArcGIS Server Manager and click the Site tab.
- Click Extensions.
- Click Add Extension.
- Click Choose File and choose the OperationAccessSOI.soe file (
- Click Add.
- Log in to ArcGIS Server Manager and click the Services tab. Select USA map service and select Capabilities.
- In the Interceptors section, select Operation Access SOI in the Available Interceptors box and click the right arrow button to move it to Enabled Interceptors.
- Click the Save and Restart button to restart the service.
- Open a browser and navigate to the REST services page (URL:
- Click Login at the upper right corner to log in with a valid user account that belongs to the group gold123.
Click the USA map service and Export Map in Supported Extensions.
This leads you to the following URL. You can see the Export Map operation generates a valid result:
Click Logout at the upper right corner and clear the browser cache/history.
Note: You must clear the browser cache, otherwise the following steps will still show the same results because the browser caches the previous requests.
- Log in as another user who does not belong to the group gold123 or platinum123.
- Try with the Export Map operation again. Now no image is exported and the operation returns a "404 Not Found" error, because the group that this logged-in user belongs to does not have permission to the Export Map operation.
- Test with other service operations under different user accounts, and see how this SOI blocks requests and grants access. This Operation Access SOI lets through the requests for Export Map, Find, and Identify operations and blocks all other requests if the logged-in user belongs to the gold123 or platinum123 group. The SOI blocks all the requests if the service is accessed without being logged in, or with a logged-in user that does not belong to either gold123 or platinum123.