Securing the cache directory
ArcGIS Server supports precreating map and globe images for faster performance when users are viewing your services. (See What is map caching? for information on creating map caches.) When you secure a map or globe service that has a cache, you may also secure the cache directory if you don't want to allow anonymous (unrestricted) access to the cache through a virtual directory.
When cache tiles are available in a virtual directory, Web clients can access tiles using URLs on the Web server without going through the Web service for the map service. For example, with a map service, MyService1, a tile might be available on your Web server through a URL such as the following:
http://www.example.com/arcgiscache/MyService1/Layers/_alllayers/L00/R00004be4/C00003088.png.
Clients can only see images of the map through this type of request; they cannot interact with the data or do any queries. If you need to restrict access of any viewing of the map, you need to secure the cache folder as discussed below.
The approach outlined below will allow only permitted users to access the cache tiles for your secured services. Since the performance for tile access will be slightly slower than when tiles are accessed directly through JavaScript by the client, you should implement this method only when you need to secure tile access for your secured services.
Using a cache directory with no virtual directory
In this approach, the secured services use a cache directory that has no virtual directory. The application, such as a Web ADF application or ArcGIS Desktop, will request the map or globe tile from the GIS Web service. The service will retrieve the tile from disk after verifying the client's permissions to access the service.
Note that if a cache directory is created during installation of ArcGIS Server, this cache directory will have a virtual directory. A new cache directory that has no virtual directory must be created for use with this approach.
The following steps can be used to create a cache directory and assign services to the cache directory.
- Create a new cache directory. Do not set a virtual directory for this cache directory. See the steps in Creating a server directory for instructions. Be sure that the accounts used to run the Server Object Manager (SOM) and Server Object Container (SOC) have write access to the directory. If you create the new folder within the arcgisserver folder (for example, C:\arcgisserver\arcgiscacheSecure), it will inherit the correct permissions for the SOM and SOC.
- In Manager or ArcCatalog, edit the properties of the secured service to set the server cache directory to the directory created earlier that has no virtual directory. You can set the cache directory on the Parameters tab of the service (in ArcCatalog, the service must be stopped to change its properties).
- If cache tiles have already been created for the service in a cache directory with a virtual directory, move them to the newly set cache directory on disk. See the help topic Copying caches for details. For example, if you originally created the service cache in the default folder C:\arcgisserver\arcgiscache, and you created the new cache directory as C:\arcgisserver\arcgiscacheSecure, you can move the folder to the new cache directory. You should not leave a copy in the cache directory with the virtual directory, since the files in that directory will be available with no security.
- Repeat steps 2 and 3 for each service that is secured.
When creating a new service, you can specify the cache directory when using the Add New Service wizard. If you use the Publish GIS Resource wizard to create the service, you can later set the cache directory onService Properties.