A bug in ArcGIS REST Service

We run ArcGIS servers in two different environments DEVELOPMENT and UAT , and the guy who set up the infrastructure has gone.
Last week we deployed the working app into the UAT, and it didn’t work as supposed as in DEVELOPMENT.

Specifically,  we had problem with the ArcGIS login process. We use ArcGIS REST API token generation for login authentication, and the app host address as HTTP referer.
Details see http://resources.arcgis.com/en/help/arcgis-rest-api/index.html#/Generate_Token/02r3000000m5000000/.
After user logs in, we use the generate Sitemap in REST service to get a list of access-controlled layers for the user.
We don’t use the REST method as it only returns the current folders and then again requires ajax under the folder to get all the layers, it slows down the whole app.

In DEV, we successfully get the sitemap XML with all the layers as shown like this.

However, we could not manage it in the UAT, and it always returned an empty XML, i.e. no layer services at all.

Token returned from UAT server was correct, and there was nothing wrong with code and configuration. We debug the login module, the token generation process and any possible out-dated codes. Nothing worked.

The bug cost me one week to catch.  See Server 1 as DEV and Server 2 as UAT, something is missing:


I doubt that the guy who implemented the REST interface was different from the one who implemented the Sitemap interface. The later just ignored the whole folders when there was None Services, but this None only means there is no service under the root. Damn!