Re: [thredds] Problems accessing 2 folders restricted to 2 different users in the same session

Hi Emilio,

security restrictions go in two phases: authentication and authorization.
First time you are prompted the login credentials you get authenticated in the application with an user and a role and those authentication credentials will be used during your session. Then, once you are authenticated, every time you try to access to a resource the application check if the user in the session has authorization to access to that resource. This is why you are not asked again for the user and password when you try to access to other resources (you are already authenticated). So, the behaviour you have is correct and to access to resources with other user you need to clear your session and get authenticated again with the new credentials.

Cheers!

On 05/24/2012 04:33 AM, Emilio wrote:
Hi all

In the last weeks I've been working on the installation and administration of TDS and right now I'm stuck with the access restriction topic (https://www.unidata.ucar.edu/Projects/THREDDS/tech/tds4.1/reference/RestrictedAccess.html)

I'm using the second approach in order to restrict the users who are able to execute services in two different catalogues. "Alternately, you can add an attribute on a dataset or datasetScan element in the TDS catalog, eg *restrictAccess="**roleName"*. All services that use that dataset will be restricted to users with the named role."

CatalogA is accessible to usersA users, and catalogB is accessible to usersB users.

When I access to catalogA with usersA everything works fine: I'm asked for the user and password the first time I access any of the available services and in the next access the service is opened automaticaly. But if I return to the original page, where both catalogA and catalogB are accessible, and get into catalogB, then I'm not asked for user and password, and get an error page, with the next message:

"HTTP Status 401 - Not authorized to access this dataset.
------------------------------------------------------------------------
*type* Status report
*message* _Not authorized to access this dataset._
*description* _This request requires HTTP authentication (Not authorized to access this dataset.)._"


I suspect that after visiting catalogA, somehow the password and user info are stored, and when later I try to access catalogB, it's being assumed that the same user and password are supposed to be used, and therefore the error message. This bad behaviour stops after some minutes, so maybe there's some parameter I can modify in order to solve this issue.

My catalog.xml file where I define the restricted catalogues  looks like:
<catalogRef xlink:title="A Catalog" xlink:href="enhancedCatalogA.xml" name=""/> <catalogRef xlink:title="B Catalog" xlink:href="enhancedCatalogB.xml" name=""/>

The parts of the enhanced catalogue A looks like (it's exactly the same for catalogue B):
-For enhancedCatalogA.xml:
<datasetScan name="AData" ID="aEnhanced"
                 path="aEnhanced" location="content/dio/A/"
                 harvest="true"
                 restrictAccess="usersA">

The tomcat-users.xml looks like:
<role rolename="usersA"/>
<role rolename="restrictedDatasetUser"/>
<user username="usersA" password="pass" roles="gowData,restrictedDatasetUser"/>

When I try to access the second catalogue and get the error described above, I get this info in the logs: ip_of_the_machine_accessing_the_tomcat_server - usersB [24/May/2012:12:00:33 +0200] "GET /thredds/dodsC/bEnhanced/b_file.nc.html HTTP/1.1" 307 - ip_of_the_machine_accessing_the_tomcat_server - usersB [24/May/2012:12:00:34 +0200] "GET /thredds/restrictedAccess/BData HTTP/1.1" 403 1108


Is this the normal way this access restriction to work or am I doing some configuration mistake?

Thanks in advance

E Diaz


_______________________________________________
thredds mailing list
thredds@xxxxxxxxxxxxxxxx
For list information or to unsubscribe,  visit: 
http://www.unidata.ucar.edu/mailing_lists/