Re: [thredds] Problems accessing 2 folders restricted to 2differentusers in the same session

Hi Emilio:

Is this in a browser or some application?

If in the browser, im guessing that the problem is that the browser is caching your credentials - you need to clear them between accesses.

John

On 5/29/2012 9:43 AM, "Antonio S. Cofiño" wrote:
Emilio,


May be one interim solution is to assign a low lifetime for sessions in the TDS web.xml file

<session-config>
<session-timeout>30</session-timeout> <!-- 30 minutes -->
</session-config>

or the other way is to close the browser and open it again, or delete the cookies associated with the TDS server in your browser.

regards

Antonio

--
Antonio S. Cofiño
Grupo de Meteorología de Santander
Dep. de Matemática Aplicada y
        Ciencias de la Computación
Universidad de Cantabria
Escuela de Caminos
Avenida de los Castros, 44
39005 Santander, Spain
Tel: (+34) 942 20 1731
Fax: (+34) 942 20 1703
http://www.meteo.unican.es
mailto:antonio.cofino@xxxxxxxxx


El 29/05/2012 8:45, Emilio escribió:
Hi Marcos

Thanks for your time and your answer. At least I know security is working the way it's supposed to :)

On the other hand , is there a way to modify this behaviour? Some tag to switch from true to false or some "cache time" to set to 0 in order to avoid it? Well, I suppose if it were so, then the user would be asked for his/her name and password every time (s)he tries to access a service, which doesn't seem to be such a good idea.

Thanks again for your answer

Cheers

   Emilio

On 05/24/2012 11:59 PM, Marcos Hermida wrote:
Hi Emilio,

security restrictions go in two phases: authentication and authorization. First time you are prompted the login credentials you get authenticated in the application with an user and a role and those authentication credentials will be used during your session. Then, once you are authenticated, every time you try to access to a resource the application check if the user in the session has authorization to access to that resource. This is why you are not asked again for the user and password when you try to access to other resources (you are already authenticated). So, the behaviour you have is correct and to access to resources with other user you need to clear your session and get authenticated again with the new credentials.

Cheers!

On 05/24/2012 04:33 AM, Emilio wrote:
Hi all

In the last weeks I've been working on the installation and administration of TDS and right now I'm stuck with the access restriction topic (https://www.unidata.ucar.edu/Projects/THREDDS/tech/tds4.1/reference/RestrictedAccess.html)

I'm using the second approach in order to restrict the users who are able to execute services in two different catalogues. "Alternately, you can add an attribute on a dataset or datasetScan element in the TDS catalog, eg *restrictAccess="**roleName"*. All services that use that dataset will be restricted to users with the named role."

CatalogA is accessible to usersA users, and catalogB is accessible to usersB users.

When I access to catalogA with usersA everything works fine: I'm asked for the user and password the first time I access any of the available services and in the next access the service is opened automaticaly. But if I return to the original page, where both catalogA and catalogB are accessible, and get into catalogB, then I'm not asked for user and password, and get an error page, with the next message:

"HTTP Status 401 - Not authorized to access this dataset.
------------------------------------------------------------------------
*type* Status report
*message* _Not authorized to access this dataset._
*description* _This request requires HTTP authentication (Not authorized to access this dataset.)._"


I suspect that after visiting catalogA, somehow the password and user info are stored, and when later I try to access catalogB, it's being assumed that the same user and password are supposed to be used, and therefore the error message. This bad behaviour stops after some minutes, so maybe there's some parameter I can modify in order to solve this issue.

My catalog.xml file where I define the restricted catalogues looks like: <catalogRef xlink:title="A Catalog" xlink:href="enhancedCatalogA.xml" name=""/> <catalogRef xlink:title="B Catalog" xlink:href="enhancedCatalogB.xml" name=""/>

The parts of the enhanced catalogue A looks like (it's exactly the same for catalogue B):
-For enhancedCatalogA.xml:
<datasetScan name="AData" ID="aEnhanced"
                 path="aEnhanced" location="content/dio/A/"
                 harvest="true"
                 restrictAccess="usersA">

The tomcat-users.xml looks like:
<role rolename="usersA"/>
<role rolename="restrictedDatasetUser"/>
<user username="usersA" password="pass" roles="gowData,restrictedDatasetUser"/>

When I try to access the second catalogue and get the error described above, I get this info in the logs: ip_of_the_machine_accessing_the_tomcat_server - usersB [24/May/2012:12:00:33 +0200] "GET /thredds/dodsC/bEnhanced/b_file.nc.html HTTP/1.1" 307 - ip_of_the_machine_accessing_the_tomcat_server - usersB [24/May/2012:12:00:34 +0200] "GET /thredds/restrictedAccess/BData HTTP/1.1" 403 1108


Is this the normal way this access restriction to work or am I doing some configuration mistake?

Thanks in advance

E Diaz


_______________________________________________
thredds mailing list
thredds@xxxxxxxxxxxxxxxx
For list information or to unsubscribe, visit:http://www.unidata.ucar.edu/mailing_lists/



_______________________________________________
thredds mailing list
thredds@xxxxxxxxxxxxxxxx
For list information or to unsubscribe, visit:http://www.unidata.ucar.edu/mailing_lists/



_______________________________________________
thredds mailing list
thredds@xxxxxxxxxxxxxxxx
For list information or to unsubscribe, visit: http://www.unidata.ucar.edu/mailing_lists/



_______________________________________________
thredds mailing list
thredds@xxxxxxxxxxxxxxxx
For list information or to unsubscribe,  visit: 
http://www.unidata.ucar.edu/mailing_lists/