Re: [thredds] command line access to restricted dataset when authentication is by LDAP

Emanuele,

The other reason to use wget parameters instead of encoding authentication into the URL is that, with the latter, the authentication information will be lost in the redirection (restrictedAccess) and therefore it will fail:

HTTP request sent, awaiting response... 307 Temporary Redirect
Location: https://utmea.enea.it:8290/medcordexh/restrictedAccess/hymexCore 
[following]
--2014-07-03 11:45:54--  
https://utmea.enea.it:8290/medcordexh/restrictedAccess/hymexCore
Reusing existing connection to utmea.enea.it:8290.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed.


If you use the wget parameters, wget will use them when an authentication challenge response is made by the server in the redirection.

For a good trace of what is happening, add the --debug flag to wget.

Antonio

--
Antonio S. Cofiño
Grupo de Meteorología de Santander
Dep. de Matemática Aplicada y
        Ciencias de la Computación
Universidad de Cantabria
http://www.meteo.unican.es
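
The failure pattern in the trace above (a URL carrying credentials gets a 3xx, and the follow-up request to the `Location` URL gets a 401) can be checked for mechanically. This is an added example, not part of the original message: the host name and credentials are constructed placeholders, and `--user` / `--ask-password` are the GNU wget options assumed here for "wget parameters".

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample in the shape of the wget trace quoted in this thread;
# host name and credentials are placeholders.
TRACE = """\
--2014-07-03 11:45:54--  https://user%40example.org:*password*@tds.example.org:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: https://tds.example.org:8290/medcordexh/restrictedAccess/hymexCore [following]
--2014-07-03 11:45:54--  https://tds.example.org:8290/medcordexh/restrictedAccess/hymexCore
Reusing existing connection to tds.example.org:8290.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed.
"""

# A request starts at "--<timestamp>--"; the URL may wrap onto the next line.
REQUEST = re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(\S+)", re.M)
STATUS = re.compile(r"awaiting response\.\.\. (\d{3})")
REDIRECTS = {301, 302, 303, 307, 308}


def hops(trace):
    """Return [(url, status)] for every request recorded in a wget trace."""
    marks = list(REQUEST.finditer(trace))
    result = []
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(trace)
        status = STATUS.search(trace, mark.end(), end)
        result.append((mark.group(1), int(status.group(1)) if status else None))
    return result


def lost_credentials(trace):
    """True if a URL with userinfo was redirected and the next hop,
    whose URL has no userinfo, was refused with 401."""
    seq = hops(trace)
    for (url, status), (nxt, nxt_status) in zip(seq, seq[1:]):
        if (urlsplit(url).username and status in REDIRECTS
                and not urlsplit(nxt).username and nxt_status == 401):
            return True
    return False


def wget_args(url, debug=True):
    """Move userinfo out of the URL and into wget options, so wget can answer
    the challenge on whichever hop issues it. --ask-password prompts instead
    of placing the password in the process list or shell history."""
    parts = urlsplit(url)
    if not parts.username:
        return ["wget", url]
    host = parts.netloc.rpartition("@")[2]
    clean = url.replace(parts.netloc, host, 1)   # same URL minus userinfo
    args = ["wget", f"--user={unquote(parts.username)}", "--ask-password"]
    if debug:
        args.append("--debug")
    return args + [clean]


if __name__ == "__main__":
    print("credentials lost on redirect:", lost_credentials(TRACE))
    print(" ".join(wget_args(hops(TRACE)[0][0])))
```
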

On 03/07/2014 12:24, emanuele lombardi wrote:
THREDDS 4.3.21 and TOMCAT  7.0.54

I set up my TDS to use a remote LDAP server for verifying users' credentials to 
allow people to access restricted datasets.
It works properly when using a web browser but it doesn't work when accessing the 
same dataset from the command line (ncdump, cdo or ferret) passing LDAP
credentials in the URL.

Since I strongly need to allow dodsC service to command line LDAP authenticated 
users,
can you help me please?

If you are still reading and you can spend your time with the problem, here are 
the details, followed by the related catalina.out messages.

First of all I must say that I verified that using standard tomcat-users.xml 
authentication (instead of LDAP) there are no problems and all works fine
(from web browser and from command line).


To set up my LDAP authorized TDS I first renamed my thredds webapp to 
"medcordexh",
then I changed all things to be changed (catalog.xml, web.xml and 
tds.properties),
then I added to server.xml the following code within <Host> and </Host>

      <Context docBase="medcordexh" path="/medcordexh">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://xxx.xxx.xxx.xxx"
               connectionName="cn=yyy,dc=yyyy,dc=yyyy,dc=yy"
               connectionPassword="mysecret"
               roleBase="ou=Group,dc=yyyy,dc=yyyy,dc=yy"
               roleName="groupId"
               roleSearch="(memberUid={2})"
               userPattern="mail={0},ou=People,dc=yyyy,dc=yyyy,dc=yy"
               userRoleAttribute="mail"
               roleSubtree="true"
               />
       </Context>

In this way the users authentication is made by the LDAP server.

In my catalog.xml I restricted the dataset access with
      restrictAccess="hymexCore"
where HymexCore is the groupId (defined in LDAP server) to which I want to 
allow access.
Once tomcat is restarted I can successfully access my datasets using the browser 
(in which case LDAP authentication works) but not by command line. To
simplify we'll try to see the ascii representation of a test.nc file


If I point my browser to
https://utmea.enea.it:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?
then I'm asked for the LDAP credentials and they are successfully used to let me 
see the web page


But if I use the same LDAP credentials in the next command
  wget 'https://XXXXXXXXX:XXXXX@xxxxxxxxxxxxx:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?'
I get the following error messages:

--2014-07-03 11:45:54--  
https://emanuele.lombardi%F40enea.it:*password*@utmea.enea.it:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?
Resolving utmea.enea.it... 192.107.77.41
Connecting to utmea.enea.it|192.107.77.41|:8290... connected.
WARNING: cannot verify utmea.enea.it's certificate, issued by 
`/C=it/ST=ITALY/L=ROMA/O=ENEA/OU=UTMEA/CN=utmea.enea.it':
   Self-signed certificate encountered.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: https://utmea.enea.it:8290/medcordexh/restrictedAccess/hymexCore 
[following]
--2014-07-03 11:45:54--  
https://utmea.enea.it:8290/medcordexh/restrictedAccess/hymexCore
Reusing existing connection to utmea.enea.it:8290.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed.



Here follows the catalina.log for both of the above examples:

============================================================================================================================00
catalina.log of successful browser access:

Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii
--> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii
--> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii
--> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii
--> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   No applicable constraint located
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase hasRole
FINE: Username emanuele.lombardi@xxxxxxx has role hymexCore



============================================================================================================================00
catalina.log of unsuccessful wget command
wget --no-check-certificate 
'https://emanuele.lombardi%f40enea.it:XXXXXX@xxxxxxxxxxxxx:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?'

Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access datasets]' 
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   No applicable constraint located
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET /restrictedAccess/hymexCore
--> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' against 
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /restrictedAccess/hymexCore --> true
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access datasets]' 
against GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[allow feature collection rescan 
to be triggered externally]' against GET /restrictedAccess/hymexCore
--> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[cataloggen configuration]' against 
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[not allowed]' against GET 
/restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[restricted access datasets]' 
against GET /restrictedAccess/hymexCore --> true
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[sensitive read access]' against 
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
findSecurityConstraints
FINE:   Checking constraint 'SecurityConstraint[Test Restricted access datasets]' 
against GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase 
hasUserDataPermission
FINE:   User data constraint already satisfied








