[thredds] info retrieved passing tomcat/thredds password protection

I set up a thredds server with version 4.6.3 and Tomcat 8.0 with some datasets 
password protected.  The setup works fine with web browsers.  A user gets 
prompted for a password when visiting a catalog or netcdf file that is protected. 
However, if a user tries to retrieve netcdf-file-related info (.dds, .das, 
.dods) with a given URL, for example from matlab "ncdisp()" or panoply, it 
goes through directly and no password is even prompted.  It appears to be a big 
security hole unless my setup has problems.  Here is the configuration I have.  
What am I missing?


Log file /…/logs/localhost_access_log.2016-03-21.txt  shows that .dds, .das, 
.dods info related to the netcdf file is sent to client without password 
protection.

155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dds HTTP/1.1" 200 5323

155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.das HTTP/1.1" 200 8618

155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dods?xpos,ypos,time,date,layer%5fbnds,sigma HTTP/1.1" 200 9708

/…/webapps/thredds/WEB-INF/web.xml shows all paths with "restrictedAccess" 
should be password protected.

…

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted access datasets</web-resource-name>
      <url-pattern>/restrictedAccess/*</url-pattern>
      <url-pattern>/*/restrictedAccess/*</url-pattern>
      <url-pattern>/*/*/restrictedAccess/*</url-pattern>
      <url-pattern>/*/*/*/restrictedAccess/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>restrictedDatasetUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

…

Thanks!

— Kevin Ying

________________________________
Email: kying@xxxxxxxxxxx
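A way to check whether the posted <security-constraint> can ever apply to the logged requests is to evaluate the four <url-pattern> entries with the Java Servlet specification's matching rules, which a container such as Tomcat follows: '*' is a wildcard only in a path mapping ("/prefix/*") or an extension mapping ("*.ext"), and every other pattern is an exact string match. The checker below is an added example, not code from the post or from THREDDS/Tomcat; it assumes the webapp's context path is /thredds (as the logged URIs show) and takes the first two request URIs from the access log in the post.

```python
from urllib.parse import urlsplit

# <url-pattern> entries copied from the web.xml fragment in the post.
PATTERNS = [
    "/restrictedAccess/*",
    "/*/restrictedAccess/*",
    "/*/*/restrictedAccess/*",
    "/*/*/*/restrictedAccess/*",
]

CONTEXT_PATH = "/thredds"  # webapp context path, as seen in the logged URIs


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec matching of one <url-pattern> against a context-relative path.

    Only path mapping ('/prefix/*') and extension mapping ('*.ext') treat '*'
    as a wildcard; any other pattern, including one with '*' in the middle,
    is compared as a literal string.
    """
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def context_relative(request_uri: str) -> str:
    """Drop the query string and the context path, as the container does before matching."""
    path = urlsplit(request_uri).path
    if path == CONTEXT_PATH or path.startswith(CONTEXT_PATH + "/"):
        path = path[len(CONTEXT_PATH):]
    return path or "/"


def constrained(request_uri: str, patterns=PATTERNS) -> list:
    """Patterns whose security constraint covers this request; an empty list means none does."""
    path = context_relative(request_uri)
    return [p for p in patterns if pattern_matches(p, path)]


if __name__ == "__main__":
    # First two URIs are from the access log in the post; the third is a constructed
    # path under /thredds/restrictedAccess/ to show what the first pattern does cover.
    for uri in [
        "/thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dds",
        "/thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dods?xpos,ypos,time",
        "/thredds/restrictedAccess/version3/individual/Run_20151227_0000.nc",
    ]:
        hits = constrained(uri)
        print(uri, "->", "covered by " + ", ".join(hits) if hits else "NO constraint applies")
```

For the logged /thredds/dodsC/restrictedAccess/... requests the container-relative path starts with /dodsC, so none of the four patterns matches and the constraint is never consulted; a prefix pattern covering the actual OPeNDAP service path (for example /dodsC/restrictedAccess/*) is what the matcher reports as covering them.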

