On Aug 19, 2006, at 12:44 PM, John Caron wrote:
Hi James, et al:
The TDS currently uses Tomcat-based authentication/authorization.
HTTP basic, digest, form or HTTPS is supported. Unless you are
using session cookies, you have to authenticate every request. I
think the standard dods clients do not support session cookies (I
have a hacked version of the java dods client that does).
Tomcat requires that you specify the restricted URLs in the web.xml
file. For simple cases, this is not too hard, but for complicated
sites, not a good solution. I'd like to specify access control in
the TDS catalog, allowing it down to dataset granularity. I hope to
get that working soon, but I'm not sure how easy it will be.
Some of my uncertainty is about what dods clients can/should do. I
think the C client library will translate URLs with
http://login:passwd@url in them, or maybe that's being done at the
server?? But the java client library doesn't handle that?? Anyway,
I'm confused about what the constraints are from the dods clients.
Yes, the C++ library does handle the user:password@... URLs. It
parses that and builds the appropriate headers. I forgot what they
are exactly, but that's how it sends the credentials with every request.
James
Ethan Davis wrote:
Hi James,
Currently, the TDS doesn't do any authentication/authorization for
data access. But it is in the plans. John would have a better idea
of the time line for that than I. (Actually, I may be overstating
this. You may be able to set it up to do authentication/
authorization for data access but only on a server-wide level, or
at least the user would have to do all the mucking around with
Tomcat. Sorry for the flip-flopping. Now that I think about it
more it turns out I'm just not that sure. John would know better
and should be around on Monday.)
The TDS does do authentication/authorization (a la Tomcat) for
server configuration and such. If you want more details, see the
"Remote Management" and "Security" links from our TDS docs page
http://motherlode.ucar.edu:8080/thredds/docs/.
Ethan
James Gallagher wrote:
Folks,
I'm hacking together a document of 'Best Practices' about DAP
servers and I was wondering what sort of username/password
protection GDS, FDS and TDS supply? I sort of know what a servlet
engine like Tomcat 5.5 can do (although I'm nowhere near an
expert on it).
There's sort of a short time line on this; I need to get my text
to Dan soon but I should have a chance to hack in some changes
until Tuesday.
Thanks,
James
--
James Gallagher jgallagher at opendap.org
OPeNDAP, Inc 406.723.8663
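
Added example, not part of the original thread and not the C++ library's code: a sketch of how a client can turn a login:passwd@ URL into a per-request header, assuming HTTP Basic (one of the schemes John lists; the thread does not say which headers the library builds). The host name, path and function names are constructed for illustration. It also shows that the header is only encoded, so over plain HTTP the password is recoverable by anyone who sees the request.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample URL; host and path are placeholders.
SAMPLE = "http://login:passwd@data.example.org:8080/thredds/dodsC/sample.nc.dds?time"

def split_credentials(url):
    """Return (url_without_userinfo, headers) for a user:password@ URL."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, {}
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    # Assumption: HTTP Basic (RFC 7617), base64 of "user:password".
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    host = parts.hostname
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    # Rebuild the URL without userinfo so the password stays out of the
    # request line, server access logs and error messages.
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, {"Authorization": f"Basic {token}"}

def decode_basic(header_value):
    """What an observer of the request can do: recover (user, password)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def sent_in_clear(url):
    """True when the URL carries credentials but the scheme is not HTTPS."""
    parts = urlsplit(url)
    return parts.username is not None and parts.scheme.lower() != "https"

if __name__ == "__main__":
    clean, headers = split_credentials(SAMPLE)
    print(clean)
    print(headers)
    print("recoverable from the wire:", decode_basic(headers["Authorization"]))
    print("needs HTTPS:", sent_in_clear(SAMPLE))
```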