Luca Cinquini wrote:
Hi John,
my Thursday actually cleared up so I started testing the new TDS
security. I successfully used Basic/Digest/SSL with one of our local
datasets, it seems to be working fine. I am going to go ahead and try
the rest, but in the meantime I thought about sending you the following
comments/questions:
1) Security seems to be working for the Opendap and WCS services, but
not for the HTTP server
yes, i forgot to do it thanks for reminding
2) I thought there was a filter that intercepts all requests and
redirects to /restrictAccess/ in case of failed authorization, but I
can-t find it - did you move that functionality to the servlet ?
filters work on URL patterns; im trying to put the configuration in the catalogs
themselves, and not worry about url patterns, but rather protect the abstract
"dataset" whatever its access URLs are. So when a data access comes in, i check
if its a restricted dataset, and do the redirect myself (TomcatAuthorizer.authorize())
3) web.xml is setup by default to perform BASIC authentication, while
the instructions mention DIGEST as the default configuration (no big
deal, I just thought I mentioned it)
I saw some funny problems with DIGEST that went away with BASIC; I hope to figure out the problem and ship with DIGEST as default.
4) After a successful authentication, how does the server remember
which URL to redirect the client to ? Is it stored on the server, or is
it passed via cookies or HTTP headers ?
the original URL is stored in the session object on the server.
5) There is now a special security role called "restrictedDatasetUser"
I wonder if it would be possible to make this name configurable,
keeping "restrictedDatasetUser" as the default. The reason I am asking
is because the CDP already has its own deafult security role, called
"USER"
Yes, you just have to change thredds web.xml, and use your own name (grep for
restrictedDatasetUser, you'll see where)
6) In terms of restricting access to a dataset in the thredds
catalog.xml files - could the restrictAccess attribute placed on a
parent be overridden by a different value placed on a child ?
yes, but i need to test to see if I implemented correctly.
thanks, back to work,
Luca
thanks a million, BTW im now trying out CAMS, a commercial SSO provider that we
use.
On Jan 30, 2007, at 3:38 PM, John Caron wrote:
I have a release 3.15.02 that should work
The war file is at
ftp://ftp.unidata.ucar.edu/pub/thredds/3.15/thredds.war
The full source is at
ftp://ftp.unidata.ucar.edu/pub/thredds/temp/threddsSrc-2.2.19.01.jar
Updated docs are at
http://www.unidata.ucar.edu/projects/THREDDS/tech/reference/
RestrictedAccess.html
http://www.unidata.ucar.edu/projects/THREDDS/tech/reference/
PluggableRestrictedAccess.htm
Not sure exactly how you want to proceed, but perhaps get the default
security working, then try using CAS? then write your own? The
relevent code is all in thredds.servlet.restrict
Let me know how its going....
Luca Cinquini wrote:
Hi John,
I am going to try to test it next week - please let me know when
the beta server is ready for me to download it.
thanks, luca
On Jan 25, 2007, at 5:23 PM, John Caron wrote:
I have a first pass working, heres some docs, i will get you a
release tommorrow.
http://www.unidata.ucar.edu/projects/THREDDS/tech/reference/
PluggableRestrictedAccess.htm
