i was using cas server 3.0.6; i just dropped the war file into tomcat and used 
the default (name=password) to test with. other than using a login page instead 
of an HTTP 401 authorization challenge, it worked fine.
Luca Cinquini wrote:
3.0.5 - my CAS server uses some Acegi plugin, I wonder if that causes a
bad interaction. I am going to try with the standard cas distribution
and see what happens - I'll have to do it tomorrow though since I have
a meeting in 5 minutes
L
On Feb 1, 2007, at 2:18 PM, John Caron wrote:
yes, mine was working. what version of CAS server are you using?
Luca Cinquini wrote:
Talking about SSO, I am trying it out with our (working) CAS server,
and it looks like after a successful authentication, the CAS server
does NOT redirect back to the TDS server. Is it working for you? I am
wondering if a parameter is missing in the first CAS invocation...
L
On Feb 1, 2007, at 1:33 PM, John Caron wrote:
Luca Cinquini wrote:
Hi John,
    my Thursday actually cleared up so I started testing the new TDS
security. I successfully used Basic/Digest/SSL with one of our local
datasets, it seems to be working fine. I am going to go ahead and try
the rest, but in the meantime I thought about sending you the
following comments/questions:
1) Security seems to be working for the Opendap and WCS services, but
not for the HTTP server
yes, i forgot to do it thanks for reminding
2) I thought there was a filter that intercepts all requests and
redirects to /restrictAccess/ in case of failed authorization, but I
can't find it - did you move that functionality to the servlet?
filters work on URL patterns; I'm trying to put the configuration in
the catalogs themselves, and not worry about URL patterns, but rather
protect the abstract "dataset" whatever its access URLs are. So when a
data access comes in, I check if it's a restricted dataset, and do the
redirect myself (TomcatAuthorizer.authorize())
3) web.xml is set up by default to perform BASIC authentication, while
the instructions mention DIGEST as the default configuration (no big
deal, I just thought I'd mention it)
I saw some funny problems with DIGEST that went away with BASIC; I
hope to figure out the problem and ship with DIGEST as default.
4) After a successful authentication, how does the server remember
which URL to redirect the client to? Is it stored on the server, or
is it passed via cookies or HTTP headers?
the original URL is stored in the session object on the server.
5) There is now a special security role called "restrictedDatasetUser".
I wonder if it would be possible to make this name configurable,
keeping "restrictedDatasetUser" as the default. The reason I am asking
is because the CDP already has its own default security role, called
"USER"
Yes, you just have to change thredds web.xml, and use your own name
(grep for restrictedDatasetUser, you'll see where)
6) In terms of restricting access to a dataset in the thredds
catalog.xml files - could the restrictAccess attribute placed on a
parent be overridden by a different value placed on a child?
yes, but i need to test to see if I implemented correctly.
thanks, back to work,
Luca
thanks a million, BTW I'm now trying out CAMS, a commercial SSO
provider that we use.
On Jan 30, 2007, at 3:38 PM, John Caron wrote:
I have a release 3.15.02 that should work
The war file is at
ftp://ftp.unidata.ucar.edu/pub/thredds/3.15/thredds.war
The full source is at
ftp://ftp.unidata.ucar.edu/pub/thredds/temp/threddsSrc-2.2.19.01.jar
Updated docs are at
http://www.unidata.ucar.edu/projects/THREDDS/tech/reference/RestrictedAccess.html
http://www.unidata.ucar.edu/projects/THREDDS/tech/reference/PluggableRestrictedAccess.htm
Not sure exactly how you want to proceed, but perhaps get the default
security working, then try using CAS? then write your own? The
relevant code is all in thredds.servlet.restrict
Let me know how it's going....
Luca Cinquini wrote:
Hi John,
    I am going to try to test it next week - please let me know when
the beta server is ready for me to download it.
thanks, luca
On Jan 25, 2007, at 5:23 PM, John Caron wrote:
I have a first pass working, here's some docs, I will get you a
release tomorrow.
 http://www.unidata.ucar.edu/projects/THREDDS/tech/reference/PluggableRestrictedAccess.htm
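
Added example, not part of the original thread and not THREDDS code: a sketch of the dataset-level check discussed in points 2 and 6, where a restrictAccess value on a parent dataset is inherited by its children unless a child sets its own. The catalog below is constructed and simplified (no XML namespace), and the nearest-ancestor rule, the deny-on-unknown-path choice and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample catalog; role names are the two mentioned in the thread.
CATALOG = """<catalog>
  <dataset name="top" restrictAccess="restrictedDatasetUser">
    <dataset name="inherits" urlPath="a/inherits.nc"/>
    <dataset name="override" urlPath="a/override.nc" restrictAccess="USER"/>
    <dataset name="group">
      <dataset name="deep" urlPath="a/deep.nc"/>
    </dataset>
  </dataset>
  <dataset name="open" urlPath="b/open.nc"/>
</catalog>"""


def effective_roles(catalog_xml):
    """Map each dataset urlPath to the role required to read it (None = open)."""
    roles = {}

    def walk(elem, inherited):
        # A value set on this element replaces whatever the ancestors set
        # (assumed semantics: nearest restrictAccess wins).
        role = elem.get("restrictAccess", inherited)
        path = elem.get("urlPath")
        if path is not None:
            roles[path] = role
        for child in elem.findall("dataset"):
            walk(child, role)

    for top in ET.fromstring(catalog_xml).findall("dataset"):
        walk(top, None)
    return roles


def authorize(roles, url_path, user_roles):
    """Decide per dataset, not per URL pattern; unknown paths are denied."""
    if url_path not in roles:
        return False
    required = roles[url_path]
    return required is None or required in user_roles


if __name__ == "__main__":
    table = effective_roles(CATALOG)
    for path, role in sorted(table.items()):
        print(path, "->", role or "(open)")
    # Holding the parent's role is not enough for the overriding child.
    print(authorize(table, "a/override.nc", {"restrictedDatasetUser"}))
```

A review of a real catalog would compare this resolved table against the intended policy, since an override on a child can loosen as well as tighten what the parent set.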