Emilio,
Maybe one interim solution is to assign a low lifetime for sessions in
the TDS web.xml file
<session-config>
<session-timeout>30</session-timeout> <!-- 30 minutes -->
</session-config>
or the other way is to close the browser and open it again, or delete
the cookies associated with the TDS server in your browser.
regards
Antonio
--
Antonio S. Cofiño
Grupo de Meteorología de Santander
Dep. de Matemática Aplicada y
Ciencias de la Computación
Universidad de Cantabria
Escuela de Caminos
Avenida de los Castros, 44
39005 Santander, Spain
Tel: (+34) 942 20 1731
Fax: (+34) 942 20 1703
http://www.meteo.unican.es
mailto:antonio.cofino@xxxxxxxxx
On 29/05/2012 8:45, Emilio wrote:
Hi Marcos
Thanks for your time and your answer. At least I know security is
working the way it's supposed to :)
On the other hand, is there a way to modify this behaviour? Some tag
to switch from true to false or some "cache time" to set to 0 in order
to avoid it? Well, I suppose if it were so, then the user would be
asked for his/her name and password every time (s)he tries to access a
service, which doesn't seem to be such a good idea.
Thanks again for your answer
Cheers
Emilio
On 05/24/2012 11:59 PM, Marcos Hermida wrote:
Hi Emilio,
security restrictions go in two phases: authentication and
authorization.
The first time you are prompted for the login credentials you get
authenticated in the application with a user and a role, and those
authentication credentials will be used during your session. Then,
once you are authenticated, every time you try to access a
resource the application checks if the user in the session has
authorization to access that resource.
This is why you are not asked again for the user and password when
you try to access other resources (you are already
authenticated). So, the behaviour you have is correct, and to access
resources with another user you need to clear your session and get
authenticated again with the new credentials.
Cheers!
On 05/24/2012 04:33 AM, Emilio wrote:
Hi all
In the last weeks I've been working on the installation and
administration of TDS and right now I'm stuck with the access
restriction topic
(https://www.unidata.ucar.edu/Projects/THREDDS/tech/tds4.1/reference/RestrictedAccess.html)
I'm using the second approach in order to restrict the users who are
able to execute services in two different catalogues.
"Alternately, you can add an attribute on a dataset or datasetScan
element in the TDS catalog, eg *restrictAccess="**roleName"*. All
services that use that dataset will be restricted to users with the
named role."
CatalogA is accessible to usersA users, and catalogB is accessible
to usersB users.
When I access catalogA with usersA everything works fine: I'm
asked for the user and password the first time I access any of the
available services and in the next access the service is opened
automatically.
But if I return to the original page, where both catalogA and
catalogB are accessible, and get into catalogB, then I'm not asked
for user and password, and get an error page, with the next message:
"HTTP Status 401 - Not authorized to access this dataset.
------------------------------------------------------------------------
*type* Status report
*message* _Not authorized to access this dataset._
*description* _This request requires HTTP authentication (Not
authorized to access this dataset.)._"
I suspect that after visiting catalogA, somehow the password and
user info are stored, and when later I try to access catalogB, it's
being assumed that the same user and password are supposed to be
used, and therefore the error message. This bad behaviour stops
after some minutes, so maybe there's some parameter I can modify in
order to solve this issue.
My catalog.xml file where I define the restricted catalogues looks
like:
<catalogRef xlink:title="A Catalog"
xlink:href="enhancedCatalogA.xml" name=""/>
<catalogRef xlink:title="B Catalog"
xlink:href="enhancedCatalogB.xml" name=""/>
The parts of the enhanced catalogue A look like (it's exactly the
same for catalogue B):
-For enhancedCatalogA.xml:
<datasetScan name="AData" ID="aEnhanced"
path="aEnhanced" location="content/dio/A/"
harvest="true"
restrictAccess="usersA">
The tomcat-users.xml looks like:
<role rolename="usersA"/>
<role rolename="restrictedDatasetUser"/>
<user username="usersA" password="pass"
roles="gowData,restrictedDatasetUser"/>
When I try to access the second catalogue and get the error
described above, I get this info in the logs:
ip_of_the_machine_accessing_the_tomcat_server - usersB
[24/May/2012:12:00:33 +0200] "GET
/thredds/dodsC/bEnhanced/b_file.nc.html HTTP/1.1" 307 -
ip_of_the_machine_accessing_the_tomcat_server - usersB
[24/May/2012:12:00:34 +0200] "GET /thredds/restrictedAccess/BData
HTTP/1.1" 403 1108
Is this the normal way for this access restriction to work, or am I
making some configuration mistake?
Thanks in advance
E Diaz
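
The authentication/authorization split described in this thread can be read straight from the access log: a 307 followed by a 403 on /thredds/restrictedAccess/ with a user name in the third field means the session was already authenticated and was refused on authorization. The following Python sketch is an added example, not part of the thread or of TDS; the sample lines are constructed in the same format as the quoted log, and the 5-second pairing window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Layout of the lines quoted in the thread: host ident user [time] "request" status bytes
LINE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
RESTRICTED = "/thredds/restrictedAccess/"

def parse(line):
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def authenticated_denials(lines, window=timedelta(seconds=5)):
    """Pair each 307 with a following 403 on restrictedAccess for the same
    host and logged-in user; return (user, requested_path, restricted_target)."""
    pending, hits = {}, []
    for rec in filter(None, map(parse, lines)):
        key = (rec["host"], rec["user"])
        if rec["status"] == 307:
            pending[key] = rec
        elif rec["status"] == 403 and rec["path"].startswith(RESTRICTED):
            first = pending.pop(key, None)
            # user "-" means no principal was logged: a login problem, not a role mismatch
            if first and rec["user"] != "-" and rec["ts"] - first["ts"] <= window:
                hits.append((rec["user"], first["path"], rec["path"][len(RESTRICTED):]))
    return hits

# Constructed sample lines (documentation IP range), same format as the thread's log.
SAMPLE = [
    '192.0.2.10 - usersA [24/May/2012:12:00:10 +0200] "GET /thredds/dodsC/aEnhanced/a_file.nc.html HTTP/1.1" 200 5120',
    '192.0.2.10 - usersA [24/May/2012:12:00:33 +0200] "GET /thredds/dodsC/bEnhanced/b_file.nc.html HTTP/1.1" 307 -',
    '192.0.2.10 - usersA [24/May/2012:12:00:34 +0200] "GET /thredds/restrictedAccess/BData HTTP/1.1" 403 1108',
    '192.0.2.20 - - [24/May/2012:12:01:00 +0200] "GET /thredds/dodsC/bEnhanced/b_file.nc.html HTTP/1.1" 307 -',
    '192.0.2.20 - - [24/May/2012:12:01:01 +0200] "GET /thredds/restrictedAccess/BData HTTP/1.1" 401 954',
]

if __name__ == "__main__":
    for user, path, target in authenticated_denials(SAMPLE):
        print(f"{user}: session authenticated but refused at {target} (requested {path})")
```

Run against a real access log, each hit names a user who needs to end the session (close the browser or clear the TDS cookies, as suggested above) before logging in with the other account.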
_______________________________________________
thredds mailing list
thredds@xxxxxxxxxxxxxxxx
For list information or to unsubscribe, visit:http://www.unidata.ucar.edu/mailing_lists/