I set up a thredds server with version 4.6.3 and Tomcat 8.0 with some datasets
password protected. The setup works fine with web browsers. A user gets
prompted for a password when visiting a catalog or netcdf file that is protected.
However, if a user tries to retrieve netcdf file related info (.dds, .das,
.dods) with a given URL, for example, from matlab "ncdisp()" or panoply, it
goes through directly and no password is even prompted. It appears to be a big
security hole unless my setup has problems. Here is the configuration I have.
What am I missing?
Log file /…/logs/localhost_access_log.2016-03-21.txt shows that the .dds, .das,
.dods info related to the netcdf file is sent to the client without password
protection.
155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dds HTTP/1.1" 200 5323
155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.das HTTP/1.1" 200 8618
155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dods?xpos,ypos,time,date,layer%5fbnds,sigma HTTP/1.1" 200 9708
/…/webapps/thredds/WEB-INF/web.xml shows that all paths with "restrictedAccess"
should be password protected.
…
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted access datasets</web-resource-name>
        <url-pattern>/restrictedAccess/*</url-pattern>
        <url-pattern>/*/restrictedAccess/*</url-pattern>
        <url-pattern>/*/*/restrictedAccess/*</url-pattern>
        <url-pattern>/*/*/*/restrictedAccess/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>restrictedDatasetUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
…
Thanks!
— Kevin Ying
________________________________
Email: kying@xxxxxxxxxxx
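A way to check whether a web.xml security-constraint actually covers the requests seen in an access log, added here as an example and not part of the thread or of the THREDDS/Tomcat code. It implements url-pattern matching as the Servlet specification (section 12.2) defines it: only a trailing "/*" (path prefix), a leading "*." (extension), "/" (default) and exact strings are recognised, so a "*" in the middle of a pattern is an ordinary character. The script takes the four patterns and the three log lines quoted above (rejoined onto one line each) and reports, per request, which patterns apply. It assumes the webapp context path is /thredds and that url-patterns are matched against the context-relative part of the path, which is how the servlet container evaluates them.

```python
import re
from urllib.parse import urlsplit

# Context path of the TDS webapp; url-patterns in web.xml are matched against
# the part of the request path that follows it (assumption about this
# deployment, taken from the /thredds/... paths in the log).
CONTEXT_PATH = "/thredds"

# The four url-patterns from the security-constraint quoted in the post.
WEB_XML_PATTERNS = [
    "/restrictedAccess/*",
    "/*/restrictedAccess/*",
    "/*/*/restrictedAccess/*",
    "/*/*/*/restrictedAccess/*",
]

# The three access-log lines quoted in the post, rejoined onto one line each.
ACCESS_LOG = """\
155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dds HTTP/1.1" 200 5323
155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.das HTTP/1.1" 200 8618
155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dods?xpos,ypos,time,date,layer%5fbnds,sigma HTTP/1.1" 200 9708
"""

# Request line and status code out of a Tomcat access-log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def pattern_kind(pattern):
    """Classify a url-pattern the way Servlet spec section 12.2 does."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"      # path mapping: /foo/* covers /foo and /foo/...
    if pattern.startswith("*."):
        return "extension"   # extension mapping: *.dds
    if pattern in ("", "/"):
        return "default"
    return "exact"           # anything else matches only that literal string


def matches(pattern, path):
    """Servlet url-pattern matching. A '*' anywhere other than the trailing
    '/*' or the leading '*.' is an ordinary character, not a wildcard."""
    kind = pattern_kind(pattern)
    if kind == "prefix":
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        return path.endswith(pattern[1:])
    if kind == "default":
        return True
    return path == pattern


def context_relative_path(target):
    """Strip the query string and the webapp context path from a request target."""
    path = urlsplit(target).path
    if path == CONTEXT_PATH or path.startswith(CONTEXT_PATH + "/"):
        path = path[len(CONTEXT_PATH):]
    return path


def covering_patterns(path, patterns=WEB_XML_PATTERNS):
    """All constraint patterns that apply to this context-relative path."""
    return [p for p in patterns if matches(p, path)]


def audit(log_text, patterns=WEB_XML_PATTERNS):
    """For each request in the log, report its context-relative path, the HTTP
    status that was returned and which constraint patterns covered it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path = context_relative_path(m.group("target"))
        findings.append({
            "path": path,
            "status": int(m.group("status")),
            "covered_by": covering_patterns(path, patterns),
        })
    return findings


def unprotected_hits(log_text, patterns=WEB_XML_PATTERNS):
    """Paths that were served (2xx) but matched no constraint pattern."""
    return [f["path"] for f in audit(log_text, patterns)
            if 200 <= f["status"] < 300 and not f["covered_by"]]


if __name__ == "__main__":
    for f in audit(ACCESS_LOG):
        print(f["status"], f["path"], "covered by:", f["covered_by"] or "nothing")
```

Run against the quoted log, all three .dds/.das/.dods requests come back as served with status 200 and covered by none of the four patterns: the context-relative path starts with /dodsC/, which only the first pattern could ever prefix-match, and that pattern requires the path to start with /restrictedAccess/. The same audit can be pointed at a longer access log and a different pattern list to see which served paths fall outside a constraint before relying on it.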