GDS, FDS and TDS security questions

James Gallagher jhrg at mac.com
Sat Aug 19 16:15:19 MDT 2006


On Aug 19, 2006, at 12:44 PM, John Caron wrote:

> Hi James, et al:
>
> The TDS currently uses Tomcat-based authentication/authorization.  
> HTTP basic, digest, form or HTTPS is supported. Unless you are  
> using session cookies, you have to authenticate every request. I  
> think the standard dods clients do not support session cookies (I  
> have a hacked version of the java dods client that does).
>
> Tomcat requires that you specify the restricted URLs in the web.xml  
> file. For simple cases, this is not too hard, but for complicated  
> sites, not a good solution. I'd like to specify access control in  
> the TDS catalog, allowing it down to dataset granularity. I hope to  
> get that working soon, but I'm not sure how easy it will be.
>
> Some of my uncertainty is about what dods clients can/should do. I  
> think the C client library will translate URLs with  
> http://login:passwd@url in them, or maybe that's being done at the  
> server?? But the java client library doesn't handle that?? Anyway,  
> I'm confused about what the constraints are from the dods clients.

Yes, the C++ library does handle the user:password@... URLs. It  
parses that and builds the appropriate headers. I forgot what they  
are exactly, but that's how it sends the credentials with every request.

James
>
> Ethan Davis wrote:
>
>> Hi James,
>>
>> Currently, the TDS doesn't do any authentication/authorization for  
>> data access. But it is in the plans. John would have a better idea  
>> of the time line for that than I. (Actually, I may be overstating  
>> this. You may be able to set it up to do  
>> authentication/authorization for data access but only on a server-wide level, or  
>> at least the user would have to do all the mucking around with  
>> Tomcat. Sorry for the flip-flopping. Now that I think about it  
>> more it turns out I'm just not that sure. John would know better  
>> and should be around on Monday.)
>>
>> The TDS does do authentication/authorization (a la Tomcat) for  
>> server configuration and such. If you want more details, see the  
>> "Remote Management" and "Security" links from our TDS docs page  
>> http://motherlode.ucar.edu:8080/thredds/docs/.
>>
>> Ethan
>>
>> James Gallagher wrote:
>>
>>> Folks,
>>>
>>> I'm hacking together a document of 'Best Practices' about DAP  
>>> servers and I was wondering what sort of username/password  
>>> protection GDS, FDS and TDS supply? I sort of know what a servlet  
>>> engine like Tomcat 5.5 can do (although I'm nowhere near an  
>>> expert on it).
>>>
>>> There's sort of a short time line on this; I need to get my text  
>>> to Dan soon but I should have a chance to hack in some changes  
>>> until Tuesday.
>>>
>>> Thanks,
>>> James
>>> -- 
>>> James Gallagher                jgallagher at opendap.org
>>> OPeNDAP, Inc                   406.723.8663
>>
>>
>
>

--
James Gallagher                jgallagher at opendap.org
OPeNDAP, Inc                   406.723.8663


