Hi all
In the last weeks I've been working on the installation and
administration of TDS and right now I'm stuck with the access
restriction topic
(https://www.unidata.ucar.edu/Projects/THREDDS/tech/tds4.1/reference/RestrictedAccess.html)
I'm using the second approach in order to restrict the users who are
able to execute services in two different catalogues.
"Alternately, you can add an attribute on a dataset or datasetScan
element in the TDS catalog, eg *restrictAccess="**roleName"*. All
services that use that dataset will be restricted to users with the
named role."
CatalogA is accessible to usersA users, and catalogB is accessible to
usersB users.
When I access to catalogA with usersA everything works fine: I'm asked
for the user and password the first time I access any of the available
services and in the next access the service is opened automaticaly.
But if I return to the original page, where both catalogA and catalogB
are accessible, and get into catalogB, then I'm not asked for user and
password, and get an error page, with the next message:
"HTTP Status 401 - Not authorized to access this dataset.
------------------------------------------------------------------------
*type* Status report
*message* _Not authorized to access this dataset._
*description* _This request requires HTTP authentication (Not authorized
to access this dataset.)._"
I suspect that after visiting catalogA, somehow the password and user
info are stored, and when later I try to access catalogB, it's being
assumed that the same user and password are supposed to be used, and
therefore the error message. This bad behaviour stops after some
minutes, so maybe there's some parameter I can modify in order to solve
this issue.
My catalog.xml file where I define the restricted catalogues looks like:
<catalogRef xlink:title="A Catalog" xlink:href="enhancedCatalogA.xml"
name=""/>
<catalogRef xlink:title="B Catalog" xlink:href="enhancedCatalogB.xml"
name=""/>
The parts of the enhanced catalogue A looks like (it's exactly the same
for catalogue B):
-For enhancedCatalogA.xml:
<datasetScan name="AData" ID="aEnhanced"
path="aEnhanced" location="content/dio/A/"
harvest="true"
restrictAccess="usersA">
The tomcat-users.xml looks like:
<role rolename="usersA"/>
<role rolename="restrictedDatasetUser"/>
<user username="usersA" password="pass"
roles="gowData,restrictedDatasetUser"/>
When I try to access the second catalogue and get the error described
above, I get this info in the logs:
ip_of_the_machine_accessing_the_tomcat_server - usersB
[24/May/2012:12:00:33 +0200] "GET
/thredds/dodsC/bEnhanced/b_file.nc.html HTTP/1.1" 307 -
ip_of_the_machine_accessing_the_tomcat_server - usersB
[24/May/2012:12:00:34 +0200] "GET /thredds/restrictedAccess/BData
HTTP/1.1" 403 1108
Is this the normal way this access restriction to work or am I doing
some configuration mistake?
Thanks in advance
E Diaz
