[thredds] Problems accessing 2 folders restricted to 2 different users in the same session

  • To: thredds@xxxxxxxxxxxxxxxx
  • Subject: [thredds] Problems accessing 2 folders restricted to 2 different users in the same session
  • From: Emilio <uc3709@xxxxxxxx>
  • Date: Thu, 24 May 2012 12:33:59 +0200
Hi all

In the last weeks I've been working on the installation and administration of TDS and right now I'm stuck with the access restriction topic (https://www.unidata.ucar.edu/Projects/THREDDS/tech/tds4.1/reference/RestrictedAccess.html)

I'm using the second approach in order to restrict the users who are able to execute services in two different catalogues. "Alternately, you can add an attribute on a dataset or datasetScan element in the TDS catalog, eg *restrictAccess="**roleName"*. All services that use that dataset will be restricted to users with the named role."

CatalogA is accessible to usersA users, and catalogB is accessible to usersB users.

When I access to catalogA with usersA everything works fine: I'm asked for the user and password the first time I access any of the available services and in the next access the service is opened automaticaly. But if I return to the original page, where both catalogA and catalogB are accessible, and get into catalogB, then I'm not asked for user and password, and get an error page, with the next message:

"HTTP Status 401 - Not authorized to access this dataset.
*type* Status report
*message* _Not authorized to access this dataset._
*description* _This request requires HTTP authentication (Not authorized to access this dataset.)._"

I suspect that after visiting catalogA, somehow the password and user info are stored, and when later I try to access catalogB, it's being assumed that the same user and password are supposed to be used, and therefore the error message. This bad behaviour stops after some minutes, so maybe there's some parameter I can modify in order to solve this issue.

My catalog.xml file where I define the restricted catalogues  looks like:
<catalogRef xlink:title="A Catalog" xlink:href="enhancedCatalogA.xml" name=""/> <catalogRef xlink:title="B Catalog" xlink:href="enhancedCatalogB.xml" name=""/>

The parts of the enhanced catalogue A looks like (it's exactly the same for catalogue B):
-For enhancedCatalogA.xml:
<datasetScan name="AData" ID="aEnhanced"
                 path="aEnhanced" location="content/dio/A/"

The tomcat-users.xml looks like:
<role rolename="usersA"/>
<role rolename="restrictedDatasetUser"/>
<user username="usersA" password="pass" roles="gowData,restrictedDatasetUser"/>

When I try to access the second catalogue and get the error described above, I get this info in the logs: ip_of_the_machine_accessing_the_tomcat_server - usersB [24/May/2012:12:00:33 +0200] "GET /thredds/dodsC/bEnhanced/b_file.nc.html HTTP/1.1" 307 - ip_of_the_machine_accessing_the_tomcat_server - usersB [24/May/2012:12:00:34 +0200] "GET /thredds/restrictedAccess/BData HTTP/1.1" 403 1108

Is this the normal way this access restriction to work or am I doing some configuration mistake?

Thanks in advance

E Diaz
  • 2012 messages navigation, sorted by:
    1. Thread
    2. Subject
    3. Author
    4. Date
    5. ↑ Table Of Contents
  • Search the thredds archives: