
[thredds] info retrieved passing tomcat/thredds password protection

I set up a THREDDS server with version 4.6.3 and Tomcat 8.0 with some datasets
password protected. The setup works fine with web browsers. A user gets
prompted for a password when visiting a catalog or netCDF file that is protected.
However, if a user tries to retrieve netCDF-file-related info (.dds, .das,
.dods) with a given URL, for example from MATLAB "ncdisp()" or Panoply, it
goes through directly and no password is even prompted. It appears to be a big
security hole unless my setup has problems. Here is the configuration I have.
What am I missing?


The log file /…/logs/localhost_access_log.2016-03-21.txt shows that the .dds, .das and
.dods info related to the netCDF file is sent to the client without password
protection.

155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dds HTTP/1.1" 200 5323

155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.das HTTP/1.1" 200 8618

155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dods?xpos,ypos,time,date,layer%5fbnds,sigma HTTP/1.1" 200 9708

/…/webapps/thredds/WEB-INF/web.xml shows that all paths with "restrictedAccess"
should be password protected.

…

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted access datasets</web-resource-name>
      <url-pattern>/restrictedAccess/*</url-pattern>
      <url-pattern>/*/restrictedAccess/*</url-pattern>
      <url-pattern>/*/*/restrictedAccess/*</url-pattern>
      <url-pattern>/*/*/*/restrictedAccess/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>restrictedDatasetUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

…

Thanks!

— Kevin Ying

________________________________
Email: kying@xxxxxxxxxxx
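The check a practitioner would want to run on the question above is to apply the Servlet specification's url-pattern matching rules to the posted security-constraint patterns and the paths in the posted log lines. The Servlet spec (section 12.2) recognizes only four pattern forms: an exact path, a path prefix written as `/prefix/*`, an extension written as `*.ext`, and the default `/`; a `*` anywhere else is an ordinary character, so `/*/restrictedAccess/*` is a prefix pattern whose prefix is the literal string `/*/restrictedAccess`. The script below is an added example, not code from the original post or from the THREDDS/Tomcat projects; it implements those rules, strips the `/thredds` context path and query string the way the container does before matching, and audits access-log lines in the format shown above. The log lines are constructed (the three request paths are copied from the post, the client address and the fourth line are made up), and the context path `/thredds` is an assumption taken from the posted URLs.

```python
import re
from urllib.parse import unquote

# Assumption: the webapp is deployed at this context path (as in the posted URLs).
CONTEXT_PATH = "/thredds"

# url-patterns copied from the web.xml fragment in the post above.
PATTERNS = [
    "/restrictedAccess/*",
    "/*/restrictedAccess/*",
    "/*/*/restrictedAccess/*",
    "/*/*/*/restrictedAccess/*",
]

# Constructed access-log lines modelled on the post: the first three paths are the
# posted ones with a made-up client address; the fourth is a hypothetical request
# directly under /restrictedAccess/, which the first pattern does cover.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dds HTTP/1.1" 200 5323
192.0.2.10 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.das HTTP/1.1" 200 8618
192.0.2.10 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dods?xpos,ypos,time,date,layer%5fbnds,sigma HTTP/1.1" 200 9708
192.0.2.10 - - [21/Mar/2016:15:06:02 -0400] "GET /thredds/restrictedAccess/restrictedDatasetUser HTTP/1.1" 401 -
"""

# Common log format: only the request line and status code are needed here.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def servlet_path(request_target, context_path=CONTEXT_PATH):
    """Drop the query string and the context path; returns the path that web.xml
    url-patterns are matched against, or None if the request is outside the webapp."""
    path = unquote(request_target.split("?", 1)[0])
    if path == context_path:
        return "/"
    if path.startswith(context_path + "/"):
        return path[len(context_path):]
    return None


def pattern_matches(pattern, path):
    """Servlet spec 12.2 matching: default '/', extension '*.ext', path prefix
    '/prefix/*' (matches '/prefix' and '/prefix/...'), otherwise exact match.
    A '*' in the middle of a pattern is compared literally."""
    if pattern == "/":
        return True
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def covering_patterns(path, patterns=PATTERNS):
    """All constraint patterns that apply to the given servlet path."""
    return [p for p in patterns if pattern_matches(p, path)]


def audit(log_text, patterns=PATTERNS, context_path=CONTEXT_PATH):
    """One (servlet_path, status, covering_patterns) tuple per in-webapp request.
    An empty covering list with a 2xx status means the container never applied
    the security-constraint to that request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path = servlet_path(m.group("target"), context_path)
        if path is None:
            continue
        findings.append((path, int(m.group("status")), covering_patterns(path, patterns)))
    return findings


def unprotected(log_text, patterns=PATTERNS, marker="restrictedAccess"):
    """Requests whose path contains the marker but that no constraint pattern covers."""
    return [(p, s) for p, s, cov in audit(log_text, patterns) if marker in p and not cov]


if __name__ == "__main__":
    for path, status, cov in audit(SAMPLE_LOG):
        print(f"{status} {path}\n    covered by: {cov or 'NONE'}")
```

Run against the constructed log, the three OPeNDAP requests under `/dodsC/restrictedAccess/` match none of the four patterns, because the container compares the `*` in `/*/restrictedAccess` literally rather than as a path-segment wildcard; only a request directly under `/restrictedAccess/` is covered. A pattern whose prefix spells out the service, such as `/dodsC/restrictedAccess/*` (an assumption about what the administrator intends, not a THREDDS recommendation taken from this page), does match those paths under the same rules, which `pattern_matches` can be used to confirm before editing web.xml.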

