[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GDS, FDS and TDS security questions




On Aug 19, 2006, at 12:44 PM, John Caron wrote:

Hi James, et al:

The TDS currently uses Tomcat-based authentication/authorization. HTTP basic, digest, form or HTTPS is supported. Unless you are using session cookies, you have to authenticate every request. I think the standard dods clients do not support session cookies ( I have a hacked version of the java dods client that does).

Tomcat requires that you specify the restricted URLs in the web.xml file. For simple cases, this is not too hard, but for complicated sites, not a good solution. Id like to specify access control in the TDS catalog, allowing it down to dataset granularity. I hope to get that working soon, but im not sure how easy it will be.

Some of my uncertainty is about what dods clients can/should do. I think the C client library will translate URLS with http:// login:address@hidden in them, or maybe thats being done at the server ?? But the java client library doesnt handle that ?? Anyway, im confused about what the constraints are from the dods clients.

Yes, the C++ library does handle the user:address@hidden URLs. It parses that and builds the appropriate headers. I forgot what they are exactly, but thats how it sends the credentials with every request.


James

Ethan Davis wrote:

Hi James,

Currently, the TDS doesn't do any authentication/authorization for data access. But it is in the plans. John would have a better idea of the time line for that than I. (Actually, I may be overstating this. You may be able to set it up to do authentication/ authorization for data access but only on a server-wide level, or at least the user would have to do all the mucking around with Tomcat. Sorry for the flip-flopping. Now that I think about it more it turns out I'm just not that sure. John would know better and should be around on Monday.)

The TDS does do authentication/authorization (a la Tomcat) for server configuration and such. If you want more details, see the "Remote Management" and "Security" links from our TDS docs page http://motherlode.ucar.edu:8080/thredds/docs/.

Ethan

James Gallagher wrote:

Folks,

I'm hacking together a document of 'Best Practices' about DAP servers and I was wondering what sort of username/password protection GDS, FDS and TDS supply? I sort of know what a servlet engine like Tomcat 5.5 can do (although I'm nowhere near an expert on it).

There's sort of a short time line on this; I need to get my text to Dan soon but I should have a chance to hack in some changes until Tuesday.

Thanks,
James
--
James Gallagher                jgallagher at opendap.org
OPeNDAP, Inc                   406.723.8663





-- James Gallagher jgallagher at opendap.org OPeNDAP, Inc 406.723.8663


NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.