[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TDS authentication

Luca Cinquini wrote:
Hi John,
my Thursday actually cleared up so I started testing the new TDS security. I successfully used Basic/Digest/SSL with one of our local datasets, it seems to be working fine. I am going to go ahead and try the rest, but in the meantime I thought about sending you the following comments/questions:

1) Security seems to be working for the Opendap and WCS services, but not for the HTTP server

yes, i forgot to do it thanks for reminding

2) I thought there was a filter that intercepts all requests and redirects to /restrictAccess/ in case of failed authorization, but I can-t find it - did you move that functionality to the servlet ?

filters work on URL patterns; im trying to put the configuration in the catalogs themselves, and not worry about url patterns, but rather protect the abstract "dataset" whatever its access URLs are. So when a data access comes in, i check if its a restricted dataset, and do the redirect myself (TomcatAuthorizer.authorize())

3) web.xml is setup by default to perform BASIC authentication, while the instructions mention DIGEST as the default configuration (no big deal, I just thought I mentioned it)

I saw some funny problems with DIGEST that went away with BASIC; I hope to figure out the problem and ship with DIGEST as default.

4) After a successful authentication, how does the server remember which URL to redirect the client to ? Is it stored on the server, or is it passed via cookies or HTTP headers ?

the original URL is stored in the session object on the server.

5) There is now a special security role called "restrictedDatasetUser" I wonder if it would be possible to make this name configurable, keeping "restrictedDatasetUser" as the default. The reason I am asking is because the CDP already has its own deafult security role, called "USER"

Yes, you just have to change thredds web.xml, and use your own name (grep for restrictedDatasetUser, you'll see where)

6) In terms of restricting access to a dataset in the thredds catalog.xml files - could the restrictAccess attribute placed on a parent be overridden by a different value placed on a child ?

yes, but i need to test to see if I implemented correctly.

thanks, back to work, Luca

thanks a million, BTW im now trying out CAMS, a commercial SSO provider that we use.

On Jan 30, 2007, at 3:38 PM, John Caron wrote:

I have a release 3.15.02 that should work

The war file is at

The full source is at


Updated docs are at

http://www.unidata.ucar.edu/projects/THREDDS/tech/reference/ RestrictedAccess.html
http://www.unidata.ucar.edu/projects/THREDDS/tech/reference/ PluggableRestrictedAccess.htm

Not sure exactly how you want to proceed, but perhaps get the default security working, then try using CAS? then write your own? The relevent code is all in thredds.servlet.restrict

Let me know how its going....

Luca Cinquini wrote:

Hi John,
I am going to try to test it next week - please let me know when the beta server is ready for me to download it.
thanks, luca
On Jan 25, 2007, at 5:23 PM, John Caron wrote:

I have a first pass working, heres some docs, i will get you a release tommorrow.
http://www.unidata.ucar.edu/projects/THREDDS/tech/reference/ PluggableRestrictedAccess.htm

NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.