i was using cas server 3.0.6; i just dropped the war file into tomcat and used the default (name=password) to test with. other than using a login page instead of an HTTP 401 authorization challenge, it worked fine.
3.0.5 - my CAS server uses some Acegi plugin, I wonder if that causes a bad interaction. I am going to try with the standard cas distribution and see what happens - I'll have to do it tomorrow though since I have a meeting in 5 minutes
On Feb 1, 2007, at 2:18 PM, John Caron wrote:
yes, mine was working. what version of CAS server are you using?
Luca Cinquini wrote:
Talking about SSO, I am trying it out with our (working) CAS server, and it looks like after a successful authentication, the CAS server does NOT redirect back to the TDS server. Is it working for you ? I am wondering if a parameter is missing in the first CAS invocation...
On Feb 1, 2007, at 1:33 PM, John Caron wrote:
Luca Cinquini wrote:
my Thursday actually cleared up so I started testing the new TDS security. I successfully used Basic/Digest/SSL with one of our local datasets, it seems to be working fine. I am going to go ahead and try the rest, but in the meantime I thought about sending you the following comments/questions:
1) Security seems to be working for the Opendap and WCS services, but not for the HTTP server
yes, i forgot to do it thanks for reminding
2) I thought there was a filter that intercepts all requests and redirects to /restrictAccess/ in case of failed authorization, but I can-t find it - did you move that functionality to the servlet ?
filters work on URL patterns; im trying to put the configuration in the catalogs themselves, and not worry about url patterns, but rather protect the abstract "dataset" whatever its access URLs are. So when a data access comes in, i check if its a restricted dataset, and do the redirect myself (TomcatAuthorizer.authorize())
3) web.xml is setup by default to perform BASIC authentication, while the instructions mention DIGEST as the default configuration (no big deal, I just thought I mentioned it)
I saw some funny problems with DIGEST that went away with BASIC; I hope to figure out the problem and ship with DIGEST as default.
4) After a successful authentication, how does the server remember which URL to redirect the client to ? Is it stored on the server, or is it passed via cookies or HTTP headers ?
the original URL is stored in the session object on the server.
5) There is now a special security role called "restrictedDatasetUser" I wonder if it would be possible to make this name configurable, keeping "restrictedDatasetUser" as the default. The reason I am asking is because the CDP already has its own deafult security role, called "USER"
Yes, you just have to change thredds web.xml, and use your own name (grep for restrictedDatasetUser, you'll see where)
6) In terms of restricting access to a dataset in the thredds catalog.xml files - could the restrictAccess attribute placed on a parent be overridden by a different value placed on a child ?
yes, but i need to test to see if I implemented correctly.
thanks, back to work, Luca
thanks a million, BTW im now trying out CAMS, a commercial SSO provider that we use.
On Jan 30, 2007, at 3:38 PM, John Caron wrote:
I have a release 3.15.02 that should work
The war file is at ftp://ftp.unidata.ucar.edu/pub/thredds/3.15/thredds.war
The full source is at
Updated docs are at
Not sure exactly how you want to proceed, but perhaps get the default security working, then try using CAS? then write your own? The relevent code is all in thredds.servlet.restrict
Let me know how its going....
Luca Cinquini wrote:
I am going to try to test it next week - please let me know when the beta server is ready for me to download it.
On Jan 25, 2007, at 5:23 PM, John Caron wrote:
I have a first pass working, heres some docs, i will get you a release tommorrow.
http://www.unidata.ucar.edu/projects/THREDDS/tech/ reference/ PluggableRestrictedAccess.htm
NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.