NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.
To learn about what's going on, see About the Archive Site.
NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.
To learn about what's going on, see About the Archive Site.
i was using cas server 3.0.6; i just dropped the war file into tomcat and used the default (name=password) to test with. other than using a login page instead of an HTTP 401 authorization challenge, it worked fine. Luca Cinquini wrote:
3.0.5 - my CAS server uses some Acegi plugin, I wonder if that causes a bad interaction. I am going to try with the standard cas distribution and see what happens - I'll have to do it tomorrow though since I have a meeting in 5 minutesL On Feb 1, 2007, at 2:18 PM, John Caron wrote:yes, mine was working. what version of CAS server are you using? Luca Cinquini wrote:Talking about SSO, I am trying it out with our (working) CAS server, and it looks like after a successful authentication, the CAS server does NOT redirect back to the TDS server. Is it working for you ? I am wondering if a parameter is missing in the first CAS invocation...L On Feb 1, 2007, at 1:33 PM, John Caron wrote:Luca Cinquini wrote:Hi John,my Thursday actually cleared up so I started testing the new TDS security. I successfully used Basic/Digest/SSL with one of our local datasets, it seems to be working fine. I am going to go ahead and try the rest, but in the meantime I thought about sending you the following comments/questions: 1) Security seems to be working for the Opendap and WCS services, but not for the HTTP serveryes, i forgot to do it thanks for reminding2) I thought there was a filter that intercepts all requests and redirects to /restrictAccess/ in case of failed authorization, but I can-t find it - did you move that functionality to the servlet ?filters work on URL patterns; im trying to put the configuration in the catalogs themselves, and not worry about url patterns, but rather protect the abstract "dataset" whatever its access URLs are. So when a data access comes in, i check if its a restricted dataset, and do the redirect myself (TomcatAuthorizer.authorize())3) web.xml is setup by default to perform BASIC authentication, while the instructions mention DIGEST as the default configuration (no big deal, I just thought I mentioned it)I saw some funny problems with DIGEST that went away with BASIC; I hope to figure out the problem and ship with DIGEST as default.4) After a successful authentication, how does the server remember which URL to redirect the client to ? Is it stored on the server, or is it passed via cookies or HTTP headers ?the original URL is stored in the session object on the server.5) There is now a special security role called "restrictedDatasetUser" I wonder if it would be possible to make this name configurable, keeping "restrictedDatasetUser" as the default. The reason I am asking is because the CDP already has its own deafult security role, called "USER"Yes, you just have to change thredds web.xml, and use your own name (grep for restrictedDatasetUser, you'll see where)6) In terms of restricting access to a dataset in the thredds catalog.xml files - could the restrictAccess attribute placed on a parent be overridden by a different value placed on a child ?yes, but i need to test to see if I implemented correctly.thanks, back to work, Lucathanks a million, BTW im now trying out CAMS, a commercial SSO provider that we use.On Jan 30, 2007, at 3:38 PM, John Caron wrote:I have a release 3.15.02 that should work The war file is at ftp://ftp.unidata.ucar.edu/pub/thredds/3.15/thredds.war The full source is at ftp://ftp.unidata.ucar.edu/pub/thredds/temp/ threddsSrc-2.2.19.01.jar Updated docs are athttp://www.unidata.ucar.edu/projects/THREDDS/tech/reference/ RestrictedAccess.html http://www.unidata.ucar.edu/projects/THREDDS/tech/reference/ PluggableRestrictedAccess.htmNot sure exactly how you want to proceed, but perhaps get the default security working, then try using CAS? then write your own? The relevent code is all in thredds.servlet.restrictLet me know how its going.... Luca Cinquini wrote:Hi John,I am going to try to test it next week - please let me know when the beta server is ready for me to download it.thanks, luca On Jan 25, 2007, at 5:23 PM, John Caron wrote:I have a first pass working, heres some docs, i will get you a release tommorrow. http://www.unidata.ucar.edu/projects/THREDDS/tech/ reference/ PluggableRestrictedAccess.htm
thredds archives: