NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.
To learn about what's going on, see About the Archive Site.
NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.
To learn about what's going on, see About the Archive Site.
THREDDS 4.3.21 and TOMCAT 7.0.54
I setup my TDS to use a romote LDAP server for verifing users credentials to
allow people access restricted datasets.
It works properly when using a web browser but it doesn't work accessing the
same dataset from command line (ncdump, cdo or ferret) passing LDAP
credential in the URL.
Since I strongly need to allow dodsC service to command line LDAP autentichated
users,
can you help me please?
If you are still reading and you can spend your time with the problem, here are
the details, followed by the related catalina.out messages.
First of all I must say that I verified that using standard tomcat-users.xml
authentication (insted of LDAP) there are no problems and all works fine
(from web browser and from command line).
To setup my LDAP authorized TDS I first renamed my thredds webapp to
"medcordexh",
then I changed all things to be changed (catalog.xml, web.xml and
tds.properties)
then I added server.xml the following code within <Host> and </Host>
<Context docBase="medcordexh" path="/medcordexh">
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://xxx.xxx.xxx.xxx";
connectionName="cn=yyy,dc=yyyy,dc=yyyy,dc=yy"
connectionPassword="mysecret"
roleBase="ou=Group,dc=yyyy,dc=yyyy,dc=yy"
roleName="groupId"
roleSearch="(memberUid={2})"
userPattern="mail={0},ou=People,dc=yyyy,dc=yyyy,dc=yy"
userRoleAttribute="mail"
roleSubtree="true"
/>
</Context>
In this way the users authentication is made by the LDAP server.
My catalog.xml I restricted the dataset access with
restrictAccess="hymexCore"
where HymexCore is the groupId (defined in LDAP server) to which I want to
allow access.
Once tomcat is restarted I can succesfully access my datasets using the browser
(in which case LDAP authentication works) but not by command line. To
simplify we'll try to see the ascii representation of a test.nc file
If I point my browser to
https://utmea.enea.it:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?
then I'm requested the LDAP credentials and they are succesfully used to let me
see the web page
But if I use the same LDAP credentials in the next command
wget
'https://XXXXXXXXX:XXXXX@xxxxxxxxxxxxx:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?'
I get the foowing erro messages:
--2014-07-03 11:45:54--
https://emanuele.lombardi%F40enea.it:*password*@utmea.enea.it:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?
Resolving utmea.enea.it... 192.107.77.41
Connecting to utmea.enea.it|192.107.77.41|:8290... connected.
WARNING: cannot verify utmea.enea.it's certificate, issued by
`/C=it/ST=ITALY/L=ROMA/O=ENEA/OU=UTMEA/CN=utmea.enea.it':
Self-signed certificate encountered.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: https://utmea.enea.it:8290/medcordexh/restrictedAccess/hymexCore
[following]
--2014-07-03 11:45:54--
https://utmea.enea.it:8290/medcordexh/restrictedAccess/hymexCore
Reusing existing connection to utmea.enea.it:8290.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed.
Here follow the catalina.log of both the above examples:
============================================================================================================================00
catalina.log of succesfull browser access:
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[allow feature collection rescan
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii
--> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[cataloggen configuration]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[not allowed]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[restricted access datasets]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Test Restricted access
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[allow feature collection rescan
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii
--> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[cataloggen configuration]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:54 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[not allowed]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[restricted access datasets]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Test Restricted access
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[allow feature collection rescan
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii
--> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[cataloggen configuration]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[not allowed]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[restricted access datasets]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Test Restricted access
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[allow feature collection rescan
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii
--> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[cataloggen configuration]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[not allowed]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[restricted access datasets]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Test Restricted access
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: No applicable constraint located
Jul 03, 2014 11:43:55 AM org.apache.catalina.realm.RealmBase hasRole
FINE: Username emanuele.lombardi@xxxxxxx has role hymexCore
============================================================================================================================00
catalina.log of unsuccesfull wget command
wget --no-check-certificate
'https://emanuele.lombardi%f40enea.it:XXXXXX@xxxxxxxxxxxxx:8290/medcordexh/dodsC/MEDCORDEX/test.nc.ascii?'
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[allow feature collection rescan
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[cataloggen configuration]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[not allowed]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[restricted access datasets]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Test Restricted access
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[allow feature collection rescan
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[cataloggen configuration]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[not allowed]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[restricted access datasets]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Test Restricted access
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[allow feature collection rescan
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[cataloggen configuration]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[not allowed]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[restricted access datasets]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Test Restricted access
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[allow feature collection rescan
to be triggered externally]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[cataloggen configuration]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[not allowed]' against GET
/dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[restricted access datasets]'
against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Test Restricted access
datasets]' against GET /dodsC/MEDCORDEX/test.nc.ascii --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: No applicable constraint located
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[allow feature collection rescan
to be triggered externally]' against GET /restrictedAccess/hymexCore
--> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[cataloggen configuration]'
against GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[not allowed]' against GET
/restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[restricted access datasets]'
against GET /restrictedAccess/hymexCore --> true
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Test Restricted access
datasets]' against GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[allow feature collection rescan
to be triggered externally]' against GET /restrictedAccess/hymexCore
--> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[cataloggen configuration]'
against GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[not allowed]' against GET
/restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[restricted access datasets]'
against GET /restrictedAccess/hymexCore --> true
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[sensitive read access]' against
GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Test Restricted access
datasets]' against GET /restrictedAccess/hymexCore --> false
Jul 03, 2014 11:46:31 AM org.apache.catalina.realm.RealmBase
hasUserDataPermission
FINE: User data constraint already satisfied
thredds archives: