
[thredds] info retrieved passing tomcat/thredds password protection

I set up a THREDDS server with version 4.6.3 and Tomcat 8.0 with some datasets
password protected. The setup works fine with web browsers. A user gets
prompted for a password when visiting a catalog or netcdf file that is protected.
However, if a user tries to retrieve a netcdf file's related info (.dds, .das,
.dods) with a given URL, for example from MATLAB "ncdisp()" or Panoply, it
goes through directly and no password is even prompted. It appears to be a big
security hole unless my setup has problems. Here is the configuration I have.
What am I missing?


The log file /…/logs/localhost_access_log.2016-03-21.txt shows that the .dds, .das and
.dods info related to the netcdf file is sent to the client without password
protection.

155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dds HTTP/1.1" 200 5323

155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.das HTTP/1.1" 200 8618

155.246.104.22 - - [21/Mar/2016:15:05:14 -0400] "GET /thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dods?xpos,ypos,time,date,layer%5fbnds,sigma HTTP/1.1" 200 9708

/…/webapps/thredds/WEB-INF/web.xml shows that all paths containing "restrictedAccess"
should be password protected.

…

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted access datasets</web-resource-name>
      <url-pattern>/restrictedAccess/*</url-pattern>
      <url-pattern>/*/restrictedAccess/*</url-pattern>
      <url-pattern>/*/*/restrictedAccess/*</url-pattern>
      <url-pattern>/*/*/*/restrictedAccess/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>restrictedDatasetUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

…

Thanks!

— Kevin Ying

________________________________
Email: kying@xxxxxxxxxxx
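A check worth running against a web.xml like the one above, added here as an example and not code from the poster, Tomcat or the THREDDS project: the Servlet specification (section 12.2) recognises `*` as a wildcard only as a trailing `/*` (path-prefix mapping) or a leading `*.` (extension mapping); any other string is compared literally, so a `*` in the middle of a pattern is just an asterisk character. The script below models those matching rules, strips the `/thredds` context path (an assumption about this deployment) from the logged request URIs, and reports which `<url-pattern>` entries actually cover each request. The extra handshake-style path `/restrictedAccess/restrictedDatasetUser` is constructed for contrast and is not taken from the log.

```python
"""Model of Servlet-spec url-pattern matching for web.xml security constraints.

Added example (not the poster's, Tomcat's or THREDDS' code). Assumes the
container follows the Servlet 3.x matching rules and that the web application
is deployed at the context path below.
"""

CONTEXT_PATH = "/thredds"  # assumption: THREDDS deployed at /thredds

# url-patterns copied from the posted <security-constraint>
URL_PATTERNS = [
    "/restrictedAccess/*",
    "/*/restrictedAccess/*",
    "/*/*/restrictedAccess/*",
    "/*/*/*/restrictedAccess/*",
]

# Request URIs from the posted access log (query string included on the
# last one, exactly as logged) plus one constructed path directly under the
# protected prefix, for comparison.
LOGGED_REQUESTS = [
    "/thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dds",
    "/thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.das",
    "/thredds/dodsC/restrictedAccess/version3/individual/Run_20151227_0000.nc.dods"
    "?xpos,ypos,time,date,layer%5fbnds,sigma",
]
CONSTRUCTED_HANDSHAKE_PATH = "/thredds/restrictedAccess/restrictedDatasetUser"


def matches(pattern: str, path: str) -> bool:
    """Return True if a single url-pattern covers a context-relative path.

    Servlet spec rules: exact match; '/prefix/*' matches the prefix itself or
    anything below it on a segment boundary; '*.ext' matches by extension;
    '/' alone matches everything else. No other '*' is a wildcard.
    """
    if pattern == path:
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]
        # '/*' on its own matches every path
        return prefix == "" or path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def servlet_path(request_uri: str) -> str:
    """Strip the context path and any query string; web.xml patterns are
    matched against the context-relative path only."""
    path = request_uri.split("?", 1)[0]
    if not path.startswith(CONTEXT_PATH + "/"):
        raise ValueError(f"{request_uri!r} is outside context {CONTEXT_PATH!r}")
    return path[len(CONTEXT_PATH):]


def protecting_patterns(request_uri: str) -> list:
    """All configured patterns that would put this request under the
    security constraint (empty list means the container will not challenge)."""
    path = servlet_path(request_uri)
    return [p for p in URL_PATTERNS if matches(p, path)]


def literal_star_patterns(patterns) -> list:
    """Lint: patterns containing a '*' in a position the spec treats as a
    literal character. These almost never match what their author intended."""
    flagged = []
    for p in patterns:
        core = p
        if p.startswith("/") and p.endswith("/*"):
            core = p[:-2]
        elif p.startswith("*."):
            core = p[2:]
        if "*" in core:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for uri in LOGGED_REQUESTS + [CONSTRUCTED_HANDSHAKE_PATH]:
        covered = protecting_patterns(uri)
        print(f"{'PROTECTED' if covered else 'OPEN     '} {uri}")
        for p in covered:
            print(f"           matched by {p}")
    print("patterns with a literal '*':", literal_star_patterns(URL_PATTERNS))
```

Run as-is, the three logged OPeNDAP requests come out as OPEN: their context-relative paths begin with `/dodsC/`, which is neither the prefix `/restrictedAccess` nor the literal prefix `/*/restrictedAccess`, so none of the four patterns applies and the container has no reason to challenge. Only the constructed path directly under `/restrictedAccess/` is covered, by the first pattern. Because the spec offers no "this segment anywhere in the path" wildcard, a per-dataset restriction cannot be expressed in web.xml alone; the TDS documentation's mechanism for that is the `restrictAccess` attribute on the catalog dataset, which the server enforces itself, with the `/restrictedAccess/*` constraint protecting the login path it redirects to.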


  • 2016 messages navigation, sorted by:
    1. Thread
    2. Subject
    3. Author
    4. Date
    5. ↑ Table Of Contents
  • Search the thredds archives: