Comments (2)
Hi Manuel:
I think you have diagnosed the issue. We did it that way because at the
time our customers wanted to switch back to non-SSL after authentication.
At the time, the browsers allowed this, but since then security has
tightened. We will fix this eventually, by not switching from SSL.
For now, you should use standard Tomcat authentication, where you restrict
by URL pattern. You will have to look through the tomcat docs:
http://tomcat.apache.org/tomcat-7.0-doc/
John
On Tue, Feb 3, 2015 at 5:53 AM, vegasm [email protected] wrote:
I am trying to configure Thredds in order to add SSL to the login. I
configured my web.xml as suggested here
http://www.unidata.ucar.edu/software/thredds/v4.5/tds/reference/RestrictedAccess.html
adding "useSSL=true" and "transport-guarantee = CONFIDENTIAL" in the
restrictedAccess security constraint.My Tomcat's server.xml is also configured to expose the SSL connector:
After configuring that, I try to access to the test dataset (Protected by
a role) through the OpenDap service and I'm successfully redirected to the
log in (SSL). Nevertheless, after entering my credentials, firefox warns
about a circular redirect.I have debugged this process many times and searched in Google trying to
find what is happening. If the session is created with a secured cookie in
the https context then when you switch back to HTTP it loses the session.
And this make sense when you debug all the process.When the request is in the TomcatAuthorizer.authorize method, it has a
non-secured session which is previously created and some new attributes are
added. It is also added a header and then redirects to
https://localhost:8443/restrictedAccess/myroleWhen credentials are entered, TomcatAuthorizer.doGet is called and tries
to find the role. I can see the user’s grants and everything seems to be
OK, nevertheless the session id is different. The request is redirected to
the original URL. After being redirected, the request goes to the
TomcatAuthorizer.authorize but it hasn’t the same session (non-secured) so
req.isUserInRole(role) is false and the process begins again and again.
Obviously the browser warns you about this situation. If you repeat this
process without adding ssl, the second redirect has the role and shows the
data because they have the same session.I don’t know if I’m doing something wrong or something is missing. I'm
using the 4.5.5 version. Could you help me?Best regards,
Manuel Vega.
University of Cantabria.—
Reply to this email directly or view it on GitHub
#95.
from thredds.
Hi John,
Do I have to use the TomcatAuthorizer to perform the redirect to https://localhost:8443/restrictedAccess.. ? Or Do I have to comment the RestrictedDatasetServlet.authorize in the DatasetHandler.java and do it by restricting the dataset itself? For example, secure directly url's like http://.../dodsC/mycatalog/mydataset.ncml.html as /dodsC/.ncml.html?
Thank you
Manuel
from thredds.
Related Issues (20)
- Possible loop in thredds.client.catalog graph?
- Possible Issue with logging ResponseSize caused by insufficient storage type HOT 4
- variable attributes showing up in OPeNDAP global attributes! HOT 8
- Performance Issue with high variable and dimension count
- Thredds do not behave well behind Nginx proxy serving as SSL termination HOT 4
- Question regarding WCS DescribeCoverage ResponseCRSs HOT 4
- Wrong URL in description of this repository HOT 1
- Cross-Origin Read Blocking (CORB) blocked cross-origin response thredds HOT 2
- EOFException on NCDump data
- DAP4 in TDS dap4.core.util.DapException: Resource root not found HOT 3
- WMS GetMap Request with style=contour Returns Error HOT 14
- Unexpected behavior when querying area around Meridian HOT 2
- Date truncated by cast to long HOT 7
- NCML Time axis aggregation with missing / time gaps HOT 6
- double encoding of spaces in filenames when user click on "Get Binary" or "Get ASCII" in OPeNDAP download form HOT 5
- trimDirectiveWhitespaces breaking GetTransect HOT 3
- Unsigned types in NcML
- Tracking log4j security issues HOT 10
- blank Godiva2 basemap HOT 1
- WMS service broken in 4.6.19+ HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from thredds.