Session lost when switching from https restricted access to http about thredds HOT 2 OPEN

Hi Manuel:

I think you have diagnosed the issue. We did it that way because at the
time our customers wanted to switch back to non-SSL after authentication.
At the time, the browsers allowed this, but since then security has
tightened. We will fix this eventually, by not switching from SSL.

For now, you should use standard Tomcat authentication, where you restrict
by URL pattern. You will have to look through the tomcat docs:

http://tomcat.apache.org/tomcat-7.0-doc/

John

On Tue, Feb 3, 2015 at 5:53 AM, vegasm [email protected] wrote:

I am trying to configure Thredds in order to add SSL to the login. I
configured my web.xml as suggested here
http://www.unidata.ucar.edu/software/thredds/v4.5/tds/reference/RestrictedAccess.html
adding "useSSL=true" and "transport-guarantee = CONFIDENTIAL" in the
restrictedAccess security constraint.

My Tomcat's server.xml is also configured to expose the SSL connector:

After configuring that, I try to access to the test dataset (Protected by
a role) through the OpenDap service and I'm successfully redirected to the
log in (SSL). Nevertheless, after entering my credentials, firefox warns
about a circular redirect.

I have debugged this process many times and searched in Google trying to
find what is happening. If the session is created with a secured cookie in
the https context then when you switch back to HTTP it loses the session.
And this make sense when you debug all the process.

When the request is in the TomcatAuthorizer.authorize method, it has a
non-secured session which is previously created and some new attributes are
added. It is also added a header and then redirects to
https://localhost:8443/restrictedAccess/myrole

When credentials are entered, TomcatAuthorizer.doGet is called and tries
to find the role. I can see the user’s grants and everything seems to be
OK, nevertheless the session id is different. The request is redirected to
the original URL. After being redirected, the request goes to the
TomcatAuthorizer.authorize but it hasn’t the same session (non-secured) so
req.isUserInRole(role) is false and the process begins again and again.
Obviously the browser warns you about this situation. If you repeat this
process without adding ssl, the second redirect has the role and shows the
data because they have the same session.

I don’t know if I’m doing something wrong or something is missing. I'm
using the 4.5.5 version. Could you help me?

Best regards,

Manuel Vega.
University of Cantabria.

—
Reply to this email directly or view it on GitHub
#95.

from thredds.

Hi John,

Do I have to use the TomcatAuthorizer to perform the redirect to https://localhost:8443/restrictedAccess.. ? Or Do I have to comment the RestrictedDatasetServlet.authorize in the DatasetHandler.java and do it by restricting the dataset itself? For example, secure directly url's like http://.../dodsC/mycatalog/mydataset.ncml.html as /dodsC/.ncml.html?

Thank you

Manuel

from thredds.