
Re: GDS, FDS and TDS security questions



Hi James, et al:

The TDS currently uses Tomcat-based authentication/authorization. HTTP basic, digest, form or HTTPS is supported. Unless you are using session cookies, you have to authenticate every request. I think the standard dods clients do not support session cookies (I have a hacked version of the Java dods client that does).

Tomcat requires that you specify the restricted URLs in the web.xml file. For simple cases, this is not too hard, but for complicated sites, not a good solution. I'd like to specify access control in the TDS catalog, allowing it down to dataset granularity. I hope to get that working soon, but I'm not sure how easy it will be.

Some of my uncertainty is about what dods clients can/should do. I think the C client library will translate URLs with http://login:passwd@url in them, or maybe that's being done at the server?? But the Java client library doesn't handle that?? Anyway, I'm confused about what the constraints are from the dods clients.

Ethan Davis wrote:

Hi James,

Currently, the TDS doesn't do any authentication/authorization for data access. But it is in the plans. John would have a better idea of the time line for that than I. (Actually, I may be overstating this. You may be able to set it up to do authentication/authorization for data access but only on a server-wide level, or at least the user would have to do all the mucking around with Tomcat. Sorry for the flip-flopping. Now that I think about it more it turns out I'm just not that sure. John would know better and should be around on Monday.)

The TDS does do authentication/authorization (a la Tomcat) for server configuration and such. If you want more details, see the "Remote Management" and "Security" links from our TDS docs page http://motherlode.ucar.edu:8080/thredds/docs/.

Ethan

James Gallagher wrote:

Folks,

I'm hacking together a document of 'Best Practices' about DAP servers and I was wondering what sort of username/password protection GDS, FDS and TDS supply? I sort of know what a servlet engine like Tomcat 5.5 can do (although I'm nowhere near an expert on it).

There's sort of a short time line on this; I need to get my text to Dan soon but I should have a chance to hack in some changes until Tuesday.

Thanks,
James
--
James Gallagher                jgallagher at opendap.org
OPeNDAP, Inc                   406.723.8663
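
The `http://login:passwd@url` form discussed above, as an added example that is not part of the original thread or of any DODS client library: one way a client can turn the embedded credentials into an HTTP Basic `Authorization` header and drop them from the URL before it is requested or logged. The function name, host name and dataset path are assumptions made for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_credentials(url):
    """Return (clean_url, headers) for a URL that may carry login:passwd@ userinfo.

    clean_url has the userinfo removed, so it is safe to write to logs.
    headers holds the Basic Authorization header built from the userinfo,
    or is empty when the URL carried no credentials.
    """
    parts = urlsplit(url)

    # Rebuild the authority without the userinfo component.
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean_url = urlunsplit(
        (parts.scheme, host, parts.path, parts.query, parts.fragment)
    )

    headers = {}
    if parts.username is not None:
        # Userinfo is percent-encoded in the URL; decode before building the header.
        user = unquote(parts.username)
        password = unquote(parts.password or "")
        token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
        headers["Authorization"] = "Basic " + token.decode("ascii")
    return clean_url, headers


if __name__ == "__main__":
    # Constructed sample URL; server.example and the dataset path are placeholders.
    sample = "http://login:passwd@server.example:8080/thredds/dodsC/restricted/data.nc.dds"
    clean, hdrs = split_credentials(sample)
    print(clean)
    print(hdrs)
```

The Basic token is only base64-encoded, so the header is as readable on the wire as the URL form unless the request goes over HTTPS.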