[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Fwd: Re: opendap restricted access]

Subject: Re: [Fwd: Re: opendap restricted access]
Date: Tue, 23 Jan 2007 14:37:35 -0700

Hi Thomas:

Im not seeing this problem with my test CAS server.

Hi Thomas: basically the authentication is interfering with the .ascii request. 
I think this doesnt happen if you ask for the binary data (.dods). I will 
investigate more.

Thomas LOUBRIEU wrote:

Hi John,
I am happy that you succeed but I have a problem on my side. I didn'tsee that the restricted URL request is not understood by the threddsopendap server. When I try to request data I get the following error (inthreddsServlet.log) :
2007-01-23T18:49:33.494 +0100 [ 77114][ 24] INFO -thredds.servlet.ServletUtil - Remote host: 134.246.144.168 - Request: "GET/thredds/dodsC/restricted/CORIOLIS-GLOBAL-RTOA/sea_water_salinity/aggregated_time_serie.ascii?latitude[0:1:498]HTTP/1.1
"
2007-01-23T18:49:33.559 +0100 [ 77179][ 24] ERROR -dods.servlet.DODSServlet - DODSServlet.anyExceptionHandler
java.lang.NullPointerException
        at dods.dap.ServerVersion.<init>(ServerVersion.java:45)
        at dods.dap.DConnect.openConnection(DConnect.java:221)
        at dods.dap.DConnect.getDataFromUrl(DConnect.java:455)
        at dods.dap.DConnect.getData(DConnect.java:404)
        at dods.servlet.dodsASCII.sendASCII(dodsASCII.java:91)
        at dods.servlet.DODSServlet.doGetASC(DODSServlet.java:874)
        at dods.servlet.DODSServlet.doGet(DODSServlet.java:1457)
        at dods.servers.netcdf.NcDODSServlet.doGet(NcDODSServlet.java:271)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
atorg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)atorg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)atedu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:317)atorg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)atorg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)atorg.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)atorg.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)atorg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)atorg.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)atorg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)atorg.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)atorg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)atorg.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)atorg.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)atorg.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754)atorg.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684)atorg.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876)atorg.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)
2007-01-23T18:49:33.564 +0100 [ 77184][ 24] INFO -thredds.servlet.ServletUtil - Request Completed - 200 - -1 - 70
Is it alright for you ? I think the browser use http header orparameters to send the 'CAS ticket'. Is there something wrong with that ?
Thanks,

Thomas


John Caron a écrit :
Hi Thomas:
Thank you very much! I was able to get it working finally (I had thecertificate installed in the wrong JVM!)
In looking at how CAS works with TDS, it appears that a user will getsent to the CAS login page. However, it may be that the user is not ina browser, but in another application or even a web service that doesnot process HTML FORMs. I am wondering if you know if its possible toconfigure CAS to do a HTTP 401 challenge instead of a login page?I am concerned that some OPeNDAP clients may not be able to work witha TDS server protected by CAS. I am trying to make recomendations tothe OPeNDAP conference next month on how to create interoperableOPeNDAP clients and servers that implement security. Do you have plansto attend that conference? Any thoughts that you have about theseissues would be helpful to me.
John





Thomas LOUBRIEU wrote:
Hi John,
Perhaps you can test your CAS-ification with our CAS authentificationserver (https://auth.ifremer.fr). To do so, you'll have to configureyour TDS web.xml file as follow :
   <filter>
    <filter-name>CAS Filter</filter-name>

<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>https://auth.ifremer.fr/login</param-value>
    </init-param>
    <init-param>

<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>https://auth.ifremer.fr/proxyValidate</param-value>
    </init-param>
    <init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>your application server dns:your port</param-value>
    </init-param>
  </filter>
You can download the convenient cas.keystore (the public certificatefor our server) at :http://secure.globalsign.net/cacert/sureserverEDU.crt
And then use the jvm options :
JAVA_OPTS="-Xms2048m -Xmx2048m -XX:MaxPermSize=256m-Djavax.net.ssl.trustStore=sureserverEDU.cert"
to launch the tomcat server.


I have created a login for you, it is :
login  : jc1eed0
passwd : aze321


I hope this will help you,

Thomas




John Caron a écrit :
Thomas LOUBRIEU wrote:
Hi Jon,
up to now it is what we are using "as this". Our project, in thecoming weeks, is to extend the 'filter' functions (I don't know yetwhich they are) so that we can't check the CAS-authentification (asit now is) AND if the user login if authorized to access thecurrent URL according to a configuration file as follow (in XML orjava properties) :
URL_pattern1
    login2
    login3
    login4
URL pattern2
    login1
    login5
...

where URL_patternX are base URL under which the access is restricted
and loginY are the authorized CAS logins.
otherwise access is free.
It a very simple authorization configuration but we have shortdelays to built a demonstration system for an European operationalproject.
Hi Thomas, im having trouble getting CAS to work, i keep getting thefollowing errors. I think Ive installed a certificate correctly inboth tomcat keystore and in JRE cacert. So you have any advice?
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable tovalidate ProxyTicketValidator[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null][edu.yale.its.tp.cas.client.ServiceTicketValidatorcasValidateUrl=[https://localhost:8443/cas/proxyValidate]ticket=[ST-2-rduetdijO1DSxhaUv6EPioZdgItQERr7ufZ-20]service=[http%3A%2F%2Flocalhost%3A8080%2Fthredds%2FdodsC%2FtestCAS%2FtestData.nc.html]renew=false]]]atedu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)atedu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)atedu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)atorg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)atorg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)atorg.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)atorg.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)atorg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)atorg.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)atorg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)atorg.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)atorg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)atorg.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)atorg.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)atorg.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)atorg.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)atorg.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path buildingfailed: sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested targetatcom.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)atcom.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)atcom.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)atcom.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)atcom.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)atcom.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)atcom.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)atcom.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)atcom.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)atcom.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)atcom.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)atcom.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)atsun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)atsun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)atsun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:938)atsun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
atedu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)atedu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
    ... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX pathbuilding failed:sun.security.provider.certpath.SunCertPathBuilderException: unableto find valid certification path to requested targetatsun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)atsun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
    at sun.security.validator.Validator.validate(Validator.java:203)
atcom.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)atcom.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)atcom.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
    ... 31 more
Caused by:sun.security.provider.certpath.SunCertPathBuilderException: unableto find valid certification path to requested targetatsun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)atjava.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)atsun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
    ... 36 more

Prev by Date: OPeNDAP Developer's Meeting 2007
Next by Date: Re: [Fwd: Re: opendap restricted access]
Previous by thread: OPeNDAP Developer's Meeting 2007
Next by thread: Re: [Fwd: Re: opendap restricted access]
Index(es):
- Date
- Thread