On 5/16/2011 11:01 AM, Cinquini, Luca (3880) wrote:
Hi John,
how's it going? I have a follow-up question to our brief conversation at
GO-ESSP last week. Could you confirm that theoretically the TDS access control
model should be able to secure access to HTTP requests ending in .dods, besides
those ending in .nc?
The reason I am asking is because looking at the log files it seems otherwise.
The ESG filters establish whether or not a URL is secure by calling
DatasetHandler.findResourceControl(uri). Up to now, we have changed every URL
of the form XYZ.nc.dods to XYZ.nc, and fed this last uri to the DatasetHandler,
but this approach does not work for aggregations.
For example, this is what I see in the logs when making an opendap request on a
single file:
2011-05-16T09:50:28.655 -0700 [ 53640][ 14] DEBUG -
esg.orp.app.tds.TDSPolicyService -
URI=/esg_dataroot/obs4cmip5/observations/atmos/hus/mon/grid/NASA-JPL/AQUA/AIRS/r1i1p1/hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc.dods
resource control=null
2011-05-16T09:50:28.656 -0700 [ 53641][ 14] DEBUG -
esg.orp.app.tds.TDSPolicyService - Uri changed.
2011-05-16T09:50:28.656 -0700 [ 53641][ 14] DEBUG -
esg.orp.app.tds.TDSPolicyService -
URI=/esg_dataroot/obs4cmip5/observations/atmos/hus/mon/grid/NASA-JPL/AQUA/AIRS/r1i1p1/hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc
resource control=esg-user is secure=true
2011-05-16T09:50:28.656 -0700 [ 53641][ 14] DEBUG -
esg.orp.app.AuthenticationFilter -
URL=http://test-datanode.jpl.nasa.gov/thredds/dodsC/esg_dataroot/obs4cmip5/observations/atmos/hus/mon/grid/NASA-JPL/AQUA/AIRS/r1i1p1/hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc.dods?hus[0:1:0][0:1:0][0:1:0][0:1:0]
is secure
You'll notice that the original URI
*/hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc.dods is NOT secure, but after
dropping the last extension, the URI
hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc IS secure.
Of course I might be doing something wrong here, but before digging any
further I wanted to make sure that you think dods requests are treated just
like normal file requests as far as security is concerned. FYI the catalog I am
using to test is:
http://test-datanode.jpl.nasa.gov/thredds/esgcet/1/obs4cmip5.NASA-JPL.AQUA.AIRS.mon.v1.xml
thanks a lot, it was great seeing you at the workshop,
Luca
hi luca:
this is a bug in our code. it's looking for exact matches on access paths.
i will get a fix asap. thanks for finding it.
john
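
The lookup behaviour discussed in this thread, modelled as an added example; it is not part of either message and is not TDS or ESG code. All function names, the control table and the aggregation path are constructed, and the assumption that an aggregation's access path does not end in .nc is mine.

```python
# Added illustration; not TDS or ESG code. All names here are hypothetical.
DAP_SUFFIXES = (".dods", ".dds", ".das", ".ascii", ".html", ".info")

# File path taken from the log lines in the thread.
FILE_PATH = ("/esg_dataroot/obs4cmip5/observations/atmos/hus/mon/grid/NASA-JPL/"
             "AQUA/AIRS/r1i1p1/hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc")
AGG_PATH = "/esg_dataroot/example.aggregation"  # constructed sample path

# Constructed table: dataset access path -> resource control name.
CONTROLS = {FILE_PATH: "esg-user", AGG_PATH: "esg-user"}


def find_exact(uri):
    """Exact-match lookup: any service suffix on the path causes a miss."""
    return CONTROLS.get(uri)


def find_rewrite_nc(uri):
    """Workaround from the thread: rewrite XYZ.nc.dods to XYZ.nc, then look up."""
    if uri.endswith(".nc.dods"):
        uri = uri[: -len(".dods")]
    return CONTROLS.get(uri)


def find_normalized(uri):
    """Drop the query string and one DAP service suffix before matching."""
    path = uri.split("?", 1)[0]
    control = CONTROLS.get(path)
    if control is None:
        for suffix in DAP_SUFFIXES:
            if path.endswith(suffix):
                control = CONTROLS.get(path[: -len(suffix)])
                break
    return control


def is_secure(uri, lookup):
    """A request is treated as secured only if a resource control is found."""
    return lookup(uri) is not None
```

With an exact-match lookup, a restricted dataset is reported as unsecured whenever the request carries a service suffix, so a filter that relies on the lookup result lets the request through unauthenticated.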