LAS: light (but insecure) access control

To: las_users@xxxxxxxxxxxxxxxxxxx
Subject: LAS: light (but insecure) access control
From: <mkastow@xxxxxxxxxxxxxxx>
Date: Fri, 15 Nov 2002 12:13:40 +0100 (CET)
Cc: Miles@xxxxxxxxxxxxxxx
Sender: owner-las_users@xxxxxxxxxxxxxxxxxxx
User-agent: IMP/PHP IMAP webmail program 2.2.8

To:
las_users@ferret.wrc.noaa.gov
Refers to:
LAS: light (but insecure) access control
Andrew Woolf, 12/14/01


How to implement password protection for LAS 6.0?
-------------------------------------------------

I have successfully set up LAS 6.0 and are now trying some
customization. I can use a cataloge file to define categories.
Great!

Then I tried the suggested password protection using the
Ferret initialization script method. This mechanism worked
after I cleaned the ../las/server/output directory. Before
doing so, the server eventually skipped the requested Ferret
initialization and just sent any files existing in the output
directory regardless of the XML Ferret initialization settings.
Ok.

With the above method the user just gets a simple message
when trying to access certain datasets. One would like to
give users a chance to authenticate and then proceed. There
is a strategy described by Andrew Woolf which I failed
to copy.

The following things were checked.

1) The custom.pl script is found and executed.
2) preExecuteHook is acivated.
3) The supplied custom tags <secure> and <url> are
   both existent within preExecuteHook. url seems to
   be empty even though it was set to passwd.html in the
   XML file.
4) The directory ../ui was created and passwd.html was
   put there (server,ui,xml are at the same directory
   level). I verified that the form tries to send data
   to "top.submitCustom" when started in a browser.
5) I didn't create an AddSecureURL function and script,
   since custom JavaScript is no longer supported.
6) I don't know what to do with serializing and
   deserializing.

On testing, when <secure> tagged datasets are accessed,
the perExecuteHook is called first. This generates a call
to passwd_verify obviously with empty arguments. Then,
consequently the pwd verify fails and the
"This is a secure dataset..." message appears.
The passwd.html is obviously never called?


I see that this can't work? Any ideas?

Thanks,
               M I L E S
_____________________________________________________________

E-mail: mkastow@bgc-jena.mpg.de

Dr. Manfred J. Kastowsky
Max-Planck-Institut für Biogeochemie
Winzerlaer Strasse 10
07745 Jena
Phone: +49 3641 57 6213
Telefax: +49 3641 57 7200

Previous by thread: [Fwd: longitude problem]
Next by thread: woce conference in Texas

[Thread Prev][Thread Next][Index]

Dept of Commerce / NOAA / OAR / PMEL / TMAP
Contact Us | Privacy Policy | Disclaimer | Accessibility Statement