[Open.ogc] services.ogc.noaa.gov password protected under SSL (https)

Micah Wengren micah.wengren at noaa.gov
Fri Jan 2 22:07:36 UTC 2015 

Tim/WOC,

I think the reason for the extra authentication step for HTTPS was to 
prevent public from being able to access /geoserver/web (with login form 
components) for preventing brute force password attacks and such.

I can't think of a reason to not allow HTTPS access to the 
/geoserver/wms and /geoserver/wfs paths though.

This might be something to look into potentially relaxing, if the WOC is 
willing to make that change and web server config allows it to that 
level of granularity.

Micah

On 12/4/2014 12:09 PM, Tim Haverland - NOAA Federal wrote:
> Hi Micah,
>
> Yes, I was trying to avoid the situation where someone loads our map 
> page via https and our calls to services using http are blocked by the 
> browser.
>
> I can have our sysadmin redirect all https requests to my page to 
> http, but was hoping to avoid that by simply making my service URLs 
> protocol relative.
>
> Is there a reason why services.ogc.noaa.gov 
> <http://services.ogc.noaa.gov> requests a password for ssl? Are there 
> services that I can't get to via HTTP but can with HTTPS?
>
> Tim
>
> On Thu, Dec 4, 2014 at 9:48 AM, Micah Wengren - NOAA Federal 
> <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>> wrote:
>
>     Tim,
>
>     Your goal is to have your web map SSL-enabled (to allow restricted
>     views with a user login for example), or are you just trying to
>     accommodate users who come in to the Fisheries website over HTTPS?
>
>     If it's the latter, I think you should be able to hard-code the
>     web map requests to go over HTTP regardless of which protocol
>     users come to the site through.  This way they shouldn't get the
>     login prompt from a non-NOAA network to access
>     services.ogc.noaa.gov <http://services.ogc.noaa.gov>. The drawback
>     to that is that the browser will give a warning message because
>     some content is coming over HTTP.  That's the case for the NOAA
>     Data Catalog, because the tile provider only supports HTTP not
>     HTTPS: https://data.noaa.gov/dataset (the browser will show a
>     warning message rather than a secure connection message).
>
>     It might be more complicated in your case though because you're
>     making GetFeatureInfo requests to the service that return XML
>     instead of map tiles.  I don't know how that would differ.
>
>
>     Can you look into that before we investigate making any changes to
>     the HTTPS access policies?
>
>
>     Micah
>
>
>     On Wed, Dec 3, 2014 at 5:46 PM, Tim Haverland - NOAA Federal
>     <tim.haverland at noaa.gov <mailto:tim.haverland at noaa.gov>> wrote:
>
>         Hi all,
>
>         Recently I've been trying to enable an application that uses
>         noaa ogc services to run under https. When I do so, the
>         application runs when I'm at work, but from home (and no VPN)
>         it asks that I enter my noaa email username/pwd.
>
>         This is fine for me but won't work for public users of my
>         application.
>
>         Is there a reason that ssl access to services.ogc.noaa.gov
>         <http://services.ogc.noaa.gov> requires login for users that
>         aren't on a noaa network (I assume).
>
>         Here's the app if anyone want to see this behavior in action:
>
>         Works anywhere:
>         http://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy
>
>         Requires password for I assume non-noaa network users:
>         https://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy
>
>         I suppose I could redirect users coming in on https to http,
>         but that causes other headaches on my end.
>
>         Any thoughts?
>
>         Tim
>
>         -- 
>         *Tim Haverland*
>         Acting Operations Branch Chief
>         NOAA Fisheries Office of Science and Technology
>         1315 East-West Highway
>         SSMC3 Rm 12303
>         Silver Spring, MD 20910
>         301-427-8137 <tel:301-427-8137>
>
>         _______________________________________________
>         Open.ogc mailing list
>         Open.ogc at list.woc.noaa.gov <mailto:Open.ogc at list.woc.noaa.gov>
>         https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>
>
>
>
>
> -- 
> *Tim Haverland*
> Acting Operations Branch Chief
> NOAA Fisheries Office of Science and Technology
> 1315 East-West Highway
> SSMC3 Rm 12303
> Silver Spring, MD 20910
> 301-427-8137

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://list.woc.noaa.gov/pipermail/open.ogc/attachments/20150102/d65db114/attachment.html>

More information about the Open.ogc mailing list