[Open.ogc] services.ogc.noaa.gov password protected under SSL (https)
Micah Wengren
micah.wengren at noaa.gov
Wed Jan 7 19:51:40 UTC 2015
I think the ideal situation would be for only the URLs that optionally
allow authentication to be restricted by the extra HTTP Basic
authentication (or NOAA IP address). Those should be:
/geoserver/web
/geoserver/rest
/geoexplorer
Everything else can be considered a map or data set request to the WMS
or WFS. Typically those are the URLs that Tim included but could also
be to the base WMS and WFS services:
/geoserver/wms
/geoserver/wfs
/geoserver/ows
Those should all be allowed from any IP address. I think this would
help out for use cases like Tim's.
Micah
On 1/7/2015 1:16 PM, Tim Haverland - NOAA Federal wrote:
> I'm calling URLs such as:
>
> //services.ogc.noaa.gov/geoserver/nmfs_st/wfs
> //services.ogc.noaa.gov/geoserver/nmfs_st/wms
> //services.ogc.noaa.gov/geoserver/nmfs_st/ows
>
> After looking at these URLs I realize that I'm including our workspace
> name (nmfs_st). I'm not sure if that's necessary. Micah, do you know?
>
> Tim
>
>
>
>
> On Wed, Jan 7, 2015 at 12:25 PM, Chi Kang - NOAA Federal
> <chi.y.kang at noaa.gov> wrote:
>
> Tim / Micah, I don't think I have an issue getting more granular but I
> want to understand all the URLs involved first.
>
> Can someone outline them for me as an example?
>
>
> On Fri, Jan 2, 2015 at 5:11 PM, Tim Haverland - NOAA Federal
> <tim.haverland at noaa.gov> wrote:
> > What you suggest would be very helpful and allow my calls to geoserver
> > to be protocol relative.
> >
> > I have redirected all https calls to my map to http at the moment.
> >
> > Tim
> >
> > On Fri, Jan 2, 2015 at 5:07 PM, Micah Wengren
> > <micah.wengren at noaa.gov> wrote:
> >>
> >> Tim/WOC,
> >>
> >> I think the reason for the extra authentication step for HTTPS was to
> >> prevent public from being able to access /geoserver/web (with login form
> >> components) for preventing brute force password attacks and such.
> >>
> >> I can't think of a reason to not allow HTTPS access to the /geoserver/wms
> >> and /geoserver/wfs paths though.
> >>
> >> This might be something to look into potentially relaxing, if the WOC is
> >> willing to make that change and web server config allows it to that level
> >> of granularity.
> >>
> >> Micah
> >>
> >>
> >> On 12/4/2014 12:09 PM, Tim Haverland - NOAA Federal wrote:
> >>
> >> Hi Micah,
> >>
> >> Yes, I was trying to avoid the situation where someone loads our map page
> >> via https and our calls to services using http are blocked by the browser.
> >>
> >> I can have our sysadmin redirect all https requests to my page to http,
> >> but was hoping to avoid that by simply making my service URLs protocol
> >> relative.
> >>
> >> Is there a reason why services.ogc.noaa.gov requests a password for ssl?
> >> Are there services that I can't get to via HTTP but can with HTTPS?
> >>
> >> Tim
> >>
> >> On Thu, Dec 4, 2014 at 9:48 AM, Micah Wengren - NOAA Federal
> >> <micah.wengren at noaa.gov> wrote:
> >>>
> >>> Tim,
> >>>
> >>> Your goal is to have your web map SSL-enabled (to allow restricted views
> >>> with a user login for example), or are you just trying to accommodate users
> >>> who come in to the Fisheries website over HTTPS?
> >>>
> >>> If it's the latter, I think you should be able to hard-code the web map
> >>> requests to go over HTTP regardless of which protocol users come to the site
> >>> through. This way they shouldn't get the login prompt from a non-NOAA
> >>> network to access services.ogc.noaa.gov. The drawback to that is that the
> >>> browser will give a warning message because some content is coming over
> >>> HTTP. That's the case for the NOAA Data Catalog, because the tile provider
> >>> only supports HTTP not HTTPS: https://data.noaa.gov/dataset (the browser
> >>> will show a warning message rather than a secure connection message).
> >>>
> >>> It might be more complicated in your case though because you're making
> >>> GetFeatureInfo requests to the service that return XML instead of map tiles.
> >>> I don't know how that would differ.
> >>>
> >>> Can you look into that before we investigate making any changes to the
> >>> HTTPS access policies?
> >>>
> >>>
> >>> Micah
> >>>
> >>>
> >>> On Wed, Dec 3, 2014 at 5:46 PM, Tim Haverland - NOAA Federal
> >>> <tim.haverland at noaa.gov> wrote:
> >>>>
> >>>> Hi all,
> >>>>
> >>>> Recently I've been trying to enable an application that uses noaa ogc
> >>>> services to run under https. When I do so, the application runs when I'm at
> >>>> work, but from home (and no VPN) it asks that I enter my noaa email
> >>>> username/pwd.
> >>>>
> >>>> This is fine for me but won't work for public users of my application.
> >>>>
> >>>> Is there a reason that ssl access to services.ogc.noaa.gov requires
> >>>> login for users that aren't on a noaa network (I assume).
> >>>>
> >>>> Here's the app if anyone wants to see this behavior in action:
> >>>>
> >>>> Works anywhere:
> >>>> http://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy
> >>>>
> >>>> Requires password for I assume non-noaa network users:
> >>>> https://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy
> >>>>
> >>>> I suppose I could redirect users coming in on https to http, but that
> >>>> causes other headaches on my end.
> >>>>
> >>>> Any thoughts?
> >>>>
> >>>> Tim
> >>>>
> >>>> --
> >>>> Tim Haverland
> >>>> Acting Operations Branch Chief
> >>>> NOAA Fisheries Office of Science and Technology
> >>>> 1315 East-West Highway
> >>>> SSMC3 Rm 12303
> >>>> Silver Spring, MD 20910
> >>>> 301-427-8137
> >>>>
> >>>
> >>
> >>
> >>
> >
> >
> >
>
>
>
> --
> Chi Y Kang
> Principal Engineer
> Phone: 301.628.5642
> Cell: 240.338.1059
>
>
>
>
> --
> *Tim Haverland*
> Acting Operations Branch Chief
> NOAA Fisheries Office of Science and Technology
> 1315 East-West Highway
> SSMC3 Rm 12303
> Silver Spring, MD 20910
> 301-427-8137