[Open.ogc] services.ogc.noaa.gov password protected under SSL (https)

Micah Wengren micah.wengren at noaa.gov
Wed Jan 7 19:51:40 UTC 2015


I think the ideal situation would be for only the URLs that optionally 
allow authentication to be restricted by the extra HTTP Basic 
authentication (or NOAA IP address).  Those should be:

/geoserver/web
/geoserver/rest
/geoexplorer

Everything else can be considered a map or data set request to the WMS 
or WFS.  Typically those are the URLs that Tim included but could also 
be to the base WMS and WFS services:

/geoserver/wms
/geoserver/wfs
/geoserver/ows

Those should all be allowed from any IP address.  I think this would 
help out for use cases like what Tim's is.

Micah


On 1/7/2015 1:16 PM, Tim Haverland - NOAA Federal wrote:
> I'm calling URLs such as:
>
> //services.ogc.noaa.gov/geoserver/nmfs_st/wfs 
> <http://services.ogc.noaa.gov/geoserver/nmfs_st/wfs>
> //services.ogc.noaa.gov/geoserver/nmfs_st/wms 
> <http://services.ogc.noaa.gov/geoserver/nmfs_st/wms>
> //services.ogc.noaa.gov/geoserver/nmfs_st/ows 
> <http://services.ogc.noaa.gov/geoserver/nmfs_st/ows>
>
> After looking at these URLs I realize that I'm including our workspace 
> name (nmfs_st). I'm not sure if that's necessary. Micah, do you know?
>
> Tim
>
>
>
>
> On Wed, Jan 7, 2015 at 12:25 PM, Chi Kang - NOAA Federal 
> <chi.y.kang at noaa.gov <mailto:chi.y.kang at noaa.gov>> wrote:
>
>     Tim / Micah I don't think i have an issue getting more granular but I
>     want to understand all the URLs involved first.
>
>     Can someone outline them for me as an example?
>
>
>     On Fri, Jan 2, 2015 at 5:11 PM, Tim Haverland - NOAA Federal
>     <tim.haverland at noaa.gov <mailto:tim.haverland at noaa.gov>> wrote:
>     > What you suggest would be very helpful and allow my calls to
>     geoserver to be
>     > protocol relative.
>     >
>     > I have redirected all https calls to my map to http at the moment.
>     >
>     > Tim
>     >
>     > On Fri, Jan 2, 2015 at 5:07 PM, Micah Wengren
>     <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>>
>     > wrote:
>     >>
>     >> Tim/WOC,
>     >>
>     >> I think the reason for the extra authentication step for HTTPS
>     was to
>     >> prevent public from being able to access /geoserver/web (with
>     login form
>     >> components) for preventing brute force password attacks and such.
>     >>
>     >> I can't think of a reason to not allow HTTPS access to the
>     /geoserver/wms
>     >> and /geoserver/wfs paths though.
>     >>
>     >> This might be something to look into potentially relaxing, if
>     the WOC is
>     >> willing to make that change and web server config allows it to
>     that level of
>     >> granularity.
>     >>
>     >> Micah
>     >>
>     >>
>     >> On 12/4/2014 12:09 PM, Tim Haverland - NOAA Federal wrote:
>     >>
>     >> Hi Micah,
>     >>
>     >> Yes, I was trying to avoid the situation where someone loads
>     our map page
>     >> via https and our calls to services using http are blocked by
>     the browser.
>     >>
>     >> I can have our sysadmin redirect all https requests to my page
>     to http,
>     >> but was hoping to avoid that by simply making my service URLs
>     protocol
>     >> relative.
>     >>
>     >> Is there a reason why services.ogc.noaa.gov
>     <http://services.ogc.noaa.gov> requests a password for ssl?
>     >> Are there services that I can't get to via HTTP but can with HTTPS?
>     >>
>     >> Tim
>     >>
>     >> On Thu, Dec 4, 2014 at 9:48 AM, Micah Wengren - NOAA Federal
>     >> <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>> wrote:
>     >>>
>     >>> Tim,
>     >>>
>     >>> Your goal is to have your web map SSL-enabled (to allow
>     restricted views
>     >>> with a user login for example), or are you just trying to
>     accommodate users
>     >>> who come in to the Fisheries website over HTTPS?
>     >>>
>     >>> If it's the latter, I think you should be able to hard-code
>     the web map
>     >>> requests to go over HTTP regardless of which protocol users
>     come to the site
>     >>> through.  This way they shouldn't get the login prompt from a
>     non-NOAA
>     >>> network to access services.ogc.noaa.gov
>     <http://services.ogc.noaa.gov>. The drawback to that is that the
>     >>> browser will give a warning message because some content is
>     coming over
>     >>> HTTP.  That's the case for the NOAA Data Catalog, because the
>     tile provider
>     >>> only supports HTTP not HTTPS: https://data.noaa.gov/dataset
>     (the browser
>     >>> will show a warning message rather than a secure connection
>     message).
>     >>>
>     >>> It might be more complicated in your case though because
>     you're making
>     >>> GetFeatureInfo requests to the service that return XML instead
>     of map tiles.
>     >>> I don't know how that would differ.
>     >>>
>     >>>
>     >>> Can you look into that before we investigate making any
>     changes to the
>     >>> HTTPS access policies?
>     >>>
>     >>>
>     >>> Micah
>     >>>
>     >>>
>     >>> On Wed, Dec 3, 2014 at 5:46 PM, Tim Haverland - NOAA Federal
>     >>> <tim.haverland at noaa.gov <mailto:tim.haverland at noaa.gov>> wrote:
>     >>>>
>     >>>> Hi all,
>     >>>>
>     >>>> Recently I've been trying to enable an application that uses
>     noaa ogc
>     >>>> services to run under https. When I do so, the application
>     runs when I'm at
>     >>>> work, but from home (and no VPN) it asks that I enter my noaa
>     email
>     >>>> username/pwd.
>     >>>>
>     >>>> This is fine for me but won't work for public users of my
>     application.
>     >>>>
>     >>>> Is there a reason that ssl access to services.ogc.noaa.gov
>     <http://services.ogc.noaa.gov> requires
>     >>>> login for users that aren't on a noaa network (I assume).
>     >>>>
>     >>>> Here's the app if anyone want to see this behavior in action:
>     >>>>
>     >>>> Works anywhere:
>     >>>>
>     http://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy
>     >>>>
>     >>>> Requires password for I assume non-noaa network users:
>     >>>>
>     https://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy
>     >>>>
>     >>>> I suppose I could redirect users coming in on https to http,
>     but that
>     >>>> causes other headaches on my end.
>     >>>>
>     >>>> Any thoughts?
>     >>>>
>     >>>> Tim
>     >>>>
>     >>>> --
>     >>>> Tim Haverland
>     >>>> Acting Operations Branch Chief
>     >>>> NOAA Fisheries Office of Science and Technology
>     >>>> 1315 East-West Highway
>     >>>> SSMC3 Rm 12303
>     >>>> Silver Spring, MD 20910
>     >>>> 301-427-8137 <tel:301-427-8137>
>     >>>>
>     >>>> _______________________________________________
>     >>>> Open.ogc mailing list
>     >>>> Open.ogc at list.woc.noaa.gov <mailto:Open.ogc at list.woc.noaa.gov>
>     >>>> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>     >>>>
>     >>>
>     >>
>     >>
>     >>
>     >> --
>     >> Tim Haverland
>     >> Acting Operations Branch Chief
>     >> NOAA Fisheries Office of Science and Technology
>     >> 1315 East-West Highway
>     >> SSMC3 Rm 12303
>     >> Silver Spring, MD 20910
>     >> 301-427-8137 <tel:301-427-8137>
>     >>
>     >>
>     >
>     >
>     >
>     > --
>     > Tim Haverland
>     > Acting Operations Branch Chief
>     > NOAA Fisheries Office of Science and Technology
>     > 1315 East-West Highway
>     > SSMC3 Rm 12303
>     > Silver Spring, MD 20910
>     > 301-427-8137 <tel:301-427-8137>
>     >
>     > _______________________________________________
>     > Open.ogc mailing list
>     > Open.ogc at list.woc.noaa.gov <mailto:Open.ogc at list.woc.noaa.gov>
>     > https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>     >
>
>
>
>     --
>     Chi Y Kang
>     Principal Engineer
>     Phone: 301.628.5642 <tel:301.628.5642>
>     Cell: 240.338.1059 <tel:240.338.1059>
>
>
>
>
> -- 
> *Tim Haverland*
> Acting Operations Branch Chief
> NOAA Fisheries Office of Science and Technology
> 1315 East-West Highway
> SSMC3 Rm 12303
> Silver Spring, MD 20910
> 301-427-8137

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://list.woc.noaa.gov/pipermail/open.ogc/attachments/20150107/575004e3/attachment-0001.html>


More information about the Open.ogc mailing list