[Open.ogc] services.ogc.noaa.gov password protected under SSL (https)
Micah Wengren
micah.wengren at noaa.gov
Wed Jan 21 17:19:23 UTC 2015
Hi Chi/WOC,
Do you guys think these type of rules can be implemented to improve the
public HTTPS access to the services? I don't think it's a priority or
urgent, but if you might be able to give an estimate for when they could
be added, that would probably help Tim in his planning.
Thanks,
Micah
On 1/7/2015 2:51 PM, Micah Wengren wrote:
> I think the ideal situation would be for only the URLs that optionally
> allow authentication to be restricted by the extra HTTP Basic
> authentication (or NOAA IP address). Those should be:
>
> /geoserver/web
> /geoserver/rest
> /geoexplorer
>
> Everything else can be considered a map or data set request to the WMS
> or WFS. Typically those are the URLs that Tim included but could also
> be to the base WMS and WFS services:
>
> /geoserver/wms
> /geoserver/wfs
> /geoserver/ows
>
> Those should all be allowed from any IP address. I think this would
> help out for use cases like what Tim's is.
>
> Micah
>
>
> On 1/7/2015 1:16 PM, Tim Haverland - NOAA Federal wrote:
>> I'm calling URLs such as:
>>
>> //services.ogc.noaa.gov/geoserver/nmfs_st/wfs
>> <http://services.ogc.noaa.gov/geoserver/nmfs_st/wfs>
>> //services.ogc.noaa.gov/geoserver/nmfs_st/wms
>> <http://services.ogc.noaa.gov/geoserver/nmfs_st/wms>
>> //services.ogc.noaa.gov/geoserver/nmfs_st/ows
>> <http://services.ogc.noaa.gov/geoserver/nmfs_st/ows>
>>
>> After looking at these URLs I realize that I'm including our
>> workspace name (nmfs_st). I'm not sure if that's necessary. Micah, do
>> you know?
>>
>> Tim
>>
>>
>>
>>
>> On Wed, Jan 7, 2015 at 12:25 PM, Chi Kang - NOAA Federal
>> <chi.y.kang at noaa.gov <mailto:chi.y.kang at noaa.gov>> wrote:
>>
>> Tim / Micah I don't think i have an issue getting more granular but I
>> want to understand all the URLs involved first.
>>
>> Can someone outline them for me as an example?
>>
>>
>> On Fri, Jan 2, 2015 at 5:11 PM, Tim Haverland - NOAA Federal
>> <tim.haverland at noaa.gov <mailto:tim.haverland at noaa.gov>> wrote:
>> > What you suggest would be very helpful and allow my calls to
>> geoserver to be
>> > protocol relative.
>> >
>> > I have redirected all https calls to my map to http at the moment.
>> >
>> > Tim
>> >
>> > On Fri, Jan 2, 2015 at 5:07 PM, Micah Wengren
>> <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>>
>> > wrote:
>> >>
>> >> Tim/WOC,
>> >>
>> >> I think the reason for the extra authentication step for HTTPS
>> was to
>> >> prevent public from being able to access /geoserver/web (with
>> login form
>> >> components) for preventing brute force password attacks and such.
>> >>
>> >> I can't think of a reason to not allow HTTPS access to the
>> /geoserver/wms
>> >> and /geoserver/wfs paths though.
>> >>
>> >> This might be something to look into potentially relaxing, if
>> the WOC is
>> >> willing to make that change and web server config allows it to
>> that level of
>> >> granularity.
>> >>
>> >> Micah
>> >>
>> >>
>> >> On 12/4/2014 12:09 PM, Tim Haverland - NOAA Federal wrote:
>> >>
>> >> Hi Micah,
>> >>
>> >> Yes, I was trying to avoid the situation where someone loads
>> our map page
>> >> via https and our calls to services using http are blocked by
>> the browser.
>> >>
>> >> I can have our sysadmin redirect all https requests to my page
>> to http,
>> >> but was hoping to avoid that by simply making my service URLs
>> protocol
>> >> relative.
>> >>
>> >> Is there a reason why services.ogc.noaa.gov
>> <http://services.ogc.noaa.gov> requests a password for ssl?
>> >> Are there services that I can't get to via HTTP but can with
>> HTTPS?
>> >>
>> >> Tim
>> >>
>> >> On Thu, Dec 4, 2014 at 9:48 AM, Micah Wengren - NOAA Federal
>> >> <micah.wengren at noaa.gov <mailto:micah.wengren at noaa.gov>> wrote:
>> >>>
>> >>> Tim,
>> >>>
>> >>> Your goal is to have your web map SSL-enabled (to allow
>> restricted views
>> >>> with a user login for example), or are you just trying to
>> accommodate users
>> >>> who come in to the Fisheries website over HTTPS?
>> >>>
>> >>> If it's the latter, I think you should be able to hard-code
>> the web map
>> >>> requests to go over HTTP regardless of which protocol users
>> come to the site
>> >>> through. This way they shouldn't get the login prompt from a
>> non-NOAA
>> >>> network to access services.ogc.noaa.gov
>> <http://services.ogc.noaa.gov>. The drawback to that is that the
>> >>> browser will give a warning message because some content is
>> coming over
>> >>> HTTP. That's the case for the NOAA Data Catalog, because the
>> tile provider
>> >>> only supports HTTP not HTTPS: https://data.noaa.gov/dataset
>> (the browser
>> >>> will show a warning message rather than a secure connection
>> message).
>> >>>
>> >>> It might be more complicated in your case though because
>> you're making
>> >>> GetFeatureInfo requests to the service that return XML
>> instead of map tiles.
>> >>> I don't know how that would differ.
>> >>>
>> >>>
>> >>> Can you look into that before we investigate making any
>> changes to the
>> >>> HTTPS access policies?
>> >>>
>> >>>
>> >>> Micah
>> >>>
>> >>>
>> >>> On Wed, Dec 3, 2014 at 5:46 PM, Tim Haverland - NOAA Federal
>> >>> <tim.haverland at noaa.gov <mailto:tim.haverland at noaa.gov>> wrote:
>> >>>>
>> >>>> Hi all,
>> >>>>
>> >>>> Recently I've been trying to enable an application that uses
>> noaa ogc
>> >>>> services to run under https. When I do so, the application
>> runs when I'm at
>> >>>> work, but from home (and no VPN) it asks that I enter my
>> noaa email
>> >>>> username/pwd.
>> >>>>
>> >>>> This is fine for me but won't work for public users of my
>> application.
>> >>>>
>> >>>> Is there a reason that ssl access to services.ogc.noaa.gov
>> <http://services.ogc.noaa.gov> requires
>> >>>> login for users that aren't on a noaa network (I assume).
>> >>>>
>> >>>> Here's the app if anyone want to see this behavior in action:
>> >>>>
>> >>>> Works anywhere:
>> >>>>
>> http://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy
>> >>>>
>> >>>> Requires password for I assume non-noaa network users:
>> >>>>
>> https://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy
>> >>>>
>> >>>> I suppose I could redirect users coming in on https to http,
>> but that
>> >>>> causes other headaches on my end.
>> >>>>
>> >>>> Any thoughts?
>> >>>>
>> >>>> Tim
>> >>>>
>> >>>> --
>> >>>> Tim Haverland
>> >>>> Acting Operations Branch Chief
>> >>>> NOAA Fisheries Office of Science and Technology
>> >>>> 1315 East-West Highway
>> >>>> SSMC3 Rm 12303
>> >>>> Silver Spring, MD 20910
>> >>>> 301-427-8137 <tel:301-427-8137>
>> >>>>
>> >>>> _______________________________________________
>> >>>> Open.ogc mailing list
>> >>>> Open.ogc at list.woc.noaa.gov <mailto:Open.ogc at list.woc.noaa.gov>
>> >>>> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>> >>>>
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> Tim Haverland
>> >> Acting Operations Branch Chief
>> >> NOAA Fisheries Office of Science and Technology
>> >> 1315 East-West Highway
>> >> SSMC3 Rm 12303
>> >> Silver Spring, MD 20910
>> >> 301-427-8137 <tel:301-427-8137>
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Tim Haverland
>> > Acting Operations Branch Chief
>> > NOAA Fisheries Office of Science and Technology
>> > 1315 East-West Highway
>> > SSMC3 Rm 12303
>> > Silver Spring, MD 20910
>> > 301-427-8137 <tel:301-427-8137>
>> >
>> > _______________________________________________
>> > Open.ogc mailing list
>> > Open.ogc at list.woc.noaa.gov <mailto:Open.ogc at list.woc.noaa.gov>
>> > https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>> >
>>
>>
>>
>> --
>> Chi Y Kang
>> Principal Engineer
>> Phone: 301.628.5642 <tel:301.628.5642>
>> Cell: 240.338.1059 <tel:240.338.1059>
>>
>>
>>
>>
>> --
>> *Tim Haverland*
>> Acting Operations Branch Chief
>> NOAA Fisheries Office of Science and Technology
>> 1315 East-West Highway
>> SSMC3 Rm 12303
>> Silver Spring, MD 20910
>> 301-427-8137
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://list.woc.noaa.gov/pipermail/open.ogc/attachments/20150121/7efbac09/attachment-0001.html>
More information about the Open.ogc
mailing list