ESGF_Access_Control_Filters
| Wiki Reorganisation |
|---|
| This page has been classified for reorganisation. It has been given the category REVISE. |
| This page contains useful content but needs revision. It may contain out of date or inaccurate content. |
The following is the recommended configuration for the ESGF access control filters in the THREDDS deployment descriptor WEB-INF/web.xml. Please note that the order of the filters is of critical importance. It is also important to use the latest jars of the esgf-security and esg-orp modules in the webapps/thredds/WEB-INF/lib directory, currently:
- esgf-security-1.5.4.jar
- esg-orp-1.2.8.jar
This filter allows free access to any host with IP contained in a local configuration list. Typically used to allow LAS servers to access local datasets bypassing security.
```xml
<filter>
  <filter-name>ipFilter</filter-name>
  <filter-class>esg.orp.app.AuthenticationByIPFilter</filter-class>
  <init-param>
    <param-name>ip_whitelist</param-name>
    <param-value>/esg/content/las/conf/server/las_servers.xml</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>ipFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
The authentication filter intercepts every incoming request and determines whether the requested resource is freely available or protected; in the latter case it redirects the client to the OpenID Relying Party for authentication. One or more policy services can be configured to determine whether the resource is secure: the authentication filter lets the request proceed if at least one of the policy services determines that the resource is free.
In the example below, the _RegexPolicyService_ allows free access to any URL that matches one of the configured patterns, while the _LocalXmlPolicyService_ allows free access to any class of URLs that is marked as such in the typical ESGF policy configuration files.
```xml
<filter>
  <filter-name>authenticationFilter</filter-name>
  <filter-class>esg.orp.app.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>policyServiceClass</param-name>
    <param-value>esg.orp.app.CompositePolicyService</param-value>
  </init-param>
  <init-param>
    <param-name>policyServiceClasses</param-name>
    <param-value>esg.orp.app.RegexPolicyService, esg.orp.app.LocalXmlPolicyService</param-value>
  </init-param>
  <init-param>
    <param-name>authenticationNotRequiredPatterns</param-name>
    <param-value>"[^?]*(/|(/admin/)(.*)|(/remoteCatalogService\?.*)|(?<=\.(html|xml|css|gif|pdf))(\?.*)?)"</param-value>
    <!-- Alternatively, e.g.:
    <param-name>authenticationRequiredPatterns</param-name>
    <param-value>"[^?]*/fileServer/.*", "[^?]*/dodsC/[^?]*(?<!\.html)(\?.*)?"</param-value>
    -->
  </init-param>
  <init-param>
    <param-name>policyFiles</param-name>
    <param-value>/esg/config/esgf_policies_local.xml, /esg/config/esgf_policies_common.xml</param-value>
  </init-param>
  <init-param>
    <param-name>openidRelyingPartyUrl</param-name>
    <param-value>https://<your data node hostname here>/esg-orp/home.htm</param-value>
  </init-param>
  <init-param>
    <param-name>trustoreFile</param-name>
    <param-value>/esg/certificates/esg-truststore.ts</param-value>
  </init-param>
  <init-param>
    <param-name>trustorePassword</param-name>
    <param-value>*</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>authenticationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
The authorization filter will determine if the user previously authenticated is authorized to access the requested resource, for the specific requested operation. This filter can contact one or more authorization services, and will allow access the first time an authorization service returns a positive response.
In the example below, three authorization services are contacted: the local ESGF P2P authorization service, and the JPL gateway and PCMDI gateway legacy authorization services. Note that for compatibility with the legacy systems, OpenDAP request URLs are transformed into NetCDF file access URLs.
```xml
<filter>
  <filter-name>authorizationFilter</filter-name>
  <filter-class>esg.orp.app.AuthorizationFilter</filter-class>
  <init-param>
    <param-name>authorizationServiceClass</param-name>
    <param-value>esg.orp.app.SAMLAuthorizationServiceFilterCollaborator</param-value>
  </init-param>
  <init-param>
    <param-name>urlTransformer</param-name>
    <param-value>esg.orp.app.RegexReplaceAuthorizationFilterUrlTransformer</param-value>
  </init-param>
  <init-param>
    <param-name>urlTransformerReplacements</param-name>
    <param-value>"\?.*":"", "/dodsC/":"/fileServer/", "\.(asc|ascii|das|dds|dods|html)\Z":""</param-value>
  </init-param>
  <init-param>
    <param-name>authorizationServiceUrl</param-name>
    <param-value>
      https://<your data node p2p hostname here>/esgf-security/saml/soap/secure/authorizationService.htm,
      https://esg-gateway.jpl.nasa.gov/saml/soap/secure/authorizationService.htm,
      https://pcmdi3.llnl.gov/esgcet/saml/soap/secure/authorizationService.htm
    </param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>authorizationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
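To see what the legacy authorization services actually receive, the following added example (not part of this wiki page or the esg-orp code) applies the three `urlTransformerReplacements` above, in order, to a constructed OpenDAP request URL. It assumes the filter applies the replacements sequentially with Java regex semantics, for which Python's `re.sub` behaves identically on these patterns.

```python
import re

# The replacement list exactly as given in the urlTransformerReplacements
# init-param above: '"regex":"replacement"' pairs, comma separated.
URL_TRANSFORMER_REPLACEMENTS = (
    r'"\?.*":"", "/dodsC/":"/fileServer/", "\.(asc|ascii|das|dds|dods|html)\Z":""'
)

def parse_replacements(spec):
    """Split the param-value into an ordered list of (regex, replacement)."""
    quoted = r'"((?:[^"\\]|\\.)*)"'   # one quoted string, backslash escapes kept
    return re.findall(quoted + r"\s*:\s*" + quoted, spec)

def transform_url(url, replacements=None):
    """Rewrite an OpenDAP request URL into the NetCDF fileServer URL the
    legacy authorization services understand, applying each replacement in
    order: strip the query string, swap /dodsC/ for /fileServer/, then drop
    the OpenDAP suffix. Assumption: the filter applies them sequentially;
    Python's re.sub and \\Z match Java's behaviour for these patterns."""
    if replacements is None:
        replacements = parse_replacements(URL_TRANSFORMER_REPLACEMENTS)
    for pattern, replacement in replacements:
        url = re.sub(pattern, replacement, url)
    return url

if __name__ == "__main__":
    # Constructed example URL; hostname and dataset path are not from this page.
    dods = "https://data.example.org/thredds/dodsC/cmip5/tas_Amon.nc.dods?tas[0:1:0]"
    print(transform_url(dods))
    # -> https://data.example.org/thredds/fileServer/cmip5/tas_Amon.nc
```

Note that a plain fileServer URL passes through unchanged, so the same authorization decision covers both access paths to a file.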
The registration filter intercepts a request that was not authorized and redirects the client to the OpenID Relying Party user interface, where the user can request membership in one of the necessary access control groups.
```xml
<filter>
  <filter-name>registrationFilter</filter-name>
  <filter-class>esg.orp.app.RegistrationFilter</filter-class>
  <init-param>
    <param-name>registrationRelayUrl</param-name>
    <param-value>https://<your local node hostname here>/OpenidRelyingParty/registration-request.htm</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>registrationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
The enforcer filter comes last in the access control chain: it guarantees that the user has proper authorization to access the requested resource, and returns an access denied response if not.
```xml
<filter>
  <filter-name>enforcererFilter</filter-name>
  <filter-class>esg.orp.app.FilterAuthorizationEnforcerer</filter-class>
</filter>
<filter-mapping>
  <filter-name>enforcererFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
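Because the filter order is critical and every filter must be mapped to `/*`, a deployer will want to audit a web.xml rather than eyeball it. The following added example (not part of this wiki page or the esg-orp project) parses the `filter-mapping` elements, whose document order is the order a servlet container runs the filters in, and reports missing filters, wrong order, or mappings narrower than `/*`; `sample_web_xml` builds a constructed minimal descriptor for demonstration and is not a real deployment file.

```python
import re
import xml.etree.ElementTree as ET

# The chain this page mandates, in order, keyed by filter class because the
# filter-name is chosen by the deployer.
EXPECTED_CHAIN = [
    "esg.orp.app.AuthenticationByIPFilter",
    "esg.orp.app.AuthenticationFilter",
    "esg.orp.app.AuthorizationFilter",
    "esg.orp.app.RegistrationFilter",
    "esg.orp.app.FilterAuthorizationEnforcerer",
]

def filter_chain(web_xml):
    """Return [(filter-class, url-pattern), ...] in <filter-mapping> order,
    which is the order the servlet container invokes the filters."""
    # Drop the default namespace so plain tag names work with ElementTree.
    root = ET.fromstring(re.sub(r'\sxmlns="[^"]*"', "", web_xml, count=1))
    classes = {f.findtext("filter-name"): f.findtext("filter-class")
               for f in root.iter("filter")}
    return [(classes.get(m.findtext("filter-name")), m.findtext("url-pattern"))
            for m in root.iter("filter-mapping")]

def audit_chain(web_xml):
    """List deviations from the recommended chain: a missing filter, filters
    out of order, or a filter not mapped to /* (some URLs would bypass it)."""
    chain = filter_chain(web_xml)
    present = [cls for cls, _ in chain if cls in EXPECTED_CHAIN]
    problems = [f"missing filter-mapping for {cls}"
                for cls in EXPECTED_CHAIN if cls not in present]
    if present != [cls for cls in EXPECTED_CHAIN if cls in present]:
        problems.append("filters mapped out of order: " + " -> ".join(present))
    problems += [f"{cls} mapped to {pat!r} instead of '/*'"
                 for cls, pat in chain if cls in EXPECTED_CHAIN and pat != "/*"]
    return problems

def sample_web_xml(filters, pattern="/*"):
    """Constructed minimal web.xml (not a real deployment) declaring the given
    (name, class) filters and mapping each, in list order, to `pattern`."""
    decl = "".join(f"<filter><filter-name>{n}</filter-name>"
                   f"<filter-class>{c}</filter-class></filter>" for n, c in filters)
    maps = "".join(f"<filter-mapping><filter-name>{n}</filter-name>"
                   f"<url-pattern>{pattern}</url-pattern></filter-mapping>" for n, _ in filters)
    return f'<web-app xmlns="http://java.sun.com/xml/ns/javaee">{decl}{maps}</web-app>'

# The filter names used on this page, paired with their classes in the right order.
RECOMMENDED = list(zip(["ipFilter", "authenticationFilter", "authorizationFilter",
                        "registrationFilter", "enforcererFilter"], EXPECTED_CHAIN))

if __name__ == "__main__":
    print(audit_chain(sample_web_xml(RECOMMENDED)))   # [] : nothing to report
```

Run `audit_chain` on the real `webapps/thredds/WEB-INF/web.xml` after an upgrade to confirm the chain still ends with the enforcer filter.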