1. A request is made to a restricted access, in this case from a web browser:
GET /thredds/dodsC/restrict/testData.nc.html HTTP/1.1 Host: motherlode.ucar.edu:9080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive
The response is a redirection to a special URL, given in the Location header. Notice that a session Cookie is also sent.
HTTP/1.x 302 Moved Temporarily Server: Apache-Coyote/1.1 Last-Modified: Tue, 30 Jan 2007 17:29:35 GMT Set-Cookie: JSESSIONID=77421EB5C6EEA0BD2AA59BE8A0950F33; Path=/thredds Location: http://motherlode.ucar.edu:9080/thredds/restrictedAccess/tiggeData Content-Length: 0 Date: Wed, 04 Apr 2007 00:27:14 GMT
2. The client follows the redirect:
GET /thredds/restrictedAccess/tiggeData HTTP/1.1 Host: motherlode.ucar.edu:9080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cookie: JSESSIONID=77421EB5C6EEA0BD2AA59BE8A0950F33
Because SSL is on, a second redirect happens to an HTTPS URL. This is part of the Tomcat managed authentication.
HTTP/1.x 302 Moved Temporarily Server: Apache-Coyote/1.1 Pragma: No-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 17:00:00 MST Location: https://motherlode.ucar.edu:9443/thredds/restrictedAccess/tiggeData Content-Length: 0 Date: Wed, 04 Apr 2007 00:27:14 GMT
3. The client again follows the redirect:
GET /thredds/restrictedAccess/tiggeData HTTP/1.1 Host: motherlode.ucar.edu:9443 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cookie: JSESSIONID=77421EB5C6EEA0BD2AA59BE8A0950F33;
The reponse is the HTTP Security challenge. The WWW-Authenticate header indicates its using BASIC authentication for the Realm THREDDS Data Server. BASIC is safe because we are using SSL.
HTTP/1.x 401 Unauthorized Server: Apache-Coyote/1.1 Pragma: No-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 17:00:00 MST WWW-Authenticate: Basic realm="THREDDS Data Server" Content-Type: text/html;charset=utf-8 Content-Length: 954 Date: Wed, 04 Apr 2007 00:27:19 GMT
4. At this point, the client must know how to obtain the proper username/password, and base64 encode it into the Authorization header, and repeat the request:
GET /thredds/restrictedAccess/tiggeData HTTP/1.1 Host: motherlode.ucar.edu:9443 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cookie: JSESSIONID=77421EB5C6EEA0BD2AA59BE8A0950F33 Authorization: Basic dGlnZ2VEYXRhOnRpZ2dl
If the server authenticates the user, and the user is authorized to access the resource, then it is redirected back to the original URL:
HTTP/1.x 302 Moved Temporarily Server: Apache-Coyote/1.1 Pragma: No-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 17:00:00 MST Location: http://motherlode.ucar.edu:9080/thredds/dodsC/restrict/testData.nc.html Content-Length: 0 Date: Wed, 04 Apr 2007 00:27:52 GMT
If the client sends back an incorrect password, the server responds a 401 Unauthorized:
HTTP/1.x 401 Unauthorized Server: Apache-Coyote/1.1 Pragma: No-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 17:00:00 MST WWW-Authenticate: Basic realm="THREDDS Data Server" Content-Type: text/html;charset=utf-8 Content-Length: 954 Date: Wed, 04 Apr 2007 00:27:32 GMT
5. The client follows the redirect, and we're back where we started from (compare 1), except that the server now has created a session for this user, pointed
to by the Session Cookie (which the client has been sending all along)
GET /thredds/dodsC/restrict/testData.nc.html HTTP/1.1 Host: motherlode.ucar.edu:9080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cookie: JSESSIONID=77421EB5C6EEA0BD2AA59BE8A0950F33
Now at last the server sends back the restricted resource:
HTTP/1.x 200 OK Server: Apache-Coyote/1.1 Last-Modified: Tue, 30 Jan 2007 17:29:35 GMT XDODS-Server: opendap/3.7 Content-Description: dods_form Content-Type: text/html Transfer-Encoding: chunked Date: Wed, 04 Apr 2007 00:27:52 GMT
6. On subsequent requests, as long as the client sends back a valid session Cookie, the request is honored without further challenge:
GET /thredds/dodsC/restrict/testData.nc.ascii?reftime[0:1:0] HTTP/1.1 Host: motherlode.ucar.edu:9080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cookie: JSESSIONID=77421EB5C6EEA0BD2AA59BE8A0950F33
HTTP/1.x 200 OK Server: Apache-Coyote/1.1 XDODS-Server: opendap/3.7 Content-Description: dods_ascii Content-Type: text/plain Transfer-Encoding: chunked Date: Wed, 04 Apr 2007 00:56:23 GMT
This document is maintained by Unidata and was last updated April 3, 2007.
Send comments to
THREDDS support.