I visited tds.prototype.ucar.edu/thredds and browsed to a data file to download. On selecting the file, the browser returned a detail page with an Access heading with two options: HTTPServer and GridFTP. I clicked on the link of the HTTPServer option and was then directed to provide my openid for authentication. I entered https://esg.prototype.ucar.edu/myopenid/jcunning and clicked GO. This redirected the browser to esg.prototype where I provided my password. The browser was redirected back to the tds site (http://tds.prototype.ucar.edu/thredds/fileServer/datazone/narccap/data/MM5I/ncep/table2/huss_MM5I_1979010103.nc) and an error page was displayed: HTTP Status 403 - Access Denied
TDS log extracts at moment of attempt:
2011-03-23 15:07:00,969 esg.orp.app.SAMLAuthorizationServiceFilterCollaborator [DEBUG]: Authorizing user=https://esg.prototype.ucar.edu/myopenid/jcunning url=http://tds.prototype.ucar.edu/thredds/fileServer/datazone/narccap/data/MM5I/ncep/table2/huss_MM5I_1979010103.nc operation=Read
...
2011-03-23 15:07:00,972 esg.orp.app.SAMLAuthorizationServiceFilterCollaborator [DEBUG]: <?xml version="1.0" encoding="UTF-8"?><soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Body>
<saml2p:AuthzDecisionQuery xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="9c6324d9-9e77-43b9-ab2d-0fa18080fb37" IssueInstant="2011-03-23T21:07:00.969Z" Resource="http://tds.prototype.ucar.edu/thredds/fileServer/datazone/narccap/data/MM5I/ncep/table2/huss_MM5I_1979010103.nc" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">test issuer</saml2:Issuer>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:esg:openid">https://esg.prototype.ucar.edu/myopenid/jcunning</saml2:NameID>
</saml2:Subject>
<saml2:Action xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">Read</saml2:Action>
</saml2p:AuthzDecisionQuery>
</soap11:Body>
</soap11:Envelope>
2011-03-23 15:07:00,972 esg.saml.common.SOAPServiceClient [DEBUG]: <?xml version="1.0" encoding="UTF-8"?><soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Body>
<saml2p:AuthzDecisionQuery xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="9c6324d9-9e77-43b9-ab2d-0fa18080fb37" IssueInstant="2011-03-23T21:07:00.969Z" Resource="http://tds.prototype.ucar.edu/thredds/fileServer/datazone/narccap/data/MM5I/ncep/table2/huss_MM5I_1979010103.nc" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">test issuer</saml2:Issuer>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:esg:openid">https://esg.prototype.ucar.edu/myopenid/jcunning</saml2:NameID>
</saml2:Subject>
<saml2:Action xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">Read</saml2:Action>
</saml2p:AuthzDecisionQuery>
</soap11:Body>
</soap11:Envelope>
...
2011-03-23 15:07:00,983 esg.orp.app.SAMLAuthorizationServiceFilterCollaborator [DEBUG]:
2011-03-23 15:07:00,983 esg.saml.authz.service.impl.SAMLAuthorizationServiceClientSoapImpl [DEBUG]: Parsing authorization response=
2011-03-23 15:07:00,983 esg.orp.app.SAMLAuthorizationServiceFilterCollaborator [WARN]: Invalid XML
org.opensaml.xml.parse.XMLParserException: Invalid XML
at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:234)
at esg.saml.common.SAMLBuilder.parse(SAMLBuilder.java:463)
at esg.saml.authz.service.impl.SAMLAuthorizationServiceClientSoapImpl.parseAuthorizationResponse(SAMLAuthorizationServiceClientSoapImpl.java:101)
at esg.orp.app.SAMLAuthorizationServiceFilterCollaborator.parseAuthorizationStatement(SAMLAuthorizationServiceFilterCollaborator.java:93)
at esg.orp.app.SAMLAuthorizationServiceFilterCollaborator.authorize(SAMLAuthorizationServiceFilterCollaborator.java:76)
at esg.orp.app.AuthorizationFilter.attemptValidation(AuthorizationFilter.java:59)
at esg.orp.app.AccessControlFilterTemplate.doFilter(AccessControlFilterTemplate.java:62)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at esg.orp.app.AccessControlFilterTemplate.doFilter(AccessControlFilterTemplate.java:66)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at esg.node.filters.AccessLoggingFilter.doFilter(AccessLoggingFilter.java:274)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at eske.web.filters.security.AuthorizationTokenValidationFilter.doFilter(AuthorizationTokenValidationFilter.java:84)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:662)
Caused by: org.xml.sax.SAXParseException: Premature end of file.
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
at org.opensaml.xml.parse.BasicParserPool$DocumentBuilderProxy.parse(BasicParserPool.java:637)
at org.opensaml.xml.parse.BasicParserPool.parse(BasicParserPool.java:231)
... 28 more
2011-03-23 15:07:00,984 esg.orp.app.AuthorizationFilter [DEBUG]: Openid=https://esg.prototype.ucar.edu/myopenid/jcunning url=http://tds.prototype.ucar.edu/thredds/fileServer/datazone/narccap/data/MM5I/ncep/table2/huss_MM5I_1979010103.nc operation=Read authorization result=false
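Added example (not part of the original report or of the ESG code base): a Python triage helper that reads log text in the format shown above and labels each `authorization result=false` as caused by an empty authorization-service response, an unparseable one, or an actual decision. The sample log is constructed, the layout of a non-empty response line is an assumption, and one request's lines are assumed not to interleave with another's.

```python
import re

# Constructed sample in the format of the extract above; hosts, users and the second request are made up.
SAMPLE_LOG = """\
2011-03-23 15:07:00,983 esg.saml.authz.service.impl.SAMLAuthorizationServiceClientSoapImpl [DEBUG]: Parsing authorization response=
2011-03-23 15:07:00,983 esg.orp.app.SAMLAuthorizationServiceFilterCollaborator [WARN]: Invalid XML
org.opensaml.xml.parse.XMLParserException: Invalid XML
Caused by: org.xml.sax.SAXParseException: Premature end of file.
2011-03-23 15:07:00,984 esg.orp.app.AuthorizationFilter [DEBUG]: Openid=https://idp.example.org/myopenid/alice url=http://tds.example.org/thredds/fileServer/a.nc operation=Read authorization result=false
2011-03-23 15:09:12,101 esg.saml.authz.service.impl.SAMLAuthorizationServiceClientSoapImpl [DEBUG]: Parsing authorization response=<soap11:Envelope>...</soap11:Envelope>
2011-03-23 15:09:12,104 esg.orp.app.AuthorizationFilter [DEBUG]: Openid=https://idp.example.org/myopenid/bob url=http://tds.example.org/thredds/fileServer/b.nc operation=Read authorization result=false
"""

HEADER = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} (\S+) \[(\w+)\]: ?(.*)$")
RESULT = re.compile(r"Openid=(\S+) url=(\S+) operation=(\S+) authorization result=(true|false)")
RESPONSE_PREFIX = "Parsing authorization response="

def classify_results(log_text):
    """Return one dict per 'authorization result=' line, with the cause behind it."""
    findings = []
    body, parse_error = None, False      # state of the request in progress (assumes no interleaving)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:                        # stack-trace or other continuation line
            if "XMLParserException" in line or "SAXParseException" in line:
                parse_error = True
            continue
        message = m.group(3)
        if message.startswith(RESPONSE_PREFIX):
            body = message[len(RESPONSE_PREFIX):].strip()
            parse_error = False
            continue
        r = RESULT.search(message)
        if not r:
            continue
        openid, url, operation, result = r.groups()
        if result == "true":
            cause = "granted"
        elif body == "":
            cause = "empty_response"          # service returned nothing; the filter failed closed
        elif parse_error:
            cause = "unparseable_response"    # body present but not valid XML
        else:
            cause = "policy_decision"         # response parsed; the denial came from the service
        findings.append({"openid": openid, "url": url, "operation": operation, "cause": cause})
        body, parse_error = None, False
    return findings
```

A run of `empty_response` findings points at the authorization service or its endpoint configuration rather than at the user's permissions.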