TAP 1.1 securityMethod VOSI-capabilities extension

Juan Gonzalez juan.gonzalez at sciops.esa.int
Thu Oct 3 12:12:10 CEST 2019


Dear Mark, IVOA DAL, 

Following the discussions in Paris and your early implementation of authentication methods description in VOSI capabilities in TOPCAT, JC. Segovia has prepared a test service of our Gaia TAP including the response with 'securityMethod' items to 'ivo://ivoa.net/std/TAP' capabilities as follows: 

<securityMethod/> 
<securityMethod standardID="ivo://ivoa.net/sso#cookie"/> 

We tested this with the early implementation version of TOPCAT you provided in Paris (topcat-full_tap11b.jar). We were able to specify our service using 'cookies' as security method. But we were not able to retrieve any table or to launch any sync/async query using a private table with the current Gaia TAP. The service may be added, cookie authentication method selected, and provision of the cookie retrieved as text JSESSIONID=xxxx. We get a 'Table Metadata Error' error: java.io.IOException: Table resource access failure (500 500). Apparently the tool is adding an extra /tables string to the URL before invoking the service (like /tap-server/tap/tap/tables). We can provide you further details or the test service if you wish to dig further into this.

Nevertheless, we think some extra parameters would be required under the 'securityMethod' item in order to have enough flexibility to interpret any cookie-based authenticated TAP. As a minimum we feel the following shall be added: a login URL, username and password HTTP parameter names, cookie identifier and HTTP method (GET vs POST), as follows:

<securityMethod standardID="ivo://ivoa.net/sso#cookie"> 
<param id="url" ucd="meta.ref.url" utype="Access.reference"> [ https://gea.esac.esa.int/tap-server/login | https://host/tap-server/login ] </param> 
<param id="method" ucd="meta.ref.method" utype="Request.method">POST</param> 
<param id="user" ucd="login.name" utype="Request.param">username</param> 
<param id="pwd" ucd="login.password" utype="Request.param">password</param> 
<param id="cookie" ucd="login.cookie" type="Response.cookie">JSESSIONID</param> 
</securityMethod> 

Probably similar parameters could be added for the case of 'tls-with-certificate' services. 

What are your opinions about this? Could this be a discussion item for the upcoming Interop? 

Regards, 
J. González and JC. Segovia 

--
Juan Gonzalez juan.gonzalez at sciops.esa.int 
ESAC Science Data Centre 
European Space Agency (ESA) - SERCO 

European Space Astronomy Centre (ESAC) 
Camino Bajo del Castillo, S/N Tel: +34 91 813 14 82 
Villanueva de la Canada, 28691, Madrid, SPAIN Fax: +34 91 813 13 22
--------------------------------------------------------------------- 
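
Added example, not part of the original message and not TOPCAT or Gaia archive code: a client-side reader for the proposed 'securityMethod' parameters that validates the advertised login endpoint before any credentials are sent. The function name, the placeholder host "host" and the three policy checks (HTTPS only, same host as the TAP service, POST only) are assumptions of this sketch, not part of the proposal.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

COOKIE_SSO = "ivo://ivoa.net/sso#cookie"
REQUIRED = ("url", "method", "user", "pwd", "cookie")

# Constructed sample shaped like the proposal above; "host" is a placeholder.
SAMPLE = """<capability standardID="ivo://ivoa.net/std/TAP">
  <securityMethod/>
  <securityMethod standardID="ivo://ivoa.net/sso#cookie">
    <param id="url" ucd="meta.ref.url" utype="Access.reference">https://host/tap-server/login</param>
    <param id="method" ucd="meta.ref.method" utype="Request.method">POST</param>
    <param id="user" ucd="login.name" utype="Request.param">username</param>
    <param id="pwd" ucd="login.password" utype="Request.param">password</param>
    <param id="cookie" ucd="login.cookie" type="Response.cookie">JSESSIONID</param>
  </securityMethod>
</capability>"""

def cookie_login_plan(capability_xml, service_url):
    """Return the advertised login parameters as a dict keyed by param id.

    Raises ValueError when the description is incomplete or when following it
    would send credentials somewhere the user did not choose (assumed policy).
    """
    root = ET.fromstring(capability_xml)
    for sm in root.iter("securityMethod"):
        if sm.get("standardID") != COOKIE_SSO:
            continue  # anonymous access or another SSO mechanism
        p = {e.get("id"): (e.text or "").strip() for e in sm.findall("param")}
        missing = [k for k in REQUIRED if not p.get(k)]
        if missing:
            raise ValueError("missing params: " + ", ".join(missing))
        login, svc = urlsplit(p["url"]), urlsplit(service_url)
        if login.scheme != "https":
            raise ValueError("login URL must use https")
        # The capabilities document is remote input: do not let it redirect
        # the user's password to a host other than the service they selected.
        if (login.hostname, login.port) != (svc.hostname, svc.port):
            raise ValueError("login URL is not on the TAP service's host")
        if p["method"].upper() != "POST":
            # GET would place the credentials in the URL and in access logs.
            raise ValueError("credentials must be sent with POST")
        return p
    raise ValueError("no cookie securityMethod advertised")
```

A client would pass the returned names to its HTTP layer: POST the user's credentials under the 'user' and 'pwd' parameter names and read the session cookie named by 'cookie' from the response.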


