TAP 1.1 securityMethod VOSI-capabilities extension

Molinaro, Marco marco.molinaro at inaf.it
Thu Oct 3 12:33:48 CEST 2019


Dear Juan, Juan-Carlos,
I think this discussion fits the DAL & GWS joint session
foreseen in the current program on Saturday 12.
There could be still some room for a talk from your side there.
Let me know if you're interested.

This from the DAL coordination.

Personally I think the added parameters to securityMethod
(the ones you propose or others to be defined) as children
are needed in many senses, not only for different auth protocols.
I'm thus curious to hear the discussion.

Cheers
    Marco

On Thu, 3 Oct 2019 at 12:12, Juan Gonzalez <
juan.gonzalez at sciops.esa.int> wrote:

> Dear Mark, IVOA DAL,
>
> Following the discussions in Paris and your early implementation of
> authentication methods description in VOSI capabilities in TOPCAT, JC.
> Segovia has prepared a test service of our Gaia TAP including the response
> with 'securityMethod' items to 'ivo://ivoa.net/std/TAP' capabilities as
> follows:
>
> <securityMethod/>
> <securityMethod standardID="ivo://ivoa.net/sso#cookie"/>
>
> We tested this with the early implementation version of TOPCAT you
> provided in Paris (topcat-full_tap11b.jar). We were able to specify our
> service using 'cookies' as security method. But we were not able to
> retrieve any table nor to launch any sync/async query using a private table
> with the current Gaia TAP. The service may be added, cookie authentication
> method selected, and provision of the cookie retrieved as text JSESSIONID=xxxx.
> We get a 'Table Metadata Error' error: java.io.IOException: Table resource
> access failure (500 500). Apparently the tool is adding an extra /tables
> string to the URL before invoking the service
> (like /tap-server/tap/tap/tables). We can provide you further details or
> the test service if you wish to dig further into this.
>
> Nevertheless, we think some extra parameters would be required under the
> 'securityMethod' item in order to have enough flexibility to interpret any
> cookie-based authenticated TAP. As a minimum we feel it shall be added a
> login URL, username and password HTTP parameters names, cookie identifier
> and HTTP method (get vs post) as follows:
>
> <securityMethod standardID="ivo://ivoa.net/sso#cookie">
>  <param id="url" ucd="meta.ref.url" utype="Access.reference">https://host/tap-server/login</param>
>  <param id="method" ucd="meta.ref.method" utype="Request.method">POST</param>
>  <param id="user" ucd="login.name" utype="Request.param">username</param>
>  <param id="pwd" ucd="login.password" utype="Request.param">password</param>
>  <param id="cookie" ucd="login.cookie" type="Response.cookie">JSESSIONID</param>
> </securityMethod>
>
> Probably similar parameters could be added for the case of 'tls-with-certificate'
> services.
>
> What are your opinions about this? Could this be a discussion item for the
> upcoming Interop?
>
> Regards,
> J. González and JC. Segovia
>
> --
> Juan Gonzalez
> juan.gonzalez at sciops.esa.int
> ESAC Science Data Centre
> European Space Agency (ESA) - SERCO
>
> European Space Astronomy Centre (ESAC)
> Camino Bajo del Castillo, S/N                            Tel: +34 91 813 14 82
> Villanueva de la Canada, 28691, Madrid, SPAIN            Fax: +34 91 813 13 22
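The cookie-login parameters proposed in the quoted message above imply that a client will send credentials to a URL it reads from the capabilities document. The following added example (not part of the thread, TOPCAT, or any IVOA standard) parses that proposed block and refuses endpoints a client should not trust. The function name, the service URL argument and the POST-only rule are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

COOKIE_SSO = "ivo://ivoa.net/sso#cookie"
REQUIRED = ("url", "method", "user", "pwd", "cookie")  # param ids from the proposal

# Constructed sample: the <securityMethod> block proposed in the message above.
SAMPLE = """<securityMethod standardID="ivo://ivoa.net/sso#cookie">
 <param id="url" ucd="meta.ref.url" utype="Access.reference">
   https://host/tap-server/login
 </param>
 <param id="method" ucd="meta.ref.method" utype="Request.method">POST</param>
 <param id="user" ucd="login.name" utype="Request.param">username</param>
 <param id="pwd" ucd="login.password" utype="Request.param">password</param>
 <param id="cookie" ucd="login.cookie" type="Response.cookie">JSESSIONID</param>
</securityMethod>"""


def parse_cookie_login(xml_text, service_url):
    """Return the login parameters as a dict, or raise ValueError when a
    client should not send credentials to the advertised endpoint."""
    # The capabilities document is network input; a hardened XML parser
    # (for example defusedxml) is preferable when handling untrusted services.
    elem = ET.fromstring(xml_text)
    if elem.tag != "securityMethod" or elem.get("standardID") != COOKIE_SSO:
        raise ValueError("not a cookie securityMethod")
    params = {p.get("id"): (p.text or "").strip() for p in elem.iter("param")}
    missing = [k for k in REQUIRED if not params.get(k)]
    if missing:
        raise ValueError("missing params: " + ", ".join(missing))
    login, service = urlsplit(params["url"]), urlsplit(service_url)
    # Credentials must travel over TLS and only to the host serving TAP,
    # otherwise a tampered document could redirect the password elsewhere.
    if login.scheme != "https":
        raise ValueError("login URL is not https")
    if login.hostname != service.hostname:
        raise ValueError("login URL host differs from the service host")
    params["method"] = params["method"].upper()
    if params["method"] != "POST":
        # Local policy (assumption): GET would place the password in the URL,
        # where it ends up in server and proxy logs.
        raise ValueError("refusing to send credentials with " + params["method"])
    return params
```
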