Hi Catherine,

A great question and one that has surfaced a number of times recently. There is no formal specification of how to do authentication within DAS, but it has been discussed and will hopefully be addressed soon. I am copying this to the DAS mailing list as I believe it's relevant.

In the meantime, ProServer does contain an immature authentication framework that might be sufficient, depending on your situation. There are two implementations: "ip" and "http". I hope you will bear with me whilst I explain these:

The former allows you to define an IP range whitelist so you can restrict access to certain machines, but there are two caveats: first, you cannot filter the IPs of your users' machines because the IP is unlikely to be forwarded by the DAS client (i.e. in your case Ensembl, I believe?). Thus all you can do is block requests that are not from Ensembl's webservers. So if somebody knows the URL of your DAS server, they can visualise the data through Ensembl. The second caveat is that IP addresses can be spoofed, so if a malicious party has the technical knowledge (and knows the URL) they can pretend to be within the allowed IP range.

The second method is vastly more robust, but would require a change to Ensembl. It works by extracting a token from the DAS request (e.g. a header or parameter) and forwarding it to a known third party server to check if the request should be allowed or denied. This system is similar to how OpenID works, but was designed for use by Ensembl (wherein the token would be encrypted and the third party would be Ensembl itself). The idea was that you would be able to control access for specific users/groups via the Ensembl interface. Unfortunately it has yet to be implemented in the Ensembl web code.

It has been suggested before to use simple HTTP user:password URL syntax (UCSC use this for BED files). To cut a long story short, this *might* work without needing to modify Ensembl, but despite appearances it's actually less secure than using IP filtering.

Hope that's useful,
Andy
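To make the two ProServer schemes described above concrete, here is an added illustration (not ProServer's code, and not the Ensembl integration) of why the "ip" check cannot tell users apart when requests arrive via a DAS client such as Ensembl, while a forwarded token can. The network range, the shared secret, the header name X-DAS-Auth-Token and the user:HMAC token format are all constructed assumptions for this example.

```python
import hashlib
import hmac
import ipaddress

# Constructed placeholders, not real Sanger or Ensembl addresses or secrets.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # "ip" scheme: DAS client (proxy) range
VERIFIER_SECRET = b"constructed-shared-secret"         # "http" scheme: shared with the checker


def ip_allowed(remote_addr):
    """The "ip" scheme: allow only if the connecting address is whitelisted.
    Only the DAS client's address is visible here, never the end user's."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in ALLOWED_NETS)


def make_token(user, secret=VERIFIER_SECRET):
    """Assumed token format user:HMAC-SHA256(secret, user). Stands in for the
    opaque encrypted token the message says Ensembl would issue to a user."""
    mac = hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_token(token, authorised_users, secret=VERIFIER_SECRET):
    """Stand-in for the third-party check: returns the user name if the token is
    genuine and that user is authorised, otherwise None. Constant-time compare."""
    user, _, mac = token.partition(":")
    expected = hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user if user in authorised_users else None


def authorise(request, scheme, authorised_users=frozenset()):
    """Decide one DAS request under either scheme. `request` is a dict with
    'remote_addr' and 'headers' (an assumed shape constructed for this example)."""
    if scheme == "ip":
        return ip_allowed(request["remote_addr"])
    if scheme == "http":
        token = request["headers"].get("X-DAS-Auth-Token", "")  # assumed header name
        return verify_token(token, authorised_users) is not None
    raise ValueError(f"unknown scheme: {scheme}")


if __name__ == "__main__":
    # Two requests relayed by the same DAS client: one from an authorised user, one not.
    proxy_ip = "192.0.2.10"
    alice = {"remote_addr": proxy_ip, "headers": {"X-DAS-Auth-Token": make_token("alice")}}
    outsider = {"remote_addr": proxy_ip, "headers": {}}
    print("ip  :", authorise(alice, "ip"), authorise(outsider, "ip"))          # True True
    print("http:", authorise(alice, "http", {"alice"}), authorise(outsider, "http", {"alice"}))
```

Run as a script it prints that the "ip" scheme admits both relayed requests, whereas the "http" scheme admits only the request carrying a valid token for an authorised user.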

Catherine Leroy wrote:
Hi,

I have kind of a 'selfish' question.

I would like to build my own internal DAS server so that my users (post-docs) can visualize their unpublished data.

From what I understand and what we tested, if somebody has the URL of a ProServer server that is inside Sanger, then this somebody can have access to the data served by this server even from outside the Sanger. In my case, I really don't want that to happen.

Is there a workaround for that?

Thank you very much in advance,
Cheers,
Catherine

_______________________________________________
proserver-users mailing list
[email protected]
http://lists.sanger.ac.uk/mailman/listinfo/proserver-users
_______________________________________________
DAS mailing list
[email protected]
http://lists.open-bio.org/mailman/listinfo/das