I've built an authentication method into the genoviz DAS/2 server. It may be appropriate for your use. Installation instructions are at http://bioserver.hci.utah.edu/BioInfo/index.php/Software:DAS2 . We use this to grant public/private access to particular folders for ~20 different lab groups (we're a core facility).

Once installed, modify the restrictedDirectories.txt and users.txt files to define who can see what. The test install comes with some restricted data directories. This is DAS/2, not DAS, and only IGB has been modified to make the appropriate handshake, although this could be built into other browsers.

-cheers, David

--
David Austin Nix, PhD | HCI Bioinformatics | Huntsman Cancer Institute | 2000 Circle of Hope | SLC, UT 84112 | Rm: 3165 | Vc: 801.587.4611 | Fx: 801.585.6458 | [email protected] | http://bioserver.hci.utah.edu

On 2/18/09 10:01 AM, "Andy Jenkinson" <[email protected]> wrote:

> Hi Catherine,
>
> A great question and one that has surfaced a number of times recently.
> There is no formal specification of how to do authentication within DAS,
> but it has been discussed and will hopefully be addressed soon. I am
> copying this to the DAS mailing list as I believe it's relevant.
>
> In the meantime, ProServer does contain an immature authentication
> framework that might be sufficient, depending on your situation. There
> are two implementations: "ip" and "http". I hope you will bear with me
> whilst I explain these:
>
> The former allows you to define an IP range whitelist so you can
> restrict access to certain machines, but there are two caveats: first,
> you cannot filter the IPs of your users' machines because the IP is
> unlikely to be forwarded by the DAS client (i.e. in your case Ensembl, I
> believe?). Thus all you can do is block requests that are not from
> Ensembl's webservers. So if somebody knows the URL of your DAS server,
> they can visualise the data through Ensembl. The second caveat is that
> IP addresses can be spoofed, so if a malicious party has the technical
> knowledge (and knows the URL) they can pretend to be within the allowed
> IP range.
>
> The second method is vastly more robust, but would require a change to
> Ensembl. It works by extracting a token from the DAS request (e.g. a
> header or parameter) and forwarding it to a known third party server to
> check if the request should be allowed or denied. This system is similar
> to how OpenID works, but was designed for use by Ensembl (wherein the
> token would be encrypted and the third party would be Ensembl itself).
> The idea was that you would be able to control access for specific
> users/groups via the Ensembl interface. Unfortunately it has yet to be
> implemented in the Ensembl web code.
>
> It has been suggested before to use simple HTTP user:password URL syntax
> (UCSC use this for BED files). To cut a long story short, this *might*
> work without needing to modify Ensembl, but despite appearances it's
> actually less secure than using IP filtering.
>
> Hope that's useful,
> Andy
>
> Catherine Leroy wrote:
>> Hi,
>>
>> I have kind of a 'selfish' question.
>>
>> I would like to build my own internal Das Server so that my users
>> (post-docs) can visualize their unpublished data.
>>
>> From what I understand and what we tested, if somebody has the url of a
>> proserver server that is inside Sanger, then this somebody can have
>> access to the data served by this server even from outside the Sanger.
>> In my case, I really don't want that to happen.
>>
>> Is there a workaround for that?
>>
>> Thank you very much in advance,
>> Cheers,
>> Catherine
>>
>> _______________________________________________
>> proserver-users mailing list
>> [email protected]
>> http://lists.sanger.ac.uk/mailman/listinfo/proserver-users
> _______________________________________________
> DAS mailing list
> [email protected]
> http://lists.open-bio.org/mailman/listinfo/das
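The two checks described in the quoted reply, as an added example that is not part of the original thread and is not ProServer or genoviz code. The header name, token, source name and addresses are assumptions constructed for illustration; the point is that an address check only ever sees the browser's web server, while a forwarded token is evaluated per user.

```python
import ipaddress

# All names and values below are constructed for illustration.
BROWSER_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # genome browser web servers
BROWSER_IP = "192.0.2.5"
GRANTS = {"tok-alice": {"lab_a_unpublished"}}          # held by the third-party verifier

def ip_policy(peer_ip):
    """'ip' style check: only the TCP peer address is available."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in BROWSER_NETS)

def verifier(token, source):
    """Stand-in for the third-party server that the token is forwarded to."""
    return source in GRANTS.get(token, set())

def token_policy(headers, source, verify=verifier):
    """'http' style check: forward the request token, deny on any failure."""
    token = headers.get("X-Example-Token")  # hypothetical header name
    if not token:
        return False
    try:
        return verify(token, source) is True
    except Exception:
        return False  # verifier unreachable or malformed reply: fail closed

def via_browser(user_ip, headers):
    """The browser fetches DAS data server-side, so user_ip is not forwarded."""
    return {"peer_ip": BROWSER_IP, "headers": dict(headers)}

def decide(request, source):
    return {"ip": ip_policy(request["peer_ip"]),
            "token": token_policy(request["headers"], source)}

def scenarios(source="lab_a_unpublished"):
    outsider, member = "198.51.100.7", "203.0.113.9"
    return {
        "outsider_direct": decide({"peer_ip": outsider, "headers": {}}, source),
        "outsider_via_browser": decide(via_browser(outsider, {}), source),
        "member_via_browser": decide(
            via_browser(member, {"X-Example-Token": "tok-alice"}), source),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} {result}")
```

The `outsider_via_browser` row is the first caveat from the reply: the address check passes because the request arrives from the browser's server, and only the token check still denies it.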
