[DAS] [proserver-users] how to not share private data but use proserver?

Andy Jenkinson andy.jenkinson at ebi.ac.uk
Wed Feb 18 17:01:18 UTC 2009 

Hi Catherine,

A great question and one that has surfaced a number of times recently. 
There is no formal specification of how to do authentication within DAS, 
but it has been discussed and will hopefully be addressed soon. I am 
copying this to the DAS mailing list as I believe it's relevant.

In the meantime, ProServer does contain an immature authentication 
framework that might be sufficient, depending on your situation. There 
are two implementations: "ip" and "http". I hope you will bear with me 
whilst I explain these:

The former allows you to define an IP range whitelist so you can 
restrict access to certain machines, but there are two caveats: first, 
you cannot filter the IPs of your users' machines because the IP is 
unlikely to be forwarded by the DAS client (i.e. in your case Ensembl, I 
believe?). Thus all you can do is block requests that are not from 
Ensembl's webservers. So if somebody knows the URL of your DAS server, 
they can visualise the data through Ensembl. The second caveat is that 
IP addresses can be spoofed, so if a malicious party has the technical 
knowledge (and knows the URL) they can pretend to be within the allowed 
IP range.

The second method is vastly more robust, but would require a change to 
Ensembl. It works by extracting a token from the DAS request (e.g. a 
header or parameter) and forwarding it to a known third party server to 
check if the request should be allowed or denied. This system is similar 
to how OpenID works, but was designed for use by Ensembl (wherein the 
token would be encrypted and the third party would be Ensembl itself). 
The idea was that you would be able to control access for specific 
users/groups via the Ensembl interface. Unfortunately it has yet to be 
implemented in the Ensembl web code.

It has been suggested before to use simple HTTP user:password URL syntax 
(UCSC use this for BED files). To cut a long story short, this *might* 
work without needing to modify Ensembl, but despite appearances it's 
actually less secure than using IP filtering.

Hope that's useful,
Andy

Catherine Leroy wrote:
> Hi,
> 
> I have kind of a 'sellfish' question.
> 
> I would like to build my own internal Das Server so that my users 
> (post-docs) can visualize their unpublished data.
> 
>  From what I understand and what we tested, if somebody has the url of a 
> proserver server that is inside Sanger, then this somebody can have 
> access to the data served by this server even from outside the Sanger. 
> In my case, I really don't want that to happen.
> 
> Is there a work around that?
> 
> Thank you very much in advance,
> Cheers,
> Catherine
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> proserver-users mailing list
> proserver-users at sanger.ac.uk
> http://lists.sanger.ac.uk/mailman/listinfo/proserver-users

More information about the DAS mailing list