[DAS] [proserver-users] how to not share private data but use proserver?
David Nix
david.nix at hci.utah.edu
Wed Feb 18 17:35:56 UTC 2009
I've built an authentication method into the genoviz DAS/2 server. It may
be appropriate for your use. Installation instructions are at
http://bioserver.hci.utah.edu/BioInfo/index.php/Software:DAS2 . We use this
to grant public/private access to particular folders for ~20 different lab
groups (we're a core facility).
Once installed, modify the restrictedDirectories.txt and users.txt files to
define who can see what. The test install comes with some restricted data
directories.
This is DAS/2, not DAS, and only IGB has been modified to make the appropriate
handshake, although this could be built into other browsers.
-cheers, David
--
David Austin Nix, PhD | HCI Bioinformatics | Huntsman Cancer Institute |
2000 Circle of Hope | SLC, UT 84112 | Rm: 3165 | Vc: 801.587.4611 | Fx:
801.585.6458 | david.nix at hci.utah.edu | http://bioserver.hci.utah.edu
On 2/18/09 10:01 AM, "Andy Jenkinson" <andy.jenkinson at ebi.ac.uk> wrote:
> Hi Catherine,
>
> A great question and one that has surfaced a number of times recently.
> There is no formal specification of how to do authentication within DAS,
> but it has been discussed and will hopefully be addressed soon. I am
> copying this to the DAS mailing list as I believe it's relevant.
>
> In the meantime, ProServer does contain an immature authentication
> framework that might be sufficient, depending on your situation. There
> are two implementations: "ip" and "http". I hope you will bear with me
> whilst I explain these:
>
> The former allows you to define an IP range whitelist so you can
> restrict access to certain machines, but there are two caveats: first,
> you cannot filter the IPs of your users' machines because the IP is
> unlikely to be forwarded by the DAS client (i.e. in your case Ensembl, I
> believe?). Thus all you can do is block requests that are not from
> Ensembl's webservers. So if somebody knows the URL of your DAS server,
> they can visualise the data through Ensembl. The second caveat is that
> IP addresses can be spoofed, so if a malicious party has the technical
> knowledge (and knows the URL) they can pretend to be within the allowed
> IP range.
>
> The second method is vastly more robust, but would require a change to
> Ensembl. It works by extracting a token from the DAS request (e.g. a
> header or parameter) and forwarding it to a known third party server to
> check if the request should be allowed or denied. This system is similar
> to how OpenID works, but was designed for use by Ensembl (wherein the
> token would be encrypted and the third party would be Ensembl itself).
> The idea was that you would be able to control access for specific
> users/groups via the Ensembl interface. Unfortunately it has yet to be
> implemented in the Ensembl web code.
>
> It has been suggested before to use simple HTTP user:password URL syntax
> (UCSC use this for BED files). To cut a long story short, this *might*
> work without needing to modify Ensembl, but despite appearances it's
> actually less secure than using IP filtering.
>
> Hope that's useful,
> Andy
>
> Catherine Leroy wrote:
>> Hi,
>>
>> I have kind of a 'selfish' question.
>>
>> I would like to build my own internal Das Server so that my users
>> (post-docs) can visualize their unpublished data.
>>
>> From what I understand and what we tested, if somebody has the url of a
>> proserver server that is inside Sanger, then this somebody can have
>> access to the data served by this server even from outside the Sanger.
>> In my case, I really don't want that to happen.
>>
>> Is there a workaround for that?
>>
>> Thank you very much in advance,
>> Cheers,
>> Catherine
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> proserver-users mailing list
>> proserver-users at sanger.ac.uk
>> http://lists.sanger.ac.uk/mailman/listinfo/proserver-users
> _______________________________________________
> DAS mailing list
> DAS at lists.open-bio.org
> http://lists.open-bio.org/mailman/listinfo/das
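Added example, not part of the original thread and not ProServer or genoviz code: a small model of the two checks Andy describes, showing that an IP allowlist only sees the DAS client's web server while a forwarded token is decided per user. The header name X-DAS-Token, the addresses, tokens, group names and the in-process "authority" are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# All values below are constructed for illustration (documentation address ranges).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # the DAS client's web servers
TOKEN_GROUPS = {"tok-alice": {"labA"}, "tok-bob": {"labB"}}  # known to the authority
SOURCE_GROUP = {"unpublished_chipseq": "labA"}  # DAS source -> group allowed to read

@dataclass
class DasRequest:
    peer_ip: str  # address of the TCP peer the DAS server actually sees
    source: str   # DAS source being requested
    headers: dict = field(default_factory=dict)

def ip_gate(req):
    """'ip' style check: is the connecting peer inside an allowed range?"""
    try:
        peer = ipaddress.ip_address(req.peer_ip)
    except ValueError:
        return False  # unparseable address: deny
    return any(peer in net for net in ALLOWED_NETS)

def local_authority(token, source):
    """Stand-in for the third-party server; a real one would be queried over HTTPS."""
    group = SOURCE_GROUP.get(source)
    return group is not None and group in TOKEN_GROUPS.get(token, set())

def token_gate(req, authority=local_authority, header="X-DAS-Token"):
    """'http' style check: take a token from the request, let the authority decide.
    A missing token, an unknown token or an authority failure all deny."""
    token = req.headers.get(header)  # hypothetical header name
    if not token:
        return False
    try:
        return bool(authority(token, req.source))
    except Exception:
        return False  # fail closed if the authority cannot be reached

def decisions(req):
    return {"ip": ip_gate(req), "token": token_gate(req)}

if __name__ == "__main__":
    proxy = "192.0.2.5"  # every user of the DAS client arrives from here
    for who, hdrs in [("alice", {"X-DAS-Token": "tok-alice"}), ("stranger", {})]:
        print(who, decisions(DasRequest(proxy, "unpublished_chipseq", hdrs)))
```

Both requests in the demo pass the IP check because they share the proxy's address; only the token check separates the authorised user from anyone else who knows the URL.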