Thanks! That's perfect.

John Duddy
Sr. Staff Software Engineer
Illumina, Inc.
9885 Towne Centre Drive
San Diego, CA 92121
Tel: 858-736-3584

-----Original Message-----
From: Assaf Gordon [] 
Sent: Monday, June 20, 2011 12:09 PM
To: Duddy, John;
Subject: Re: [galaxy-dev] Sharing authentication between Galaxy and other WSGI 
apps on the same web server (with custom UI)?

Hello John,

I'm not an apache expert, but I can try to help with some info.

your question involves two different issues, which are not dependent on one 

First, can one setup apache authentication that will affect both Galaxy and 
other "things" on your server ?
The answer is yes.

We've setup our authentication on the root location of the server.
Galaxy uses the prefix "/galaxy", and other services use other prefixes, and 
since all of them are "below" the root location, the authentication applies to 
The user needs to login only once.

## Root location of the server, protected with NTLM authentication
<Location />
     AuthName CSHL
     AuthType NTLM
     NTLMAuth on
     NTLMAuthoritative on
     ### couple of other authentication parameters...

## Galaxy uses load-balancing and mod_rewrite and other things,
## but since it's below the root location, it will use the same authentication
# Galaxy server
<Proxy balancer://galaxyprod>
            BalancerMember http://localhost:8081
            BalancerMember http://localhost:8082
ReWriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy(.*) balancer://galaxyprod$1 [P]
<Location "/galaxy" >
            require valid-user

## Other services on the same server will use the same authentication,
## and can also limit user access with "require" statement.
Alias /plans/ "/home/gordon/projects/plans/"
<Location "/plans">
            require user gordon 

Can apache use authentication which is not "built-in" in the browser, so 
instead of OS native ugly dialog, the user will see a custom web page?
The answer is still yes, because authentication in Apache is modular.

If you specify "AuthType BASIC" or "AuthType Digest" or "AuthType NTLM" (which 
are the only universally supported built-in authentication methods I'm aware 
of), then the client-side browser will display an OS native user/password 

If you install a custom authentication module, then you can use "AuthType 
CUSTOMXXX" (or sometimes a different command) and apache will use the module 
for custom authentication (which can involve custom webpages or anything else).
As long as the custom module notifies apache that the user is authenticated, 
Apache doesn't care how it's done.

There's one apache module called "mod_auth_form" ( ) which does exactly 
that, but I'm not sure if it's considered stable.

There are other 3rd party solutions available, unfortunately those solution are 
usually quite complicated and laborious to install (I've read about them but 
never tried them myself):

All of them claim to provide apache integration.

And just as in the first question, once you change the "AuthType" in the root 
location to a custom authentication module, all the other sub-URLs will use 
that authentication.

If you do get one of those to work, I'm interested in hearing about it, because 
I would like eventually to get rid of NTLM authentication.


Duddy, John wrote, On 06/20/2011 02:04 PM:
> I'd like to have Galaxy and another application installed on the same
> Apache server and have the user authenticate only once. I think I
> understand how to do that by deferring authentication to Apache
> (instead of using Galaxy's built-in database). So far, so good, I
> think.
> What I'm wondering is if it is possible (in external user mode) to
> control the user experience of authentication versus being stuck with
> the one where the browser pops up the authentication dialog. Is it
> possible to implement a shared authentication mechanism that uses web
> pages for the UI? Or would we have to give up Apache-based security
> and snoop the Galaxy session cookie instead?
> Many thanks -
> *John Duddy Sr. Staff Software Engineer Illumina, Inc. *9885 Towne
> Centre Drive San Diego, CA 92121 Tel: 858-736-3584 E-mail:
> <>

Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

Reply via email to