Re: [galaxy-dev] Sharing authentication between Galaxy and other WSGI apps on the same web server (with custom UI)?

2011-06-20 Thread Nate Coraor
FWIW, Penn State uses Cosign for single sign-on, and I've successfully
placed Galaxy behind Cosign before (Cosign relies on Kerberos, and so
may not be a good fit at all sites).  But as Assaf says, basically
anything should work.

--nate


Re: [galaxy-dev] Sharing authentication between Galaxy and other WSGI apps on the same web server (with custom UI)?

2011-06-20 Thread Duddy, John
Thanks! That's perfect.

John Duddy
Sr. Staff Software Engineer
Illumina, Inc.
9885 Towne Centre Drive
San Diego, CA 92121
Tel: 858-736-3584
E-mail: jdu...@illumina.com



___
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

  http://lists.bx.psu.edu/


Re: [galaxy-dev] Sharing authentication between Galaxy and other WSGI apps on the same web server (with custom UI)?

2011-06-20 Thread Assaf Gordon
Hello John,

I'm not an apache expert, but I can try to help with some info.

Your question involves two different issues, which are not dependent on one 
another.

First, can one set up apache authentication that will affect both Galaxy and 
other "things" on your server?
The answer is yes.

Example:
We've set up our authentication on the root location of the server.
Galaxy uses the prefix "/galaxy", and other services use other prefixes, and 
since all of them are "below" the root location, the authentication applies to 
all.
The user needs to login only once.

===
## Root location of the server, protected with NTLM authentication
## (the <Location>, <Proxy> and <Directory> container lines were stripped
##  by the list archive; they are restored here from the surrounding context)
<Location />
 AuthName CSHL
 AuthType NTLM
 NTLMAuth on
 NTLMAuthoritative on
 ### couple of other authentication parameters...
</Location>

##
## Galaxy uses load-balancing and mod_rewrite and other things,
## but since it's below the root location, it will use the same authentication
# Galaxy server
<Proxy balancer://galaxyprod>
BalancerMember http://localhost:8081
BalancerMember http://localhost:8082
</Proxy>

RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy(.*) balancer://galaxyprod$1 [P]
<Location /galaxy>
require valid-user
</Location>

##
## Other services on the same server will use the same authentication,
## and can also limit user access with "require" statement.
Alias /plans/ "/home/gordon/projects/plans/"
<Directory "/home/gordon/projects/plans/">
require user gordon
</Directory>
===


Second,
Can apache use authentication which is not "built-in" in the browser, so 
instead of OS native ugly dialog, the user will see a custom web page?
The answer is still yes, because authentication in Apache is modular.

If you specify "AuthType BASIC" or "AuthType Digest" or "AuthType NTLM" (which 
are the only universally supported built-in authentication methods I'm aware 
of), then the client-side browser will display an OS native user/password 
dialog.

If you install a custom authentication module, then you can use "AuthType 
CUSTOMXXX" (or sometimes a different command) and apache will use the module 
for custom authentication (which can involve custom webpages or anything else).
As long as the custom module notifies apache that the user is authenticated, 
Apache doesn't care how it's done.

There's one apache module called "mod_auth_form" ( 
http://httpd.apache.org/docs/trunk/mod/mod_auth_form.html ) which does exactly 
that, but I'm not sure if it's considered stable.


There are other 3rd party solutions available; unfortunately those solutions are 
usually quite complicated and laborious to install (I've read about them but 
never tried them myself):
http://blog.ianbicking.org/more-on-single-signon.html
https://neon1.net/mod_auth_pubtkt/
http://cosign.sourceforge.net/
http://mod-auth-script.sourceforge.net/

All of them claim to provide apache integration.

And just as in the first question, once you change the "AuthType" in the root 
location to a custom authentication module, all the other sub-URLs will use 
that authentication.

If you do get one of those to work, I'm interested in hearing about it, because 
I would like eventually to get rid of NTLM authentication.

Regards, 
  -gordon


Duddy, John wrote, On 06/20/2011 02:04 PM:
> I'd like to have Galaxy and another application installed on the same
> Apache server and have the user authenticate only once. I think I
> understand how to do that by deferring authentication to Apache
> (instead of using Galaxy's built-in database). So far, so good, I
> think.
> 
> What I'm wondering is if it is possible (in external user mode) to
> control the user experience of authentication versus being stuck with
> the one where the browser pops up the authentication dialog. Is it
> possible to implement a shared authentication mechanism that uses web
> pages for the UI? Or would we have to give up Apache-based security
> and snoop the Galaxy session cookie instead?
> 
> Many thanks -
> 
> John Duddy
> Sr. Staff Software Engineer
> Illumina, Inc.
> 9885 Towne Centre Drive
> San Diego, CA 92121
> Tel: 858-736-3584
> E-mail: jdu...@illumina.com




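Assaf's first point (authenticate once at the root location and every app below it inherits the identity) and John's closing question (whether the second app would otherwise have to snoop Galaxy's session cookie) both come down to how the sibling application consumes what Apache already established. The following is an added example, not code from this thread, from Galaxy or from Apache: a WSGI guard for the other application that trusts REMOTE_USER when mod_wsgi sets it, accepts a proxy-set header only for requests that actually arrived from the proxy (the backend-on-localhost arrangement Galaxy uses in Assaf's config), and refuses the same header from anywhere else. The TRUSTED_PROXIES set and the HTTP_X_REMOTE_USER header name are assumptions of this example.

```python
# Added example (not code from this thread, Galaxy or Apache): a WSGI guard for
# the sibling app. Apache authenticates once at the root Location; mod_wsgi
# hands the identity over as environ["REMOTE_USER"], while an app proxied to a
# localhost port (as Galaxy is here) gets it as a proxy-set request header.
from typing import Callable, Iterable, Optional

TRUSTED_PROXIES = {"127.0.0.1", "::1"}      # assumed: where Apache proxies from
PROXIED_USER_HEADER = "HTTP_X_REMOTE_USER"  # assumed header name set by the proxy

def authenticated_user(environ: dict) -> Optional[str]:
    """Return the identity Apache established for this request, or None."""
    # mod_wsgi in-process: REMOTE_USER is Apache's own r->user, a client
    # cannot supply it, so it is trusted as-is.
    user = environ.get("REMOTE_USER")
    if user:
        return user
    # Proxied backend: the header only counts when the request really came
    # through the proxy; a direct hit on the backend port gets no identity.
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        return environ.get(PROXIED_USER_HEADER) or None
    return None

def require_user(app: Callable, allowed: Optional[set] = None) -> Callable:
    """WSGI counterpart of Apache's 'require valid-user' / 'require user'."""
    def guarded(environ: dict, start_response: Callable) -> Iterable[bytes]:
        user = authenticated_user(environ)
        if user is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        if allowed is not None and user not in allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        environ["app.user"] = user  # downstream code reads this, never a cookie
        return app(environ, start_response)
    return guarded

def hello(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Sample protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['app.user']}\n".encode()]

def run(app: Callable, environ: dict) -> tuple:
    """Drive a WSGI app with a constructed environ; returns (status, body)."""
    state = {}
    def start_response(status, headers, exc_info=None):
        state["status"] = status
    body = b"".join(app(dict(environ), start_response))
    return state["status"], body
```

The constructed environs in the test mirror Assaf's two cases: `require_user(hello, allowed={"gordon"})` is the "/plans/" directory restricted to one user, and `require_user(hello)` is the "require valid-user" case.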

[galaxy-dev] Sharing authentication between Galaxy and other WSGI apps on the same web server (with custom UI)?

2011-06-20 Thread Duddy, John
I'd like to have Galaxy and another application installed on the same Apache 
server and have the user authenticate only once. I think I understand how to do 
that by deferring authentication to Apache (instead of using Galaxy's built-in 
database). So far, so good, I think.

What I'm wondering is if it is possible (in external user mode) to control the 
user experience of authentication versus being stuck with the one where the 
browser pops up the authentication dialog. Is it possible to implement a shared 
authentication mechanism that uses web pages for the UI? Or would we have to 
give up Apache-based security and snoop the Galaxy session cookie instead?

Many thanks -

John Duddy
Sr. Staff Software Engineer
Illumina, Inc.
9885 Towne Centre Drive
San Diego, CA 92121
Tel: 858-736-3584
E-mail: jdu...@illumina.com
