Hi Shantanu,

Thank you for your update,  I've done my config a little differently and it appears to work just the same.  The relevant part looks like this:

   <Location />
       ## ActiveDirectory authentication and authorization
       AuthType Basic
       AuthBasicProvider ldap
       AuthName "R&D Galaxy Testing/QA Server"
       AuthLDAPURL "ldap://my.server.com:389/OU=Users & Workstations,DC=domain,DC=com?sAMAccountName?sub?(|(objectClass=person)(objectClass=group))"

       # ...more AuthLDAP directives here...

       RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
   </Location>
   
   <Location /datasets>
       Order Allow,Deny
       Allow from All
       Satisfy Any
       RequestHeader set REMOTE_USER "anonymous"
   </Location>
   
   ## Static content and reverse proxy
   RewriteEngine On
   RewriteRule ^/static/style/(.*) /path/to/galaxy/galaxy_dist/static/june_2007_style/blue/$1 [L]
   RewriteRule ^/static/scripts/(.*) /path/to/galaxy/galaxy_dist/static/scripts/packed/$1 [L]
   RewriteRule ^/static/(.*) /path/to/galaxy/galaxy_dist/static/$1 [L]
   RewriteRule ^/favicon.ico /path/to/galaxy/galaxy_dist/static/favicon.ico [L]
   RewriteRule ^/robots.txt /path/to/galaxy/galaxy_dist/static/robots.txt [L]
   RewriteRule ^(.*) http://galaxy.server.hostname:8080 [P]



On Fri, Jul 1, 2011 at 12:13 AM, Shantanu Pavgi <pavgi@uab.edu> wrote:
>
> On Jun 30, 2011, at 6:34 AM, Leandro Hermida wrote:
>
>> Hi Nate and Shantanu,
>>
>> Thanks so much for the clear guidance, this works and sorry I didn't
>> read the Apache docs properly
>>
>> best,
>> Leandro
>>
>> On Thu, Jun 30, 2011 at 6:14 AM, Shantanu Pavgi <pavgi@uab.edu> wrote:
>>>
>>> On Jun 29, 2011, at 12:21 PM, Nate Coraor wrote:
>>>
>>> Leandro Hermida wrote:
>>>
>>> Hi Shantanu,
>>>
>>> In your Apache configuration exactly how did you set up an anonymous
>>>
>>> REMOTE_USER just for specific locations like the /datasets/ path?  I'm just
>>>
>>> looking at the Apache docs and the RequestHeader directive has a context of
>>>
>>> the entire VirtualHost and cannot be put into a Location container so I'm
>>>
>>> not sure how to do it.
>>>
>>> Hi Leandro,
>>>
>>> See the optional 'env=' argument and docs on the same for ways to make
>>> RequestHeader conditional:
>>>
>>>    http://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader
>>>
>>> So, depending on the path accessed, you should be able to have
>>> mod_rewrite set an environment variable specifying which REMOTE_USER
>>> (real username or fake anonymouse user) should be set.
>>>
>>> You could also just set it as the anonymous user to start with and then
>>> use 'RequestHeader set' to overwrite it with the real username in the
>>> case that a real username is available.
>>>
>>> This is all just from glancing at the docs, though, I have not tried any
>>> of it out, and this sort of Apache trickery is always difficult to get
>>> right.
>>>
>>> --nate
>>>
>>>
>>>
>>> Leandro,
>>> The RequestHeader has a context of 'directory' as well, which includes
>>> <Directory>, <Location>, <Files>, and <Proxy> containers [1]. So you should
>>> be able to use it in Location directive.
>>> Following is a configuration snippet related to what Nate described in his
>>> earlier response. We are setting REMOTE_USER variable to anonymous when it's
>>> not set/empty.
>>>         <Location ~ "/(datasets|history)/">
>>>                 AuthType shibboleth
>>>                 ShibRequireSession off
>>>                 Require shibboleth
>>>                 RewriteCond %{LA-U:REMOTE_USER} =""
>>>                 RequestHeader set REMOTE_USER "anonymous"
>>>         </Location>
>>> Hope this helps.
>>>
>>> 1. http://httpd.apache.org/docs/current/mod/directive-dict.html#Context
>>> --
>>> Shantanu.
>>>
>
>
> Leandro,
>
> I realized that above mentioned configuration is wrong. It will set RequestHeader to 'anonymous' regardless of authentication status. I think following config should work (still testing). In our case it resides outside of Location directive now. You may need to adjust it according to your setup:
>
> {{{
>        # Take the  environment variable and set it as a header in the proxy request.
>        RewriteCond %{IS_SUBREQ} ^false$
>        RewriteCond %{LA-U:REMOTE_USER} (.+)
>        RewriteRule . - [E=RU:%1]
>        # Set RU to anonymous if No REMOTE_USER
>        RewriteCond %{IS_SUBREQ} ^false$
>        RewriteCond %{LA-U:REMOTE_USER} =""
>        RewriteRule . - [E=RU:"anonymous"]
>        # Set RequestHeader
>        RequestHeader set REMOTE_USER %{RU}e
> }}}
>
>
> --
> Shantanu.
>
>