Sharing authentication between Galaxy and other WSGI apps on the same web server (with custom UI)?
I'd like to have Galaxy and another application installed on the same Apache server and have the user authenticate only once. I think I understand how to do that by deferring authentication to Apache (instead of using Galaxy's built-in database). So far, so good, I think.

What I'm wondering is if it is possible (in external user mode) to control the user experience of authentication versus being stuck with the one where the browser pops up the authentication dialog. Is it possible to implement a shared authentication mechanism that uses web pages for the UI? Or would we have to give up Apache-based security and snoop the Galaxy session cookie instead?

Many thanks -

John Duddy
Sr. Staff Software Engineer
Illumina, Inc.
9885 Towne Centre Drive
San Diego, CA 92121
Tel: 858-736-3584
E-mail: jduddy@illumina.com
Hello John,

I'm not an Apache expert, but I can try to help with some info.

Your question involves two different issues, which are not dependent on one another.

First, can one set up Apache authentication that will affect both Galaxy and other "things" on your server? The answer is yes.

Example: We've set up our authentication on the root location of the server. Galaxy uses the prefix "/galaxy", and other services use other prefixes, and since all of them are "below" the root location, the authentication applies to all. The user needs to login only once.

===========
## Root location of the server, protected with NTLM authentication
<Location />
    AuthName CSHL
    AuthType NTLM
    NTLMAuth on
    NTLMAuthoritative on
    ### couple of other authentication parameters...
</Location>

##
## Galaxy uses load-balancing and mod_rewrite and other things,
## but since it's below the root location, it will use the same authentication

# Galaxy server
<Proxy balancer://galaxyprod>
    BalancerMember http://localhost:8081
    BalancerMember http://localhost:8082
</Proxy>
RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy(.*) balancer://galaxyprod$1 [P]
<Location "/galaxy">
    require valid-user
</Location>

##
## Other services on the same server will use the same authentication,
## and can also limit user access with "require" statement.
Alias /plans/ "/home/gordon/projects/plans/"
<Location "/plans">
    require user gordon
</Location>
===========

Second, can Apache use authentication which is not "built-in" in the browser, so instead of OS native ugly dialog, the user will see a custom web page? The answer is still yes, because authentication in Apache is modular.

If you specify "AuthType BASIC" or "AuthType Digest" or "AuthType NTLM" (which are the only universally supported built-in authentication methods I'm aware of), then the client-side browser will display an OS native user/password dialog.

If you install a custom authentication module, then you can use "AuthType CUSTOMXXX" (or sometimes a different command) and Apache will use the module for custom authentication (which can involve custom webpages or anything else). As long as the custom module notifies Apache that the user is authenticated, Apache doesn't care how it's done.

There's one Apache module called "mod_auth_form" ( http://httpd.apache.org/docs/trunk/mod/mod_auth_form.html ) which does exactly that, but I'm not sure if it's considered stable.

There are other 3rd party solutions available; unfortunately those solutions are usually quite complicated and laborious to install (I've read about them but never tried them myself):
http://blog.ianbicking.org/more-on-single-signon.html
https://neon1.net/mod_auth_pubtkt/
http://cosign.sourceforge.net/
http://mod-auth-script.sourceforge.net/

All of them claim to provide Apache integration.

And just as in the first question, once you change the "AuthType" in the root location to a custom authentication module, all the other sub-URLs will use that authentication.

If you do get one of those to work, I'm interested in hearing about it, because I would like eventually to get rid of NTLM authentication.

Regards,
-gordon
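Gordon's two points put together, as an added example that is not the thread's configuration: the root location protected by mod_auth_form (a custom HTML login page instead of the browser's native dialog), with /galaxy inheriting that login and receiving the authenticated name as REMOTE_USER for Galaxy's external user mode. The htpasswd path, page URLs, passphrase and session lifetime are assumptions, and it expects mod_auth_form, mod_session, mod_session_cookie, mod_session_crypto, mod_request, mod_proxy, mod_rewrite and mod_headers loaded (Apache 2.4 syntax).

```apache
# Added example, not the thread's config. Assumed values: htpasswd path,
# page URLs, passphrase, session lifetime.

# Root location: every sub-URL inherits this, so one login covers Galaxy
# and everything else. "AuthType form" redirects unauthenticated users to
# the HTML page below instead of triggering the browser's native dialog.
<Location "/">
    AuthType form
    AuthName "CSHL"
    AuthFormProvider file
    # Assumed path; create the file with htpasswd.
    AuthUserFile "/etc/httpd/conf/htpasswd"
    AuthFormLoginRequiredLocation "/login.html"
    Session On
    SessionCookieName session path=/;httponly;secure
    SessionCryptoPassphrase "change-me-long-random-passphrase"
    # Force a fresh login after 8 hours.
    SessionMaxAge 28800
    Require valid-user
</Location>

# The login page must be reachable without a session. Its form POSTs to
# /dologin with the fields httpd_username, httpd_password, httpd_location.
<Location "/login.html">
    Require all granted
</Location>

# Form target: mod_auth_form checks the POSTed credentials against the
# provider inherited from "/" and sets the encrypted session cookie.
<Location "/dologin">
    SetHandler form-login-handler
    AuthFormLoginSuccessLocation "/galaxy/"
</Location>

<Location "/logout">
    SetHandler form-logout-handler
    AuthFormLogoutLocation "/login.html"
</Location>

# Galaxy as in the thread, plus handing the authenticated user to Galaxy.
# In universe_wsgi.ini set use_remote_user = True and remote_user_maildomain.
<Proxy "balancer://galaxyprod">
    BalancerMember http://localhost:8081
    BalancerMember http://localhost:8082
</Proxy>
RewriteEngine On
RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy(.*) balancer://galaxyprod$1 [P,E=RU:%{LA-U:REMOTE_USER}]
<Location "/galaxy">
    # "set" overwrites any REMOTE_USER header the client sent. Galaxy trusts
    # this header as the login identity, so it must only ever come from Apache.
    RequestHeader set REMOTE_USER %{RU}e
</Location>
```

Because /galaxy and /plans both sit below "/", swapping AuthType at the root is the only change needed to move every application from the NTLM dialog to the custom page.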
Thanks! That's perfect.

John Duddy
Sr. Staff Software Engineer
Illumina, Inc.
9885 Towne Centre Drive
San Diego, CA 92121
Tel: 858-736-3584
E-mail: jduddy@illumina.com
FWIW, Penn State uses Cosign for single sign-on, and I've successfully placed Galaxy behind Cosign before (Cosign relies on Kerberos, and so may not be a good fit at all sites). But as Assaf says, basically anything should work.

--nate
participants (3)
- Assaf Gordon
- Duddy, John
- Nate Coraor