
Re: User authentication: msg#00271

Subject: Re: User authentication
On 2004-10-29, Cees Hek <ceeshek-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx> wrote:
> Hi Drew,
>
> I have been hinting at an Authentication plugin for a while now, but
> haven't finished it yet.  I did a little bit more work on it
> yesterday, but I don't have any docs, or any tests written for the
> module yet.
>
> If you also have a start on a module, maybe we can collaborate.  From
> your comments below it sounds like we are probably on the same
> track...

Here's an overview of the solution I'm using now and am satisfied with:

- Not surprisingly, CGI::Session is used for session management.

- My superclass provides a couple new methods:
        - redirect_to_login
        - _auth_by_url

redirect_to_login() sends people to a URL that is controlled by
an ::Auth.pm that provides:

        'login_form',
        'login_process',
        'logout',

    # not strictly Auth, could be moved.                
        'forgot_passwd_form',
        'forgot_passwd_process',


A CGI::App module or super-class provides this:

 sub cgiapp_prerun {
     my $self = shift;

     # Look up the groups that may reach the current URL, given the
     # effective user stored in the session.
     my @g_ids = $self->_auth_by_url(
         $self->cfg('URL_AUTH'),
         $self->session->param('effective_user_id'),
     );

     # We aren't authorized, so set the run mode as such and return;
     unless ($g_ids[0]) {
         $self->prerun_mode('redirect_to_login');
     }
 }

#####

The meat of my "_auth_by_url()" is this data structure:

$CFG{URL_AUTH} = [
     [  qr#/cgi-bin/staff#,   [7], ], # staff
     [  qr#/cgi-bin/shelter#, [4], ], # Publicists
     [  qr#/cgi-bin#,         [],  ], # Public
];

The logic walks down the array, looking for the first Regex that matches.  We
are matching against the current URL + the first part of the path_info (the run
mode) names. We are /not/ matching against the query string or the host
name ends of the URL, which would allow people to inject random things
that might match. 

On the right side, there is an array of group IDs. If you are in any of
these groups, you get in. 

########

Here's why I like this design:

1. It works inside or outside of mod_perl

2. Authentication is essentially separate from the rest of the application.
   If you handle this in a project superclass, no auth code is needed at
   all in your run mode modules.

3. You can tell at a glance what authentication is in place, just check out
   the URL!

4. It could be used in conjunction with TemplateRunner to also protect
   static or "semi-static" pages as well:

   http://search.cpan.org/~thilo/CGI-Application-Plugin-TemplateRunner-0.02/TemplateRunner.pm


I had planned on turning this into something releasable and am still
interested in doing so. I've enjoyed all the other ideas people have
shared about how they address some of the same issues. 

        Mark


-- 
http://mark.stosberg.com/ 
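An added worked example of the regex-table authorization Mark describes above (not code from the post or from any released CGI::Application plugin). It assumes a table in the shape of `$CFG{URL_AUTH}`, a hypothetical `auth_path()` that builds the match string from SCRIPT_NAME plus the first PATH_INFO segment, and a hypothetical `auth_by_url()` that walks the table and returns the caller's matching group IDs. Two choices differ from the post and are assumptions: the regexes are anchored with `^` so that `/other/cgi-bin/staff` cannot satisfy the `/cgi-bin/staff` rule, and a public entry (empty group list) returns the marker `'public'` so that a prerun loop which tests `$g_ids[0]` sees a true value for public pages.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical table in the shape of the post's $CFG{URL_AUTH}.  The first
# regex that matches wins, so the most specific prefixes must come first.
# Anchoring with ^ is an assumption added here; the post's regexes were
# unanchored, which would let "/x/cgi-bin/staff" satisfy the staff rule.
my @URL_AUTH = (
    [ qr{^/cgi-bin/staff},   [7],    ],  # staff only
    [ qr{^/cgi-bin/shelter}, [4, 7], ],  # publicists, and staff
    [ qr{^/cgi-bin},         [],     ],  # public: any visitor
);

# Build the string that is matched: SCRIPT_NAME plus the first PATH_INFO
# segment (the run mode).  The query string and the host name are never
# part of it, so a visitor cannot smuggle a matching substring in through
# them.  Hypothetical helper, not from the post.
sub auth_path {
    my ($script_name, $path_info) = @_;
    $path_info = '' unless defined $path_info;
    my ($run_mode) = $path_info =~ m{^/?([^/]*)};
    return $script_name . (length $run_mode ? "/$run_mode" : '');
}

# Walk the table and return the caller's group ids that grant access to
# $path.  An entry with an empty group list is public and yields the
# marker 'public' (assumption) so the first element is still true.
# Returns the empty list when no rule matches or the user lacks the group,
# i.e. deny by default.  Hypothetical helper, not from the post.
sub auth_by_url {
    my ($table, $path, @user_groups) = @_;
    for my $entry (@$table) {
        my ($re, $allowed) = @$entry;
        next unless $path =~ $re;
        return ('public') unless @$allowed;
        my %mine = map { $_ => 1 } @user_groups;
        return grep { $mine{$_} } @$allowed;
    }
    return;   # no rule covers this path
}

# Constructed requests (not from the post): SCRIPT_NAME, PATH_INFO, groups.
my @requests = (
    [ '/cgi-bin/staff',       '/edit_user',    [7] ],  # staff     -> allowed via 7
    [ '/cgi-bin/staff',       '/edit_user',    [4] ],  # publicist -> redirect_to_login
    [ '/cgi-bin/shelter',     '/list/extra',   [4] ],  # only 'list' is matched -> allowed via 4
    [ '/cgi-bin/index',       '',              []  ],  # public    -> allowed via public
    [ '/other/cgi-bin/staff', '/edit_user',    [7] ],  # anchored: no rule -> redirect_to_login
);

for my $r (@requests) {
    my ($script_name, $path_info, $groups) = @$r;
    my $path  = auth_path($script_name, $path_info);
    my @g_ids = auth_by_url(\@URL_AUTH, $path, @$groups);
    printf "%-26s groups=[%s] => %s\n", $path, join(',', @$groups),
        $g_ids[0] ? "allowed via $g_ids[0]" : 'redirect_to_login';
}
```

Because the walk stops at the first match, swapping the `/cgi-bin` row above the `/cgi-bin/staff` row would silently make the staff area public; keep the broadest rule last, and keep the deny-by-default return for paths no rule covers.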


---------------------------------------------------------------------
Web Archive:  
http://www.mail-archive.com/cgiapp-svx1JCNWaqPWzzAP45jFb16hYfS7NtTn@xxxxxxxxxxxxxxxx/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2