Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
CGI::Application::PlugUserAContributed:Perlication::Plugin::Authentication(3)

NAME
       CGI::Application::Plugin::Authentication	- Authentication framework for
       CGI::Application

SYNOPSIS
	package	MyCGIApp;

	use base qw(CGI::Application); # make sure this	occurs before you load the plugin

	use CGI::Application::Plugin::Authentication;

	MyCGIApp->authen->config(
	      DRIVER =>	[ 'Generic', { user1 =>	'123' }	],
	);
	MyCGIApp->authen->protected_runmodes('myrunmode');

	sub myrunmode {
	   my $self = shift;

	   # The user should be	logged in if we	got here
	   my $username	= $self->authen->username;

	}

DESCRIPTION
       CGI::Application::Plugin::Authentication	adds the ability to
       authenticate users in your CGI::Application modules.  It	imports	one
       method called 'authen' into your	CGI::Application module.  Through the
       authen method you can call all the methods of the
       CGI::Application::Plugin::Authentication	plugin.

       There are two main decisions that you need to make when using this
       module.	How will the usernames and password be verified	(i.e. from a
       database, LDAP, etc...),	and how	can we keep the	knowledge that a user
       has already logged in persistent, so that they will not have to enter
       their credentials again on the next request (i.e. how do	we 'Store' the
       authentication information across requests).

   Choosing a Driver
       There are three drivers that are	included with the distribution.	 Also,
       there is	built in support for all of the	Authen::Simple modules (search
       CPAN for	Authen::Simple for more	information).  This should be enough
       to cover	everyone's needs.

       If you need to authenticate against a source that is not	provided, you
       can use the Generic driver which	will accept either a hash of
       username/password pairs,	or an array of arrays of credentials, or a
       subroutine reference that can verify the	credentials.  So through the
       Generic driver you should be able to write your own verification
       system.	There is also a	Dummy driver, which blindly accepts any
       credentials (useful for testing).  See the
       CGI::Application::Plugin::Authentication::Driver::Generic,
       CGI::Application::Plugin::Authentication::Driver::DBI and,
       CGI::Application::Plugin::Authentication::Driver::Dummy docs for	more
       information on how to use these drivers.	 And see the Authen::Simple
       suite of	modules	for information	on those drivers.

   Choosing a Store
       The Store modules keep information about	the authentication status of
       the user	persistent across multiple requests.  The information that is
       stored in the store include the username, and the expiry	time of	the
       login.  There are two Store modules included with this distribution.  A
       Session based store, and	a Cookie based store.  If your application is
       already using Sessions (through the CGI::Application::Plugin::Session
       module),	then I would recommend that you	use the	Session	store for
       authentication.	If you are not using the Session plugin, then you can
       use the Cookie store.  The Cookie store keeps all the authentication in
       a cookie, which contains	a checksum to ensure that users	can not	change
       the information.

       If you do not specify which Store module	you wish to use, the plugin
       will try	to determine the best one for you.

   Login page
       The Authentication plugin comes with a default login page that can be
       used if you do not want to create a custom login	page.  This login form
       will automatically be used if you do not	provide	either a LOGIN_URL or
       LOGIN_RUNMODE parameter in the configuration.  If you plan to create
       your own	login page, I would recommend that you start with the HTML
       code for	the default login page,	so that	your login page	will contain
       the correct form	fields and hidden fields.

   Ticket based	authentication
       This Authentication plugin can handle ticket based authentication
       systems as well.	 All that is required of you is	to write a Store
       module that can understand the contents of the ticket.  The
       Authentication plugin will require at least the 'username' to be
       retrieved from the ticket.  A Ticket based authentication scheme	will
       not need	a Driver module	at all,	since the actual verification of
       credentials is done by an external authentication system, possibly even
       on a different host.  You will need to specify the location of the
       login page using	the LOGIN_URL configuration variable, and
       unauthenticated users will automatically	be redirected to your ticket
       authentication login page.

EXPORTED METHODS
   authen
       This is the only	method exported	from this module.  Everything is
       controlled through this method call, which will return a
       CGI::Application::Plugin::Authentication	object,	or just	the class name
       if called as a class method.  When using	the plugin, you	will always
       first call $self->authen	or __PACKAGE__->authen and then	the method you
       wish to invoke.	For example:

	 __PACKAGE__->authen->config(
	       LOGIN_RUNMODE =>	'login',
	 );

       - or -

	 $self->authen->protected_runmodes(qw(one two));

METHODS
   config
       This method is used to configure	the
       CGI::Application::Plugin::Authentication	module.	 It can	be called as
       an object method, or as a class method. Calling this function, will not
       itself generate cookies or session ids.

       The following parameters	are accepted:

       DRIVER
	   Here	you can	choose which authentication module(s) you want to use
	   to perform the authentication.  For simplicity, you can leave off
	   the CGI::Application::Plugin::Authentication::Driver:: part when
	   specifying the DRIVER name  If this module requires extra
	   parameters, you can pass an array reference that contains as	the
	   first parameter the name of the module, and the rest	of the values
	   in the array	will be	considered options for the driver.  You	can
	   provide multiple drivers which will be used,	in order, to check the
	   credentials until a valid response is received.

		DRIVER => 'Dummy' # let	anyone in regardless of	the password

	     - or -

		DRIVER => [ 'DBI',
		    DBH		=> $self->dbh,
		    TABLE	=> 'user',
		    CONSTRAINTS	=> {
			'user.name'	    => '__CREDENTIAL_1__',
			'MD5:user.password' => '__CREDENTIAL_2__'
		    },
		],

	     - or -

		DRIVER => [
		    [ 'Generic', { user1 => '123' } ],
		    [ 'Generic', sub { my ($u, $p) = @_; is_prime($p) ?	1 : 0 }	]
		],

	     - or -

		DRIVER => [ 'Authen::Simple::LDAP',
		    host   => 'ldap.company.com',
		    basedn => 'ou=People,dc=company,dc=net'
		],

       STORE
	   Here	you can	choose how we store the	authenticated information
	   after a user	has successfully logged	in.  We	need to	store the
	   username so that on the next	request	we can tell the	user has
	   already logged in, and we do	not have to present them with another
	   login form.	If you do not provide the STORE	option,	then the
	   plugin will look to see if you are using the
	   CGI::Application::Plugin::Session module and	based on that info use
	   either the Session module, or fall back on the Cookie module.  If
	   the module requires extra parameters, you can pass an array
	   reference that contains as the first	parameter the name of the
	   module, and the rest	of the array should contain key	value pairs of
	   options for this module.  These storage modules generally live
	   under the CGI::Application::Plugin::Authentication::Store:: name-
	   space, and this part	of the package name can	be left	off when
	   specifying the STORE	parameter.

	       STORE =>	'Session'

	     - or -

	       STORE =>	['Cookie',
		   NAME	  => 'MYAuthCookie',
		   SECRET => 'FortyTwo',
		   EXPIRY => '1d',
	       ]

       POST_LOGIN_RUNMODE
	   Here	you can	specify	a runmode that the user	will be	redirected to
	   if they successfully	login.

	     POST_LOGIN_RUNMODE	=> 'welcome'

       POST_LOGIN_URL
	   Here	you can	specify	a URL that the user will be redirected to if
	   they	successfully login.  If	both POST_LOGIN_URL and
	   POST_LOGIN_RUNMODE are specified, then the latter will take
	   precedence.

	     POST_LOGIN_URL => 'http://example.com/start.cgi'

       POST_LOGIN_CALLBACK
	   A code reference that is executed after login processing but	before
	   POST_LOGIN_RUNMODE or redirecting to	POST_LOGIN_URL.	This is
	   normally a method in	your CGI::Application application and as such
	   the CGI::Application	object is passed as a parameter.

	     POST_LOGIN_CALLBACK => \&update_login_date

	   and later in	your code:

	     sub update_login_date {
	       my $self	= shift;

	       return unless($self->authen->is_authenticated);

	       ...
	     }

       LOGIN_RUNMODE
	   Here	you can	specify	a runmode that the user	will be	redirected to
	   if they need	to login.

	     LOGIN_RUNMODE => 'login'

       LOGIN_URL
	   If your login page is external to this module, then you can use
	   this	option to specify a URL	that the user will be redirected to
	   when	they need to login. If both LOGIN_URL and LOGIN_RUNMODE	are
	   specified, then the latter will take	precedence.

	     LOGIN_URL => 'http://example.com/login.cgi'

       LOGOUT_RUNMODE
	   Here	you can	specify	a runmode that the user	will be	redirected to
	   if they ask to logout.

	     LOGOUT_RUNMODE => 'logout'

       LOGOUT_URL
	   If your logout page is external to this module, then	you can	use
	   this	option to specify a URL	that the user will be redirected to
	   when	they ask to logout.  If	both LOGOUT_URL	and LOGOUT_RUNMODE are
	   specified, then the latter will take	precedence.

	     LOGIN_URL => 'http://example.com/logout.html'

       DETAINT_URL_REGEXP
	   This	is a regular expression	used to	detaint	URLs used in the login
	   form. By default it will be set to

	     ^([\w\_\%\?\&\;\-\/\@\.\+\$\=\#\:\!\*\"\'\(\)\,]+)$

	   This	regular	expression is based upon the document
	   http://www.w3.org/Addressing/URL/url-spec.txt. You could set	it to
	   a more specific regular expression to limit the domains to which
	   users could be directed.

       DETAINT_USERNAME_REGEXP
	   This	is a regular expression	used to	detaint	the username parameter
	   used	in the login form. By default it will be set to

	     ^([\w\_]+)$

       CREDENTIALS
	   Set this to the list	of form	fields where the user will type	in
	   their username and password.	 By default this is set	to
	   ['authen_username', 'authen_password'].  The	form field names
	   should be set to a value that you are not likely to use in any
	   other forms.	 This is important because this	plugin will
	   automatically look for query	parameters that	match these values on
	   every request to see	if a user is trying to log in.	So if you use
	   the same parameter names on a user management page, you may
	   inadvertently perform a login when that was not intended.  Most of
	   the Driver modules will return the first CREDENTIAL as the
	   username, so	make sure that you list	the username field first.
	   This	option can be ignored if you use the built in login box

	     CREDENTIALS => 'authen_password'

	     - or -

	     CREDENTIALS => [ 'authen_username', 'authen_domain', 'authen_password' ]

       LOGIN_SESSION_TIMEOUT
	   This	option can be used to tell the system when to force the	user
	   to re-authenticate.	There are a few	different possibilities	that
	   can all be used concurrently:

	   IDLE_FOR
	       If this value is	set, a re-authentication will be forced	if the
	       user was	idle for more then x amount of time.

	   EVERY
	       If this value is	set, a re-authentication will be forced	every
	       x amount	of time.

	   CUSTOM
	       This value can be set to	a subroutine reference that returns
	       true if the session should be timed out,	and false if it	is
	       still active.  This can allow you to be very selective about
	       how the timeout system works.  The authen object	will be	passed
	       in as the only parameter.

	   Time	values are specified in	seconds. You can also specify the time
	   by using a number with the following	suffixes (m h d	w), which
	   represent minutes, hours, days and weeks.  The default is 0 which
	   means the login will	never timeout.

	   Note	that the login is also dependent on the	type of	STORE that is
	   used.  If the Session store is used,	and the	session	expires, then
	   the login will also automatically expire.  The same goes for	the
	   Cookie store.

	   For backwards compatibility,	if you set LOGIN_SESSION_TIMEOUT to a
	   time	value instead of a hashref, it will be treated as an IDLE_FOR
	   time	out.

	     # force re-authentication if idle for more	than 15	minutes
	     LOGIN_SESSION_TIMEOUT => '15m'

	     # Everyone	must re-authentication if idle for more	than 30	minutes
	     # also, everyone must re-authentication at	least once a day
	     # and root	must re-authentication if idle for more	than 5 minutes
	     LOGIN_SESSION_TIMEOUT => {
		   IDLE_FOR => '30m',
		   EVERY    => '1d',
		   CUSTOM   => sub {
		     my	$authen	= shift;
		     return ($authen->username eq 'root' && (time() - $authen->last_access) > 300) ? 1 : 0;
		   }
	     }

       RENDER_LOGIN
	   This	value can be set to a subroutine reference that	returns	the
	   HTML	of a login form. The subroutine	reference overrides the
	   default call	to login_box.  The subroutine is normally a method in
	   your	CGI::Application application and as such the CGI::Application
	   object is passed as the first parameter.

	     RENDER_LOGIN => \&login_form

	   and later in	your code:

	     sub login_form {
	       my $self	= shift;

	       ...
	       return $html
	     }

       LOGIN_FORM
	   You can set this option to customize	the login form that is created
	   when	a user needs to	be authenticated.  If you wish to replace the
	   entire login	form with a completely custom version, then just set
	   LOGIN_RUNMODE to point to your custom runmode.

	   All of the parameters listed	below are optional, and	a reasonable
	   default will	be used	if left	blank:

	   DISPLAY_CLASS (default: Classic)
	       the class used to display the login form. The alternative is
	       "Basic" which aims for XHTML compliance and leaving style to
	       CSS. See	CGI::Application::Plugin::Authentication::Display for
	       more details.

	   TITLE (default: Sign	In)
	       the heading at the top of the login box

	   USERNAME_LABEL (default: User Name)
	       the label for the user name input

	   PASSWORD_LABEL (default: Password)
	       the label for the password input

	   SUBMIT_LABEL	(default: Sign In)
	       the label for the submit	button

	   COMMENT (default: Please enter your username	and password in	the
	   fields below.)
	       a message provided on the first login attempt

	   REMEMBERUSER_OPTION (default: 1)
	       provide a checkbox to offer to remember the users name in a
	       cookie so that their user name will be pre-filled the next time
	       they log	in

	   REMEMBERUSER_LABEL (default:	Remember User Name)
	       the label for the remember user name checkbox

	   REMEMBERUSER_COOKIENAME (default: CAPAUTHTOKEN)
	       the name	of the cookie where the	user name will be saved

	   REGISTER_URL	(default: <none>)
	       the URL for the register	new account link

	   REGISTER_LABEL (default: Register Now!)
	       the label for the register new account link

	   FORGOTPASSWORD_URL (default:	<none>)
	       the URL for the forgot password link

	   FORGOTPASSWORD_LABEL	(default: Forgot Password?)
	       the label for the forgot	password link

	   INVALIDPASSWORD_MESSAGE (default: Invalid username or password<br
	   />(login attempt %d)
	       a message given when a login failed

	   INCLUDE_STYLESHEET (default:	1)
	       use this	to disable the built in	style-sheet for	the login box
	       so you can provide your own custom styles

	   FORM_SUBMIT_METHOD (default:	post)
	       use this	to get the form	to submit using	'get' instead of
	       'post'

	   FOCUS_FORM_ONLOAD (default: 1)
	       use this	to automatically focus the login form when the page
	       loads so	a user can start typing	right away.

	   BASE_COLOUR (default: #445588)
	       This is the base	colour that will be used in the	included login
	       box.  All other colours are automatically calculated based on
	       this colour (unless you hardcode	the colour values).  In	order
	       to calculate other colours, you will need the Color::Calc
	       module.	If you do not have the Color::Calc module, then	you
	       will need to use	fixed values for all of	the colour options.
	       All colour values besides the BASE_COLOUR can be	simple
	       percentage values (including the	% sign).  For example if you
	       set the LIGHTER_COLOUR option to	80%, then the calculated
	       colour will be 80% lighter than the BASE_COLOUR.

	   LIGHT_COLOUR	(default: 50% or #a2aac4)
	       A colour	that is	lighter	than the base colour.

	   LIGHTER_COLOUR (default: 75%	or #d0d5e1)
	       A colour	that is	another	step lighter than the light colour.

	   DARK_COLOUR (default: 30% or	#303c5f)
	       A colour	that is	darker than the	base colour.

	   DARKER_COLOUR (default: 60% or #1b2236)
	       A colour	that is	another	step darker than the dark colour.

	   GREY_COLOUR (default: #565656)
	       A grey colour that is calculated	by desaturating	the base
	       colour.

   protected_runmodes
       This method takes a list	of runmodes that are to	be protected by
       authentication.	If a user tries	to access one of these runmodes, then
       they will be redirected to a login page unless they are properly	logged
       in.  The	runmode	names can be a list of simple strings, regular
       expressions, or special directives that start with a colon.  This
       method is cumulative, so	if it is called	multiple times,	the new	values
       are added to existing entries.  It returns a list of all	entries	that
       have been saved so far.	Calling	this function, will not	itself
       generate	cookies	or session ids.

       :all - All runmodes in this module will require authentication

	 # match all runmodes
	 __PACKAGE__->authen->protected_runmodes(':all');

	 # only	protect	runmodes one two and three
	 __PACKAGE__->authen->protected_runmodes(qw(one	two three));

	 # protect only	runmodes that start with auth_
	 __PACKAGE__->authen->protected_runmodes(qr/^auth_/);

	 # protect all runmodes	that *do not* start with public_
	 __PACKAGE__->authen->protected_runmodes(qr/^(?!public_)/);

   is_protected_runmode
       This method accepts the name of a runmode, and will tell	you if that
       runmode is a protected runmode (i.e. does a user	need to	be
       authenticated to	access this runmode).  Calling this function, will not
       itself generate cookies or session ids.

   redirect_after_login
       This method is be called	during the prerun stage	to redirect the	user
       to the page that	has been configured as the destination after a
       successful login.  The location is determined as	follows:

       POST_LOGIN_RUNMODE
	   If the POST_LOGIN_RUNMODE config parameter is set, that run mode
	   will	be the chosen location.

       POST_LOGIN_URL
	   If the above	fails and the POST_LOGIN_URL config parameter is set,
	   then	there will be a	302 redirection	to that	location.

       destination
	   If the above	fails and there	is a destination query parameter,
	   which must a	taint check against the	DETAINT_URL_REGEXP config
	   parameter, then there will be a 302 redirection to that location.

       original	destination
	   If all the above fail then there the	originally requested page will
	   be delivered.

   redirect_to_login
       This method is be called	during the prerun stage	if the current user is
       not logged in, and they are trying to access a protected	runmode.  It
       will redirect to	the page that has been configured as the login page,
       based on	the value of LOGIN_RUNMODE or LOGIN_URL	 If nothing is
       configured a simple login page will be automatically provided.

   redirect_to_logout
       This method is called during the	prerun stage if	the user has requested
       to be logged out.  It will redirect to the page that has	been
       configured as the logout	page, based on the value of LOGOUT_RUNMODE or
       LOGOUT_URL  If nothing is configured, the page will redirect to the
       website homepage.

   setup_runmodes
       This method is called during the	prerun stage to	register some custom
       runmodes	that the Authentication	plugin requires	in order to function.
       Calling this function, will not itself generate cookies or session ids.

   last_login
       This will return	return the time	of the last login for this user

	 my $last_login	= $self->authen->last_login;

       This function will initiate a session or	cookie if one has not been
       created already.

   last_access
       This will return	return the time	of the last access for this user

	 my $last_access = $self->authen->last_access;

       This function will initiate a session or	cookie if one has not been
       created already.

   is_login_timeout
       This will return	true or	false depending	on whether the users login
       status just timed out

	 $self->add_message('login session timed out') if $self->authen->is_login_timeout;

       This function will initiate a session or	cookie if one has not been
       created already.

   is_authenticated
       This will return	true or	false depending	on the login status of this
       user

	 assert($self->authen->is_authenticated); # The	user should be logged in if we got here

       This function will initiate a session or	cookie if one has not been
       created already.

   login_attempts
       This method will	return the number of failed login attempts have	been
       made by this user since the last	successful login.  This	is not a
       number that can be trusted, as it is dependent on the underlying	store
       to be able to return the	correct	value for this user.  For example, if
       the store uses a	cookie based session, the user trying to login could
       delete their cookies, and hence get a new session which will not	have
       any login attempts listed.  The number will be cleared upon a
       successful login.  This function	will initiate a	session	or cookie if
       one has not been	created	already.

   username
       This will return	the username of	the currently logged in	user, or undef
       if no user is currently logged in.

	 my $username =	$self->authen->username;

       This function will initiate a session or	cookie if one has not been
       created already.

   is_new_login
       This will return	true or	false depending	on if this is a	fresh login

	 $self->log->info("New Login") if $self->authen->is_new_login;

       This function will initiate a session or	cookie if one has not been
       created already.

   credentials
       This method will	return the names of the	form parameters	that will be
       looked for during a login.  By default they are authen_username and
       authen_password,	but these values can be	changed	by supplying the
       CREDENTIALS parameters in the configuration. Calling this function,
       will not	itself generate	cookies	or session ids.

   logout
       This will attempt to logout the user.  If during	a request the
       Authentication module sees a parameter called 'authen_logout', it will
       automatically call this method to log out the user.

	 $self->authen->logout();

       This function will initiate a session or	cookie if one has not been
       created already.

   drivers
       This method will	return a list of driver	objects	that are used for
       verifying the login credentials.	Calling	this function, will not	itself
       generate	cookies	or session ids.

   store
       This method will	return a store object that is used to store
       information about the status of the authentication across multiple
       requests.  This function	will initiate a	session	or cookie if one has
       not been	created	already.

   initialize
       This does most of the heavy lifting for the Authentication plugin.  It
       will check to see if the	user is	currently attempting to	login by
       looking for the credential form fields in the query object.  It will
       load the	required driver	objects	and authenticate the user.  It is OK
       to call this method multiple times as it	checks to see if it has
       already been executed and will just return without doing	anything if
       called multiple times.  This allows us to call initialize as late as
       possible	in the request so that no unnecessary work is done.

       The user	will be	logged out by calling the "logout()" method if the
       login session has been idle for too long, if it has been	too long since
       the last	login, or if the login has timed out.  If you need to know if
       a user was logged out because of	a time out, you	can call the
       "is_login_timeout" method.

       If all goes well, a true	value will be returned,	although it is usually
       not necessary to	check.

       This function will initiate a session or	cookie if one has not been
       created already.

   display
       This method will	return the
       CGI::Application::Plugin::Authentication::Display object, creating and
       caching it if necessary.

   login_box
       This method will	return the HTML	for a login box	that can be embedded
       into another page.  This	is the same login box that is used in the
       default authen_login runmode that the plugin provides.

       This function will initiate a session or	cookie if one has not been
       created already.

   new
       This method creates a new CGI::Application::Plugin::Authentication
       object.	It requires as it's only parameter a CGI::Application object.
       This method should never	be called directly, since the 'authen' method
       that is imported	into the CGI::Application module will take care	of
       creating	the CGI::Application::Plugin::Authentication object when it is
       required. Calling this function,	will not itself	generate cookies or
       session ids.

   instance
       This method works the same way as 'new',	except that it returns the
       same Authentication object for the duration of the request.  This
       method should never be called directly, since the 'authen' method that
       is imported into	the CGI::Application module will take care of creating
       the CGI::Application::Plugin::Authentication object when	it is
       required. Calling this function,	will not itself	generate cookies or
       session ids.

CGI::Application CALLBACKS
   prerun_callback
       This method is a	CGI::Application prerun	callback that will be
       automatically registered	for you	if you are using CGI::Application 4.0
       or greater.  If you are using an	older version of CGI::Application you
       will have to create your	own cgiapp_prerun method and make sure you
       call this method	from there.

	sub cgiapp_prerun {
	   my $self = shift;

	   $self->CGI::Application::Plugin::Authentication::prerun_callback();
	}

CGI::Application RUNMODES
   authen_login_runmode
       This runmode is provided	if you do not want to create your own login
       runmode.	 It will display a simple login	form for the user, which can
       be replaced by assigning	RENDER_LOGIN a coderef that returns the	HTML.

   authen_dummy_redirect
       This runmode is provided	for convenience	when an	external redirect
       needs to	be done.  It just returns an empty string.

EXAMPLE
       In a CGI::Application module:

	 use base qw(CGI::Application);
	 use CGI::Application::Plugin::AutoRunmode;
	 use CGI::Application::Plugin::Session;
	 use CGI::Application::Plugin::Authentication;

	 __PACKAGE__->authen->config(
	       DRIVER	      => [ 'Generic', {	user1 => '123' } ],
	       STORE	      => 'Session',
	       LOGOUT_RUNMODE => 'start',
	 );
	 __PACKAGE__->authen->protected_runmodes(qr/^auth_/, 'one');

	 sub start : RunMode {
	   my $self = shift;

	 }

	 sub one : RunMode {
	   my $self = shift;

	   # The user will only	get here if they are logged in
	 }

	 sub auth_two :	RunMode	{
	   my $self = shift;

	   # This is also protected because of the
	   # regexp call to protected_runmodes above
	 }

COMPATIBILITY WITH CGI::Application::Plugin::ActionDispatch
       The prerun callback has been modified so	that it	will check for the
       presence	of a prerun mode.  This	is for compatibility with
       CGI::Application::Plugin::ActionDispatch. This change should be
       considered experimental.	It is necessary	to load	the ActionDispatch
       module so that the two prerun callbacks will be called in the correct
       order.

RECOMMENDED USAGE
       CSS The best practice nowadays is generally considered to be to not
	   have	CSS embedded in	HTML. Thus it should be	best to	set LOGIN_FORM
	   -> DISPLAY_CLASS to 'Basic'.

       Post login destination
	   Of the various means	of selecting a post login destination the most
	   secure would	seem to	be POST_LOGIN_URL. The "destination" parameter
	   could potentially be	hijacked by hackers.  The POST_LOGIN_RUNMODE
	   parameter requires a	hidden parameter that could potentially	be
	   hijacked.

       Taint mode
	   Do run your code under taint	mode. It should	help protect your
	   application against a number	of attacks.

       URL and username	checking
	   Please set the "DETAINT_URL_REGEXP" and "DETAINT_USERNAME_REGEXP"
	   parameters as tightly as possible. In particular you	should prevent
	   the destination parameter being used	to redirect authenticated
	   users to external sites; unless of course that is what you want in
	   which case that site	should be the only possible external site.

       The login form
	   The HTML currently generated	does not seem to be standards
	   compliant as	per RT bug 58023. Also the default login form includes
	   hidden forms	which could conceivably	be hijacked.  Set LOGIN_FORM
	   -> DISPLAY_CLASS to 'Basic' to fix this.

TODO
       There are lots of things	that can still be done to improve this plugin.
       If anyone else is interested in helping out feel	free to	dig right in.
       Many of these things don't need my input, but if	you want to avoid
       duplicated efforts, send	me a note, and I'll let	you know of anyone
       else is working in the same area.

       review the code for security bugs and report
       complete	the separation of presentation and logic
       write a tutorial
       build more Drivers (Class::DBI, LDAP, Radius, etc...)
       Add support for method attributes to identify runmodes that require
       authentication
       finish the test suite
       provide more example code
       clean up	the documentation
       build a DB driver that builds it's own table structure.	This can be
       used by people that don't have their own	user database to work with,
       and could include a simple user management application.

BUGS
       This is alpha software and as such, the features	and interface are
       subject to change.  So please check the Changes file when upgrading.

       Some of the test	scripts	appear to be incompatible with versions	of
       Devel::Cover later than 0.65.

SEE ALSO
       CGI::Application, perl(1)

AUTHOR
       Author: Cees Hek	<ceeshek@gmail.com>; Co-maintainer: Nicholas Bamber
       <nicholas@periapt.co.uk>.

CREDITS
       Thanks to SiteSuite <http://www.sitesuite.com.au> for funding the
       development of this plugin and for releasing it to the world.

       Thanks to Christian Walde for suggesting	changes	to fix the
       incompatibility with CGI::Application::Plugin::ActionDispatch and for
       help with github.

       Thanks to Alexandr Ciornii for pointing out some	typos.

LICENCE	AND COPYRIGHT
       Copyright (c) 2005, SiteSuite. All rights reserved.  Copyright (c)
       2010, Nicholas Bamber. (Portions	of the code).

       This module is free software; you can redistribute it and/or modify it
       under the same terms as Perl itself.

       The background images in	the default login forms	are used courtesy of
       www.famfamfam.com <http://www.famfamfam.com/lab/icons/silk/>. Those
       icons are issued	under the Creative Commons Attribution 3.0 License
       <http://creativecommons.org/licenses/by/3.0/>.  Those icons are
       copyrighted 2006	by Mark	James <mjames at gmail dot com>

DISCLAIMER OF WARRANTY
       BECAUSE THIS SOFTWARE IS	LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
       FOR THE SOFTWARE, TO THE	EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT
       WHEN OTHERWISE STATED IN	WRITING	THE COPYRIGHT HOLDERS AND/OR OTHER
       PARTIES PROVIDE THE SOFTWARE "AS	IS" WITHOUT WARRANTY OF	ANY KIND,
       EITHER EXPRESSED	OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
       WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
       ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF	THE SOFTWARE IS	WITH
       YOU. SHOULD THE SOFTWARE	PROVE DEFECTIVE, YOU ASSUME THE	COST OF	ALL
       NECESSARY SERVICING, REPAIR, OR CORRECTION.

       IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR	AGREED TO IN WRITING
       WILL ANY	COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
       REDISTRIBUTE THE	SOFTWARE AS PERMITTED BY THE ABOVE LICENCE, BE LIABLE
       TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL, OR
       CONSEQUENTIAL DAMAGES ARISING OUT OF THE	USE OR INABILITY TO USE	THE
       SOFTWARE	(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
       RENDERED	INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
       FAILURE OF THE SOFTWARE TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
       SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
       DAMAGES.

perl v5.24.1			  2CGI::Application::Plugin::Authentication(3)

NAME | SYNOPSIS | DESCRIPTION | EXPORTED METHODS | METHODS | CGI::Application CALLBACKS | CGI::Application RUNMODES | EXAMPLE | COMPATIBILITY WITH CGI::Application::Plugin::ActionDispatch | RECOMMENDED USAGE | TODO | BUGS | SEE ALSO | AUTHOR | CREDITS | LICENCE AND COPYRIGHT | DISCLAIMER OF WARRANTY

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=CGI::Application::Plugin::Authentication&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports>

home | help