Apache-AuthenSecurID


Auth/Auth.pm  view on Meta::CPAN

   my $username = $params{'username'};
   my $passcode = $params{'passcode'};
   my $type = $params{'type'};
   my $uri = $params{'a'};

   # get ace_initd config directives
   my $ace_initd_server  = $r->dir_config("ace_initd_server") || "localhost";
   my $ace_initd_port  = $r->dir_config("ace_initd_port") || 1969;

   # grab apache session cookie
   my ( $session_id ) = ( ($r->header_in("Cookie") || "") =~
                /Apache=([^;]+)/);

   my $client = IO::Socket::INET->new ( PeerAddr   =>      $ace_initd_server,
                                        PeerPort   =>      $ace_initd_port,    
                                        Proto      =>      'udp' );

   my %ACE;
   my $request;
   my $message;
   my $extra_input;

Auth/Auth.pm  view on Meta::CPAN

sub Ace_Result {

	my ( $result, $info, $r, $crypt, $params,$username ) = @_;
	my $message;
	my $extra_input;
	my $uri = $$params{'a'};
	my $time = time ();

if ( $result == 0 ) {

	my $auth_cookie = $r->dir_config("AuthCookie") || "SecurID";
	my $auth_user_cookie = $r->dir_config("AuthUserCookie") || "SecurID_User";
	my $crypt_cookie = $crypt->encrypt_hex ( "$time:$username" );
	$r->headers_out->add("Set-Cookie" => $auth_user_cookie . "=" .
		$username . "; path=" . "/");
	$r->headers_out->add("Set-Cookie" => $auth_cookie . "=" .
		$crypt_cookie . "; path=" . "/");

	$uri = $crypt->decrypt_hex ( $uri );

	# success
	$message = qq{
		<b>User Authenticated</b><p>
		<SCRIPT LANGUAGE="JavaScript">
		<!-- Begin
		window.location="$uri";

Auth/Auth.pm  view on Meta::CPAN


=head1 SYNOPSIS

 # Configuration in httpd.conf  

<Location /path/of/authentication/handler>
   SetHandler perl-script
   PerlHandler Apache::AuthenSecurID::Auth

   PerlSetVar AuthCryptKey Encryption_Key
   PerlSetVar AuthCookie Name_of_Authentication_Cookie
   PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie
   PerlSetVar AuthCookiePath /path/of/authentication/cookie
   PerlSetVar AuthApacheCookie Apache_Cookie
   PerlSetVar ace_initd_server name.of.ace.handler.server.com
   PerlSetVar ace_initd_port 1969
</Location>

=head1 DESCRIPTION

This module allows authentication against a SecurID server.  A request
is redirected to this handler if the authentication cookie does not
exist or is no longer valid.  The handler will prompt for username and 
passcode.  It will then construct and encrypt a UDP packet and send it to 
the Ace request daemon.  This is necessary since libsdiclient.a needs to 
persist for NEXT TOKEN MODE and SET PIN MODE.  If the authentication is 
valid an encrypted Authentication Cookie is set and the request is redirected 
to the originating URI.  If the user needs to enter NEXT TOKEN or set their 
PIN they will be prompted to do so and if valid the request is then redirected 
to the originating URI.


=head1 LIST OF TOKENS


=item *
AuthCryptKey

The Blowfish key used to encrypt and decrypt the authentication cookie. 
It defaults to F<my secret> if this variable is not set.

=item *
AuthCookie

The name of the cookie to be set for the authentication token.
It defaults to F<SecurID> if this variable is not set.

=item *
AuthUserCookie

The name of the cookie that contains the value of the person's username
in plain text.  This is checked against the contents of the encrypted cookie
to verify the user.  The cookie is set so other applications can identify
authorized users.  It defaults to F<SecurID_User> if this variable is not set.

=item *
AuthCookiePath

The path of the cookie to be set for the authentication token.
It defaults to F</> if this variable is not set.

=item *
AuthApacheCookie

The name of the mod_usertrack cookie.  The mod_usertrack module must be
compiled and enabled in order to track user sessions.  This is set by the
CookieName directive in httpd.conf.  It defaults to F<Apache> if this variable 
is not set.

=item *
ace_initd_server

The name of the server running the ACE request daemon.  This daemon is the
actual process that communicates with the ACE Server.  If the user is in
NEXT TOKEN MODE due to repeated failures or SET PIN MODE the Authen::ACE 
object must persist beyond the initial request.  A request packet is 
constructed with a random number, type of transaction, username, passcode

Auth/RCS/Auth.pm,v  view on Meta::CPAN

   my $username = $params{'username'};
   my $passcode = $params{'passcode'};
   my $type = $params{'type'};
   my $uri = $params{'a'};

   # get ace_initd config directives
   my $ace_initd_server  = $r->dir_config("ace_initd_server") || "localhost";
   my $ace_initd_port  = $r->dir_config("ace_initd_port") || 1969;

   # grab apache session cookie
   my ( $session_id ) = ( ($r->header_in("Cookie") || "") =~
                /Apache=([^;]+)/);

   my $client = IO::Socket::INET->new ( PeerAddr   =>      $ace_initd_server,
                                        PeerPort   =>      $ace_initd_port,    
                                        Proto      =>      'udp' );

   my %ACE;
   my $request;
   my $message;
   my $extra_input;

Auth/RCS/Auth.pm,v  view on Meta::CPAN

sub Ace_Result {

	my ( $result, $info, $r, $crypt, $params,$username ) = @@_;
	my $message;
	my $extra_input;
	my $uri = $$params{'a'};
	my $time = time ();

if ( $result == 0 ) {

	my $auth_cookie = $r->dir_config("AuthCookie") || "SecurID";
	my $auth_user_cookie = $r->dir_config("AuthUserCookie") || "SecurID_User";
	my $crypt_cookie = $crypt->encrypt_hex ( "$time:$username" );
	$r->headers_out->add("Set-Cookie" => $auth_user_cookie . "=" .
		$username . "; path=" . "/");
	$r->headers_out->add("Set-Cookie" => $auth_cookie . "=" .
		$crypt_cookie . "; path=" . "/");

	$uri = $crypt->decrypt_hex ( $uri );

	# success
	$message = qq{
		<b>User Authenticated</b><p>
		<SCRIPT LANGUAGE="JavaScript">
		<!-- Begin
		window.location="$uri";

Auth/RCS/Auth.pm,v  view on Meta::CPAN


=head1 SYNOPSIS

 # Configuration in httpd.conf  

<Location /path/of/authentication/handler>
   SetHandler perl-script
   PerlHandler Apache::AuthenSecurID::Auth

   PerlSetVar AuthCryptKey Encryption_Key
   PerlSetVar AuthCookie Name_of_Authentication_Cookie
   PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie
   PerlSetVar AuthCookiePath /path/of/authentication/cookie
   PerlSetVar AuthApacheCookie Apache_Cookie
   PerlSetVar ace_initd_server name.of.ace.handler.server.com
   PerlSetVar ace_initd_port 1969
</Location>

=head1 DESCRIPTION

This module allows authentication against a SecurID server.  A request
is redirected to this handler if the authentication cookie does not
exist or is no longer valid.  The handler will prompt for username and 
passcode.  It will then construct and encrypt a UDP packet and send it to 
the Ace request daemon.  This is necessary since libsdiclient.a needs to 
persist for NEXT TOKEN MODE and SET PIN MODE.  If the authentication is 
valid an encrypted Authentication Cookie is set and the request is redirected 
to the originating URI.  If the user needs to enter NEXT TOKEN or set their 
PIN they will be prompted to do so and if valid the request is then redirected 
to the originating URI.


=head1 LIST OF TOKENS


=item *
AuthCryptKey

The Blowfish key used to encrypt and decrypt the authentication cookie. 
It defaults to F<my secret> if this variable is not set.

=item *
AuthCookie

The name of the cookie to be set for the authentication token.
It defaults to F<SecurID> if this variable is not set.

=item *
AuthUserCookie

The name of the cookie that contains the value of the person's username
in plain text.  This is checked against the contents of the encrypted cookie
to verify the user.  The cookie is set so other applications can identify
authorized users.  It defaults to F<SecurID_User> if this variable is not set.

=item *
AuthCookiePath

The path of the cookie to be set for the authentication token.
It defaults to F</> if this variable is not set.

=item *
AuthApacheCookie

The name of the mod_usertrack cookie.  The mod_usertrack module must be
compiled and enabled in order to track user sessions.  This is set by the
CookieName directive in httpd.conf.  It defaults to F<Apache> if this variable 
is not set.

=item *
ace_initd_server

The name of the server running the ACE request daemon.  This daemon is the
actual process that communicates with the ACE Server.  If the user is in
NEXT TOKEN MODE due to repeated failures or SET PIN MODE the Authen::ACE 
object must persist beyond the initial request.  A request packet is 
constructed with a random number, type of transaction, username, passcode

Auth/RCS/Auth.pm,v  view on Meta::CPAN

d276 1
a276 1
	my ($message,$extra_input)=Ace_Result($result,\%info,$r,$crypt,$params);
d284 1
a284 1
	my ( $result, $info, $r, $crypt, $params ) = @@_;
d288 1
d293 5
a297 2
	my $crypt_cookie = $crypt->encrypt_hex ( "hello:hello" );
	$r->err_header_out("Set-Cookie" => $auth_cookie . "=" .
d529 137
@
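Review bot: under `a297 2` the cookie plaintext is the constant "hello:hello", so in the revision this delta reconstructs the authentication cookie identifies neither the user nor the login time, and the `Ace_Result` signature under `a284 1` takes no `$username` to put there. RCS keeps trunk deltas in reverse, so this is older text; it should not be checked out for deployment, and the cookie should be built as "$time:$username" with `$username` passed into `Ace_Result`, as the current Auth.pm shown above does.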


1.3
log
@*** empty log message ***
@
text
@d1 1

AuthenSecurID.pm  view on Meta::CPAN

# $Id: AuthenSecurID.pm,v 1.6 2002/07/31 16:43:44 Administrator Exp $

package Apache::AuthenSecurID;

use strict;
use Apache ();
use Apache::Registry;
use Apache::Log;
use Apache::Constants qw(OK AUTH_REQUIRED DECLINED REDIRECT SERVER_ERROR);
use Apache::Cookie;
use Crypt::CBC;
use CGI::Carp;
use vars qw($VERSION);

$VERSION = '0.4';

sub handler {
	my $r = shift;


	# get configuration directives
	my $auth_cookie = $r->dir_config("AuthCookie") || "SecurID";
	my $auth_user_cookie = $r->dir_config("AuthUserCookie")||"SecurID_User";

	my $crypt_key = $r->dir_config("AuthCryptKey") || "my secret";

	my $cookie_timeout = $r->dir_config("AuthCookieTimeOut") || 30;
	my $cookie_path = $r->dir_config("AuthCookiePath") || "/";

	my $auth_handler = $r->dir_config("Auth_Handler") || "/ace_init";

	# get cookies
	my ( $session_key ) = ( ($r->header_in("Cookie") || "") =~ 
		/${auth_cookie}=([^;]+)/);
	my ( $session_user ) = ( ($r->header_in("Cookie") || "") =~ 
		/${auth_user_cookie}=([^;]+)/);


	my $username;
	my $session_time;
	
	# decrypt cookie
	my $cipher = new Crypt::CBC($crypt_key,"Blowfish") || warn ( $! );
	if ( $session_key )  {
		my $plaintext_cookie = $cipher->decrypt_hex($session_key);

AuthenSecurID.pm  view on Meta::CPAN

	my $timeout = $time - 60 * $cookie_timeout;
	my $uri = $r->uri;

	# check cookie
	if ( $session_key && $username eq $session_user &&
 	   $timeout <= $session_time ) {
		$r->no_cache(1);
		$r->err_headers_out->add("Pragma" => "no-cache" ); 
		#reset timestamp
		my $crypt_cookie = $cipher->encrypt_hex ("$time:$username");
		$r->err_headers_out->add("Set-Cookie" => $auth_cookie . "=" .
			$crypt_cookie . "; path=" . $cookie_path );
		return OK; 
	} else {
		# redirect to authentication handler
		my $uri = $cipher->encrypt_hex ( $uri );
		$r->no_cache(1);
		$r->err_header_out("Pragma" => "no-cache");
                $r->header_out("Location" => "$auth_handler?a=" . $uri  );
		return REDIRECT;
	}
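An added example, not part of the Apache-AuthenSecurID distribution: a stand-alone Perl check that reads httpd.conf text and reports `<Location>` blocks where the handler above would fall back to `my secret`, use the key placeholder printed in the SYNOPSIS, or run with an `AuthCookieTimeOut` under the documented recommendation of 5. It assumes the directives are set inside the `<Location>` block itself and that both handlers must share one `AuthCryptKey`; the sample config and the names `parse_locations` and `audit` are constructed here.

```perl
#!/usr/bin/perl
# Added example (not from the Apache-AuthenSecurID distribution): report
# risky Apache::AuthenSecurID settings found in httpd.conf text.
use strict;
use warnings;

my $DEFAULT_KEY     = 'my secret';       # fallback when AuthCryptKey is unset
my $PLACEHOLDER_KEY = 'Encryption_Key';  # placeholder printed in the SYNOPSIS
my $MIN_TIMEOUT     = 5;                 # documented lower bound, in minutes

# Return one hashref per <Location> block that loads either handler.
sub parse_locations {
    my ($conf) = @_;
    my (@blocks, $cur);
    for my $line (split /\n/, $conf) {
        $line =~ s/^\s+|\s+$//g;
        next if $line eq '' || $line =~ /^#/;
        if ($line =~ /^<Location\s+"?([^"\s>]+)"?\s*>$/i) {
            $cur = { path => $1, vars => {}, handler => undef };
        }
        elsif ($line =~ m{^</Location>$}i) {
            push @blocks, $cur if $cur && $cur->{handler};
            undef $cur;
        }
        elsif ($cur && $line =~ /^Perl(?:Authen)?Handler\s+(Apache::AuthenSecurID(?:::Auth)?)$/) {
            $cur->{handler} = $1;
        }
        elsif ($cur && $line =~ /^PerlSetVar\s+(\S+)\s+(.+)$/) {
            my ($name, $value) = ($1, $2);
            $value =~ s/^"(.*)"$/$1/;    # drop surrounding quotes
            $cur->{vars}{$name} = $value;
        }
    }
    return @blocks;
}

# Return a list of findings; key values are never echoed unless they are
# the published default.
sub audit {
    my ($conf) = @_;
    my (@findings, %effective_keys);
    my @blocks = parse_locations($conf);
    for my $blk (@blocks) {
        my ($path, $vars) = ($blk->{path}, $blk->{vars});
        my $key = $vars->{AuthCryptKey};
        if (!defined $key) {
            push @findings, "$path: AuthCryptKey unset, handler falls back to '$DEFAULT_KEY'";
            $key = $DEFAULT_KEY;
        }
        elsif ($key eq $DEFAULT_KEY || $key eq $PLACEHOLDER_KEY) {
            push @findings, "$path: AuthCryptKey is a value published in the module docs";
        }
        $effective_keys{$key} = 1;

        # AuthCookieTimeOut appears only in the protecting handler's config.
        # The string "0" is false in Perl, so `|| 30` silently turns it into 30.
        next unless $blk->{handler} eq 'Apache::AuthenSecurID';
        my $t = $vars->{AuthCookieTimeOut};
        next unless defined $t;
        if ($t !~ /^\d+$/) {
            push @findings, "$path: AuthCookieTimeOut '$t' is not a whole number of minutes";
        }
        elsif ($t eq '0') {
            push @findings, "$path: AuthCookieTimeOut 0 is ignored, handler uses 30";
        }
        elsif ($t < $MIN_TIMEOUT) {
            push @findings, "$path: AuthCookieTimeOut $t is below the recommended $MIN_TIMEOUT minutes";
        }
    }
    # Assumption: the protecting handler and the Auth handler exchange
    # encrypted values (the a= parameter and the cookie), so they need one key.
    if (scalar(keys %effective_keys) > 1) {
        push @findings, 'AuthCryptKey differs between: '
            . join(', ', map { $_->{path} } @blocks);
    }
    return @findings;
}

# Constructed sample config, not taken from a real deployment.
my $SAMPLE = <<'CONF';
<Location /secure/directory>
 AuthName SecurID
 AuthType Basic
 PerlAuthenHandler Apache::AuthenSecurID
 PerlSetVar AuthCookieTimeOut 2
 PerlSetVar Auth_Handler /ace_init
 require valid-user
</Location>
<Location /ace_init>
 SetHandler perl-script
 PerlHandler Apache::AuthenSecurID::Auth
 PerlSetVar AuthCryptKey Encryption_Key
</Location>
CONF

print "$_\n" for audit($SAMPLE);
```

`PerlSetVar` lines placed at server or virtual-host level are not seen by this check, so a block reported as unset may still inherit a key from an outer scope.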

AuthenSecurID.pm  view on Meta::CPAN


PerlModule Apache::AuthenSecurID

<Location /secure/directory>
 AuthName SecurID
 AuthType Basic

 PerlAuthenHandler Apache::AuthenSecurID

 PerlSetVar AuthCryptKey Encryption_Key 
 PerlSetVar AuthCookie Name_of_Authentication_Cookie 
 PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie 
 PerlSetVar AuthCookiePath /path/of/authentication/cookie
 PerlSetVar AuthCookieTimeOut 30 
 PerlSetVar Auth_Handler /path/of/authentication/handler

 require valid-user
</Location>

=head1 DESCRIPTION

This module allows authentication against a SecurID server.  It
detects whether a user has a valid encrypted cookie containing their 
username and last activity time stamp.  If the cookie is valid the module 

AuthenSecurID.pm  view on Meta::CPAN

=head1 LIST OF TOKENS


=item *
AuthCryptKey

The Blowfish key used to encrypt and decrypt the authentication cookie. 
It defaults to F<my secret> if this variable is not set.

=item *
AuthCookie

The name of the cookie to be set for the authentication token.
It defaults to F<SecurID> if this variable is not set.

=item *
AuthUserCookie

The name of the cookie that contains the value of the person's username
in plain text.  This is checked against the contents of the encrypted cookie
to verify the user.  The cookie is set so other applications can identify
authorized users.  It defaults to F<SecurID_User> if this variable is not set.

=item *
AuthCookiePath

The path of the cookie to be set for the authentication token.
It defaults to F</> if this variable is not set.

=item *
AuthCookieTimeOut

The time in minutes a cookie is valid for.  It is not recommended to set
it below 5.  It defaults to F<30> if this variable is not set.

=item *
Auth_Handler

The path of the authentication handler.  This is the URL to which requests
with an invalid cookie are redirected.  The handler will prompt for username
and passcode.  It does the actual authentication and sets the initial

RCS/AuthenSecurID.pm,v  view on Meta::CPAN

text
@# $Id: AuthenSecurID.pm,v 1.5 2002/07/30 20:15:39 Administrator Exp $

package Apache::AuthenSecurID;

use strict;
use Apache ();
use Apache::Registry;
use Apache::Log;
use Apache::Constants qw(OK AUTH_REQUIRED DECLINED REDIRECT SERVER_ERROR);
use Apache::Cookie;
use Crypt::CBC;
use CGI::Carp;
use vars qw($VERSION);

$VERSION = '0.4';

sub handler {
	my $r = shift;


	# get configuration directives
	my $auth_cookie = $r->dir_config("AuthCookie") || "SecurID";
	my $auth_user_cookie = $r->dir_config("AuthUserCookie")||"SecurID_User";

	my $crypt_key = $r->dir_config("AuthCryptKey") || "my secret";

	my $cookie_timeout = $r->dir_config("AuthCookieTimeOut") || 30;
	my $cookie_path = $r->dir_config("AuthCookiePath") || "/";

	my $auth_handler = $r->dir_config("Auth_Handler") || "/ace_init";

	# get cookies
	my ( $session_key ) = ( ($r->header_in("Cookie") || "") =~ 
		/${auth_cookie}=([^;]+)/);
	my ( $session_user ) = ( ($r->header_in("Cookie") || "") =~ 
		/${auth_user_cookie}=([^;]+)/);


	my $username;
	my $session_time;
	
	# decrypt cookie
	my $cipher = new Crypt::CBC($crypt_key,"Blowfish") || warn ( $! );
	if ( $session_key )  {
		my $plaintext_cookie = $cipher->decrypt_hex($session_key);

RCS/AuthenSecurID.pm,v  view on Meta::CPAN

	my $timeout = $time - 60 * $cookie_timeout;
	my $uri = $r->uri;

	# check cookie
	if ( $session_key && $username eq $session_user &&
 	   $timeout <= $session_time ) {
		$r->no_cache(1);
		$r->err_headers_out->add("Pragma" => "no-cache" ); 
		#reset timestamp
		my $crypt_cookie = $cipher->encrypt_hex ("$time:$username");
		$r->err_headers_out->add("Set-Cookie" => $auth_cookie . "=" .
			$crypt_cookie . "; path=" . $cookie_path );
		return OK; 
	} else {
		# redirect to authentication handler
		my $uri = $cipher->encrypt_hex ( $uri );
		$r->no_cache(1);
		$r->err_header_out("Pragma" => "no-cache");
                $r->header_out("Location" => "$auth_handler?a=" . $uri  );
		return REDIRECT;
	}

RCS/AuthenSecurID.pm,v  view on Meta::CPAN


PerlModule Apache::AuthenSecurID

<Location /secure/directory>
 AuthName SecurID
 AuthType Basic

 PerlAuthenHandler Apache::AuthenSecurID

 PerlSetVar AuthCryptKey Encryption_Key 
 PerlSetVar AuthCookie Name_of_Authentication_Cookie 
 PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie 
 PerlSetVar AuthCookiePath /path/of/authentication/cookie
 PerlSetVar AuthCookieTimeOut 30 
 PerlSetVar Auth_Handler /path/of/authentication/handler

 require valid-user
</Location>

=head1 DESCRIPTION

This module allows authentication against a SecurID server.  It
detects whether a user has a valid encrypted cookie containing their 
username and last activity time stamp.  If the cookie is valid the module 

RCS/AuthenSecurID.pm,v  view on Meta::CPAN

=head1 LIST OF TOKENS


=item *
AuthCryptKey

The Blowfish key used to encrypt and decrypt the authentication cookie. 
It defaults to F<my secret> if this variable is not set.

=item *
AuthCookie

The name of the cookie to be set for the authentication token.
It defaults to F<SecurID> if this variable is not set.

=item *
AuthUserCookie

The name of the cookie that contains the value of the person's username
in plain text.  This is checked against the contents of the encrypted cookie
to verify the user.  The cookie is set so other applications can identify
authorized users.  It defaults to F<SecurID_User> if this variable is not set.

=item *
AuthCookiePath

The path of the cookie to be set for the authentication token.
It defaults to F</> if this variable is not set.

=item *
AuthCookieTimeOut

The time in minutes a cookie is valid for.  It is not recommended to set
it below 5.  It defaults to F<30> if this variable is not set.

=item *
Auth_Handler

The path of the authentication handler.  This is the URL to which requests
with an invalid cookie are redirected.  The handler will prompt for username
and passcode.  It does the actual authentication and sets the initial

RCS/AuthenSecurID.pm,v  view on Meta::CPAN

1.4
log
@documentation
@
text
@d1 1
a1 1
# $Id: AuthenSecurID.pm,v 1.3 2001/06/21 14:50:24 root Exp root $
d96 1
a96 1
 PerlSetVar AuthCookieHandler /path/of/authentication/handler
d146 1
a146 1
AuthCookieHandler
@


1.3
log
@many fixes
@
text
@d1 1
a1 1

RCS/AuthenSecurID.pm,v  view on Meta::CPAN

d14 1
a14 1
$VERSION = '0.3';
a26 3
	my($res,$pass) = $r->get_basic_auth_pw;
	$r->log_reason("$res $pass", $r->uri);
	$log->debug("$res $pass");
a27 3
	return $res if $res != OK;

	# Handle Cookie 
a28 4
	$log->debug("$auth_cookie");

	my $cookie_path = $r->dir_config("AuthCookiePath") || "/";
	$log->debug("$cookie_path");
a30 1
	$log->debug("$crypt_key");
d33 2
a34 1
	$log->debug("$cookie_timeout");
a39 1
	my $user = $r->connection->user;
d54 1
a54 11
	if ( $session_key 
		&& $user eq $username 
		&& ($session_time+($cookie_timeout * 60) >= $time) ) {

		# OK set cookie
#		my $auth_cookie  = $cipher->encrypt_hex ( "$user:$time" );
#	 	$r->err_header_out("Set-Cookie" => $auth_cookie . "=" .
#			$auth_cookie . "; path=" . $cookie_path); 
#		$r->no_cache(1);
#                $r->err_header_out("Pragma", "no-cache");
#                $r->header_out("Location" => $r->uri);
a55 51
	}


	# SecurID Config Directory 
	my $VAR_ACE    = $r->dir_config("Auth_SecurID_VAR_ACE") || "/var/ace";
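Review bot: the lines under `a26 3` write "$res $pass" to `log_reason` and `$log->debug`, which puts the passcode the client submitted into the server log, and `a30 1` logs `$crypt_key` the same way. Log neither value; `$res` alone is enough for tracing. Because RCS trunk deltas are stored in reverse, these lines belong to the older revision this delta reconstructs, so logs written while it was deployed should be treated as containing passcodes and the cookie key.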

RCS/AuthenSecurID.pm,v  view on Meta::CPAN

			."init",$r->uri);
		return SERVER_ERROR;
	}
	
	# Do the actual check.
	my ( $result, $info ) = $ace->Check ( $pass, $user );
	if ($result == ACM_OK) {
		$r->log_reason("Apache::AuthenSecurID succeed auth user"
			. "$user" ,$r->uri);
		my $auth_cookie  = $cipher->encrypt_hex ( "$user:$time" );
		$r->err_header_out("Set-Cookie" => $auth_cookie . "=" .
			$auth_cookie . "; path=" . $cookie_path); 
		$r->no_cache(1);
                $r->err_header_out("Pragma", "no-cache");
                $r->header_out("Location" => $r->uri);
		return OK;
		#return REDIRECT;
d57 4
a60 4
		$r->log_reason("Apache::AuthenSecurID failed for user $user $res $VAR_ACE",
			$r->uri);
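Review bot: `my $auth_cookie = $cipher->encrypt_hex ( "$user:$time" );` reuses the name `$auth_cookie` inside the success branch, so the `Set-Cookie` header built on the next lines comes out as ciphertext `=` ciphertext and the configured cookie name is lost. Keep the ciphertext in its own variable (the current AuthenSecurID.pm uses `$crypt_cookie`) and leave `$auth_cookie` holding the name.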

RCS/README,v  view on Meta::CPAN

	
       PerlModule Apache::AuthenSecurID

       <Location /secure/directory>
        AuthName SecurID
        AuthType Basic

        PerlAuthenHandler Apache::AuthenSecurID

        PerlSetVar AuthCryptKey Encryption_Key
        PerlSetVar AuthCookie Name_of_Authentication_Cookie
        PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie
        PerlSetVar AuthCookiePath /path/of/authentication/cookie
        PerlSetVar AuthCookieTimeOut 30
        PerlSetVar Auth_Handler /path/of/authentication/handler

        require valid-user
       </Location>


DESCRIPTION
       This module allows authentication against a SecurID
       server.  It detects whether a user has a valid encrypted
       cookie containing their username and last activity time

RCS/README,v  view on Meta::CPAN

       the cookie.  If the cookie is not valid the module will
       redirect to the authentication handler to prompt for
       username and passcode.

LIST OF TOKENS
       o AuthCryptKey
              The Blowfish key used to encrypt and decrypt the
              authentication cookie.  It defaults to my secret if
              this variable is not set.

       o AuthCookie
              The name of the cookie to be set for the
              authentication token.  It defaults to SecurID if
              this variable is not set.

       o AuthUserCookie
              The name of the cookie that contains the value
              of the person's username in plain text.  This is
              checked against the contents of the encrypted
              cookie to verify the user.  The cookie is set so other
              applications can identify authorized users.  It
              defaults to SecurID_User if this variable is not
              set.

       o AuthCookiePath
              The path of the cookie to be set for the
              authentication token.  It defaults to / if this
              variable is not set.

       o AuthCookieTimeOut
              The time in minutes a cookie is valid for.  It is
              not recommended to set it below 5.  It defaults to 30
              if this variable is not set.

       o Auth_Handler
              The path of the authentication handler.  This is the
              URL to which requests with an invalid cookie are
              redirected.  The handler will prompt for
              username and passcode.  It does the actual
              authentication and sets the initial cookie.  This

RCS/README,v  view on Meta::CPAN

       Apache::AuthenSecurID

SYNOPSIS
        # Configuration in httpd.conf

       <Location /path/of/authentication/handler>
          SetHandler perl-script
          PerlHandler Apache::AuthenSecurID::Auth

          PerlSetVar AuthCryptKey Encryption_Key
          PerlSetVar AuthCookie Name_of_Authentication_Cookie
          PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie
          PerlSetVar AuthCookiePath /path/of/authentication/cookie
          PerlSetVar AuthApacheCookie Apache_Cookie
          PerlSetVar ace_initd_server name.of.ace.handler.server.com
          PerlSetVar ace_initd_port 1969
       </Location>


DESCRIPTION
       This module allows authentication against a SecurID
       server.  A request is redirected to this handler if the
       authentication cookie does not exist or is no longer
       valid.  The handler will prompt for username and passcode.
       It will then construct and encrypt a UDP packet and send
       it to the Ace request daemon.  This is necessary since
       libsdiclient.a needs to persist for NEXT TOKEN MODE and
       SET PIN MODE.  If the authentication is valid an encrypted
       Authentication Cookie is set and the request is redirected
       to the originating URI.  If the user needs to enter NEXT
       TOKEN or set their PIN they will be prompted to do so and
       if valid the request is then redirected to the originating
       URI.

LIST OF TOKENS
       o AuthCryptKey
              The Blowfish key used to encrypt and decrypt the
              authentication cookie.  It defaults to my secret if
              this variable is not set.

       o AuthCookie
              The name of the cookie to be set for the
              authentication token.  It defaults to SecurID if
              this variable is not set.

       o AuthUserCookie
              The name of the cookie that contains the value
              of the person's username in plain text.  This is
              checked against the contents of the encrypted
              cookie to verify the user.  The cookie is set so other
              applications can identify authorized users.  It
              defaults to SecurID_User if this variable is not
              set.

       o AuthCookiePath
              The path of the cookie to be set for the
              authentication token.  It defaults to / if this
              variable is not set.

       o AuthApacheCookie
              The name of the mod_usertrack cookie.  The
              mod_usertrack module must be compiled and enabled in
              order to track user sessions.  This is set by the
              CookieName directive in httpd.conf.  It defaults to
              Apache if this variable is not set.

       o ace_initd_server
              The name of the server running the ACE request
              daemon.  This daemon is the actual process that
              communicates with the ACE Server.  If the user is
              in NEXT TOKEN MODE due to repeated failures or SET
              PIN MODE the Authen::ACE object must persist beyond
              the initial request.  A request packet is
              constructed with a random number, type of

RCS/README,v  view on Meta::CPAN

1.2
log
@docs
@
text
@d1 1
a1 1
# $Id: README,v 1.1 2001/06/19 19:45:55 root Exp root $
d40 1
a40 1
        PerlSetVar AuthCookieHandler /path/of/authentication/handler
d86 1
a86 1
       o AuthCookieHandler
@


1.1
log
@Initial revision
@
text
@d1 1
a1 1

README  view on Meta::CPAN

	
       PerlModule Apache::AuthenSecurID

       <Location /secure/directory>
        AuthName SecurID
        AuthType Basic

        PerlAuthenHandler Apache::AuthenSecurID

        PerlSetVar AuthCryptKey Encryption_Key
        PerlSetVar AuthCookie Name_of_Authentication_Cookie
        PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie
        PerlSetVar AuthCookiePath /path/of/authentication/cookie
        PerlSetVar AuthCookieTimeOut 30
        PerlSetVar Auth_Handler /path/of/authentication/handler

        require valid-user
       </Location>


DESCRIPTION
       This module allows authentication against a SecurID
       server.  It detects whether a user has a valid encrypted
       cookie containing their username and last activity time

README  view on Meta::CPAN

       the cookie.  If the cookie is not valid the module will
       redirect to the authentication handler to prompt for
       username and passcode.

LIST OF TOKENS
       o AuthCryptKey
              The Blowfish key used to encrypt and decrypt the
              authentication cookie.  It defaults to my secret if
              this variable is not set.

       o AuthCookie
              The name of the cookie to be set for the
              authentication token.  It defaults to SecurID if
              this variable is not set.

       o AuthUserCookie
              The name of the cookie that contains the value
              of the person's username in plain text.  This is
              checked against the contents of the encrypted
              cookie to verify the user.  The cookie is set so other
              applications can identify authorized users.  It
              defaults to SecurID_User if this variable is not
              set.

       o AuthCookiePath
              The path of the cookie to be set for the
              authentication token.  It defaults to / if this
              variable is not set.

       o AuthCookieTimeOut
              The time in minutes a cookie is valid for.  It is
              not recommended to set it below 5.  It defaults to 30
              if this variable is not set.

       o Auth_Handler
              The path of the authentication handler.  This is the
              URL to which requests with an invalid cookie are
              redirected.  The handler will prompt for
              username and passcode.  It does the actual
              authentication and sets the initial cookie.  This

README  view on Meta::CPAN

       Apache::AuthenSecurID

SYNOPSIS
        # Configuration in httpd.conf

       <Location /path/of/authentication/handler>
          SetHandler perl-script
          PerlHandler Apache::AuthenSecurID::Auth

          PerlSetVar AuthCryptKey Encryption_Key
          PerlSetVar AuthCookie Name_of_Authentication_Cookie
          PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie
          PerlSetVar AuthCookiePath /path/of/authentication/cookie
          PerlSetVar AuthApacheCookie Apache_Cookie
          PerlSetVar ace_initd_server name.of.ace.handler.server.com
          PerlSetVar ace_initd_port 1969
       </Location>


DESCRIPTION
       This module allows authentication against a SecurID
       server.  A request is redirected to this handler if the
       authentication cookie does not exist or is no longer
       valid.  The handler will prompt for username and passcode.
       It will then construct and encrypt a UDP packet and send
       it to the Ace request daemon.  This is necessary since
       libsdiclient.a needs to persist for NEXT TOKEN MODE and
       SET PIN MODE.  If the authentication is valid an encrypted
       Authentication Cookie is set and the request is redirected
       to the originating URI.  If the user needs to enter NEXT
       TOKEN or set their PIN they will be prompted to do so and
       if valid the request is then redirected to the originating
       URI.

LIST OF TOKENS
       o AuthCryptKey
              The Blowfish key used to encrypt and decrypt the
              authentication cookie.  It defaults to my secret if
              this variable is not set.

       o AuthCookie
              The name of the cookie to be set for the
              authentication token.  It defaults to SecurID if
              this variable is not set.

       o AuthUserCookie
              The name of the cookie that contains the value
              of the person's username in plain text.  This is
              checked against the contents of the encrypted
              cookie to verify the user.  The cookie is set so other
              applications can identify authorized users.  It
              defaults to SecurID_User if this variable is not
              set.

       o AuthCookiePath
              The path of the cookie to be set for the
              authentication token.  It defaults to / if this
              variable is not set.

       o AuthApacheCookie
              The name of the mod_usertrack cookie.  The
              mod_usertrack module must be compiled and enabled in
              order to track user sessions.  This is set by the
              CookieName directive in httpd.conf.  It defaults to
              Apache if this variable is not set.

       o ace_initd_server
              The name of the server running the ACE request
              daemon.  This daemon is the actual process that
              communicates with the ACE Server.  If the user is
              in NEXT TOKEN MODE due to repeated failures or SET
              PIN MODE the Authen::ACE object must persist beyond
              the initial request.  A request packet is
              constructed with a random number, type of


