Apache2-AuthCookieDBImg
view release on metacpan or search on metacpan
Revision history for Perl extension Apache2::AuthCookieDBImg
See the pod for more revision details.
2.1 Feb 2006
Initial release based on Apache2::AuthCookieDBI v2.03
by Lance P. Cleveland, Charleston Software Associates
Changes
lib/Apache2/AuthCookieDBImg.pm
Makefile.PL
MANIFEST
README
t/Handler.t
t/test.t
META.yml Module meta-data (added by MakeMaker)
# http://module-build.sourceforge.net/META-spec.html
#XXXXXXX This is a prototype!!! It will change in the future!!! XXXXX#
name: Apache2-AuthCookieDBImg
version: 2.2
version_from: lib/Apache2/AuthCookieDBImg.pm
installdirs: site
requires:
Apache2::AuthCookie: 0
Apache2::Const: 0
Apache2::ServerUtil: 0
Apache::DBI: 0
Date::Calc: 0
Digest::MD5: 0
distribution_type: module
generated_by: ExtUtils::MakeMaker version 6.17
Makefile.PL view on Meta::CPAN
use 5.00;
use ExtUtils::MakeMaker;
# See lib/ExtUtils/MakeMaker.pm for details of how to influence
# the contents of the Makefile that is written.
WriteMakefile(
NAME => 'Apache2::AuthCookieDBImg',
VERSION_FROM => 'lib/Apache2/AuthCookieDBImg.pm', # finds $VERSION
PREREQ_PM => {
Apache::DBI => 0,
Apache2::AuthCookie => 0,
Apache2::Const => 0,
Apache2::ServerUtil => 0,
Date::Calc => 0,
Digest::MD5 => 0,
},
($] >= 5.005 ? ## Add these new keywords supported since 5.005
(ABSTRACT_FROM => 'lib/Apache2/AuthCookieDBImg.pm',
AUTHOR => 'Charleston Software Associates <info@charlestonsw.com>') : ()),
);
Apache2::AuthCookieDBImg
========================
NAME
Apache2::AuthCookieDBImg (perl extension)
DESCRIPTION
An AuthCookie module backed by a DBI database with second levelauthentication via image matching. This is very simple imageauthentication scheme that is only meant to prevent robotic logins to a web page by adding a 2nd level of authentication.
REQUIRES
Apache::DBI
Apache2::AuthCookie
Apache2::Const
Apache2::ServerUtil
Date::Calc
Digest::MD5
Apache2::Session (if using sessions)
Cipher::CBC (if using CBC Ciphers)
INSTALLATION
perl Makefile.PL
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
#===============================================================================
=head1 NAME
Apache2::AuthCookieDBImg
=head1 PURPOSE
An AuthCookie module backed by a DBI database with second level
authentication via image matching. This is very simple image
authentication scheme that is only meant to prevent robotic
logins to a web page by adding a 2nd level of authentication.
=head1 SYNOPSIS
# In httpd.conf or .htaccess
PerlModule Apache2::AuthCookieDBImg
PerlSetVar WhatEverPath /
PerlSetVar WhatEverLoginScript /login.pl
# Optional, to share tickets between servers.
PerlSetVar WhatEverDomain .domain.com
# These must be set
PerlSetVar WhatEverDBI_DSN "DBI:mysql:database=test"
PerlSetVar WhatEverDBI_SecretKey "489e5eaad8b3208f9ad8792ef4afca73598ae666b0206a9c92ac877e73ce835c"
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
# The word is passed in via credential_2
# The key is passed in via credential_3
#
PerlSetVar WhatEverDBI_ImgTable "images"
PerlSetVar WhatEverDBI_ImgWordField "imageword"
PerlSetVar WhatEverDBI_ImgKeyField "imagekey"
PerlSetVar WhatEverDBI_EncryptionType "none"
PerlSetVar WhatEverDBI_SessionLifetime 00-24-00-00
# Protected by AuthCookieDBImg.
<Directory /www/domain.com/authcookiedbimg>
AuthType Apache2::AuthCookieDBImg
AuthName WhatEver
PerlAuthenHandler Apache2::AuthCookieDBImg->authenticate
PerlAuthzHandler Apache2::AuthCookieDBImg->authorize
require valid-user
# or you can require users:
require user jacob
# You can optionally require groups.
require group system
</Directory>
# Login location.
<Files LOGIN>
AuthType Apache2::AuthCookieDBImg
AuthName WhatEver
SetHandler perl-script
PerlHandler Apache2::AuthCookieDBImg->login
</Files>
=head1 DESCRIPTION
This module is an authentication handler that uses the basic mechanism provided
by Apache2::AuthCookie with a DBI database for ticket-based protection. It
is based on two tokens being provided, a username and password, which can
be any strings (there are no illegal characters for either). The username is
used to set the remote user as if Basic Authentication was used.
On an attempt to access a protected location without a valid cookie being
provided, the module prints an HTML login form (produced by a CGI or any
other handler; this can be a static file if you want to always send people
to the same entry page when they log in). This login form has fields for
username and password. On submitting it, the username and password are looked
up in the DBI database. The supplied password is checked against the password
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
The image matching only occurs if all 3 of the following directives appear
in the Apache configuration file:
PerlSetVar WhatEverDBI_ImgTable "images"
PerlSetVar WhatEverDBI_ImgWordField "imageword"
PerlSetVar WhatEverDBI_ImgKeyField "imagekey"
The first ImgTable var is the DBI table that we will use to store our
image key + word pairs. The key field is set by the second var, the word
is the third var.
Your login form should set the 2 required fields for ALL AuthCookieDBI
login forms:
Your login ID: <input type="text" name="credential_0" value="">
Your password: <input type="password" name="credential_1" value="">
PLUS two additional fields for image processing:
The image says: <input type="text" name="credential_2" value="">
<input type="hidden" name="credential_3" value="a_random_key">
The login form should also have an image displayed that shows the word
that we are expecting to receive via credential_2 as semi-obscured text.
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
like this:
create table images ( imagekey serial, imageurl char(128), imageword char(20));
And load it up like this:
inssert into images (imageurl,imageword) values ('/images/dbimg/junk.png','saywhat?');
Then create an image named junk.png and put it in my web server /images/dbimg folder.
The text on the image has a background picture plus the word "saywhat?" across the front.
The randomizer just looks up the imageurl and imagekey in the database and spits out
the appropriate HTML code. ApacheCookieDBImg then does a reverse operation, looking
up the imageword based on the key.
=head1 CAVEATS
This is not a truly random image, so it is not overly secure. The initial idea is just
to thwart stupid bots. Someone could easily visit the site and build a map of image
sources and the matching words. i.e. when credential_3 == 1 the word is always "saywhat?".
Not fool-proof, just and extra level of bot protection.
=cut
#===============================================================================
#===============================================================================
package Apache2::AuthCookieDBImg;
use strict;
use 5.004;
use vars qw( $VERSION );
$VERSION = '2.2';
use Apache2::AuthCookie;
use vars qw( @ISA );
@ISA = qw( Apache2::AuthCookie );
use Apache2::RequestRec;
use Apache::DBI;
use Apache2::Const -compile => qw( OK HTTP_FORBIDDEN );
use Apache2::ServerUtil;
use Digest::MD5 qw( md5_hex );
use Date::Calc qw( Today_and_Now Add_Delta_DHMS );
# Also uses Crypt::CBC if you're using encrypted cookies.
# Also uses Apache2::Session if you're using sessions.
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
#===============================================================================
# P R I V A T E F U N C T I O N S
#===============================================================================
#-------------------------------------------------------------------------------
# _log_not_set -- Log that a particular authentication variable was not set.
sub _log_not_set($$) {
my( $r, $variable ) = @_;
my $auth_name = $r->auth_name;
$r->log_error( "Apache2::AuthCookieDBImg: $variable not set for auth realm $auth_name", $r->uri );
}
#-------------------------------------------------------------------------------
# _dir_config_var -- Get a particular authentication variable.
sub _dir_config_var($$) {
my( $r, $variable ) = @_;
my $auth_name = $r->auth_name;
return $r->dir_config( "$auth_name$variable" );
}
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
=head1 APACHE CONFIGURATION DIRECTIVES
All configuration directives for this module are passed in PerlSetVars. These
PerlSetVars must begin with the AuthName that you are describing, so if your
AuthName is PrivateBankingSystem they will look like:
PerlSetVar PrivateBankingSystemDBI_DSN "DBI:mysql:database=banking"
See also L<Apache2::Authcookie> for the directives required for any kind
of Apache2::AuthCookie-based authentication system.
In the following descriptions, replace "WhatEver" with your particular
AuthName. The available configuration directives are as follows:
=over 4
=item C<WhatEverDBI_DSN>
Specifies the DSN for DBI for the database you wish to connect to retrieve
user information. This is required and has no default value.
=item C<WhateverDBI_SecretKey>
Specifies the secret key for this auth scheme. This should be a long
random string. This should be secret; either make the httpd.conf file
only readable by root, or put the PerlSetVar in a file only readable by
root and include it.
This is required and has no default value.
(NOTE: In AuthCookieDBImg versions 1.22 and earlier the secret key either could be
or was required to be in a seperate file with the path configured with
PerlSetVar WhateverDBI_SecretKeyFile, as of version 2.0 this is not possible, you
must put the secret key in the Apache configuration directly, either in the main
httpd.conf file or in an included file. You might wish to make the file not
world-readable. Also, make sure that the Perl environment variables are
not publically available, for example via the /perl-status handler.)
See also L</"COMPATIBILITY"> in this man page.
=item C<WhatEverDBI_User>
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
in the ticket we give them. This is almost completely useless, so don''t
switch it on unless you really know you need it. It does not provide any
protection of the password in transport; use SSL for that. It can be 'none',
'des', 'idea', 'blowfish', or 'blowfish_pp'.
This is not required and defaults to 'none'.
=item C<WhatEverDBI_SessionLifetime>
How long tickets are good for after being issued. Note that presently
Apache2::AuthCookie does not set a client-side expire time, which means that
most clients will only keep the cookie until the user quits the browser.
However, if you wish to force people to log in again sooner than that, set
this value. This can be 'forever' or a life time specified as:
DD-hh-mm-ss -- Days, hours, minute and seconds to live.
This is not required and defaults to '00-24-00-00' or 24 hours.
=item C<WhatEverDBI_SessionModule>
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
sub authen_cred($$\@)
{
my( $self, $r, @credentials ) = @_;
my $auth_name = $r->auth_name;
# Username goes in credential_0
my $user = shift @credentials;
unless ( $user =~ /^.+$/ ) {
$r->log_error( "Apache2::AuthCookieDBI: no username supplied for auth realm $auth_name", $r->uri );
return undef;
}
# Password goes in credential_1
my $password = shift @credentials;
unless ( $password =~ /^.+$/ ) {
$r->log_error( "Apache2::AuthCookieDBI: no password supplied for auth realm $auth_name", $r->uri );
return undef;
}
# CSA Patch - Use global var
# needed later for authen_sess_key
# to keep cookie alive
#
# Extra data can be put in credential_2, _3, etc.
# my @extra_data = @credentials;
@Extra_Data = @credentials;
# get the configuration information.
my %c = _dbi_config_vars $r;
# get the crypted password from the users database for this user.
my $dbh = DBI->connect( $c{ DBI_DSN },
$c{ DBI_user }, $c{ DBI_password } );
unless ( defined $dbh ) {
$r->log_error( "Apache2::AuthCookieDBI: couldn't connect to $c{ DBI_DSN } for auth realm $auth_name", $r->uri );
return undef;
}
my $sth = $dbh->prepare( <<"EOS" );
SELECT $c{ DBI_passwordfield }
FROM $c{ DBI_userstable }
WHERE $c{ DBI_userfield } = ?
EOS
$sth->execute( $user );
# CSA Patch - No need to add array overhead when fetching a single field
# my( $crypted_password ) = $sth->fetchrow_array;
my $crypted_password = $sth->fetchrow;
unless ( defined $crypted_password ) {
$r->log_error( "Apache2::AuthCookieDBI: couldn't select password from $c{ DBI_DSN }, $c{ DBI_userstable }, $c{ DBI_userfield } for user $user for auth realm $auth_name", $r->uri );
return undef;
}
# now return unless the passwords match.
if ( lc $c{ DBI_crypttype } eq 'none' ) {
unless ( $password eq $crypted_password ) {
$r->log_error( "Apache2::AuthCookieDBI: plaintext passwords didn't match for user $user for auth realm $auth_name", $r->uri );
return undef;
}
} elsif ( lc $c{ DBI_crypttype } eq 'crypt' ) {
my $salt = substr $crypted_password, 0, 2;
unless ( crypt( $password, $salt ) eq $crypted_password ) {
$r->log_error( "Apache2::AuthCookieDBI: crypted passwords didn't match for user $user for auth realm $auth_name", $r->uri );
return undef;
}
} elsif ( lc $c{ DBI_crypttype } eq 'md5' ) {
unless ( md5_hex( $password ) eq $crypted_password ) {
$r->log_error( "Apache2::AuthCookieDBI: MD5 passwords didn't match for user $user for auth realm $auth_name", $r->uri );
return undef;
}
}
# CSA Patch - New gen_key function for activity reset
# on cookies
#
return $self->gen_key($r, $user, \@Extra_Data);
}
#-------------------------------------------------------------------------------
# Take a session key and check that it is still valid; if so, return the user.
sub authen_ses_key($$$)
{
my( $self, $r, $encrypted_session_key ) = @_;
my $auth_name = $r->auth_name;
# Enable Debugging In Here
my $debug = $r->dir_config("AuthCookieDebug") || 0;
# Get the configuration information.
my %c = _dbi_config_vars $r;
# Get the secret key.
my $secretkey = $c{ DBI_secretkey };
unless ( defined $secretkey ) {
$r->log_error( "Apache2::AuthCookieDBImg: didn't have the secret key from for auth realm $auth_name", $r->uri );
return undef;
}
# Decrypt the session key.
my $session_key;
if ( $c{ DBI_encryptiontype } eq 'none' ) {
$session_key = $encrypted_session_key;
} else {
# Check that this looks like an encrypted hex-encoded string.
unless ( $encrypted_session_key =~ /^[0-9a-fA-F]+$/ ) {
$r->log_error( "Apache2::AuthCookieDBImg: encrypted session key $encrypted_session_key doesn't look like it's properly hex-encoded for auth realm $auth_name", $r->uri );
return undef;
}
# Get the cipher from the cache, or create a new one if the
# cached cipher hasn't been created, & decrypt the session key.
my $cipher;
if ( lc $c{ DBI_encryptiontype } eq 'des' ) {
$cipher = $CIPHERS{ "des:$auth_name" }
||= Crypt::CBC->new( $secretkey, 'DES' );
} elsif ( lc $c{ DBI_encryptiontype } eq 'idea' ) {
$cipher = $CIPHERS{ "idea:$auth_name" }
||= Crypt::CBC->new( $secretkey, 'IDEA' );
} elsif ( lc $c{ DBI_encryptiontype } eq 'blowfish' ) {
$cipher = $CIPHERS{ "blowfish:$auth_name" }
||= Crypt::CBC->new( $secretkey, 'Blowfish' );
} elsif ( lc $c{ DBI_encryptiontype } eq 'blowfish_pp' ) {
$cipher = $CIPHERS{ "blowfish_pp:$auth_name" }
||= Crypt::CBC->new( $secretkey, 'Blowfish_PP' );
} else {
$r->log_error( "Apache2::AuthCookieDBImg: unknown encryption type $c{ DBI_encryptiontype } for auth realm $auth_name", $r->uri );
return undef;
}
$session_key = $cipher->decrypt_hex( $encrypted_session_key );
}
# Break up the session key.
my( $enc_user, $issue_time, $expire_time, $session_id,
$supplied_hash, @rest ) = split /:/, $session_key;
# Let's check that we got passed sensible values in the cookie.
unless ( $enc_user =~ /^[a-zA-Z0-9_\%]+$/ ) {
$r->log_error( "Apache2::AuthCookieDBImg: bad percent-encoded user $enc_user recovered from session ticket for auth_realm $auth_name", $r->uri );
return undef;
}
# decode the user
my $user = _percent_decode $enc_user;
unless ( $issue_time =~ /^\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}$/ ) {
$r->log_error( "Apache2::AuthCookieDBImg: bad issue time $issue_time recovered from ticket for user $user for auth_realm $auth_name", $r->uri );
return undef;
}
unless ( $expire_time =~ /^\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}$/ ) {
$r->log_error( "Apache2::AuthCookieDBImg: bad expire time $expire_time recovered from ticket for user $user for auth_realm $auth_name", $r->uri );
return undef;
}
unless ( $supplied_hash =~ /^[0-9a-fA-F]{32}$/ ) {
$r->log_error( "Apache2::AuthCookieDBImg: bad hash $supplied_hash recovered from ticket for user $user for auth_realm $auth_name", $r->uri );
return undef;
}
# If we're using a session module, check that their session exist.
if ( defined $c{ DBI_sessionmodule } ) {
my %session;
my $dbh = DBI->connect( $c{ DBI_DSN },
$c{ DBI_user }, $c{ DBI_password } );
unless ( defined $dbh ) {
$r->log_error( "Apache2::AuthCookieDBImg: couldn't connect to $c{ DBI_DSN } for auth realm $auth_name", $r->uri );
return undef;
}
eval {
tie %session, $c{ DBI_sessionmodule }, $session_id, +{
Handle => $dbh,
LockHandle => $dbh,
};
};
if ( $@ ) {
$r->log_error( "Apache2::AuthCookieDBImg: failed to tie session hash using session id $session_id for user $user for auth_realm $auth_name, error was $@", $r->uri );
return undef;
}
# Update a timestamp at the top level to make sure we sync.
$session{ timestamp } = _now_year_month_day_hour_minute_second;
$r->pnotes( $auth_name, \%session );
}
# Calculate the hash of the user, issue time, expire_time and
# the secret key and the session_id and then the hash of that
# and the secret key again.
my $hash = md5_hex( join ':', $secretkey, md5_hex( join ':',
$enc_user, $issue_time, $expire_time, $session_id, @rest, $secretkey
) );
# Compare it to the hash they gave us.
unless ( $hash eq $supplied_hash ) {
$r->log_error( "Apache2::AuthCookieDBImg: hash in cookie did not match calculated hash of contents for user $user for auth realm $auth_name", $r->uri );
return undef;
}
# Check that their session hasn't timed out.
if ( _now_year_month_day_hour_minute_second gt $expire_time ) {
$r->log_error( "Apache:AuthCookieDBImg: expire time $expire_time has passed for user $user for auth realm $auth_name", $r->uri );
return undef;
}
# If we're being paranoid about timing-out long-lived sessions,
# check that the issue time + the current (server-set) session lifetime
# hasn't passed too (in case we issued long-lived session tickets
# in the past that we want to get rid of). *** TODO ***
# if ( lc $c{ DBI_AlwaysUseCurrentSessionLifetime } eq 'on' ) {
# Expire Time Update (Inactivity Timer vs. Hard Time)
# If SessionActiveReset Flag Is On
#
if ($c{ DBI_SessionActiveReset}) {
my $ses_key = $self->gen_key($r, $user, \@Extra_Data);
$self->send_cookie($r, $ses_key);
$r->server->warn('Apache2:AuthCookieDBI: extended() '.$ses_key) if $debug >= 3;
}
# They must be okay, so return the user.
return $user;
}
#-------------------------------------------------------------------------------
#
# Separated gen_key from authen_cred
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
# can stick it in the cookie safely.
my $enc_user = _percent_encode $user;
#---- CSA :: NEW 2.03 Session Stuff
# If we are using sessions, we create a new session for this login.
my $session_id = '';
if ( defined $c{ DBI_sessionmodule } ) {
my $dbh = DBI->connect( $c{ DBI_DSN },
$c{ DBI_user }, $c{ DBI_password } );
unless ( defined $dbh ) {
$r->log_error( "Apache2::AuthCookieDBI: couldn't connect to $c{ DBI_DSN } for auth realm $auth_name", $r->uri );
return undef;
}
my %session;
tie %session, $c{ DBI_sessionmodule }, undef, +{
Handle => $dbh,
LockHandle => $dbh,
};
$session_id = $session{ _session_id };
$r->pnotes( $auth_name, \%session );
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
# time and the session id (if any) together to make the public part
# of the session key:
my $current_time = _now_year_month_day_hour_minute_second;
my $public_part = "$enc_user:$current_time:$expire_time:$session_id";
$public_part .= $self->extra_session_info($r,@Extra_Data);
# Now we calculate the hash of this and the secret key and then
# calculate the hash of *that* and the secret key again.
my $secretkey = $c{DBI_secretkey};
unless ( defined $secretkey ) {
$r->log_error( "Apache2::AuthCookieDBI: didn't have the secret key for auth realm $auth_name", $r->uri );
return undef;
}
my $hash = md5_hex( join ':', $secretkey, md5_hex(
join ':', $public_part, $secretkey
) );
# Now we add this hash to the end of the public part.
my $session_key = "$public_part:$hash";
# Now we encrypt this and return it.
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
# Get the configuration information.
my %c = _dbi_config_vars $r;
my $user = $r->user;
# See if we have a row in the groups table for this user/group.
my $dbh = DBI->connect( $c{ DBI_DSN },
$c{ DBI_user }, $c{ DBI_password } );
unless ( defined $dbh ) {
$r->log_error( "Apache2::AuthCookieDBImg: couldn't connect to $c{ DBI_DSN } for auth realm $auth_name", $r->uri );
return undef;
}
# Now loop through all the groups to see if we're a member of any:
my $sth = $dbh->prepare( <<"EOS" );
SELECT $c{ DBI_groupuserfield }
FROM $c{ DBI_groupstable }
WHERE $c{ DBI_groupfield } = ?
AND $c{ DBI_groupuserfield } = ?
EOS
foreach my $group ( @groups ) {
$sth->execute( $group, $user );
return Apache2::Const::OK if ( $sth->fetchrow_array );
}
$r->log_error( "Apache2::AuthCookieDBImg: user $user was not a member of any of the required groups @groups for auth realm $auth_name", $r->uri );
return Apache2::Const::HTTP_FORBIDDEN;
}
1;
__END__
=back
=head1 DATABASE SCHEMAS
lib/Apache2/AuthCookieDBImg.pm view on Meta::CPAN
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
=head1 AUTHOR
Lance Cleveland, Charleston Software Associates <info@charlestonsw.com>
=head1 HISTORY
v2.1 - February 2006
Significant portions based on AuthCookieDBI v2.03
v2.2 - April 2006
Added SessionActiveReset configuration variable (reset logout timer)
=head1 REQUIRES
Apache::DBI
Apache2::AuthCookie
Apache2::Const
Apache2::ServerUtil
Date::Calc
Digest::MD5
Apache2::Session (if using sessions)
Cipher::CBC (if using CBC Ciphers)
=head1 SEE ALSO
Latest version: http://search.cpan.org/search?query=Apache%3A%3AAuthCookieDBImg&mode=all
Apache2::AuthCookieDBI(1)
Apache2::AuthCookie(1)
Apache2::Session(1)
=cut
t/Handler.t view on Meta::CPAN
# Before `make install' is performed this script should be runnable with
# `make test'. After `make install' it should work as `perl PGHandler.t'
#########################
# change 'tests => 1' to 'tests => last_test_to_print';
use Test::More tests => 6;
BEGIN {
use_ok('Apache::DBI');
use_ok('Apache2::AuthCookie');
use_ok('Apache2::Const');
use_ok('Date::Calc');
use_ok('Digest::MD5');
};
#########################
# Insert your test code below, the Test::More module is use()ed here so read
# its man page ( perldoc Test::More ) for help writing this test script.
( run in 0.753 second using v1.01-cache-2.11-cpan-e9199f4ba4c )