Apache-AppSamurai
view release on metacpan or search on metacpan
examples/conf/appsamurai-owa.conf view on Meta::CPAN
PerlSetVar OwaAuthRadiusConnect "__RADIUS_SERVER_IP__:__RADIUS_PORT__"
# Set the RADIUS key to use
PerlSetVar OwaAuthRadiusSecret "__RADIUS_PASSWORD__"
## Session storage options
#
# Inactivity timeout (in seconds) for normal (form based) OWA sessions
# (Default: 3600)
PerlSetVar OwaSessionTimeout 3600
# This is the AppSamurai instance's password. Set it to something long.
# All AppSamurai servers in a cluster (sharing the same auth name), and
# using a common storage area (central session database server), must
# use the same ServerPass.
# (Note - ServerKey is only used with HMAC session generators and
# encrypting session serializers: Both are on by default)
PerlSetVar OwaSessionServerPass "__APPSAMURAI_SERVER_PASSWORD__"
# If using th default File session store, you must point to a filesystem
examples/conf/appsamurai-owa.conf view on Meta::CPAN
# !!! OF MOD_PERL !!!
<IfDefine !MODPERL2>
<Directory proxy:https://__OWA_SERVER_FQDN__/Microsoft-Server-ActiveSync*>
# Set hard expiration (no matter what, the session is killed after this
# many seconds)
PerlSetVar OwaSessionExpire 86400
# Override the previously configured inactivity timer (only applies to this
# directory) 0 disables the timer
PerlSetVar OwaSessionTimeout 0
# ActiveSync does not maintain session cookies. This sets up a "custom
# keysource" to compute the session authentication key based on a set of
# headers and arguments. (Sort of a pseudo-cookie). This avoids losing
# sessions with ActiveSync. It is MUCH less secure, though! Only
# use this in conjuction with at least one token or OTP based authentication
# module. (SecurID, SafeWord, etc....) This custom keysource uses:
# 1) The "Authorization" header value
# 2) The "User-agent" header value
# 3) The "User" argument (ActiveSync devices add this to each request)
examples/conf/appsamurai-owa.conf view on Meta::CPAN
Allow from all
require valid-user
</Directory>
</IfDefine>
<IfDefine MODPERL2>
# (See !MODPERL2 section directly above for comments)
<Proxy https://__OWA_SERVER_FQDN__/Microsoft-Server-ActiveSync*>
PerlSetVar OwaSessionExpire 86400
PerlSetVar OwaSessionTimeout 0
PerlAddVar OwaKeysource header:Authorization
PerlAddVar OwaKeysource header:User-agent
PerlAddVar OwaKeysource arg:User
PerlAddVar OwaKeysource arg:DeviceId
AuthType Basic
AuthName "Owa"
PerlAuthenHandler Apache::AppSamurai->authenticate
PerlAuthzHandler Apache::AppSamurai->authorize
Order deny,allow
Allow from all
lib/Apache/AppSamurai.pm view on Meta::CPAN
# Use CryptBase64 cipher detection utility (Slower)
unless ($sessconfig->{SerializeCipher} = &Apache::AppSamurai::Session::Serialize::CryptBase64::find_cipher()) {
# None found. (Note - Check @allowedciphers in CryptBase64.pm
# for supported ciphers)
$self->Log($r, ('error', "GetSessionConfig(): Could not auto-detect a suitable ${auth_name}SerializeCipher value (Please configure manualy): $!"));
return undef;
}
}
}
# Set a 1hr Timeout if neither Timeout or Expire are set
unless ($sessconfig->{Timeout} || $sessconfig->{Expire}) {
$sessconfig->{Timeout} = 3600;
}
return $sessconfig;
}
# Compute/check server key from server pass, returning key.
sub GetServerKey {
my ($self, $r) = @_;
my $auth_name = ($r->auth_name()) || (die("GetServerKey(): No auth name defined!\n"));
lib/Apache/AppSamurai.pm view on Meta::CPAN
$sid = $sess{_session_id};
# Make sure we received a good session ID.
(CheckSidFormat($sid)) || (($self->Log($r, ('error', 'CreateSession(): Invalid Session ID Format on new Session'))) && (return undef));
$self->Log($r, ('notice', "LOGIN: username=\"$username\", session=\"$sid\""));
# Store some basics
$sess{'username'} = $username;
$sess{'ctime'} = time();
# Track last access time if Timeout is set
if ($sessconfig->{Timeout}) {
$sess{'atime'} = $sess{'ctime'};
$sess{'Timeout'} = $sessconfig->{Timeout};
}
# Set hard expiration time if Expire is set
if ($sessconfig->{Expire}) {
$sess{'etime'} = $sess{'ctime'} + $sessconfig->{Expire};
$sess{'Expire'} = $sessconfig->{Expire};
}
# Apply passback cookies to response, and pull in updated alterlist
if (defined($alterlist->{cookie})) {
lib/Apache/AppSamurai.pm view on Meta::CPAN
if ($sess->{etime}) {
if ($time >= $sess->{etime}) {
return undef;
} else {
$ret = $sess->{etime};
}
}
if ($sess->{atime}) {
$tdiff = $time - $sess->{atime};
if ($tdiff < $sess->{Timeout}) {
# We are still valid. Update the time if we are over 60 seconds
# stale.
if ($tdiff >= 60) {
$sess->{atime} = $time;
}
$ret = $sess->{atime};
} else {
return undef;
}
}
lib/Apache/AppSamurai.pm view on Meta::CPAN
the L<Apache::AppSamurai::Session|Apache::AppSamurai::Session> and
L<Apache::Session|Apache::Session> documentation, "Session" is omitted.
=head3 SessionI<Expire> C<SECONDS>
(Default: 0)
The maximum session lifetime in seconds. After a user has been logged in this
long, they are logged out. (Ignores weather the user is idle or not.)
=head3 SessionI<Timeout> C<SECONDS>
(Default: 3600 (1 hour)).
The maximum time a session can be idle before being removed. After a user has
not accessed the protected application for this many seconds, they are logged
out.
=head3 SessionI<Store> C<NAME>
(Default: File)
The session storage module name. "File" is the default, which maps to
lib/Apache/AppSamurai.pm view on Meta::CPAN
# Pass the named header directly through to the AuthBasic server
PerlSetVar ExampleAuthBasicUserAgent "header:User-Agent"
## Session storage options ##
# (Note - See L<Apache::AppSamurai::Session> and L<Apache::Session> for
# more information.)
# Inactivity timeout (in seconds)
PerlSetVar ExampleSessionTimeout 1800
# Use the File storage and lock types from Apache::Session
PerlSetVar ExampleSessionStore "File"
PerlSetVar ExampleSessionLock "File"
# File storage options (Relevant only to File storage and lock types)
PerlSetVar ExampleSessionDirectory "/var/www/session/sessions"
PerlSetVar ExampleSessionLockDirectory "/var/www/session/slock"
# Use the Apache::AppSamurai::Session::Generate::HMAC_SHA generator
lib/Apache/AppSamurai.pm view on Meta::CPAN
AuthType Basic
AuthName "Example"
PerlAuthenHandler Apache::AppSamurai->authenticate
PerlAuthzHandler Apache::AppSamurai->authorize
# Add some local overrides to this directory. (Has
# no affect on other directories/locations)
# Switch from an inactivity timeout to a hard expiration
PerlSetVar ExampleSessionExpire 3600
PerlSetVar ExampleSessionTimeout 0
# In lieu of cookies, calculate the session key using the
# basic auth header from the client, and an argument called
# "Sessionthing" from the request URL. (NOTE - Keysource
# should be used with care! Do not use it unless you are
# sure of what you are doing!!!)
PerlAddVar ExampleKeysource header:Authorization
PerlAddVar ExampleKeysource arg:Sessionthing
Order deny,allow
lib/Apache/AppSamurai/AuthBasic.pm view on Meta::CPAN
# servers. BE CAREFUL!
PassBackCookies => 0, # Pass all Set-Cookies back to
# client browser
AllowRedirect => 0, # Follow redirects (Keep off and get
# the URL right!)
UserAgent => '', # The User-Agent: header to report
RequireRealm => '', # If set, this realm must match that
# returned by the backend server
SuccessCode => 200, # Auth considered a failure unless
# this code is returned after login
Timeout => 10, # Timeout for connecting to auth server
PassMin => 3,
PassChars => '\w\d !\@\#\$\%\^\&\*,\.\?\-_=\+', # NOTE:
# No : since that perplexes Mr.
# Basic Auth
@_,
};
return 1;
}
sub Initialize {
my $self = shift;
# Holding space for alterlist items
$self->{alterlist} = {};
# Create LWP client and empty request
$self->{client} = new LWP::UserAgent(timeout => $self->{conf}{Timeout});
($self->{client}) || ($self->AddError("Initialization of LWP::UserAgent failed: $!") && return 0);
$self->{request} = new HTTP::Request("GET", $self->{conf}{LoginUrl});
($self->{request}) || ($self->AddError("Initialization of HTTP::Request failed: $!") && return 0);
# Turn off all redirects if configured
($self->{conf}{AllowRedirect} == 1) || ($self->{client}->requests_redirectable([]));
# Set the User-Agent for the request (You may want to use
# "HEADER:User-Agent" as the value in your Apache config. AppSamurai.pm
# will fill in the client's User-Agent: header value per-request, then.)
lib/Apache/AppSamurai/AuthBasic.pm view on Meta::CPAN
(Default: 200)
This is the numerical HTTP response code the auth module should expect from
the auth server if the login was a success. 200 is usually correct.
B<Verifying this code is highly recommended!> Some servers and apps return
a 200 on various failures. (In part, thanks to Internet Explorer's "helpful"
error handling feature that displays its usual generic "Uh, something
happened!" error message on code 500 and other errors that return a page
under a certain length.)
=head2 I<Timeout> C<SECONDS>
(Default: 10)
The number of seconds to wait for the auth server to respond.
=head2 I<PassChars> C<REGEX-CHARS>
(Default: C<< \w\d !\@\#\$\%\^\&\*,\.\?\-_=\+ >>)
This is actually a configuration item included in Apache::AppSamurai::AuthBase.
It is mentioned here because the AuthBasic version overrides the usual
default by removing the C<:> character. (C<:> is used to split the username
lib/Apache/AppSamurai/AuthRadius.pm view on Meta::CPAN
# Pull defaults from AuthBase and save.
$self->SUPER::Configure();
my $conft = $self->{conf};
# Initial configuration. Put defaults here before the @_ args are
# pulled in.
$self->{conf} = { %{$conft},
Connect => '127.0.0.1:1812', # IP:port of RADIUS server
Secret => 'defaultisstupid', # RADIUS secret for this
# client
Timeout => 5, # Timeout for RADIUS auth to return
@_,
};
return 1;
}
sub Initialize {
my $self = shift;
# Create our Authen::Radius instance
$self->{radius} = new Authen::Radius(Host => $self->{conf}{Connect},
Secret => $self->{conf}{Secret},
TimeOut => $self->{conf}{Timeout}
);
($self->{radius}) || ($self->AddError("Initialization of Authen::Radius failed: $!") && return 0);
$self->{init} = 1;
return 1;
}
# Query the Radius server
sub Authenticator {
lib/Apache/AppSamurai/AuthRadius.pm view on Meta::CPAN
# Configure as an authentication method
PerlSetVar fredAuthMethods "AuthRadius"
# Set the IP and port to send Radius requests to
PerlSetVar fredAuthRadiusConnect "10.10.10.10:1812"
# Set the RADIUS key to use
PerlSetVar fredAuthRadiusSecret "ThePasswordJustBetterNotBePASSWORD"
# Set the timeout for the RADIUS connection
PerlSetVar fredAuthRadiusTimeout 5
=head1 DESCRIPTION
This L<Apache::AppSamurai|Apache::AppSamurai> authentication module checks a
username and password against a backend RADIUS service.
This module is one way to access strong authentication systems, like RSA
SecurID. Note that features like "Next Tokencode" are not supported by
this module at this time, so Apache::AppSamurai can not help users
re-synchronize their tokens.
lib/Apache/AppSamurai/AuthRadius.pm view on Meta::CPAN
(Default: C<defaultisstupid>)
Set the RADIUS secret (password) used for communication between the
Apache::AppSamurai server and the RADIUS server. If possible, use a
unique RADIUS secret for different devices to reduce the risk of
attack from other devices, and the risk of capturing authentication
information in transit.
Oh, and B<don't use I<defaultisstupid> as your RADIUS secret!>
=head2 I<Timeout> C<SECONDS>
(Default: 5)
The number of seconds to wait for a response from the RADIUS server.
The default should usually be fine.
=head2 OTHERS
All other configuration items are inherited from
L<Apache::AppSamurai::AuthBase|Apache::AppSamurai::AuthBase>. Consult
its documentation for more information.
t/conf/extra.conf.in view on Meta::CPAN
PerlSetVar WhatEverSatisfy All
AuthType Apache::AppSamurai
AuthName WhatEver
PerlAuthenHandler Apache::AppSamurai->authenticate
PerlAuthzHandler Apache::AppSamurai->authorize
Require user some-user
Require user programmer
</Location>
<Location /docs/stimeout>
PerlSetVar WhatEverSessionTimeout +10m
AuthType Apache::AppSamurai
AuthName WhatEver
PerlAuthenHandler Apache::AppSamurai->authenticate
PerlAuthzHandler Apache::AppSamurai->authorize
Require user some-user
Require user programmer
</Location>
# These documents don't require logging in, but allow it.
<FilesMatch "\.cgi$">
( run in 0.373 second using v1.01-cache-2.11-cpan-a5abf4f5562 )