Apache-AppSamurai
view release on metacpan or search on metacpan
the "LogLevel" setting for "ErrorLog" in your Apache config to debug.
Don't forget to turn OFF AppSamurai debugging for production! It logs
potentially sensitive information that you do not want sitting in a logfile
in your DMZ.
Auth Modules
------------
Q: How does the AuthBasic auth module work?
A: The AuthBasic auth module attempts to authenticate with a web server using
HTTP Basic Auth authentication. (This is the "old" style login where
a popup box appears asking for a username and password.) Since AppSamurai
is often used to protect backend servers that only have HTTP Basic Auth
enabled, the server used will usually be the same as AppSamurai is
protecting.
Q: "Basic", "Radius", and "Simple"... not a lot of auth choices...
A: Instead of writing 800 auth modules, AppSamurai comes with two basic auth
modules (that I personally use), plus the AuthSimple module which opens
up access to any Authen::Simple supported authentication adaptor.
(Authen::Simple::Kerberos, Authen::Simple::PAM, etc.) More AppSamurai
auth modules may appear in future releases. (Especially if anyone sends
examples/conf/appsamurai-owa.conf view on Meta::CPAN
# Must satisfy all authentication checks (Default: All)
PerlSetVar OwaSatisfy All
# Set the "secure" flag on the authentication cookie (Note - If you are not
# using SSL, well, USE SSL!!!)
PerlSetVar OwaSecure 1
# Set the silly Microsoft http-only cookie flag
PerlSetVar OwaHttpOnly 1
# Custom mapping of xxxxxx;yyyyyy Basic authentication password input
# to specific and separate individual credentials.
# Example: If the user logs into the basic auth popup with the password:
# myRockinPassword;1234123456
# The map below will set credential_1 as "1234123456" and credential_2
# as "myRockinPassword", then proceed as if the same were entered into
# a form login. (Default: undef)
#PerlSetVar OwaBasicAuthMap "2,1=(.+);([^;]+)"
# List the authentication methods (modules) you will be using, in order of
# credential number on the login form. (credential_1, credential_2, etc)
PerlSetVar OwaAuthMethods "AuthBasic"
examples/conf/appsamurai-owa.conf view on Meta::CPAN
# Set the RADIUS key to use
PerlSetVar OwaAuthRadiusSecret "__RADIUS_PASSWORD__"
## Session storage options
#
# Inactivity timeout (in seconds) for normal (form based) OWA sessions
# (Default: 3600)
PerlSetVar OwaSessionTimeout 3600
# This is the AppSamurai instance's password. Set it to something long.
# All AppSamurai servers in a cluster (sharing the same auth name), and
# using a common storage area (central session database server), must
# use the same ServerPass.
# (Note - ServerKey is only used with HMAC session generators and
# encrypting session serializers: Both are on by default)
PerlSetVar OwaSessionServerPass "__APPSAMURAI_SERVER_PASSWORD__"
# If using th default File session store, you must point to a filesystem
# directory to store sessions in. (Should be readable/writable only to
# the user httpd is running under)
examples/htdocs/login.html view on Meta::CPAN
</td>
<td>
<input type="text" name="credential_0" class="textbox" maxlength="256" value="__USERNAME__" />
</td>
</tr>
<tr>
<td align="right">
<span class="logintext">PASSWORD</span>
</td>
<td>
<input type="password" name="credential_2" class="textbox" maxlength="254" />
</td>
</tr>
<tr>
<td align="right">
<span class="logintext">PASSCODE</span>
</td>
<td>
<input type="password" name="credential_1" class="textbox" maxlength="32" />
</td>
</tr>
<tr align="right" valign="middle">
<td colspan="2">
<input type="hidden" name="destination" value="__URI__" />
<input type="hidden" name="nonce" value="__NONCE__" />
<input type="hidden" name="sig" value="__SIG__" />
<input type="submit" value="Log In" name="LOGIN" class="loginbutton" />
</td>
examples/htdocs/login.pl view on Meta::CPAN
# Note - Pulling session config code out of the main module would allow this
# to be much shorter/simpler. Strike 90834895345 against the giant module.
# TODO - This should be in a module!!!
my $auth_name = ($r->auth_name()) || (die("login.pl(): No auth name defined!\n"));
my $dirconfig = $r->dir_config;
my $serverkey = '';
if (exists($dirconfig->{$auth_name . "SessionServerPass"})) {
my $serverpass = $dirconfig->{$auth_name . "SessionServerPass"};
($serverpass =~ s/^\s*([[:print:]]{8,}?)\s*$/$1/s) ||
die('error', "login.pl(): Invalid ${auth_name}SessionServerPass (must be use at least 8 printable characters\n");
($serverpass =~ /^(password|serverkey|serverpass|12345678)$/i) &&
die("login.pl: ${auth_name}SessionServerPass is $1... That is too lousy\n");
($serverkey = HashPass($serverpass)) || die("login.pl: Problem computing server key hash for $auth_name");
} elsif (exists($dirconfig->{$auth_name . "SessionServerKey"})) {
$serverkey = $dirconfig->{$auth_name . "SessionServerKey"};
} else {
die("login.pl(): You must configure either ${auth_name}SessionServerPass or ${auth_name}SessionServerKey in your Apache configuration\n");
}
lib/Apache/AppSamurai.pm view on Meta::CPAN
my $serverkey = '';
if (exists($dirconfig->{$auth_name . "SessionServerPass"})) {
my $serverpass = $dirconfig->{$auth_name . "SessionServerPass"};
unless ($serverpass =~ s/^\s*([[:print:]]{8,}?)\s*$/$1/s) {
$self->Log($r, ('error', "GetServerKey(): Invalid ${auth_name}SessionServerPass (must be use at least 8 printable characters"));
return undef;
}
if ($serverpass =~ /^(password|serverkey|serverpass|12345678)$/i) {
$self->Log($r, ('error', "GetServerKey(): ${auth_name}SessionServerPass is $1... That is too lousy"));
return undef;
}
unless ($serverkey = HashPass($serverpass)) {
$self->Log($r, ('error', "GetServerKey(): Problem computing server key hash for ${auth_name}SessionServerPass"));
return undef;
}
} elsif (exists($dirconfig->{$auth_name . "SessionServerKey"})) {
lib/Apache/AppSamurai.pm view on Meta::CPAN
B<Unified mod_perl 1 and 2 support> - One module set supports both
Apache 1.x/mod_perl 1.x and Apache 2.x/mod_perl 2.x
=back
=head1 SESSION STORAGE SECURITY
Server side session data may include sensitive information, including the basic
authentication C<Authorization> header to be sent to the backend server.
(This is just a Base64 encoded value, revealing the username and password
if stolen.)
To protect the data on-disk, Apache::AppSamurai includes
its own HMAC based session ID generator and encrypting session serializer.
(L<Apache::AppSamurai::Session::Generate::HMAC_SHA|Apache::AppSamurai::Session::Generate::HMAC_SHA>
and
L<Apache::AppSamurai::Session::Serialize::CryptBase64|Apache::AppSamurai::Session::Serialize::CryptBase64>
, respectively.)
These modules are configured by default and may be used directly with
Apache::Session, or outside of Apache::AppSamurai if desired.
lib/Apache/AppSamurai.pm view on Meta::CPAN
(Default: undef)
A comma separated list of the authentication sub-modules to use. The order of
the list must match the order of the C<credentials_X> parameters in the login
form. (Note - C<credential_0> is always the username, and is passed as such to
all the authentication modules.)
=head3 I<BasicAuthMap> C<N1,N2,.. = REGEX>
(Default: undef)
Custom mapping of Basic authentication password input to specific and separate
individual credentials. This allows for AppSamurai to request basic
authentication for an area, then split the input into credentials that can be
checked against multiple targets, just like a form based login. This is very
useful for clients, like Windows Mobile ActiveSync, that only support basic
auth logins. Using this feature you can add SecurID or other additional
authentication factors without having to pick only one.
The syntax is a bit odd. First, specify a list of the credential numbers
you want mapped, in order they will be found within the input. Then
create a regular expression that will match the input, and group each item
you want mapped.
Example:
PerlSetVar BobAuthBasicAuthMap "2,1=(.+);([^;]+)"
If the user logs into the basic auth popup with the password:
C<myRockinPassword;1234123456> ,the map above will set credential_1 as
C<1234123456> and credential_2 as C<myRockinPassword>, then proceed as if
the same were entered into a form login.
=head3 ADDITIONAL AUTHENTICATION OPTIONS
Authentication submodules usually have one or more required settings. All
settings are passed using PerlSetVar directives with variable names prefixed
with the AuthName and the module's name.
lib/Apache/AppSamurai.pm view on Meta::CPAN
# Require secure sessions (default: 1)
#PerlSetVar ExampleSecure 1
# Set proprietary MS flag
PerlSetVar ExampleHttpOnly 1
# Define authentication sources, in order
PerlSetVar ExampleAuthMethods "AuthRadius,AuthBasic"
# Custom mapping of xxxxxx;yyyyyy Basic authentication password input
# to specific and separate individual credentials. (default: undef)
PerlSetVar ExampleBasicAuthMap "2,1=(.+);([^;]+)"
## Apache::AppSamurai::AuthRadius options ##
# (Note - See L<Apache::AppSamurai::AuthRadius> for more info)
PerlSetVar ExampleAuthRadiusConnect "192.168.168.168:1645"
PerlSetVar ExampleAuthRadiusSecret "radiuspassword"
## Apache::AppSamurai::AuthBasic options.##
# (Note - See L<Apache::AppSamurai::AuthBasic> for more info)
# Set the URL to send Basic auth checks to
PerlSetVar ExampleAuthBasicLoginUrl "https://ex.amp.le/thing/login"
# Always send Basic authentication header to backend server
PerlSetVar ExampleAuthBasicKeepAuth 1
lib/Apache/AppSamurai/AuthBase.pm view on Meta::CPAN
my $class = (ref($this) || ($this));
my $me = {};
bless($me, $class);
# Call Configure to fill out the $me->{conf} hash
$me->Configure(@_);
$me->{init} = 0;
$me->{errors} = [];
# If the username and password were passed with the new request,
# process and return immediately.
if (defined($me->{conf}{user}) && defined($me->{conf}{pass})) {
return $me->Authenticate($me->{conf}{user}, $me->{conf}{pass});
}
return $me;
}
#### OVERRIDE Configure(), Initialize(), and Authenticator() FOR NEW ####
#### AuthXXX MODULES ####
lib/Apache/AppSamurai/AuthBase.pm view on Meta::CPAN
(1 == 1) || ($self->AddError("Failed to initialize in " . __PACKAGE__ . "::Initialize") && return 0);
# Set this after successful initialization
$self->{init} = 1;
return 1;
}
# Perform the authentication. Returns a "yes" value (1, true) on success
# and "no" value (0, false, or undef) on failure. The function takes
# three arguments. 1) The object itself 2) The username 3) The password
# The username and password at this point have been through ALL checks in
# the module. (Valid chars, valid length, etc,)
sub Authenticator {
my $self = shift;
my $user = shift;
my $pass = shift;
# Enter stuff here
# DEFAULT DENY #
return 0;
lib/Apache/AppSamurai/AuthBase.pm view on Meta::CPAN
sub Authenticate {
my $self = shift;
(scalar(@_) == 2) || (croak 'Usage: $a->Authenticate($user, $pass);');
my ($user, $pass) = @_;
## DEFAULT DENY ##
my $authenticated = 0;
# Check for clean input.
($user = $self->CheckInputUser($user)) || ($self->AddError('warn', 'Invalid username') && return 0);
($pass = $self->CheckInputPass($pass)) || ($self->AddError('warn', 'Invalid password') && return 0);
# Initialize if not yet done
if (!$self->{init}) {
($self->Initialize()) || (return 0);
}
## This is where the Authentication happens. Create your own overridden
# Authenticator functions today!
($self->Authenticator($user, $pass)) && ($authenticated = 1);
lib/Apache/AppSamurai/AuthBase.pm view on Meta::CPAN
if ($self->{conf}{UserUc}) {
$user = uc($user);
} elsif ($self->{conf}{UserLc}) {
$user = lc($user);
}
return $user;
}
# Filter or reject the password. Return the password (with
# modifications, if needed) on success, or nothing on failure.
# CUSTOMIZE THIS TO ONLY ALLOW VALID PASSWORDS FOR YOUR AUTH MODULE!
# BE CAREFUL IF YOU RETURN AN ALTERED PASSWORD! In almost all cases,
# you should fail out instead of trying to help a user. No lc($pass)
# unless your backend authentication checker really is case insensitive.
sub CheckInputPass {
my $self = shift;
my $pass = (shift || return undef);
# Strip surrounding whitespace, if so configured
if ($self->{conf}{PassStripWhite}) {
$pass =~ s/^\s*(.+?)\s*$/$1/;
}
my $plen = length($pass);
# Check password against the list of valid password characters
unless ($pass =~ /^([$self->{conf}{PassChars}]+)$/) {
$self->AddError('warn', 'Password contains invalid characters');
return undef;
}
# Check for a valid password length.
if ($plen < $self->{conf}{PassMin}) {
$self->AddError('warn', "Password too small ($plen)");
return undef;
} elsif ($plen > $self->{conf}{PassMax}) {
$self->AddError('warn', "Password too large ($plen)");
return undef;
}
return $pass;
}
lib/Apache/AppSamurai/AuthBase.pm view on Meta::CPAN
module config and use within AppSamurai.
=head1 DESCRIPTION
All L<Apache::AppSamurai|Apache::AppSamurai> authentication submodules
should inherit from Auth::Base. This module provides the a standard
framework including config, initialization, basic input validation and
filtering, error checking, and logging needed by all AppSamurai auth modules.
Auth modules must each define at least an L</Authenticator()> method to accept
the username (C<credential_0>) and the mapped credential (password) and return
0 on failure and 1 on success. Other commonly overridden methods are
L</Configure()> which includes the setup of the C< $self->{conf} >
configuration hash, and L</Initialize()> which performs any needed
pre-authentication setup work.
=head1 METHODS
=head2 new()
Runs I<Configure()>, (passing along any arguments), which creates and
lib/Apache/AppSamurai/AuthBase.pm view on Meta::CPAN
If set to 1, converts the username to all caps before checking. (Default: 0)
=head3 I<UserLc>
If set to 1, converts the username to all lower case before checking.
(Default: 0)
=head3 I<PassMin>
Minimum characters in password. (Default: 4)
=head3 I<PassMax>
Maximum characters in password. (Default: 16384)
=head3 I<PassChars>
Characters allowed in a password. These are matched with a Perl regex and
character classes like "\w" and "\d" are allowed. (Default:
C<< \w\d !\@\#\$\%\^\&\*:\,\.\?\-_=\+ >>)
=head3 I<PassStripWhite>
If set to 1, strips any whitespace surrounding the password.
(Default: 0)
=head3 I<DefaultLogLevel>
The L</AddError()> method can take two styles of input when adding log
lines to the object's errors array. This option sets the logging
severity for log lines passed in without a specific severity set.
The valid values are the same as those allowed in the Apache C<LogLevel>
directive: emerg, alert, crit, error, warn, notice, info, and debug.
(Default: error)
lib/Apache/AppSamurai/AuthBase.pm view on Meta::CPAN
on failure. Checks the C<< $self->{init} >> flag for a previous run,
and returns 1 of object has already been initialized. Once completed,
the C<< $self->{init} >> flag is set to 1 before returning.
See L</EXAMPLES> for a sample overridden C<Initialize()> method.
=head2 Authenticator()
C<Apache::AppSamurai::AuthBase::Authenticator()> is just a skeleton and
must be overridden for each authentication module. It is called with
an object reference and takes the username and password as two scalar
inputs. It must return 0 on an authentication failure or any other
failure. 1 should only be returned on a clean and successful authentication.
B<Please carefully test this method in any authentication module before
using in production!> Also, it is recommended that the last command inside
all C<Authenticator()> methods is C<return 0;>. This helps ensure that
if there is some sort of unanticipated failure, or unanticipated fall through
condition, there is one more obstacle in the way of a potential authentication
bypass.
See L</EXAMPLES> for a simple example of a C<Authenticator()> method.
=head2 Authenticate()
This is called by Apache::AppSamurai to perform the authentication check.
It is called with an object reference and takes the username and password
as scalar arguments.
The username is validated using L</CheckInputUser()>, and then the password
is validated using L</CheckInputPass()>. (If either of those fail,
an error is added and 0 is returned.)
After validation, L</Initialize()> is called if the C<< $self->{init} >>
flag has not been set. (Note - Apache::AppSamurai calls C<Initialize()>
separately. This functionality is added as a fail safe, or for testing.)
Finally, the object's L</Authenticator()> method is called to perform the
actual work of checking the credentials. It's result is returned by
C<Authenticate()> to the caller.
lib/Apache/AppSamurai/AuthBase.pm view on Meta::CPAN
=back
If all conditions are met, the validated and cleaned username is returned.
C<CheckInputUser()> should not generally need to be overridden unless an
authentication module needs more extensive filtering.
=head2 CheckInputPass()
Is called with an object ref and expects a scalar password as its only
argument. If successful, the validated password is returned. In case of
a failure or violation, C<undef> is returned.
Note - "password" is used in the descriptions below. This equates the
whatever data, (password, passphrase, PIN, whatever), will be passed as
an authentication credential to the authentication module.
C<CheckInputPass()> uses settings out of C<< $self->{conf} >> as follows:
=over 4
=item *
If I<PassStripWhite> is 1, surrounding whitespace is removed. (This is
generally not a good idea unless the specific authentication system does
not support whitespace in the password.)
=item *
The password is checked against I<PassChars>. Try to allow as many characters
as the underlying authentication system can safely support to avoid reducing
the strength of the passwords or other authentication data that can be used.
(Note - The default I<PassChars> should be decent for most uses, however,
it may be loosened or restricted more in future versions.)
=item *
The length of the password is checked against I<PassMin> and then I<PassMax>.
Once again, avoid limiting the maximum password length as much as safely
possible.
=back
If all conditions are met, the validated and cleaned password is returned.
C<CheckInputPass()> should not generally need to be overridden unless an
authentication module needs more extensive filtering.
=head2 AddError()
Adds a new log message to the C<< @{$self->{errors}} >> array, which is
returned to a then processed by Apache::AppSamurai.
C<AddError()> is called using an object reference and expects one of
lib/Apache/AppSamurai/AuthBasic.pm view on Meta::CPAN
PerlSetVar fredAuthBasicKeepAuth 1
# Collect cookies from AuthBasic check and send back to the user's browser
# on login (This is the default behaviour)
PerlSetVar fredAuthBasicPassBackCookies 1
=head1 DESCRIPTION
This L<Apache::AppSamurai|Apache::AppSamurai> authentication module checks a
username and password against a backend webserver, (referred to as the "auth
server" below), using HTTP basic authentication (as defined in
L<RFC 2617|http://www.faqs.org/rfcs/rfc2617.html>). In general, the
auth server is the same as the server Apache::AppSamurai is protecting,
though it does not have to be.
B<It is not recommended that you use AuthBasic as the only authentication
method for an Apache::AppSamurai instance!> There are various types of
failures that could result in an erroneous login success. There are also
inherent weaknesses in the HTTP basic auth system.
lib/Apache/AppSamurai/AuthBasic.pm view on Meta::CPAN
If 1, saves the basic authentication header that is sent to the auth server
by AuthBasic and continue to send the same header to the proxied server
after login. This is almost always used when protecting a single basic auth
backend webserver.
B<Cross Server Warning:>
When I<KeepAuth> is enabled, B<all> the backend servers or apps protected
by the specific auth name will receive the authorization header. B<Do not
enable this feature unless you are certain all the servers and applications
being protected by this Apache::AppSapurai instance should be receiving users'
usernames and passwords!>
B<Session Storage Warning:>
By default Apache::AppSamurai uses AES (Rijndael) to encrypt session data before storing it to disk, greatly reducing the risk of keeping
the basic auth header, If you use this feature, please leave the
L<Apache::AppSamurai::Session::Serialize::CryptBase64|Apache::AppSamurai::Session::Serialize::CryptBase64> module configured as the session serialization
module.
=head2 I<PassBackCookies> C<0|1>
(Default: 0)
lib/Apache/AppSamurai/AuthBasic.pm view on Meta::CPAN
(Default: 10)
The number of seconds to wait for the auth server to respond.
=head2 I<PassChars> C<REGEX-CHARS>
(Default: C<< \w\d !\@\#\$\%\^\&\*,\.\?\-_=\+ >>)
This is actually a configuration item included in Apache::AppSamurai::AuthBase.
It is mentioned here because the AuthBasic version overrides the usual
default by removing the C<:> character. (C<:> is used to split the username
and password inside the Base64 encoded authorization header.)
=head2 OTHERS
All other configuration items are inherited from
L<Apache::AppSamurai::AuthBase|Apache::AppSamurai::AuthBase>. Consult
its documentation for more information.
=head1 METHODS
=head2 Configure()
lib/Apache/AppSamurai/AuthBasic.pm view on Meta::CPAN
Checks that C<Basic> is listed as a supported type.
=item *
If C<RequireRealm> is configured, the realm returned by the auth server
is checked against the C<RequireRealm> value.
=item *
A second request is sent, this time with the username and password (credential)
included.
=item *
The return code is checked against C<SuccessCode>
=item *
If C<PassBackCookies> is 1, the cookies set by the auth server are saved
in the alterlist cookie hash with "passback" rules.
=item *
If C<KeepAuth> is 1, the authorization header (containing the username and
password) are saved in the alterlist header hash with an "add" rule.
=item *
If all checks have succeeded, 1 is returned.
=back
=head1 EXAMPLES
See L</SYNOPSIS> for a basic example, or configuration examples in
lib/Apache/AppSamurai/AuthRadius.pm view on Meta::CPAN
# Set the RADIUS key to use
PerlSetVar fredAuthRadiusSecret "ThePasswordJustBetterNotBePASSWORD"
# Set the timeout for the RADIUS connection
PerlSetVar fredAuthRadiusTimeout 5
=head1 DESCRIPTION
This L<Apache::AppSamurai|Apache::AppSamurai> authentication module checks a
username and password against a backend RADIUS service.
This module is one way to access strong authentication systems, like RSA
SecurID. Note that features like "Next Tokencode" are not supported by
this module at this time, so Apache::AppSamurai can not help users
re-synchronize their tokens.
=head1 USAGE
The basic L<Apache::AppSamurai::AuthBase|Apache::AppSamurai::AuthBase>
configuration options are supported. Additional options are described
lib/Apache/AppSamurai/AuthRadius.pm view on Meta::CPAN
=head2 I<Connect> C<SERVER:PORT>
(Default: C<127.0.0.1:1812>)
Set to the IP address or FQDN (fully qualified domain name) of the RADIUS
server, a C<:>, and then the port RADIUS is listening on.
=head2 I<Secret> C<PASSWORD>
(Default: C<defaultisstupid>)
Set the RADIUS secret (password) used for communication between the
Apache::AppSamurai server and the RADIUS server. If possible, use a
unique RADIUS secret for different devices to reduce the risk of
attack from other devices, and the risk of capturing authentication
information in transit.
Oh, and B<don't use I<defaultisstupid> as your RADIUS secret!>
=head2 I<Timeout> C<SECONDS>
(Default: 5)
lib/Apache/AppSamurai/AuthSimple.pm view on Meta::CPAN
=head1 SYNOPSIS
The module is selected and configured inside the Apache configuration.
# Example with an authname of "fred" for use as part of an Apache config.
# Configure as an authentication method (Authen::Simple::Passwd shown)
PerlSetVar fredAuthMethods "AuthSimplePasswd"
# Set auth method options (Authen::Simple::Passwd "path" option shown)
PerlSetVar fredAuthSimplePasswdpath "/var/www/conf/passwordfile"
=head1 DESCRIPTION
This L<Apache::AppSamurai|Apache::AppSamurai> authentication module checks a
username and password using the Authen::Simple auth framework and a supported
Authen::Simple::XXX adaptor module. If this sounds confusing, read on and
examine the examples.
This module opens up authentication access to a wide array of options including
PAM, LDAP, Kerberos, and even SSH.
=head1 USAGE
Basic L<Apache::AppSamurai::AuthBase|Apache::AppSamurai::AuthBase>
configuration options are supported. Additional options are described
lib/Apache/AppSamurai/Util.pm view on Meta::CPAN
# One time I put a VERY stupid bug in this code. End result: It returned
# the SHA256 digest of '' for everything. Stupid. NEVER AGAIN!!!!
# (FYI: Yes, this method is unit tested now, too, but still...)
if ($key =~ /^e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855$/i) {
die "OH MY GOD!!!! That is the SHA256 of nothing, bozo!";
}
return $key;
}
# Hash plaintext password/passphrase
sub HashPass {
my $plain = shift;
# Check for basic decency. (This is checked when configuring. This is just a failsafe.)
($plain =~ /^[[:print:]]+$/s) or die "HashPass(): Invalid characters in plaintext passphrase";
return sha256_hex($plain);
}
# Just hash whatever is passed in, joining as needed
lib/Apache/AppSamurai/Util.pm view on Meta::CPAN
write custom data sanitization into each logging event.
For instance, for a session ID of
"628b49d96dcde97a430dd4f597705899e09a968f793491e4b704cae33a40dc02"
the output would be:
"628b49d96dcde97a430dd4f597705899XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
which would be fairly safe since only half the data would be revealed in the
log. This is still 128 bits of digest, and in most cases would be enough not
to seriously endanger the data.
On the other hand, if you allow long passwords and you log a basic
authentication "Authorization:" header of:
"cm9nZXJ0aGVtYW46VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wZWQgb3ZlciB0aGUgbGF6eSBkb2cu"
the output would be:
"cm9nZXJ0aGVtYW46VGhlIHF1aWNrIGJyb3duIGXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX".
This is not very safe. Here is what decoding produces:
"rogertheman:The quick brown e×]u×]u×]u×]u×]u×]u×]u×]u×]u×"
So, the user's name is "rogertheman". More importantly, we can guess what
the rest of the password is, and we know the length of the password.
Apache::AppSamurai does log the Authorization: header using XHalf when
Debug is enabled. Be very careful when running production servers! Only
use Debug when absolutely needed, monitor the logs for sensitive information
leak, and remove debug log data when possible.
That said, leave Debug set to 0 and do not use XHalf in any modules you
code if you find it too risky.
=head1 SEE ALSO
t/05-util.t view on Meta::CPAN
# These next ones require change/extension if we change from SHA-256
ok(Apache::AppSamurai::Util::CreateSessionAuthKey('TEST') eq '94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2', "CreateSessionAuthKey() - correct non-random session returned");
isnt(Apache::AppSamurai::Util::CreateSessionAuthKey('') eq 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', "CreateSessionAuthKey() - Returned random session (not the evil hash of nothing)");
ok(Apache::AppSamurai::Util::HashPass('JERRY') eq '5f5cc5dd3cf310b664fb5ee4dbe9569b243a00f95907186cb8d12828906d4c14', "HashPass() - Correct hash");
isnt(eval {Apache::AppSamurai::Util::HashPass('') eq 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' }, "HashPass() - Must not accept empty");
# Just using ComputeSessionId for the other session related
$serverkey = Apache::AppSamurai::Util::HashPass('The password is GRAVY');
$authkey = '94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2';
ok(Apache::AppSamurai::Util::ComputeSessionId($authkey,$serverkey) eq '21fccb94da476b7c2a8e4ebfc88526590f14ba37410c5106a9df672fc42626f5', "ComputeSessionId() - Correct session ID computed");
t/12-session-ser-cryptbase64.t view on Meta::CPAN
use Test::More tests => 3;
BEGIN {
use_ok( 'Apache::AppSamurai::Session::Serialize::CryptBase64' );
}
diag( "Testing Apache::AppSamurai::Session::Serialize::CryptBase64 $Apache::AppSamurai::Session::Serialize::CryptBase64::VERSION, Perl $], $^X" );
$user = 'the luser';
$pass = 'my password is password';
$sess = { data => {
user => $user,
pass => $pass
},
args => {
ServerKey => 'e1fccb94da476b7c2a8e4ebfc88526590f14ba37410c5106a9df672fc42626f5',
key => 'e4ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2',
SerializeCipher => &Apache::AppSamurai::Session::Serialize::CryptBase64::find_cipher()
}
t/55-authsimple.t view on Meta::CPAN
use_ok ( 'Apache::AppSamurai::AuthSimple' );
diag( "Testing Apache::AppSamurai::AuthSimple $Apache::AppSamurai::AuthSimple::VERSION, Perl $], $^X" );
my $conf = {SubModule => "Passwd", path=>$testpwf};
my $a;
ok($a = Apache::AppSamurai::AuthSimple->new(%{$conf}), "Create new AuthSimple object");
ok($a->Authenticate("moron", "moron"), "Login with correct username and password suceeded");
ok(!$a->Authenticate("dufus", "notit"), "Login with valid username but wrong password failed");
ok(!$a->Authenticate("noguy", "wha?"), "Login with nonexistent username failed");
}
t/conf/extra.conf.in view on Meta::CPAN
PerlRequire @ServerRoot@/startup.pl
PerlModule Apache::AppSamurai
PerlSetVar WhatEverPath /
PerlSetVar WhatEverLoginScript /docs/login.pl
PerlSetVar WhatEverDebug 3
PerlSetVar WhatEverCookieName CakeNotCookie
PerlSetVar WhatEverSecure 1
# Map Basic auth password into 3 credentials, separated by
# semicolons and reverse mapped for fun!
PerlSetVar WhatEverBasicAuthMap "3,2,1=(.+);([^;]+);([^;]+)"
# Please, don't use these auth modules... they kinda suck.
# (Note that the names hint to the static password for each.
# You know that ain't cool.)
PerlSetVar WhatEverAuthMethods "AuthTestFLUFFY,AuthTestPASSWORD,AuthTest123456"
# Some trackers and tracker system setup
PerlSetVar WhatEverAuthUnique 1
PerlSetVar WhatEverIPFailures "2:10"
PerlSetVar WhatEverTrackerCleanup 30
# Encryption is on by default
PerlSetVar WhatEverSessionServerPass "The Password is PASSWORD"
t/lib/Apache/AppSamurai/AuthPASSWORD.pm view on Meta::CPAN
# Make a backdoor. Yes, in case you didn't read above, let me reiterate:
# DO NOT USE THIS MODULE IN PRODUCTION!!!!
sub Authenticator {
my $self = shift;
my $user = shift;
my $pass = shift;
# This is the sort of hard-hitting security coding I deserve
# an award for....
if (($user) && ($pass =~ /password/i)) {
return 1; # Ok!
}
# DEFAULT DENY #
return 0;
}
1;
__END__
( run in 0.758 second using v1.01-cache-2.11-cpan-49f99fa48dc )