Apache-AuthTicket


Changes

    eliminate need for _get_max_secret_version() - consolidated into
        fetch_secret()
    changed make_ticket() no longer takes $r parameter - use object attr
        instead
    added secret_version() to fetch current max secret version
    abstracted new ticket field generation into new_ticket_for()

Release 0.90
    changed LICENSE information in README: removed "same terms as perl" to be
        more explicit.
    moved password check routines out into Util::compare_password()
    removed last of the hard coded SQL in Apache2::AuthTicket
    removed cruft in Apache2::AuthTicket left over from MP1 migration
    changed $this => $self
    added tests for tampered cookie, CheckIP=0, CheckBrowser=1
    changed config parsing so that boolean values can be specified as any of:
        TRUE : 1, yes, on, true
        FALSE: 0, no, off, false
    added Apache::AuthTicket::Util and moved some internals into it
    added configuration parameter TicketCheckBrowser which enables checking of
        the client User-Agent string.

Changes (continued)

   o update to use new Apache::Filter API (you need at least 1.012 now)
   o Create Apache2::AuthTicket from copy of Apache::AuthTicket and ported to
     mod_perl 2.0 API.  This is the first release that supports mod_perl2
   o MP2 - use SQL::Abstract to generate queries

Release 0.31
   o Removed an email address from Changes file via owners request.

Release 0.30
   o Changed calls from Digest::MD5->md5_hex to just Digest::MD5::md5_hex().
     This caused md5 passwords generated with other md5() routines (PHP, for
     example) to fail.  Thanks to Steve Chadsey for spotting this.

     ** NOTE ** MD5 passwords that worked with previous versions will not work
     with this version due to the fact that md5_hex() was used incorrectly.  
     Upgrading from previous versions will also invalidate any current tickets
     because the ticket generation routines also were using md5_hex
     incorrectly.

Release 0.20
   o Renamed module from Apache::TicketAccess to Apache::AuthTicket after
     discovering that Apache::TicketAccess is distributed with the mod_perl
     book examples.
   o Adapted module to Apache::AuthCookie v2.011.  This module now
     subclasses Apache::AuthCookie and relies on AuthCookie for all of the 
     cookie login logic.  This was basically a complete rewrite.
   o Split up query to fetch the server secret so that the LIMIT clause is
     not needed (for Sybase ASE backends, thanks to Eivind Trondsen)
   o Made DBI commit() only be called if AutoCommit is off. 
     (silences a warn() for MySQL)
   o Added support for md5 style passwords.
   o Added support for crypt() style passwords.
   o Added way to retrieve reason for login using
     $r->subprocess_env("AuthTicketReason").
   o Added support for Idle Timeout logouts via TicketIdleTimeout
     configuration.
   o Added "sample" directory with sql examples for setting up pgsql and mysql
     backends, as well as httpd.conf samples.
   o Removed libapreq dependency (AuthCookie does this stuff now)

Release 0.10
   o Initial public release: Apache::TicketAccess 0.10

lib/Apache/AuthTicket.pm

module.

example: dbi:Pg:dbname=test

=item B<TicketDBUser>

This directive specifies the username to use when connecting to the database.

=item B<TicketDBPassword>

This directive specifies the password to use when connecting to the database.

=item B<TicketTable>

This directive specifies the ticket hash table as well as the column names for
the hash and its timestamp.

Format: table_name:ticket_column_name:timestamp_column

Example: tickets:ticket_hash:ts

=item B<TicketUserTable>

This directive specifies the users table and the username and password column
names.

Format: table_name:username_column:password_column

Example: users:username:passwd

=item B<TicketPasswordStyle>

This directive specifies what type of passwords are stored in the database.  The
default is to use I<cleartext> passwords.  Currently supported password styles
are:

=over 3

=item I<cleartext>

This password style is just plain text passwords.  When using this password
style, the supplied user password is simply compared with the password stored
in the database, so the database holds every user's password in the clear.

=item I<md5>

This password style generates an MD5 hex hash of the supplied password before
comparing it against the password stored in the database.  Passwords should be
stored in the database by passing them through Digest::MD5::md5_hex().  Note
that this is an unsalted hash of the password alone: two users with the same
password get the same stored value.

=item I<crypt>

This password style uses traditional crypt() to hash the supplied password,
using the stored value as the salt, before comparing the result to the password
saved in the database.

=back

=item B<TicketSecretTable>

This directive specifies the server secret table as well as the names of the
secret data column and the version column.

Format: table_name:data_column:version_column

lib/Apache/AuthTicket.pm

=back

=head2 Database Configuration

Three database tables are needed for this module:

=over 3

=item B<users table>

This table stores the actual usernames and passwords of the users.  This table
needs to contain at least a username and password column.  This table is
configured by the I<TicketUserTable> directive.

 example:

 CREATE TABLE users (
     username VARCHAR(32) NOT NULL,
     passwd  VARCHAR(32) NOT NULL
 );

=item B<tickets table>

lib/Apache/AuthTicket.pm

Feel free to examine the source code for other methods that you might choose to
overload.

=over 3

=item void make_login_screen($r, String action, String destination)

This method creates the "login" screen that is shown to the user.  You can
overload this method to create your own login screen.  The login screen only
needs to contain a hidden field called "destination" with the contents of
I<destination> in it, a text field named I<credential_0> and a password field
named I<credential_1>.  You are responsible for sending the HTTP header as well
as the content.  See I<Apache::AuthCookie> for the description of what each of
these fields is for.

I<action> contains the action URL for the form.  You must set the action of
your form to this value for it to function correctly.

I<Apache::AuthTicket> also provides a mechanism to determine why the login form
is being displayed.  This can be used in conjunction with
I<Apache::AuthCookie>'s "AuthCookieReason" setting to determine why the user is

lib/Apache/AuthTicket/Base.pm

    $r->print(
        qq{<form method="post" action="$action">},
        qq{<input type="hidden" name="destination" value="$destination">},
        q{<table>},
        q{<tr>},
        q{<td>Name</td>},
        q{<td><input type="text" name="credential_0"></td>},
        q{</tr>},
        q{<tr>},
        q{<td>Password</td>},
        q{<td><input type="password" name="credential_1"></td>},
        q{</tr>},
        q{</table>},
        q{<input type="submit" value="Log In">},
        q{<p>},
        q{</form>},
        q{<EM>Note: </EM>},
        q{Set your browser to accept cookies in order for login to succeed.},
        q{You will be asked to log in again after some period of time.},
        q{</body></html>}
    );
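
The following is an added example of overriding make_login_screen() in a subclass, as the make_login_screen documentation above describes; it is not code from Apache::AuthTicket or Apache2::AuthTicket. The subclass name My::AuthTicket is hypothetical. It emits the three fields AuthCookie expects, HTML-escapes the action, destination and reason values before interpolating them into markup (a defensive habit; whether those values can ever carry markup is not shown on this page), and marks the page uncacheable. It only runs under mod_perl 2 with Apache2::AuthTicket installed.

```perl
package My::AuthTicket;   # hypothetical subclass name
# Added example, not code from Apache2::AuthTicket: a custom login screen
# with escaped output and no-store caching.
use strict;
use warnings;
use parent 'Apache2::AuthTicket';

# Minimal HTML escaping for text and attribute values (no extra modules).
sub html_escape {
    my $s = shift;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Same signature as documented: ($r, action, destination).  The return value
# is not used; the caller sends the response status.
sub make_login_screen {
    my ($self, $r, $action, $destination) = @_;

    # Both values originate from the request, so escape them before they go
    # into attribute values.
    my $esc_action = html_escape($action);
    my $esc_dest   = html_escape($destination);

    # Optional reason for the prompt, as set via
    # $r->subprocess_env("AuthTicketReason") (see the 0.20 changelog entry).
    my $reason = html_escape($r->subprocess_env('AuthTicketReason'));

    # A login page must not be served from any cache.
    $r->headers_out->set('Cache-Control' => 'no-store');
    $r->content_type('text/html; charset=utf-8');

    $r->print(
        qq{<!DOCTYPE html><html><body>},
        ($reason ne '' ? qq{<p>Login required: $reason</p>} : ''),
        qq{<form method="post" action="$esc_action">},
        qq{<input type="hidden" name="destination" value="$esc_dest">},
        qq{<p><label>Name <input type="text" name="credential_0" },
        qq{autocomplete="username"></label></p>},
        qq{<p><label>Password <input type="password" name="credential_1" },
        qq{autocomplete="current-password"></label></p>},
        qq{<input type="submit" value="Log In">},
        qq{</form>},
        qq{<p><em>Note:</em> your browser must accept cookies for login to succeed.</p>},
        qq{</body></html>},
    );

    return;
}

1;
```

Point the AuthCookie configuration at My::AuthTicket instead of Apache2::AuthTicket and the rest of the ticket handling is inherited unchanged.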

lib/Apache/AuthTicket/Base.pm

        $self->get_config($_)
    } qw/TicketDB TicketDBUser TicketDBPassword/;

    my $dbh = DBI->connect_cached($db, $user, $pass)
        or die "DBI Connect failure: ", DBI->errstr, "\n";

    return $dbh;
}

sub check_credentials {
    my ($self, $user, $password) = @_;

    my ($table, $user_field, $pass_field) = $self->user_table;

    my ($stmt, @bind) =
        $self->sql->select($table, $pass_field, {$user_field => $user});

    my ($db_pass) = eval {
        $self->dbh->selectrow_array($stmt, undef, @bind);
    };
    if ($@) {

lib/Apache/AuthTicket/Base.pm

        return 0;
    }

    unless (defined $db_pass) {
        # user not in database
        return 0;
    }

    my $style = $self->get_config('TicketPasswordStyle');

    if ($self->compare_password($style, $password, $db_pass)) {
        return 1;
    }
    else {
        return 0;
    }
}

sub fetch_secret {
    my ($self, $version) = @_;

lib/Apache/AuthTicket/Base.pm

}

sub user_agent {
    my $self = shift;

    return $ENV{HTTP_USER_AGENT}
        || $self->request->headers_in->get('User-Agent')
        || '';
}

sub compare_password {
    my ($self, $style, $check, $expected) = @_;

    if ($style eq 'crypt') {
        return crypt($check, $expected) eq $expected;
    }
    elsif ($style eq 'cleartext') {
        return $check eq $expected;
    }
    elsif ($style eq 'md5') {
        return Digest::MD5::md5_hex($check) eq $expected;
    }
    else {
        die "unrecognized password style '$style'";
    }

    return 0;
}

sub str_config_value {
    my $self = shift;

    for my $value (@_) {
        next unless defined $value;

lib/Apache/AuthTicket/Base.pm

Get the database handle

=head2 dbi_connect

 my $dbh = $self->dbi_connect

Returns a new connection to the database

=head2 check_credentials

 my $ok = $self->check_credentials($username, $password)

Return C<true> if the credentials are valid

=head2 fetch_secret

 my ($value, $version) = $self->fetch_secret;
 my ($value) = $self->fetch_secret($version)

Return the secret and the version of the secret.  If the C<version> argument is
present, return that specific version of the secret instead of the most recent

lib/Apache/AuthTicket/Base.pm

 my $hash = $self->hash_for(@values)

Compute a hash for the given values

=head2 user_agent

 my $agent = $self->user_agent

Get the request client's user agent string

=head2 compare_password

 my $ok = $self->compare_password($style, $entered, $actual)

Check a password and return C<true> if C<entered> matches C<actual>.  C<style>
specifies what type of password is in C<actual>, and is one of the following:

=over 4

=item *

crypt

standard UNIX C<crypt()> value

=item *

cleartext

plain text password

=item *

md5

MD5 hash of password

=back
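
The script below is an added example, not code from Apache::AuthTicket, covering the TicketPasswordStyle directive (documented in both Apache::AuthTicket and Apache2::AuthTicket), the compare_password method above, and the Release 0.30 changelog note about Digest::MD5->md5_hex. It reproduces compare_password's decision logic as a plain function, shows what value each style expects in the password column, demonstrates the 8-character limit of traditional DES crypt(), and shows why a class-method call to md5_hex never matches an md5() computed elsewhere. The password and salt are constructed sample values.

```perl
#!/usr/bin/env perl
# Added example, not code from Apache::AuthTicket: produce the stored value
# for each TicketPasswordStyle, check it with compare_password's logic, and
# show the Digest::MD5->md5_hex pitfall from the 0.30 changelog entry.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

sub yn { $_[0] ? 'yes' : 'no' }

# Same decision logic as Apache::AuthTicket::Base::compare_password.
sub compare_password {
    my ($style, $check, $expected) = @_;
    return crypt($check, $expected) eq $expected if $style eq 'crypt';
    return $check eq $expected                   if $style eq 'cleartext';
    return md5_hex($check) eq $expected          if $style eq 'md5';
    die "unrecognized password style '$style'";
}

# What belongs in the password column for each style.  crypt() output
# carries its own salt, which is why compare_password can hand the stored
# value back to crypt() as the salt.  md5 has no salt at all: every user
# with the same password gets the same stored value.
sub stored_value {
    my ($style, $password, $salt) = @_;
    return $password               if $style eq 'cleartext';
    return md5_hex($password)      if $style eq 'md5';
    return crypt($password, $salt) if $style eq 'crypt';
    die "unrecognized password style '$style'";
}

my $pw = 'correct horse battery';   # constructed sample password

for my $style (qw(cleartext md5 crypt)) {
    my $stored = stored_value($style, $pw, 'ab');   # 'ab': traditional DES salt
    printf "%-9s stored=%s  right=%s  wrong=%s\n", $style, $stored,
        yn(compare_password($style, $pw, $stored)),
        yn(compare_password($style, 'wrong', $stored));
}

# A two-character salt selects traditional DES crypt, which only looks at
# the first 8 characters of the password.  Salts such as '$6$...' select
# stronger schemes on systems that support them; the comparison above works
# unchanged because the scheme is encoded in the stored value.
my $des = crypt($pw, 'ab');
if (defined $des && $des !~ /^\*/) {
    print "DES accepts 'correct ' for '$pw': ",
        yn(compare_password('crypt', 'correct ', $des)), "\n";
} else {
    print "traditional DES crypt is not available on this system\n";
}

# The 0.30 changelog note: called as a class method, md5_hex receives the
# class name as its first argument, and Digest::MD5 concatenates all of its
# arguments, so the result is md5_hex("Digest::MD5" . $pw) and never matches
# an md5() computed elsewhere (PHP, for example).
print "class-method call: ", Digest::MD5->md5_hex($pw), "\n";
print "function call    : ", md5_hex($pw), "\n";
print "same as          : ", md5_hex('Digest::MD5' . $pw), "\n";
```

Run it with plain perl; the last two lines print the same digest, and the first differs, which is exactly the mismatch that invalidated existing md5 passwords and tickets when 0.30 corrected the call.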

=head2 str_config_value

 my $val = $self->str_config_value($name)

Get a configuration value.  This converts things like yes,on,true to C<1>, and
no,off,false to C<0>.  Multiple C<name> values may be given and the first
defined value will be returned.  If no config value is defined matching any of
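
The script below is an added example, not code from Apache::AuthTicket, of the boolean directive handling described for str_config_value and in the Release 0.90 changelog (TRUE: 1, yes, on, true; FALSE: 0, no, off, false). It accepts those spellings regardless of case and surrounding whitespace, picks the first defined value among several directive names, and refuses any other spelling rather than treating it as 0; how the module itself handles an unrecognized spelling is not shown on this page, so failing closed is this example's choice. The configuration hash is constructed sample input.

```perl
#!/usr/bin/env perl
# Added example, not code from Apache::AuthTicket: normalize boolean
# directive values and refuse anything outside the documented spellings.
use strict;
use warnings;

my %TRUE  = map { $_ => 1 } qw(1 yes on true);
my %FALSE = map { $_ => 1 } qw(0 no off false);

# First defined value among several names wins, as str_config_value does.
sub first_defined {
    my ($conf, @names) = @_;
    for my $name (@names) {
        return $conf->{$name} if defined $conf->{$name};
    }
    return;
}

# Case and surrounding whitespace are ignored.  An unrecognized spelling
# dies: a mistyped "TicketCheckBrowser ture" must not silently turn the
# User-Agent check off.  A missing value falls back to $default.
sub bool_value {
    my ($name, $raw, $default) = @_;
    return $default unless defined $raw;
    (my $v = lc $raw) =~ s/^\s+|\s+$//g;
    return 1 if $TRUE{$v};
    return 0 if $FALSE{$v};
    die "$name: '$raw' is not a boolean (1/yes/on/true or 0/no/off/false)\n";
}

# Constructed sample configuration, as the server config would supply it.
my %conf = (
    TicketCheckIP      => 'No',
    TicketCheckBrowser => ' On ',
);

for my $name (qw(TicketCheckIP TicketCheckBrowser)) {
    print "$name => ", bool_value($name, first_defined(\%conf, $name), 0), "\n";
}

# Falls through to the default when no listed name is set.
print "absent => ", bool_value('TicketExampleFlag',    # hypothetical name
    first_defined(\%conf, 'TicketExampleFlag'), 0), "\n";

# A typo is rejected instead of becoming an implicit 0.
eval { bool_value('TicketCheckBrowser', 'ture', 0) };
print "rejected: $@" if $@;
```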

lib/Apache2/AuthTicket.pm

module.

example: dbi:Pg:dbname=test

=item B<TicketDBUser>

This directive specifies the username to use when connecting to the database.

=item B<TicketDBPassword>

This directive specifies the password to use when connecting to the database.

=item B<TicketTable>

This directive specifies the ticket hash table as well as the column names for
the hash and its timestamp.

Format: table_name:ticket_column_name:timestamp_column

Example: tickets:ticket_hash:ts

=item B<TicketUserTable>

This directive specifies the users table and the username and password column
names.

Format: table_name:username_column:password_column

Example: users:username:passwd

=item B<TicketPasswordStyle>

This directive specifies what type of passwords are stored in the database.  The
default is to use I<cleartext> passwords.  Currently supported password styles
are:

=over 3

=item I<cleartext>

This password style is just plain text passwords.  When using this password
style, the supplied user password is simply compared with the password stored
in the database, so the database holds every user's password in the clear.

=item I<md5>

This password style generates an MD5 hex hash of the supplied password before
comparing it against the password stored in the database.  Passwords should be
stored in the database by passing them through Digest::MD5::md5_hex().  Note
that this is an unsalted hash of the password alone: two users with the same
password get the same stored value.

=item I<crypt>

This password style uses traditional crypt() to hash the supplied password,
using the stored value as the salt, before comparing the result to the password
saved in the database.

=back

=item B<TicketSecretTable>

This directive specifies the server secret table as well as the names of the
secret data column and the version column.

Format: table_name:data_column:version_column

lib/Apache2/AuthTicket.pm

=back

=head2 Database Configuration

Three database tables are needed for this module:

=over 3

=item B<users table>

This table stores the actual usernames and passwords of the users.  This table
needs to contain at least a username and password column.  This table is
configured by the I<TicketUserTable> directive.

 example:

 CREATE TABLE users (
     username VARCHAR(32) NOT NULL,
     passwd  VARCHAR(32) NOT NULL
 );

=item B<tickets table>

lib/Apache2/AuthTicket.pm

Feel free to examine the source code for other methods that you might choose to
overload.

=over 3

=item void make_login_screen($r, String action, String destination)

This method creates the "login" screen that is shown to the user.  You can
overload this method to create your own login screen.  The login screen only
needs to contain a hidden field called "destination" with the contents of
I<destination> in it, a text field named I<credential_0> and a password field
named I<credential_1>.  You are responsible for sending the HTTP header as well
as the content.  See I<Apache2::AuthCookie> for the description of what each of
these fields is for.

I<action> contains the action URL for the form.  You must set the action of
your form to this value for it to function correctly.

I<Apache2::AuthTicket> also provides a mechanism to determine why the login form
is being displayed.  This can be used in conjunction with
I<Apache2::AuthCookie>'s "AuthCookieReason" setting to determine why the user is


