Apache-AuthenSecurID
view release on metacpan or search on metacpan
RCS/AuthenSecurID.pm,v view on Meta::CPAN
head 1.6;
access;
symbols;
locks;
comment @# @;
1.6
date 2002.07.31.16.43.44; author Administrator; state Exp;
branches;
next 1.5;
1.5
date 2002.07.30.20.15.39; author Administrator; state Exp;
branches;
next 1.4;
1.4
date 2001.06.22.19.08.36; author root; state Exp;
branches;
next 1.3;
1.3
date 2001.06.21.14.50.24; author root; state Exp;
branches;
next 1.2;
1.2
date 2001.06.19.19.05.42; author root; state Exp;
branches;
next 1.1;
1.1
date 2001.06.15.18.45.42; author root; state Exp;
branches;
next ;
desc
@Created
@
1.6
log
@*** empty log message ***
@
text
@# $Id: AuthenSecurID.pm,v 1.5 2002/07/30 20:15:39 Administrator Exp $
package Apache::AuthenSecurID;
use strict;
use Apache ();
use Apache::Registry;
use Apache::Log;
use Apache::Constants qw(OK AUTH_REQUIRED DECLINED REDIRECT SERVER_ERROR);
use Apache::Cookie;
use Crypt::CBC;
use CGI::Carp;
use vars qw($VERSION);
$VERSION = '0.4';
sub handler {
my $r = shift;
# get configuration directives
my $auth_cookie = $r->dir_config("AuthCookie") || "SecurID";
my $auth_user_cookie = $r->dir_config("AuthUserCookie")||"SecurID_User";
my $crypt_key = $r->dir_config("AuthCryptKey") || "my secret";
my $cookie_timeout = $r->dir_config("AuthCookieTimeOut") || 30;
my $cookie_path = $r->dir_config("AuthCookiePath") || "/";
my $auth_handler = $r->dir_config("Auth_Handler") || "/ace_init";
# get cookies
my ( $session_key ) = ( ($r->header_in("Cookie") || "") =~
/${auth_cookie}=([^;]+)/);
my ( $session_user ) = ( ($r->header_in("Cookie") || "") =~
/${auth_user_cookie}=([^;]+)/);
my $username;
my $session_time;
# decrypt cookie
my $cipher = new Crypt::CBC($crypt_key,"Blowfish") || warn ( $! );
if ( $session_key ) {
my $plaintext_cookie = $cipher->decrypt_hex($session_key);
( $session_time, $username ) = split /\:/, $plaintext_cookie;
}
my $time = time();
my $timeout = $time - 60 * $cookie_timeout;
my $uri = $r->uri;
# check cookie
if ( $session_key && $username eq $session_user &&
$timeout <= $session_time ) {
$r->no_cache(1);
$r->err_headers_out->add("Pragma" => "no-cache" );
#reset timestamp
my $crypt_cookie = $cipher->encrypt_hex ("$time:$username");
$r->err_headers_out->add("Set-Cookie" => $auth_cookie . "=" .
$crypt_cookie . "; path=" . $cookie_path );
return OK;
} else {
# redirect to authentication handler
my $uri = $cipher->encrypt_hex ( $uri );
$r->no_cache(1);
$r->err_header_out("Pragma" => "no-cache");
$r->header_out("Location" => "$auth_handler?a=" . $uri );
return REDIRECT;
}
}
1;
__END__
=head1 NAME
Apache::AuthenSecurID - Authentication via a SecurID server
=head1 SYNOPSIS
# Configuration in httpd.conf or access.conf
PerlModule Apache::AuthenSecurID
<Location /secure/directory>
AuthName SecurID
AuthType Basic
PerlAuthenHandler Apache::AuthenSecurID
PerlSetVar AuthCryptKey Encryption_Key
PerlSetVar AuthCookie Name_of_Authentication_Cookie
PerlSetVar AuthUserCookie Name_of_Username_Authentication_Cookie
PerlSetVar AuthCookiePath /path/of/authentication/cookie
PerlSetVar AuthCookieTimeOut 30
PerlSetVar Auth_Handler /path/of/authentication/handler
require valid-user
</Location>
=head1 DESCRIPTION
This module allows authentication against a SecurID server. It
detects whether a user has a valid encrypted cookie containing their
username and last activity time stamp. If the cookie is valid the module
will change the activity timestamp to the present time, encrypt and send the
cookie. If the cookie is not valid the module will redirect to the
authentication handler to prompt for username and passcode.
=head1 LIST OF TOKENS
=item *
AuthCryptKey
The Blowfish key used to encrypt and decrypt the authentication cookie.
It defaults to F<my secret> if this variable is not set.
=item *
AuthCookie
The name of the of cookie to be set for the authentication token.
It defaults to F<SecurID> if this variable is not set.
=item *
AuthUserCookie
The name of the of cookie that contains the value of the persons username
in plain text. This is checked against the contents of the encrypted cookie
to verify user. The cookie is set of other applications can identify
authorized users. It defaults to F<SecurID_User> if this variable is not set.
=item *
AuthCookiePath
The path of the of cookie to be set for the authentication token.
It defaults to F</> if this variable is not set.
=item *
AuthCookieTimeOut
The time in minute a cookie is valid for. It is not recommended to set
below 5. It defaults to F<30> if this variable is not set.
=item *
Auth_Handler
The path of authentication handler. This is the URL which request with
invalid cookie are redirected to. The handler will prompt for username
and passcode. It does the actual authentication and sets the initial
cookie. This mechanism is used instead of get_basic_auth_pw because
get_basic_auth_pw will do multiple authentication attempt on pages that
contain frames. The ACE server will deny simultaneous authentication
attempts since it considers this a type of attack. It defaults to
F</ace_init> if this variable is not set. Please see
Apache::AuthenSecurID::Auth to properly configure this functionality.
=head1 CONFIGURATION
The module should be loaded upon startup of the Apache daemon.
Add the following line to your httpd.conf:
PerlModule Apache::AuthenSecurID
=head1 PREREQUISITES
For AuthenSecurID you need to enable the appropriate call-back hook
when making mod_perl:
perl Makefile.PL PERL_AUTHEN=1
AuthenSecurID requires Crypt::Blowfish and Crypt::CBC.
=head1 SEE ALSO
L<Apache>, L<mod_perl>, L<Authen::ACE> L<Apache::AuthenSecurID::Auth>
=head1 AUTHORS
=item *
mod_perl by Doug MacEachern <dougm@@osf.org>
=item *
Authen::ACE by Dave Carrigan <Dave.Carrigan@@iplenergy.com>
=item *
Apache::AuthenSecurID by David Berk <dberk@@lump.org>
=head1 COPYRIGHT
The Apache::AuthenSecurID module is free software; you can redistribute
it and/or modify it under the same terms as Perl itself.
=cut
@
1.5
log
@*** empty log message ***
@
text
@d1 1
a1 1
# $Id: AuthenSecurID.pm,v 1.4 2001/06/22 19:08:36 root Exp $
d85 2
@
1.4
log
@documentation
@
text
@d1 1
a1 1
# $Id: AuthenSecurID.pm,v 1.3 2001/06/21 14:50:24 root Exp root $
d96 1
a96 1
PerlSetVar AuthCookieHandler /path/of/authentication/handler
d146 1
a146 1
AuthCookieHandler
@
1.3
log
@many fixes
@
text
@d1 1
a1 1
# $Id: AuthenSecurID.pm,v 1.2 2001/06/19 19:05:42 root Exp root $
a18 7
# Continue only if the first request.
#return OK unless $r->is_initial_req;
#my $reqs_arr = $r->requires;
#return OK unless $reqs_arr;
#my $log = $r->log;
a19 1
# Grab the password, or return if HTTP_UNAUTHORIZED
d21 1
d28 1
d32 1
d46 1
a46 1
( $username, $session_time ) = split /\:/, $plaintext_cookie;
a48 1
# check cookie
d53 1
d57 3
a59 2
$r->err_header_out( "Pragma" => "no-cache" );
my $crypt_cookie = $cipher->encrypt_hex ( "$username:$time" );
d61 1
a61 1
$crypt_cookie . "; path=" . "/");
d64 1
d83 1
a83 5
# Configuration in httpd.conf
PerlModule Apache::AuthenSecurID
# Authentication in .htaccess
d85 1
a88 1
# authenticate via SecurID
d91 1
a91 1
PerlSetVar Auth_SecurID_VAR_ACE /ace/config/directory
d93 1
d95 2
d99 1
d103 6
a108 3
This module allows authentication against a SecurID server. If
authentication is successful it sets a cookie with a MD5 hash
token. The token expires at midnight local time.
d112 1
RCS/AuthenSecurID.pm,v view on Meta::CPAN
d136 1
a136 1
The path of the of cookie to be set for the authenticaion token.
d139 19
d172 2
d176 1
a176 1
L<Apache>, L<mod_perl>, L<Authen::SecurID>
d195 1
@
1.2
log
@*** empty log message ***
@
text
@d1 1
a1 1
# $Id: AuthenSecurID.pm,v 1.1 2001/01/18 20:50:27 root Exp $
d10 1
d21 1
a21 1
return OK unless $r->is_initial_req;
d23 3
a25 3
my $reqs_arr = $r->requires;
return OK unless $reqs_arr;
my $log = $r->log;
d30 1
d40 2
a42 1
# Get the user name.
d56 2
d59 7
a65 1
if ( $session_key && $username eq "hello" ) {
a67 1
my $uri = $r->uri;
d69 2
@
1.1
log
@Initial revision
@
text
@a9 1
use Authen::ACE;
d14 1
a14 1
$VERSION = '0.3';
a26 3
my($res,$pass) = $r->get_basic_auth_pw;
$r->log_reason("$res $pass", $r->uri);
$log->debug("$res $pass");
a27 3
return $res if $res != OK;
# Handle Cookie
a28 4
$log->debug("$auth_cookie");
my $cookie_path = $r->dir_config("AuthCookiePath") || "/";
$log->debug("$cookie_path");
a30 1
$log->debug("$crypt_key");
d33 2
a34 1
$log->debug("$cookie_timeout");
a39 1
my $user = $r->connection->user;
d54 1
a54 11
if ( $session_key
&& $user eq $username
&& ($session_time+($cookie_timeout * 60) >= $time) ) {
# OK set cookie
# my $auth_cookie = $cipher->encrypt_hex ( "$user:$time" );
# $r->err_header_out("Set-Cookie" => $auth_cookie . "=" .
# $auth_cookie . "; path=" . $cookie_path);
# $r->no_cache(1);
# $r->err_header_out("Pragma", "no-cache");
# $r->header_out("Location" => $r->uri);
a55 51
}
# SecurID Config Directory
my $VAR_ACE = $r->dir_config("Auth_SecurID_VAR_ACE") || "/var/ace";
# Sanity for usernames
if (length $user > 64 or $user =~ /[^A-Za-z0-9]/) {
$r->log_reason("Apache::AuthenSecurID username too long or"
."contains illegal characters", $r->uri);
$r->note_basic_auth_failure;
return AUTH_REQUIRED;
}
if ( ! $pass ) {
$r->log_reason("Apache::AuthenSecurID passcode empty",$r->uri);
$r->note_basic_auth_failure;
return AUTH_REQUIRED;
}
if (length $pass > 256) {
$r->log_reason("Apache::AuthenSecurID password too long",$r->uri);
$r->note_basic_auth_failure;
return AUTH_REQUIRED;
}
# Create the SecurID connection.
my $ace = Authen::ACE->new(
config => $VAR_ACE
) || warn ( $! );
# Error if we can't connect.
if (!defined $ace) {
$r->log_reason("Apache::AuthenSecurID failed to"
."init",$r->uri);
return SERVER_ERROR;
}
# Do the actual check.
my ( $result, $info ) = $ace->Check ( $pass, $user );
if ($result == ACM_OK) {
$r->log_reason("Apache::AuthenSecurID succeed auth user"
. "$user" ,$r->uri);
my $auth_cookie = $cipher->encrypt_hex ( "$user:$time" );
$r->err_header_out("Set-Cookie" => $auth_cookie . "=" .
$auth_cookie . "; path=" . $cookie_path);
$r->no_cache(1);
$r->err_header_out("Pragma", "no-cache");
$r->header_out("Location" => $r->uri);
return OK;
#return REDIRECT;
d57 4
a60 4
$r->log_reason("Apache::AuthenSecurID failed for user $user $res $VAR_ACE",
$r->uri);
$r->note_basic_auth_failure;
return AUTH_REQUIRED;
@
( run in 2.362 seconds using v1.01-cache-2.11-cpan-39bf76dae61 )