CGI-Application-Plugin-Authentication

    This method is a CGI::Application prerun callback that will be
    automatically registered for you if you are using CGI::Application 4.0
    or greater. If you are using an older version of CGI::Application you
    will have to create your own cgiapp_prerun method and make sure you call
    this method from there.

     sub cgiapp_prerun {
         my $self = shift;

         # Hand control to the plugin so that protected runmodes are
         # enforced before the requested runmode is executed.
         $self->CGI::Application::Plugin::Authentication::prerun_callback();
     }

CGI::Application RUNMODES
  authen_login_runmode
    This runmode is provided if you do not want to create your own login
    runmode. It will display a simple login form for the user, which can be
    replaced by assigning RENDER_LOGIN a coderef that returns the HTML.

  authen_dummy_redirect
    This runmode is provided for convenience when an external redirect needs
    to be done. It just returns an empty string.

EXAMPLE
    In a CGI::Application module:

      use base qw(CGI::Application);
      use CGI::Application::Plugin::AutoRunmode;
      use CGI::Application::Plugin::Session;
      use CGI::Application::Plugin::Authentication;

      __PACKAGE__->authen->config(
            DRIVER         => [ 'Generic', { user1 => '123' } ],
            STORE          => 'Session',
            LOGOUT_RUNMODE => 'start',
      );
      __PACKAGE__->authen->protected_runmodes(qr/^auth_/, 'one');

      sub start : RunMode {
        my $self = shift;

      }

      sub one : RunMode {
        my $self = shift;

        # The user will only get here if they are logged in
      }

      sub auth_two : RunMode {
        my $self = shift;

        # This is also protected because of the
        # regexp call to protected_runmodes above
      }

COMPATIBILITY WITH CGI::Application::Plugin::ActionDispatch
    The prerun callback has been modified so that it will check for the
    presence of a prerun mode. This is for compatibility with
    CGI::Application::Plugin::ActionDispatch. This change should be
    considered experimental. It is necessary to load the ActionDispatch
    module so that the two prerun callbacks will be called in the correct
    order.

RECOMMENDED USAGE
    CSS
        The best practice nowadays is generally considered to be not to
        have CSS embedded in HTML. Thus it is best to set LOGIN_FORM ->
        DISPLAY_CLASS to 'Basic'.

    Post login destination
        Of the various means of selecting a post login destination the most
        secure would seem to be POST_LOGIN_URL. The "destination" parameter
        could potentially be hijacked by hackers. The POST_LOGIN_RUNMODE
        parameter requires a hidden parameter that could potentially be
        hijacked.

    Taint mode
        Do run your code under taint mode. It should help protect your
        application against a number of attacks.

    URL and username checking
        Please set the "DETAINT_URL_REGEXP" and "DETAINT_USERNAME_REGEXP"
        parameters as tightly as possible. In particular you should prevent
        the destination parameter being used to redirect authenticated users
        to external sites; unless of course that is what you want in which
        case that site should be the only possible external site.

    The login form
        The HTML currently generated does not seem to be standards compliant
        as per RT bug 58023. Also the default login form includes hidden
        forms which could conceivably be hijacked. Set LOGIN_FORM ->
        DISPLAY_CLASS to 'Basic' to fix this.
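    The recommendations above gathered into one authen->config call, as an
    added example that is not part of the original README. It assumes the
    documented forms of the options named above (a fixed POST_LOGIN_URL, the
    DETAINT_*_REGEXP values given as regexp strings whose first capture is
    kept, and LOGIN_FORM as a hashref holding DISPLAY_CLASS); the package
    name, paths, runmode names and the Generic driver credentials are
    placeholders.

```perl
package MyApp;
use strict;
use warnings;
use base qw(CGI::Application);
use CGI::Application::Plugin::AutoRunmode;
use CGI::Application::Plugin::Session;
use CGI::Application::Plugin::Authentication;

# Added example: hardened configuration following RECOMMENDED USAGE.
# The Generic driver and its credential are placeholders only.
__PACKAGE__->authen->config(
    DRIVER         => [ 'Generic', { user1 => 'CHANGE_ME' } ],
    STORE          => 'Session',
    LOGOUT_RUNMODE => 'start',

    # Fixed post-login destination: the "destination" query parameter and
    # the hidden POST_LOGIN_RUNMODE field are no longer consulted, so there
    # is nothing for a tampered request to redirect the user with.
    POST_LOGIN_URL => '/app/home',

    # Where a URL is still detainted, accept only a same-site relative path.
    # The leading "/" must not be followed by a second "/", which rules out
    # protocol-relative URLs (//other.example/) that would send an
    # authenticated user off-site.
    DETAINT_URL_REGEXP => '^(\/(?!\/)[\w\-\.\/\?\=\&]*)$',

    # Usernames: word characters only, bounded length.
    DETAINT_USERNAME_REGEXP => '^(\w{1,32})$',

    # Plain login form: no embedded CSS and no extra hidden fields.
    LOGIN_FORM => { DISPLAY_CLASS => 'Basic' },
);
__PACKAGE__->authen->protected_runmodes(qr/^auth_/, 'home');

sub start : RunMode {
    my $self = shift;
    # Unprotected entry point; the plugin shows the login form when a
    # protected runmode is requested without a valid session.
}

sub home : RunMode {
    my $self = shift;
    # Reached only after a successful login, via POST_LOGIN_URL.
}

1;
```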

TODO
    There are lots of things that can still be done to improve this plugin.
    If anyone else is interested in helping out feel free to dig right in.
    Many of these things don't need my input, but if you want to avoid
    duplicated effort, send me a note, and I'll let you know if anyone else
    is working in the same area.

    review the code for security bugs and report them
    complete the separation of presentation and logic
    write a tutorial
    build more Drivers (Class::DBI, LDAP, Radius, etc...)
    add support for method attributes to identify runmodes that require
    authentication
    finish the test suite
    provide more example code
    clean up the documentation
    build a DB driver that builds its own table structure. This can be used
    by people that don't have their own user database to work with, and
    could include a simple user management application.

BUGS
    This is alpha software and as such, the features and interface are
    subject to change. So please check the Changes file when upgrading.

    Some of the test scripts appear to be incompatible with versions of
    Devel::Cover later than 0.65.

SEE ALSO
    CGI::Application, perl(1)
