Apache-SiteControl
5 results

 view release on metacpan or  search on metacpan

lib/Apache/SiteControl.pm  view on Meta::CPAN 

   };
   if($@) {
      $r->log_error("User tried access with invalid/nonexistent session: $@");
      return undef;
   }

   return $user->getUsername if defined($user);

   return undef;
}

1;

__END__

=head1 NAME

Apache::SiteControl - Perl web site authentication/authorization system

=head1 SYNOPSIS

See samples/site for complete example. Note, this module is intended for
mod_perl. See Apache2::SiteControl for mod_perl2.

=head1 DESCRIPTION

Apache::SiteControl is a set of perl object-oriented classes that
implement a fine-grained security control system for a web-based application.
The intent is to provide a clear, easy-to-integrate system that does not
require the policies to be written into your application components. It
attempts to separate the concerns of how to show and manipulate data from the
concerns of who is allowed to view and manipulate data and why.

For example, say your web application is written in HTML::Mason. Your
individual "screens" are composed of Mason modules, and you would like to keep
those as clean as possible, but decisions have to be made about what to allow
as the component is processed. SiteControl attempts to make that as easy as
possible.

=head2 DEVELOPER'S VIEWPOINT - EXAMPLE

In this document we use HTML::Mason to create examples of how to use the
control mechanisms, but any mod_perl based system should be supportable.

A good mason component tries to do most of the perl processing in a separate
block, so that simple substitutions can be made in HTML in the rest of
the page. This makes it much easier for web developers and perl developers to
co-exist on a project. 

The SiteControl system tries to make it possible to continue to follow this
model. You obtain a user object and permission manager from the SiteControl
system. These are intended to be opaque data types to the page designer,
and are defined elsewhere (see USERS). The actual web page component
should carry these objects around without implementing anything in the way of
policy.

For example, your mason component might look like this:

   <HTML>
      <HEAD> ... </HEAD>
   % if($manager->can($currentUser, "edit", $table)) {
         <FORM METHOD=POST ACTION="...">
            <P><INPUT TYPE=TEXT NAME="x" VALUE="<% $table->{x} %>">
            ...
         </FORM>
   % } else {
         <P>x is <% $table->{x} %>
   % }

   <%init>
   my $currentUser = Apache::SiteControl->getCurrentUser($r);
   my $manager = Apache::SiteControl->getPermissionManager($r);

   ... application specific stuff...
   i.e. 

   my $table = ...
   </%init>

Notice that the component does not bother looking at the user object, and there
is no policy code...just a request for permission:

   if($manager->can($currentUser, "do something to", $resource))

Of course the developer needs to know I<something> about the underlying system.
For example, the action string "do something to" is rather arbitrary. These can
be anything, and must be specified as rule actions. It is recommended that you
use some form of Perl constants for these instead of strings, but that is up to
you.

The resource is intended to be less opaque. This is likely the object that the
page developer wants to muck with, and so probably knows the internals of that
object a bit better. This is the crossover point from what SiteControl can
figure out on its own to information you have to supply. 

The default behavior is for the manager to deny any request.  In order for a
request to be approved, someone has to write a rule that joins together the
user, action, and resource and makes a decision about the permissibility of the
action.

If all you want is login and user tracking (but no permission manager), then it
is safe to ignore the permission manager altogether.

=head1 USERS

Users and Rules are the central components of the SiteControl system. The user
object must be Apache::SiteControl::User (or a subclass). See
Apache::SiteControl::User for a description of what it supports (session
storage, logout, etc.).  The glue to SiteControl is the UserFactory, which you
can define or accept the default of Apache::SiteControl::UserFactory
(recommended). 

Whenever a login attempt succeeds, the factory returns an object that
represents a valid, logged-in user. See Apache::SiteControl::UserFactory for
more information.

=head2 PERMISSION MANAGER

Each site will have a permission manager. There is usually no need for you
to subclass Apache::SiteControl::PermissionManager, but you do need to create one
and populate it with your access rules. You do this by creating a



( run in 1.300 second using v1.01-cache-2.11-cpan-39bf76dae61 )