Apache2-AuthAny


lib/Apache2/AuthAny.pm


Same as REMOTE_USER for identified users.

=head3 AA_IDENT_active

Users whose "active" value is not "1" are denied access to
directories protected with any "Require" directive (e.g. "Require
valid-user").

In addition to the above, the value of every field in the "user" table
is passed as an environment variable named AA_IDENT_ followed by the
field name. The demo database includes "firstName", "lastName", and
"created".

=head2 Logout

AuthAny provides a logout feature that allows the user to log out
without closing her browser. The feature has two functions. It sets
the state in the database to "logged_out". It also logs the user out
of Basic auth and Shibboleth. Without the second function, a user
would simply be able to click again on the GATE's provider link and
get right back into the protected application. Google authentication
is not included in this second logout function, however Google's login
state is set to expire after about a minute, after which the user must
log in again.

=cut

# Map AuthAny's textual log levels onto Apache's log-level constants
my %level = (error  => Apache2::Const::LOG_ERR,
             warn   => Apache2::Const::LOG_WARNING,
             notice => Apache2::Const::LOG_NOTICE,
             info   => Apache2::Const::LOG_INFO,
             debug  => Apache2::Const::LOG_DEBUG,
    );

# Register the configuration directives and handlers when the module loads
__PACKAGE__->init;

sub init {
    my $self = shift;

    # Custom Apache directives; each one is handled by the same-named sub below
    my @directives = (
        {
            name         => 'AuthAnyGateURL',
            args_how     => Apache2::Const::TAKE1,
            errmsg       => 'Custom GATE page',
        },

        {
            name         => 'AuthAnySkipAuthentication',
            args_how     => Apache2::Const::ITERATE,
            errmsg       => 'Usage: AuthAnySkipAuthentication uri-pattern1 [uri-pattern2 ...]',
        },

        {
            name         => 'AuthAnyBasicAuthUserFile',
            req_override => Apache2::Const::OR_ALL,
            args_how     => Apache2::Const::TAKE1,
            errmsg       => 'Basic auth .htpasswd file',
        },

        {
            name         => 'AuthAnyTimeout',
            args_how     => Apache2::Const::TAKE1,
            errmsg       => 'seconds',
        },
    );

    eval {
        Apache2::Module::add($self, \@directives);

        # Hook the map-to-storage and header-parser phases server-wide
        my $s = Apache2::ServerUtil->server;
        $s->push_handlers( PerlMapToStorageHandler =>
                           'Apache2::AuthAny::MapToStorageHandler' );
        $s->push_handlers( PerlHeaderParserHandler =>
                           'Apache2::AuthAny::RequestConfig' );
    };
    warn $@ if $@;
}

=head1 DIRECTIVES

=head2 AuthAnyGateURL (required)

If a user needs to log in, she is redirected to a GATE page which
contains a list of provider links. This directive defines
the URL to the gate page.

=cut

sub AuthAnyGateURL {
    my ($self, $params, $arg) = @_;
    $self->{AuthAnyGateURL} = $arg;
}

=head2 AuthAnySkipAuthentication

This directive accepts a list of URL patterns for which
the authentication and authorization phases will be skipped.

=cut

sub AuthAnySkipAuthentication {
    my ($self, $params, $arg) = @_;
    push @{$self->{AuthAnySkipAuthentication}}, $arg;
}

=head2 AuthAnyBasicAuthUserFile

The basic authentication user file for interactive login is defined
in the Apache configuration. This directive allows a basic auth
user file to be checked with each request to a protected resource.
In this way, the request can include an HTTP "Authorization" header
to allow scripting. No AA_AUTH cookie is required.

=cut

sub AuthAnyBasicAuthUserFile {
    my ($self, $params, $arg) = @_;
    $self->{AuthAnyBasicAuthUserFile} = $arg;
}

=head2 AuthAnyTimeout

This directive allows a default timeout to be set, after which
an "authenticated" user will become only "recognized". The value
set by AuthAnyTimeout can be overridden for any identified user
by specifying a "timeout" value in the "auth_user" db table.

=cut

sub AuthAnyTimeout {
    my ($self, $params, $arg) = @_;
    $self->{AuthAnyTimeout} = $arg;
}

=head2 AuthType auth-any (required)

This directive turns AuthAny on and causes AuthAny's environment
variables to be passed to code running in the response phase.

=head2 Require <options>

=head3 Require valid-user

The user must sign in with any mechanism/provider; however, the
user need not be in the userIdent db table.

=head3 Require identified-user

The user must have an entry in the userIdent and user table, and
not be in a deactivated state.

=head3 Require user <user1 [user2 ...]>

The specified users are allowed. Note that users who do not have an
entry in the userIdent table are seen by the system as "id|provider".
For example, if you want to grant access to the user "john" when logging
in using "basic" authentication, and john does not have an entry in the
userIdent table, you would use the following directive:

 Require user john|basic

=head3 Require role <role1 [role2 ...]>

Users holding the specified roles are allowed access.

=head3 Require authenticated

Users are not permitted if they have timed out and thus are no
longer authenticated.

=head3 Require session

Users are not permitted if they haven't logged in during the current
browser session. This allows the administrator to force logout when
the user exits her browser.
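Putting the directives above and the "Require" variants together, here is an added Apache configuration example; it is not taken from the Apache2::AuthAny distribution or its documentation. The URLs, file path, timeout, role name and user name are placeholders. "PerlLoadModule" is the standard mod_perl way to load a module that registers its directives through Apache2::Module::add, and the wiring of AuthAny's own authentication and authorization handlers is assumed to be done elsewhere, since this excerpt does not show it.

```apache
# Added example, not from the Apache2::AuthAny distribution.
# All paths, names and numbers are placeholders.

# Load the module so that Apache2::Module::add registers the AuthAny* directives
PerlLoadModule Apache2::AuthAny

# Users who need to log in are redirected here to pick a provider
AuthAnyGateURL /auth/gate

# Skip the authentication and authorization phases for these URL patterns.
# Keep this list as narrow as possible: anything matched is reachable
# without any login. The GATE page itself must be listed or it can
# never be displayed.
AuthAnySkipAuthentication /auth/ /static/

# Seconds after which an "authenticated" user becomes only "recognized".
# A per-user "timeout" value in the auth_user table overrides this default.
AuthAnyTimeout 1800

# Anyone who signed in with any provider may read the general area;
# no userIdent row is needed, but deactivated identified users are refused
<Location /app>
    AuthType auth-any
    Require valid-user
</Location>

# Account pages need a userIdent/user row that is still active
<Location /app/account>
    AuthType auth-any
    Require identified-user
</Location>

# Administration is granted by role rather than by listing users
<Location /app/admin>
    AuthType auth-any
    Require role admin
</Location>

# Reports are fetched by a script: an HTTP "Authorization" header checked
# against this htpasswd file is accepted instead of the AA_AUTH cookie,
# and only the basic-auth user "john" (who has no userIdent row) is admitted
<Location /app/reports>
    AuthType auth-any
    AuthAnyBasicAuthUserFile /etc/apache2/authany.htpasswd
    Require user john|basic
</Location>

# Sensitive actions must not be reachable once the AuthAnyTimeout has
# elapsed; a merely "recognized" user is sent back through the GATE
<Location /app/transfer>
    AuthType auth-any
    Require authenticated
</Location>
```

Each Location carries a single "Require" line on purpose: this excerpt does not say how AuthAny combines several "Require" directives in one scope, so the example does not rely on any particular combination rule. The skip list is the setting to review most carefully, because every pattern in it removes both the authentication and the authorization phase for matching requests.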

=head1 ISSUES

=head2 mod_dir ignores AuthType

If a request is made to a directory, mod_dir will try to use one
of the index file names specified by "DirectoryIndex". It appears
that mod_dir is ignoring the "AuthType auth-any" directive and is
trying to use basic authentication, resulting in errors such as:

 "configuration error:  couldn't check user.  No user file?: /gossamer/index.php"

A workaround is to use mod_rewrite on directories:

 RewriteEngine On
 RewriteRule ^gossamer/$ /gossamer/index.php
 RewriteRule ^$ /gossamer/index.php