Apache2-AuthCASpbh
lib/Apache2/AuthCASpbh.pm
# Merge per-directory configuration: values from the more specific
# section ($add) replace those inherited from the parent ($base).
sub DIR_MERGE {
    my ($base, $add) = @_;

    my $mrg = Storable::dclone($base);
    foreach (keys %{$add}) {
        $mrg->{$_} = $add->{$_};
    }

    return bless($mrg, ref($base));
}

# Look up a directive: explicit configuration first, then the module
# default, otherwise undef.
sub cfg_value {
    my ($dir_cfg, $directive) = @_;

    return $dir_cfg->{"AuthCAS_$directive"} if exists($dir_cfg->{"AuthCAS_$directive"});
    return $default_config{$directive} if exists($default_config{$directive});
    return undef;
}

# Tie a session hash to the SQLite database $db, reusing a cached handle.
# Returns a hash reference on success or an error string on failure.
sub open_session {
    my ($db, $session_id) = @_;

    if (!exists($session_dbh{$db})) {
        $session_dbh{$db} = DBI->connect("dbi:SQLite:$db", '', '', { AutoCommit => 1 }) or
            return "DBI connection failed - $DBI::errstr";
    }

    my %session;
    eval { tie(%session, 'Apache::Session::Browseable::SQLite', $session_id,
               { Handle => $session_dbh{$db}, Commit => 0 }); };

    return $@ ? $@ : \%session;
}

=head1 NAME

AuthCASpbh - CAS SSO integration for Apache/mod_perl

=head1 SYNOPSIS

Load the module in your Apache mod_perl configuration:

    PerlLoadModule Apache2::AuthCASpbh

    AuthCAS_ServerURL https://my.cas.server/cas

and include additional configuration from the ancillary modules as necessary:

L<Apache2::AuthCASpbh::Authn>

L<Apache2::AuthCASpbh::Authz>

L<Apache2::AuthCASpbh::ProxyCB>

L<Apache2::AuthCASpbh::UserAgent>

=head1 DESCRIPTION

AuthCASpbh is a framework for integrating CAS SSO support into the Apache web
server using mod_perl. It can authenticate Apache resources via CAS, perform
authorization via CAS attributes, acquire proxy granting tickets, and provide
a client allowing transparent access to other CAS applications via proxy
authentication. It automatically manages sessions using Apache::Session
(currently via SQLite, but other mechanisms could be used) and provides
mod_perl based applications access to session state and attributes.

=head2 Configuration options

=over

=item C<AuthCAS_DebugLevel>

Use a different logging level for debugging messages generated by AuthCASpbh
rather than the default "debug", allowing visibility into internal operation
without being overwhelmed by debugging output from unrelated components.
Messages can be logged at any supported Apache level, for example:

    AuthCAS_DebugLevel warn

=item C<AuthCAS_LoginPath>

The URL component added after the AuthCAS_ServerURL value to access the CAS
login service; by default "/login".

=item C<AuthCAS_PGTCallback>

The location of the callback used by the configured CAS server when requesting
a proxy granting ticket is enabled. By default, it is the relative URL
"/cas_pgt" on the server running AuthCASpbh; however, it can also be a fully
qualified URL pointing to an arbitrary location:

    AuthCAS_PGTCallback https://some.other.server/cas_pgt

The URL must be served by L<Apache2::AuthCASpbh::ProxyCB> or a compatible
mechanism that will store the proxy ticket information into the global
AuthCASpbh session.

=item C<AuthCAS_PGTIOU_TTL>

The amount of time in seconds that a proxy granting ticket IOU to proxy
granting ticket value mapping will be maintained in the AuthCASpbh global
session. By default it is 10 seconds, and it is unlikely that value would need
to be overridden in normal circumstances.

=item C<AuthCAS_ProxyAllow>

A list of proxy servers to allow access to the AuthCASpbh protected application
if proxied authentication is desired. Proxied authentication is only enabled
if at least one of AuthCAS_ProxyAllow or AuthCAS_ProxyAllowRE is configured for
the location being accessed. For example:

    AuthCAS_ProxyAllow https://my.frontend.server/cas

=item C<AuthCAS_ProxyAllowRE>

A list of regular expressions to be compared to the connecting proxy server to
determine whether or not to allow access to the AuthCASpbh protected
application. Proxied authentication is only enabled if at least one of
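
An added example, not code from Apache2::AuthCASpbh: it applies an exact-match list and a regular-expression list to a proxy URL, in the spirit of AuthCAS_ProxyAllow and AuthCAS_ProxyAllowRE, to show why allow-list patterns should be anchored and have their dots escaped. The helper proxy_allowed, its matching semantics and every sample URL are assumptions made for illustration; the module's own comparison logic is not shown on this page.

```perl
use strict;
use warnings;

# Hypothetical helper (not the module's code): decide whether a proxy URL
# is acceptable. $allow models an exact-match list (AuthCAS_ProxyAllow) and
# $allow_re a list of compiled patterns (AuthCAS_ProxyAllowRE).
sub proxy_allowed {
    my ($proxy, $allow, $allow_re) = @_;

    # Neither list configured: proxied authentication is not enabled.
    return 0 unless @{$allow} || @{$allow_re};

    # Exact string comparison against the allow list.
    return 1 if grep { $proxy eq $_ } @{$allow};

    # Pattern comparison; what is accepted depends entirely on how each
    # pattern is anchored and escaped.
    return 1 if grep { $proxy =~ $_ } @{$allow_re};

    return 0;
}

# Constructed sample values.
my @allow     = ('https://my.frontend.server/cas');
my @loose_re  = (qr{https://my.frontend.server/});               # unanchored, bare dots
my @strict_re = (qr{\Ahttps://my\.frontend\.server/[\w/-]*\z});  # anchored, escaped

my @proxies = (
    'https://my.frontend.server/cas',
    'https://my.frontend.server/app/pgt',
    'https://myxfrontend.server/cas',
    'https://other.example/?next=https://my.frontend.server/',
);

printf "%-58s %-6s %-6s %-6s\n", 'proxy', 'exact', 'loose', 'strict';
for my $p (@proxies) {
    printf "%-58s %-6s %-6s %-6s\n", $p,
        map { $_ ? 'allow' : 'deny' }
            proxy_allowed($p, \@allow, []),
            proxy_allowed($p, [], \@loose_re),
            proxy_allowed($p, [], \@strict_re);
}

# With both lists empty, every proxy is refused.
print "no lists: ", (proxy_allowed($proxies[0], [], []) ? 'allow' : 'deny'), "\n";
```

The loose pattern accepts all four constructed URLs, while the anchored and escaped pattern accepts only the first two.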