NAME

Bio::Das::ProServer::Authenticator::ip - authenticates DAS requests by IP address

VERSION

$LastChangedRevision: 453 $

SYNOPSIS

To authenticate a request:

my $auth = Bio::Das::ProServer::Authenticator::ip->new({
  'config' => {
               'authallow' => $, # IP whitelist
              },
});

my $allow = $auth->authenticate({
  'peer_addr' => $, # packed
  'request'   => $, # HTTP::Request object
  ...
});

Once authenticated the IP address is stored:

if ($allow) {
  my $ip    = $auth->ip();
}

To simply perform IP address authentication but not deny requests, configure the source with a lax IP range (e.g. "0/0"). This allows the source to alter its behaviour in a more subtle fashion (e.g provide different data for different sites).

DESCRIPTION

Authenticates requests according to a 'whitelist' of IP address ranges. Requests from clients not within one of these ranges are denied.

The IP addresses that are checked against the whitelist are: 1) that of the socket connection 2) those listed in the X-Forwarded-For HTTP header

The latter is necessary for clients and servers operating behind proxies.

IMPORTANT NOTE: Because IP addresses can be spoofed by clients, this is NOT a robust method of securing data.

CONFIGURATION AND ENVIRONMENT

The whitelist for IP addresses is configured in the source INI section, using any combination of specific, additive, range or CIDR format IPs. Valid separators are comma and semicolon.

[mysource]
authenticator = ip
authallow     = 1.2.3.4,193.62.196.0 + 255 , 123.123.123.1 - 123.123.123.10 ; 192.168/16

SUBROUTINES/METHODS

authenticate : Applies authentication to a request.

Requires: a hash reference containing details of the DAS request
Returns:  either nothing (allow) or a HTTP::Response (deny)

my $allow = $oAuth->authenticate({
  'peer_addr' => $, # packed (socket IP address)
  'request'   => $, # HTTP::Request object (for X-Forwarded-For header)
  ...
});

ip : Gets the authenticated IP address

my $sIp = $oAuth->ip();

init : Initialises the IP whitelist

DIAGNOSTICS

my $auth = Bio::Das::ProServer::Authenticator::ip->new({
  ...
  'debug'  => 1,
});

DEPENDENCIES

Carp
Net::IP
Socket
Bio::Das::ProServer::Authenticator

BUGS AND LIMITATIONS

Clients that are separated from the server by an anonymising HTTP proxy (i.e. one that does not reveal the client's IP address in the X-Forwarded-For HTTP header) will always fail this method of authentication.

Note that clients may spoof an IP address in the X-Forwarded-For header. Therefore this method of authentication is not a robust security precaution.

INCOMPATIBILITIES

None reported.

AUTHOR

Andy Jenkinson <andy.jenkinson@ebi.ac.uk>

LICENSE AND COPYRIGHT

To install Bio::Das::ProServer, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Bio::Das::ProServer

CPAN shell

perl -MCPAN -e shell
install Bio::Das::ProServer

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)