NAME
Maypole::Authentication::Abstract - Abstract Authentication for Maypole
SYNOPSIS
Simple example of all three security levels:
use base qw(Apache::MVC Maypole::Authentication::Abstract);
sub authenticate {
my $r = shift;
if ( $r->{table} eq 'openforall' ) {
$r->public;
}
elsif ( $r->{table} eq 'membersonly' ) {
$r->private;
$r->{template} = 'login' unless $r->{user};
}
elsif ( $r->{table} eq 'topsecret' ) {
$r->restricted;
$r->{template} = 'login' unless $r->{user};
}
}
Another example:
use base qw(Apache::MVC Maypole::Authentication::Abstract);
MyApp->config->{auth} = {
user_class => 'MyApp::Customer',
user_field => 'email',
session_class => 'Apache::Session::Postgres',
session_args => {
DataSource => 'dbi:Pg:dbname=myapp',
UserName => 'postgres',
Password => '',
Commit => 1
}
};
sub authenticate {
my $r = shift;
if ( $r->{table} eq 'products' && $r->{action} eq 'list' ) {
$r->public;
}
elsif ( $r->{table} eq 'products' && $r->{action} eq 'search' ) {
$r->private;
$r->{template} = 'login' unless $r->{user};
}
elsif ( $r->{table} eq 'products' && $r->{action} eq 'edit' ) {
$r->restricted;
$r->{template} = 'login' unless $r->{user};
}
}
Tickets in templates
<INPUT TYPE="hidden" NAME="ticket" VALUE="[% ticket %]">
Global session handling is also possible:
sub authenticate {
my $r = shift;
$r->public;
if ( $r->{table} eq 'products' && $r->{action} eq 'search' ) {
$r->private;
$r->{template} = 'login' unless $r->{user};
}
elsif ( $r->{table} eq 'products' && $r->{action} eq 'edit' ) {
$r->restricted;
$r->{template} = 'login' unless $r->{user};
}
}
DESCRIPTION
This module is based on Maypole::Authentication::UserSessionCookie but adds some more advanced features.
For example we have three levels of security:
Public: No authentication, only session management
Private: Authenticate once, go everywhere
Restricted: Authenticate and reauthorize with a ticket for every
request (best used in a post form as hidden input)
The configuration works similar to Maypole::Authentication::UserSessionCookie but with some little additions.
$r->{session_id} can be used from parse_path() for example,
useful if the user has cookies disabled.
We provide a number of methods to be inherited by a Maypole class. The three methods public
, private
and restricted
determine the security level.
public
$r->public;
public
checks for a session cookie and looks into the session_id
slot of the Maypole request and then populates the resulting session hash to the session
slot.
private
$r->private;
private
does the same as public but also calls check_credentials
if you haven't authorized before. If the login was successful it populates a User
object to the user
slot of the Maypole object.
restricted
$r->restricted;
restricted
does the same as private
but also calls ticket
.
login
This method creates the session hash. It also sets $r-
{template_args}{session_id}>.
logout
This method deletes the session hash.
check_credentials
This method checks for two form parameters (typically user
and password
but configurable) and does a search
on the user class for those values. If the credentials are wrong, then $r-
{template_args}{login_error}> is set to an error string.
uid_to_user
This method returns the result of a retrieve
on the UID from the user class.
ticket
This method checks for a form parameter, ticket
and reauthorizes the user whenever it is called. By default the ticket is just a serialized array represented as hex string containing the user and the password, but it is very simple to overload ticket
with a better method. Use a Crypt:: module or even Kerberos! It also sets $r->{template_args}{ticket}.
TODO
Better documentation.
AUTHOR
Sebastian Riedel, sri@cpan.org
COPYRIGHT
Copyright 2004 Sebastian Riedel. All rights reserved.
This program is free software, you can redistribute it and/or modify it under the same terms as Perl itself.