|
CGI::Bus::uauth - default or base user authentication class |
CGI::Bus::uauth - default or base user authentication class
use CGI::Bus; $s =CGI::Bus->new(); $s->ugroups; # get groups current user belongs to
use CGI::Bus; $s =CGI::Bus->new(); $s->set(-login => '/cgi-bin/login-screen.cgi'); $s->uauth; # go to login screen
use CGI::Bus; $s =CGI::Bus->new(); $s->set(-login => undef); $s->uauth->authscr # login script under web server authentication
use CGI::Bus; $s =CGI::Bus->new(); $s->uauth->loginscr; # ... with authentication by application
This is default or base user authentication class.
It provides user, ugroups, uglist, auth methods
for CGI::Bus 'user' and 'group' methods, which are
wrappers to CGI::Bus::uauth.
It contains platform specific methods and may be overwritten
in CGI::Bus with '-import'.
It implements a three user authentication methods:
Web server user authentication on Win32 IIS or Apache with 'NTLM' module. Win32 operation use Windows 2000 ADSI via Win32::OLE module or 'findgrp.exe' Windows NT Resource Kit utility or Win32API::Net module.
Apache user authentication with 'AuthUserFile' and 'AuthGroupFile'.
Apache itself may use 'uagroup' buffer file produced from Windows 2000 ADSI within dpath.
User authentication by application (with loginscr or auth/authscr),
where user data are stored within
CGI::Bus::udata or its replacement.
Cookie operation (auth, loginscr, signchk, signset, logout)
use Digest modules, default is 'MD5'.
Microsoft IIS deimpersonation requires Win32::API for 'RevertToSelf' call.
See CGI::Bus::Base for inherited slots and methods.
signchk and signset.
Default used is 'MD5'
auth
ugroups and uglist calls
-login and exit may be used for authentication.
Login screen should set $ENV{REMOTE_USER} (by web server or itself)
and call auth; signset(?redirect) will be called inside.
This operation is for optional web server authentication.
It is not needed when web server authentication is set for scripts.
loginscr may be used for user authentication by application.
userauth call, which calls auth.
Not authenticated users will be authenticated and redirected back.
Authenticated users will get authentication information page with URL
to return back.
This method is created partially due to possible browser redirection problems.
-login.
If there is no login script URL, empty string will be returned.
If login script URL ends with '/' sign, it is treated as
authenticated location, and current script name will to be appended.
Default return URL is current script's URL.
auth call can redirect to login script,
but authurl may be used to place URL to lead user to
login script directly and decrease browser redirections.
auth instead of loginscr for web server authentication with cookie.
See issue about authentication by application.
userver.
signchk
usdomain.
ugroups extended with new 'user name' parameter.
ugroups fixed to return [guest] instead of empty list.
Evolution to Windows ADSI using Win32::OLE, other Windows interfaces used at last only.
-adsi slot ignored and removed.
Win32::OLE->Option(``Warn''=>0) used anywere.
ADSI data buffered in CGI::Bus::dpath for faster access and Apache usage.
New: Deimpersonation for Microsoft IIS
using 'RevertToSelf' via Win32::API.
Tried when finished with '/' sign -login URL.
ugroups on Win32 returns global group names prefixed with
domain name for users from foreign domains.
-adsi switch, attempting to use a Windows 2000 ADSI, see issues in the source code
? AuthDBMUserFile('user'=>), AuthDBMGroupFile('user'=>'groups')
? AuthDBUserFile, AuthDBGroupFile
- All platform and authentication method specifics could not be implemented in a one module. Another authentication support modules may be needed. - Application (password, not web server) authentication interferes with web server access control to a files. So, if application publishes files via URLs, this URLs should operate via scripts, or only web server authentication should be used.
Andrew V Makarow <makarow at mail.com>
|
CGI::Bus::uauth - default or base user authentication class |