How to improve authentication in a Perl Dancer app
I am working on a Perl Dancer web application that needs to accomplish two things in terms of authentication:
The application is being hosted as a CGI application by Apache on a Linux box, and I do not have much control over Apache's configuration.
Below is the workflow of the currently working application:
The handling of user credentials here concerns me, but I am generally new to web applications and authentication. For a small internal application, is this okay? If not, how do you suggest I improve this process? Like I said, the application as outlined above works, but I feel like it could/should be improved.
One (part of a) solution could be that you let your Apache web server handle the authentication. You could use Kerberos for this. So only permitted users can access your application. In that case $ENV{REMOTE_USER} contains the username (e.g. foo.bar@MY.DOMAIN.COM).
If you need more information about the current user you can query your LDAP (contained in your domain). I use a common (LDAP) user to get more information about the current user foo.bar@MY.DOMAIN.COM.
I know that this is only the first part. I do not have experience using/passing Kerberos tickets by SOAP. But if you manage to handle this, you have a clean SSO solution.
HTH
We do this in the Apache config. It requires something like the below. You'll need a read-only password-less user to bind to Active Directory.
AuthName "Active Directory"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://server:389/OU=COMPANY,DC=COMPANY,DC=com?sAMAccountName,mail,name,extensionAttribute2,memberOf?base?(objectClass=user)
AuthzLDAPAuthoritative on
AuthLDAPBindDN "CN=ReadOnlyUser,OU=ServiceAccounts,OU=Users,OU=XXX,OU=COMPANY,DC=COMPANY,DC=com"
AuthLDAPGroupAttributeIsDN on
require valid-user
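Added example (not code from either answer above): a Dancer 1 app that consumes the identity Apache established, whether via Kerberos (first answer) or the Basic-over-LDAP config above (second answer), and enriches it from LDAP with a read-only service account. The host, base DN, bind DN, the config key ldap_bind_password and the route are assumed values for illustration.

```perl
package MyApp;
use strict;
use warnings;
use Dancer ':syntax';                          # Dancer 1 syntax
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Assumed settings; the bind password comes from config.yml, never from source.
my $ldap_host = 'ldap://server:389';
my $ldap_base = 'OU=COMPANY,DC=COMPANY,DC=com';
my $bind_dn   = 'CN=ReadOnlyUser,OU=ServiceAccounts,OU=Users,OU=XXX,OU=COMPANY,DC=COMPANY,DC=com';
my $bind_pw   = config->{ldap_bind_password};  # assumed config key

# Look up the principal Apache authenticated (e.g. foo.bar@MY.DOMAIN.COM or
# a bare sAMAccountName) with the read-only account. Returns undef if the
# bind fails or the user is not exactly one directory entry.
sub lookup_user {
    my ($principal) = @_;
    (my $sam = $principal) =~ s/@.*$//;                 # strip the realm, if any
    my $ldap = Net::LDAP->new($ldap_host) or return;
    return if $ldap->bind($bind_dn, password => $bind_pw)->code;
    my $res = $ldap->search(
        base   => $ldap_base,
        # escape the value so a principal can never alter the filter
        filter => '(&(objectClass=user)(sAMAccountName=' . escape_filter_value($sam) . '))',
        attrs  => [qw(mail name memberOf)],
    );
    $ldap->unbind;
    return if $res->code || $res->count != 1;
    my $e = $res->entry(0);
    return { mail   => $e->get_value('mail'),
             name   => $e->get_value('name'),
             groups => [ $e->get_value('memberOf') ] };
}

# Runs before every route. The app never sees a password, only REMOTE_USER.
# An empty REMOTE_USER means Apache's auth did not run for this request,
# so refuse instead of falling back to an anonymous session.
hook before => sub {
    my $principal = $ENV{REMOTE_USER};
    send_error('Not authenticated by the web server', 401)
        unless defined $principal && length $principal;
    unless (session('user')) {
        my $info = lookup_user($principal)
            or send_error('Unknown user', 403);          # send_error ends the request
        session user => { principal => $principal, %$info };
    }
};

get '/' => sub { 'Hello ' . session('user')->{name} };   # assumed route
dance;
```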