如何在Perl Dancer应用程序中改进身份验证
[英]How to improve authentication in a Perl Dancer app
问题描述
I am working on a Perl Dancer web application that needs to accomplish two things in terms of authentication: 
我正在开发一个Perl Dancer Web应用程序,它需要在身份验证方面完成两件事:
- authenticate users based on Active Directory for access to the application 基于Active Directory对用户进行身份验证以访问应用程序
- authenticate as the user to access a couple of .NET web services. 作为用户进行身份验证以访问几个.NET Web服务。
The application is being hosted as a CGI application by Apache on a Linux box, and I do not have much control over Apache's configuration. 该应用程序由Apache在Linux机器上作为CGI应用程序托管,我对Apache的配置没有多少控制权。
Below is the workflow of the currently working application: 以下是当前工作应用程序的工作流程:
- Display a login page to the user 显示用户的登录页面
- When the user submits the form, use Authen::Simple::ActiveDirectory to verify the account is valid 当用户提交表单时,使用Authen :: Simple :: ActiveDirectory验证帐户是否有效
- Store the user's credentials using Dancer::Session::Cookie (encrypted cookies) 使用Dancer :: Session :: Cookie (加密的cookie)存储用户的凭据
- Display a search form to the user 向用户显示搜索表单
- When the user submits this form, use Authen::NTLM and SOAP::Lite to access the .NET services (similar to the example here ) to perform a search 当用户提交此表单时,使用Authen :: NTLM和SOAP :: Lite访问.NET服务(类似于此处的示例)以执行搜索
- Display the results to the user 向用户显示结果
The handling of user credentials here concerns me, but I am generally new to web applications and authentication. 这里处理用户凭据关系到我,但我通常是Web应用程序和身份验证的新手。 For a small internal application, is this okay? 对于小型内部应用程序,这没关系吗? If not, how do you suggest I improve this process? 如果没有,你如何建议我改进这个过程? Like I said, the application as outlined above works, but I feel like it could/should be improved. 就像我说的,上面提到的应用程序有效,但我觉得它可以/应该改进。
2 个解决方案
解决方案1
1 2013-02-24 12:17:12
One (part of a) solution could be that you let your apache webserver handle the authentication. 一个(一部分)解决方案可能是让您的apache webserver处理身份验证。 You could use Kerberos for this. 你可以使用Kerberos 。 So only permitted users can access your application. 因此,只允许用户访问您的应用程序。 In that case $ENV{REMOTE_USER} contains the username (eg foo.bar@MY.DOMAIN.COM). 在这种情况下, $ENV{REMOTE_USER}包含用户名(例如foo.bar@MY.DOMAIN.COM)。
If you need more information about the current user you can query your LDAP (containd in your Domain). 如果您需要有关当前用户的更多信息,可以查询LDAP(包含在您的域中)。 I use a common (LDAP) user to get more information about the current user foo.bar@MY.DOMAIN.COM. 我使用公共(LDAP)用户获取有关当前用户foo.bar@MY.DOMAIN.COM的更多信息。
I know that this is only the fist part. 我知道这只是第一部分。 I do not have experience useing/passing Kerberos tickets by SOAP. 我没有使用SOAP来使用/传递Kerberos票证的经验。 But if you mange to handle this, you have a clean SSO solution. 但是,如果您需要处理此问题,那么您就拥有了一个干净的SSO解决方案。
HTH HTH
解决方案2
0 2014-08-05 10:22:31
We do this in the Apache config. 我们在Apache配置中执行此操作。 It requires something like the below. 它需要类似下面的内容。 You'll need a read only password-less user to bind to Active Directory. 您需要一个只读密码的用户来绑定到Active Directory。
AuthName "Active Directory"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://server:389/OU=COMPANY,DC=COMPANY,DC=com?sAMAccountName,mail,name,extensionAttribute2,memberOf?base?(objectClass=user)
AuthzLDAPAuthoritative on
AuthLDAPBindDN "CN=ReadOnlyUser,OU=ServiceAccounts,OU=Users,OU=XXX,OU=COMPANY,DC=COMPANY,DC=com"
AuthLDAPGroupAttributeIsDN on
require valid-user
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.