
How to improve authentication in a Perl Dancer app

I am working on a Perl Dancer web application that needs to accomplish two things in terms of authentication:

  1. authenticate users based on Active Directory for access to the application
  2. authenticate as the user to access a couple of .NET web services.

The application is being hosted as a CGI application by Apache on a Linux box, and I do not have much control over Apache's configuration.

Below is the workflow of the currently working application:

  1. Display a login page to the user
  2. When the user submits the form, use Authen::Simple::ActiveDirectory to verify the account is valid
  3. Store the user's credentials using Dancer::Session::Cookie (encrypted cookies)
  4. Display a search form to the user
  5. When the user submits this form, use Authen::NTLM and SOAP::Lite to access the .NET services (similar to the example here) to perform a search
  6. Display the results to the user

The handling of user credentials here concerns me, but I am generally new to web applications and authentication. For a small internal application, is this okay? If not, how do you suggest I improve this process? Like I said, the application as outlined above works, but I feel like it could/should be improved.

One (part of a) solution could be that you let your Apache webserver handle the authentication. You could use Kerberos for this. So only permitted users can access your application. In that case $ENV{REMOTE_USER} contains the username (e.g. foo.bar@MY.DOMAIN.COM).

If you need more information about the current user you can query your LDAP (contained in your Domain). I use a common (LDAP) user to get more information about the current user foo.bar@MY.DOMAIN.COM.

I know that this is only the first part. I do not have experience using/passing Kerberos tickets by SOAP. But if you manage to handle this, you have a clean SSO solution.

HTH

We do this in the Apache config. It requires something like the below. You'll need a read only password-less user to bind to Active Directory.

    AuthName "Active Directory"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPUrl ldap://server:389/OU=COMPANY,DC=COMPANY,DC=com?sAMAccountName,mail,name,extensionAttribute2,memberOf?base?(objectClass=user)
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "CN=ReadOnlyUser,OU=ServiceAccounts,OU=Users,OU=XXX,OU=COMPANY,DC=COMPANY,DC=com"
    AuthLDAPGroupAttributeIsDN on
    require valid-user
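The two answers above hand authentication to Apache (Kerberos or the LDAP provider) and leave the application with only `REMOTE_USER`. The following Dancer 1 snippet is an added example, not code from the question or either answer: it refuses requests that Apache did not authenticate, keeps only the account name in the session (no password), and fetches extra attributes with a read-only service account as the first answer suggests. The LDAP host, bind DN, base DN and the `LDAP_BIND_PW` environment variable are placeholders.

```perl
use strict;
use warnings;
use Dancer ':syntax';
use Net::LDAP;

my $LDAP_HOST    = 'ldap.example.com';                                   # placeholder
my $LDAP_BIND_DN = 'CN=ReadOnlyUser,OU=ServiceAccounts,DC=COMPANY,DC=com'; # placeholder
my $LDAP_BIND_PW = $ENV{LDAP_BIND_PW};            # service-account secret kept out of the code
my $LDAP_BASE    = 'OU=COMPANY,DC=COMPANY,DC=com';                        # placeholder

# Turn a REMOTE_USER such as "foo.bar@MY.DOMAIN.COM" into a bare sAMAccountName.
# Anything outside [A-Za-z0-9_.-] is rejected so the value can never alter the LDAP filter.
sub account_from_remote_user {
    my ($remote_user) = @_;
    return unless defined $remote_user && length $remote_user;
    my ($account) = split /@/, $remote_user, 2;
    return unless $account =~ /^[\w.\-]+$/;
    return $account;
}

# Look the user up with the read-only bind; the user's own password is never handled here.
sub ldap_user_info {
    my ($account) = @_;
    my $ldap = Net::LDAP->new($LDAP_HOST) or return;
    my $bind = $ldap->bind($LDAP_BIND_DN, password => $LDAP_BIND_PW);
    return if $bind->code;
    my $res = $ldap->search(
        base   => $LDAP_BASE,
        filter => "(&(objectClass=user)(sAMAccountName=$account))",
        attrs  => [qw(name mail memberOf)],
    );
    $ldap->unbind;
    return if $res->code || !$res->count;
    my $e = $res->entry(0);
    return { name   => $e->get_value('name'),
             mail   => $e->get_value('mail'),
             groups => [ $e->get_value('memberOf') ] };
}

hook before => sub {
    # Only the web server asserts identity; no REMOTE_USER means Apache did not authenticate.
    my $account = account_from_remote_user(request->env->{REMOTE_USER});
    unless ($account) {
        status 401;
        halt 'Not authenticated by the web server';
    }
    session user => $account             unless session('user');
    session info => ldap_user_info($account) unless session('info');
};

get '/' => sub { 'Hello, ' . session('user') };
dance;
```

If Apache is not guaranteed to protect every route, an empty `REMOTE_USER` must still be treated as unauthenticated, which is why the hook checks it on each request instead of trusting an earlier session.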
