I am working on a Perl Dancer web application that needs to accomplish two things in terms of authentication:
The application is being hosted as a CGI application by Apache on a Linux box, and I do not have much control over Apache's configuration.
Below is the workflow of the currently working application:
The handling of user credentials here concerns me, but I am generally new to web applications and authentication. For a small internal application, is this okay? If not, how do you suggest I improve this process? Like I said, the application as outlined above works, but I feel like it could/should be improved.
One (part of a) solution could be that you let your Apache webserver handle the authentication. You could use Kerberos for this. So only permitted users can access your application. In that case $ENV{REMOTE_USER} contains the username (e.g. foo.bar@MY.DOMAIN.COM).
If you need more information about the current user you can query your LDAP (contained in your Domain). I use a common (LDAP) user to get more information about the current user foo.bar@MY.DOMAIN.COM.
I know that this is only the first part. I do not have experience using/passing Kerberos tickets by SOAP. But if you manage to handle this, you have a clean SSO solution.
HTH
We do this in the Apache config. It requires something like the below. You'll need a read only password-less user to bind to Active Directory.
AuthName "Active Directory"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://server:389/OU=COMPANY,DC=COMPANY,DC=com?sAMAccountName,mail,name,extensionAttribute2,memberOf?base?(objectClass=user)
AuthzLDAPAuthoritative on
AuthLDAPBindDN "CN=ReadOnlyUser,OU=ServiceAccounts,OU=Users,OU=XXX,OU=COMPANY,DC=COMPANY,DC=com"
AuthLDAPGroupAttributeIsDN on
require valid-user
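Putting the two answers together on the Dancer side, as an added example that is not from the question or either answer: the app serves nothing unless Apache has already populated REMOTE_USER (from Kerberos or the LDAP Basic auth above), then enriches that identity from the directory with the read-only bind account. The LDAP host, base DN, bind DN, attribute names and the LDAP_BIND_PW environment variable are assumptions/placeholders to adjust for your directory.

```perl
use Dancer;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Placeholders: adjust host, base DN and service-account DN for your directory.
my $LDAP_HOST = 'ldap.example.com';
my $BASE_DN   = 'OU=COMPANY,DC=COMPANY,DC=com';
my $BIND_DN   = 'CN=ReadOnlyUser,OU=ServiceAccounts,DC=COMPANY,DC=com';
my $BIND_PW   = $ENV{LDAP_BIND_PW} // '';   # from the environment, never hard-coded

# Resolve the identity Apache placed in REMOTE_USER. Kerberos yields a UPN
# (foo.bar@MY.DOMAIN.COM); Basic auth against AD yields a sAMAccountName.
sub lookup_user {
    my ($remote_user) = @_;
    my $attr  = $remote_user =~ /@/ ? 'userPrincipalName' : 'sAMAccountName';
    # Escape the value so a crafted username cannot alter the LDAP filter.
    my $value = escape_filter_value($remote_user);
    my $ldap = Net::LDAP->new($LDAP_HOST) or die "LDAP connect failed: $@";
    my $mesg = $ldap->bind($BIND_DN, password => $BIND_PW);
    die 'LDAP bind failed: ' . $mesg->error if $mesg->code;
    $mesg = $ldap->search(
        base   => $BASE_DN,
        filter => "(&(objectClass=user)($attr=$value))",
        attrs  => [qw(sAMAccountName mail name memberOf)],
    );
    die 'LDAP search failed: ' . $mesg->error if $mesg->code;
    my ($entry) = $mesg->entries;
    $ldap->unbind;
    return undef unless $entry;
    return {
        account => scalar $entry->get_value('sAMAccountName'),
        mail    => scalar $entry->get_value('mail'),
        name    => scalar $entry->get_value('name'),
        groups  => [ $entry->get_value('memberOf') ],
    };
}

# Serve nothing unless Apache has already authenticated the request; the
# application itself never sees, checks or stores a password.
hook before => sub {
    my $remote_user = request->env->{REMOTE_USER};
    if (!defined $remote_user || $remote_user eq '') {
        status 401; halt('Authentication required');
    }
    my $user = lookup_user($remote_user) or do { status 403; halt('Unknown user') };
    var user => $user;
};

get '/' => sub { my $u = vars->{user}; return "Hello $u->{name} <$u->{mail}>" };
dance;
```

Because the check runs in a before hook, a route can only execute for a request Apache has already authenticated, so a misconfigured location that skips Apache auth fails closed with 401 rather than serving the page.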