CGI::Application::PlugUserACGI::Application::Plugin::Authentication::Driver(3)NAMECGI::Application::Plugin::Authentication::Driver - Base module for
building driver classes for CGI::Application::Plugin::Authentication
VERSION
This document describes
CGI::Application::Plugin::Authentication::Driver version 0.20
SYNOPSIS
package CGI::Application::Plugin::Authentication::Driver::MyDriver;
use base qw(CGI::Application::Plugin::Authentication::Driver);
sub verify_credentials {
my $self = shift;
my @credentials = @_;
if ( >>> Validate Credentials <<< ) {
return $credentials[0];
}
return;
}
DESCRIPTION
This module is a base class for all driver classes for the
CGI::Application::Plugin::Authentication plugin. Each driver class is
required to provide only one method to validate the given credentials.
Normally only two credentials will be passed in (username and
password), but you can configure the plugin to handle any number of
credentials (for example you may require the user to enter a group
name, or domain name as well as a username and password).
FIELD FILTERS
It is quite common for passwords to be stored using some form of one
way encryption. Unix crypt being the old standard in the Unix
community, however MD5 or SHA1 hashes are more popular today. In order
to simplify the validation routines some methods have been provided to
help test these passwords. When configuring a Driver (and if the
driver supports it), you can specify which fields are encoded, and
which method is used for the encoding by specifying a filter on the
field in question.
CREDENTIALS => ['authen_username', 'authen_password'],
DRIVERS => [ 'DBI',
DSN => '...',
TABLE => 'users',
CONSTRAINTS => {
username => '__CREDENTIAL_1__',
'MD5:password' => '__CREDENTIAL_2__',
}
],
Here we are saying that the password field is encoded using an MD5
hash, and should be checked accordingly.
Filter options
Some of the filters may have multiple forms. For example there are
three forms of MD5 hashes: binary, base64 and hex. You can specify
these extra options by using an underscore to separate it from the
filter name.
'MD5_base64:password'
Chained Filters
it is possible to chain multiple filters. This can be useful if your
MD5 strings are stored in hex format. Hex numbers are case
insensitive, so the may be stored in either upper or lower case. To
make this consistent, you can MD5 encode the password first, and then
upper case the results. The filters are applied from the inside out:
'uc:MD5_hex:password'
Custom Filters
If your field is encoded using a custom technique, then you can provide
a custom filter function. This can be be done by providing a FILTERS
option that contains a hash of filter subroutines that are keyed by
their name. You can then use the filter name on any of the fields as
if it was a builtin filter.
CREDENTIALS => ['authen_username', 'authen_password'],
DRIVERS => [ 'DBI',
DSN => '...',
TABLE => 'users',
CONSTRAINTS => {
username => '__CREDENTIAL_1__',
'rot13:password' => '__CREDENTIAL_2__',
}
FILTERS => { rot13 => \&rot13_filter },
],
sub rot13_filter {
my $param = shift;
my $value = shift;
$value =~ tr/A-Za-z/N-ZA-Mn-za-m/;
return $value;
}
Please see the documentation for the driver that you are using to make
sure that it supports encoded fields.
Builtin Filters
Here is a list of the filters that are provided with this module:
crypt - provided by perl "crypt" function
MD5 - requires Digest::MD5
SHA1 - requires Digest::SHA1
uc - provided by the perl "uc" function
lc - provided by the perl "lc" function
trim - removed whitespace from the start and end of the field
METHODS
new
This is a constructor that can create a new Driver object. It requires
an Authentication object as its first parameter, and any number of
other parameters that will be used as options depending on which Driver
object is being created. You shouldn't need to call this as the
Authentication plugin takes care of creating Driver objects.
initialize
This method will be called right after a new Driver object is created.
So any startup customizations can be dealt with here.
options
This will return a list of options that were provided when this driver
was configured by the user.
authen
This will return the underlying
CGI::Application::Plugin::Authentication object. In most cases it will
not be necessary to access this.
find_option
This method will search the Driver options for a specific key and
return the value it finds.
verify_credentials
This method needs to be provided by the driver class. It needs to be
an object method that accepts a list of credentials, and will verify
that the credentials are valid, and return a username that will be used
to identify this login (usually you will just return the value of the
first credential, however you are not bound to that)..
filter
This method can be used to filter a field (usually password fields)
using a number of standard or custom encoding techniques. See the
section on Builtin Filters above to see what filters are available When
using a custom filter, you will need to provide a FILTERS option in the
configuration of the DRIVER (See the section on FIELD FILTERS above for
an example). By default, if no filter is specified, it is returned as
is. This means that you can run all fields through this function even
if they don't have any filters to simplify the driver code.
my $filtered = $self->filter('MD5_hex:password', 'foobar');
- or -
# custom filter
my $filtered = $self->filter('foobar:password', 'foo');
- or -
# effectively a noop
my $filtered = $self->filter('username', 'foo');
check_filtered
This method can be used to test filtered fields (usually password
fields) against a number of standard or custom encoding techniques.
The following encoding techniques are provided: plain, MD5, SHA1,
crypt. When using a custom encoder, you will need to provide it in the
configuration of the DRIVERS (See the section on ENCODED PASSWORDS
above for an example). By default, if no encoding is specified, it is
assumed to be 'plain'. This means that you can run all fields through
this function even if they don't have any encoding to simplify the
driver code.
my $verified = $self->check_filtered('MD5:password', 'foobar', 'OFj2IjCsPJFfMAxmQxLGPw');
- or -
# custom encoder
my $verified = $self->check_filtered('foobar:password', 'foo', 'bar');
- or -
# a field that isn't filtered (effectively just checks for equality on second and third args)
my $verified = $self->check_filtered('username', 'foobar', 'foobar');
my $verified = $self->check_filtered('plain:username', 'foobar', 'foobar');
strip_field_names
This method will take a field name (or list of names) and strip off the
leading encoding type. For example if you passed in 'MD5:password' the
method would return 'password'.
my $fieldname = $self->strip_field_names('MD5:password');
SEE ALSO
CGI::Application::Plugin::Authentication, perl(1)AUTHOR
Cees Hek <ceeshek@gmail.com>
LICENCE AND COPYRIGHT
Copyright (c) 2005, SiteSuite. All rights reserved.
This module is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.
DISCLAIMER OF WARRANTY
BECAUSE THIS SOFTWARE IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT
WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER
PARTIES PROVIDE THE SOFTWARE "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE IS WITH
YOU. SHOULD THE SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
NECESSARY SERVICING, REPAIR, OR CORRECTION.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE SOFTWARE AS PERMITTED BY THE ABOVE LICENCE, BE LIABLE
TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
SOFTWARE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE SOFTWARE TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
perl v5.14.1CGI::Application::Plugin::Authentication::Driver(3)