Secure Token Handler
====================

Presentation
------------

The Secure Token Handler is a special Handler that creates a token for
each request and sends it to the protected application. The real user
identifier is stored in a Memcached server, and the protected application
queries the Memcached server to retrieve the user identifier.

This mechanism allows one to protect an application when the link between
the Handler and the application is unsafe but the link between the
Memcached server and the application is safe: only the per-request token
travels over the unsafe link.

Configuration
-------------

Install the Cache::Memcached Perl dependency.

Virtual host
~~~~~~~~~~~~

You just have to set "Type: SecureToken" in the VirtualHost options in
the Manager.

If you want to protect only a part of a virtualHost, keep the type on
"Main" and set the type in your configuration file:

- Apache: simply use ``PerlSetVar VHOSTTYPE SecureToken``
- Nginx: create another FastCGI with
  ``fastcgi_param VHOSTTYPE SecureToken;``

.. important::

    This handler uses the Apache2Filter module to hide the token; prefer
    :doc:`Handling server webservice calls<servertoserver>` for other
    servers.

Handler parameters
~~~~~~~~~~~~~~~~~~

SecureToken parameters are the following:

- **Memcached servers**: addresses of the Memcached servers, separated
  with spaces.
- **Token expiration**: token lifetime in seconds (after which the token
  is removed from the Memcached server).
- **Attribute to store**: the session key whose value will be stored in
  Memcached.
- **Protected URLs**: regexps of the URLs for which the secure token will
  be sent, separated by spaces.
- **Header name**: name of the HTTP header carrying the secure token.
- **Allow requests in error**: allow a request for which token generation
  failed to be forwarded to the protected application without a secure
  token (default: yes).

.. important::

    Due to the Handler API change in 1.9, you need to set these
    attributes in ``lemonldap-ng.ini`` and not in the Manager, for example:

    .. code:: ini

        [handler]
        secureTokenMemcachedServers = 127.0.0.1:11211
        secureTokenExpiration = 60
        secureTokenAttribute = uid
        secureTokenUrls = .*
        secureTokenHeader = Auth-Token
        secureTokenAllowOnError = 1
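The per-request token exchange described in Presentation, driven by the parameters listed above, as an added example that is not part of the LemonLDAP::NG documentation or code: a Python model of the Handler side and the protected-application side, using a constructed in-memory stand-in for the Memcached server (same ``set``/``get`` shape as Cache::Memcached) with an injectable clock so token expiry can be observed offline. Class and function names are assumptions.

```python
import re
import secrets
import time


class FakeMemcached:
    """Constructed in-memory stand-in for the Memcached server (not a real client)."""

    def __init__(self, clock=time.monotonic):
        self._store = {}   # token -> (value, absolute expiry time)
        self._clock = clock

    def set(self, key, value, expire):
        self._store[key] = (value, self._clock() + expire)

    def get(self, key):
        entry = self._store.get(key)
        if entry is None or self._clock() >= entry[1]:
            self._store.pop(key, None)  # expired token: forgotten, as the TTL intends
            return None
        return entry[0]


class SecureTokenHandler:
    """Handler side: one fresh token per request; the real identifier stays in Memcached."""

    def __init__(self, cache, expiration=60, attribute="uid", urls=(".*",),
                 header="Auth-Token", allow_on_error=True):
        self.cache, self.expiration, self.attribute = cache, expiration, attribute
        self.urls = [re.compile(u) for u in urls]       # secureTokenUrls
        self.header, self.allow_on_error = header, allow_on_error

    def forward_headers(self, session, url):
        """Headers the Handler adds to the request sent to the protected application."""
        if not any(u.search(url) for u in self.urls):
            return {}  # URL not protected: no token is issued
        try:
            token = secrets.token_urlsafe(32)  # unguessable, valid for one request window
            self.cache.set(token, session[self.attribute], self.expiration)
        except Exception:
            if self.allow_on_error:
                return {}  # secureTokenAllowOnError = 1: forward without a token
            raise
        return {self.header: token}


def resolve_user(cache, headers, header="Auth-Token"):
    """Protected-application side: exchange the header token for the stored identifier."""
    token = headers.get(header)
    return cache.get(token) if token else None
```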