Add slave mechanism. Closes #222
This commit is contained in:
parent
846e9c3475
commit
9969dd69e2
@ -24,6 +24,7 @@ var helpCh={
|
||||
'authParams':'/pages/documentation/latest/start.html#authentication_users_and_password_databases',
|
||||
'authProxy':'/pages/documentation/latest/authproxy.html',
|
||||
'authRemote':'/pages/documentation/latest/authremote.html',
|
||||
'authSlave':'/pages/documentation/latest/authslave.html',
|
||||
'authSSL':'/pages/documentation/latest/authssl.html',
|
||||
'authTwitter':'/pages/documentation/latest/authtwitter.html',
|
||||
'cookies':'/pages/documentation/latest/ssocookie.html',
|
||||
|
@ -341,6 +341,7 @@ sub struct {
|
||||
dbi => ['dbiParams'],
|
||||
apache => ['apacheParams'],
|
||||
null => ['nullParams'],
|
||||
slave => ['slaveParams'],
|
||||
choice => [
|
||||
qw(ldapParams sslParams casParams remoteParams proxyParams openIdParams twitterParams dbiParams apacheParams nullParams choiceParams)
|
||||
],
|
||||
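Review bot: The `choice` sub-parameter list in this hunk still ends with `... dbiParams apacheParams nullParams choiceParams)` and does not mention `slaveParams`, even though the new `slave => ['slaveParams']` entry is added two lines above it; if that list is meant to enumerate every authentication module's parameters (as its contents suggest), the Slave backend will be missing when Choice is used. The fix is a one-word addition: `qw(ldapParams sslParams casParams remoteParams proxyParams openIdParams twitterParams dbiParams apacheParams nullParams slaveParams choiceParams)`. The enclosing `sub struct` begins and ends outside this hunk, so I cannot see whether the list is consumed elsewhere in a way that makes the omission deliberate.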
@ -572,6 +573,13 @@ sub struct {
|
||||
nullAuthnLevel => 'int:/nullAuthnLevel',
|
||||
},
|
||||
|
||||
# Slave
|
||||
slaveParams => {
|
||||
_nodes => [qw(slaveAuthnLevel)],
|
||||
_help => 'authSlave',
|
||||
slaveAuthnLevel => 'int:/slaveAuthnLevel',
|
||||
},
|
||||
|
||||
# Choice
|
||||
choiceParams => {
|
||||
_nodes => [qw(authChoiceParam n:authChoiceModules)],
|
||||
@ -1645,6 +1653,9 @@ sub testStruct {
|
||||
# Null
|
||||
nullAuthnLevel => $integer,
|
||||
|
||||
# Slave
|
||||
slaveAuthnLevel => $integer,
|
||||
|
||||
# Choice
|
||||
authChoiceParams => $testNotDefined,
|
||||
authChoiceModules => {
|
||||
@ -1878,6 +1889,7 @@ sub defaultConf {
|
||||
twitterAuthnLevel => 1,
|
||||
apacheAuthnLevel => 4,
|
||||
nullAuthnLevel => 0,
|
||||
slaveAuthnLevel => 2,
|
||||
|
||||
};
|
||||
}
|
||||
|
@ -1,117 +0,0 @@
|
||||
#!/usr/bin/perl
|
||||
|
||||
=pod
|
||||
|
||||
=head1 NON AUTHENTICATING PORTAL TO USE WITH OTHER WEB-SSO
|
||||
|
||||
If Lemonldap::NG has to operate with another Web-SSO without any interworking
|
||||
system, Lemonldap::NG can be used as slave.
|
||||
|
||||
Install :
|
||||
|
||||
=over
|
||||
|
||||
=item * Install and adapt this file in an area protected by the master SSO
|
||||
|
||||
=item * Use L<Lemonldap::NG::Handler::CDA> to protect Lemonldap::NG area if
|
||||
this area is not in the same DNS domain than the portal
|
||||
|
||||
=back
|
||||
|
||||
Authentication scheme :
|
||||
|
||||
=over
|
||||
|
||||
=item * a user that wants to access to a protected url, Lemonldap::NG::Handler
|
||||
redirect it to the portal
|
||||
|
||||
=item * the portal creates the Lemonldap::NG session with the parameters given
|
||||
by the master SSO
|
||||
|
||||
=item * the user is redirected to the wanted application. If it is not in the
|
||||
same domain, the handler detects the session id with the Lemonldap::NG
|
||||
cross-domain-authentication mechanism and generates the cookie
|
||||
|
||||
=back
|
||||
|
||||
=cut
|
||||
|
||||
use Lemonldap::NG::Portal::SharedConf;
|
||||
|
||||
my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
||||
{
|
||||
cda => 1,
|
||||
|
||||
# SUBROUTINES OVERLOAD
|
||||
# 2 cases :
|
||||
# 1 - If LDAP search is not needed (the master SSO gives all
|
||||
# that we need)
|
||||
extractFormInfo => sub { PE_OK },
|
||||
connectLDAP => sub { PE_OK },
|
||||
bind => sub { PE_OK },
|
||||
search => sub { PE_OK },
|
||||
setSessionInfo => sub {
|
||||
my $self = shift;
|
||||
|
||||
# TODO: You have to set $self->{sessionInfo}
|
||||
# hash table with user attributes
|
||||
# Example:
|
||||
# $self->{sessionInfo}->{uid} = $ENV{REMOTE_USER};
|
||||
PE_OK,;
|
||||
},
|
||||
unbind => sub { PE_OK },
|
||||
|
||||
# 2 - Else, LDAP will do its job, but we have to set UID or
|
||||
# what is needed by C<formateFilter> subroutine.
|
||||
extractFormInfo => sub {
|
||||
my $self = shift;
|
||||
|
||||
# EXAMPLE with $ENV{REMOTE_USER}
|
||||
$self->{user} = $ENV{REMOTE_USER};
|
||||
PE_OK;
|
||||
},
|
||||
|
||||
# In the 2 cases, authentication phase has to be avoided
|
||||
authenticate => sub { PE_OK },
|
||||
|
||||
# If no Lemonldap::NG protected application is in the same domaine than
|
||||
# the portal, it is recommended to not set a lemonldap::NG cookie in the
|
||||
# other domain :
|
||||
# Lemonldap::NG::Handler protect its cookie from remote application
|
||||
# (to avoid developers to spoof an identity), but the master SSO
|
||||
# will probably keep it.
|
||||
buildCookie => sub {
|
||||
my $self = shift;
|
||||
$self->{cookie} = $self->cookie(
|
||||
-name => $self->{cookieName},
|
||||
|
||||
# null value instead of de $self->{id}
|
||||
-value => '',
|
||||
-domain => $self->{domain},
|
||||
-path => "/",
|
||||
-secure => $self->{securedCookie},
|
||||
@_,
|
||||
);
|
||||
PE_OK;
|
||||
},
|
||||
}
|
||||
);
|
||||
|
||||
# Else, we process as usual, but without prompting users with a form
|
||||
|
||||
if ( $portal->process() ) {
|
||||
print $portal->header('text/html; charset=utf-8');
|
||||
print $portal->start_html;
|
||||
print "<h1>You are well authenticated !</h1>";
|
||||
print $portal->end_html;
|
||||
}
|
||||
else {
|
||||
print $portal->header('text/html; charset=utf-8');
|
||||
print $portal->start_html;
|
||||
print qq#<h2>Authentication failed</h2>
|
||||
Portal is not able to recognize you
|
||||
<br />
|
||||
Contact your administrator (Error: # . $portal->error . ')';
|
||||
print $portal->end_html;
|
||||
}
|
||||
1;
|
@ -83,7 +83,7 @@ __END__
|
||||
|
||||
=encoding utf8
|
||||
|
||||
Lemonldap::NG::Portal::Apache - Perl extension for building Lemonldap::NG
|
||||
Lemonldap::NG::Portal::AuthApache - Perl extension for building Lemonldap::NG
|
||||
compatible portals with Apache authentication.
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
@ -71,8 +71,8 @@ __END__
|
||||
|
||||
=encoding utf8
|
||||
|
||||
Lemonldap::NG::Portal::Apache - Perl extension for building Lemonldap::NG
|
||||
compatible portals with Apache authentication.
|
||||
Lemonldap::NG::Portal::AuthNull - Perl extension for building Lemonldap::NG
|
||||
compatible portals with no authentication.
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
|
@ -0,0 +1,96 @@
|
||||
##@file
|
||||
# Slave authentication backend file
|
||||
|
||||
##@class
|
||||
# Slave authentication backend class
|
||||
package Lemonldap::NG::Portal::AuthSlave;
|
||||
|
||||
use strict;
|
||||
use Lemonldap::NG::Portal::Simple;
|
||||
use Lemonldap::NG::Portal::AuthNull;
|
||||
|
||||
our $VERSION = '1.0.0';
|
||||
our @ISA = qw(Lemonldap::NG::Portal::AuthNull);
|
||||
|
||||
## @apmethod int setAuthSessionInfo()
|
||||
# Set _user value to 'anonymous' and authenticationLevel to 0
|
||||
# @return Lemonldap::NG::Portal constant
|
||||
sub setAuthSessionInfo {
|
||||
my $self = shift;
|
||||
|
||||
$self->{sessionInfo}->{'_user'} = 'anonymous';
|
||||
$self->{sessionInfo}->{authenticationLevel} = $self->{slaveAuthnLevel};
|
||||
|
||||
PE_OK;
|
||||
}
|
||||
|
||||
1;
|
||||
__END__
|
||||
|
||||
=head1 NAME
|
||||
|
||||
=encoding utf8
|
||||
|
||||
Lemonldap::NG::Portal::AuthSlave - Perl extension for building Lemonldap::NG
|
||||
compatible portals with Apache authentication.
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
use Lemonldap::NG::Portal::SharedConf;
|
||||
my $portal = new Lemonldap::NG::Portal::Simple(
|
||||
configStorage => {...}, # See Lemonldap::NG::Portal
|
||||
authentication => 'Slave',
|
||||
);
|
||||
|
||||
if($portal->process()) {
|
||||
# Write here the menu with CGI methods. This page is displayed ONLY IF
|
||||
# the user was not redirected here.
|
||||
print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))
|
||||
print "...";
|
||||
|
||||
# or redirect the user to the menu
|
||||
print $portal->redirect( -uri => 'https://portal/menu');
|
||||
}
|
||||
else {
|
||||
print $portal->header('text/html; charset=utf8'); # DON'T FORGET THIS (see CGI(3))
|
||||
print "<html><body><h1>Unable to work</h1>";
|
||||
print "This server isn't well configured. Contact your administrator.";
|
||||
print "</body></html>";
|
||||
}
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
This library just overload few methods of Lemonldap::NG::Portal::Simple to
|
||||
create sessions for anonymous users.
|
||||
|
||||
See L<Lemonldap::NG::Portal::Simple> for usage and other methods.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<Lemonldap::NG::Portal>, L<Lemonldap::NG::Portal::Simple>,
|
||||
L<http://lemonldap-ng.org/>
|
||||
|
||||
=head1 AUTHOR
|
||||
|
||||
Clement Oudot, E<lt>clement@oodo.netE<gt>
|
||||
|
||||
=head1 BUG REPORT
|
||||
|
||||
Use OW2 system to report bug or ask for features:
|
||||
L<http://jira.ow2.org>
|
||||
|
||||
=head1 DOWNLOAD
|
||||
|
||||
Lemonldap::NG is available at
|
||||
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
||||
|
||||
=head1 COPYRIGHT AND LICENSE
|
||||
|
||||
Copyright (C) 2010 by Clement Oudot
|
||||
|
||||
This library is free software; you can redistribute it and/or modify
|
||||
it under the same terms as Perl itself, either Perl version 5.10.0 or,
|
||||
at your option, any later version of Perl 5 you may have available.
|
||||
|
||||
=cut
|
||||
|
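Review bot: The header comment above `setAuthSessionInfo` says the method sets "authenticationLevel to 0", but the body assigns `$self->{slaveAuthnLevel}`; it should read `# Set _user value to 'anonymous' and authenticationLevel to slaveAuthnLevel`. The POD below `__END__` is copied from the Apache/Null modules: NAME describes "Apache authentication" and DESCRIPTION says the module creates sessions for anonymous users, neither of which describes this backend. Because this method never fails and `_user` is hard-wired to `'anonymous'`, every request reaching the portal is accepted, so the POD should carry the deployment constraint the deleted example script stated (the portal area must only be reachable through the master SSO that supplies the headers), since nothing in this module enforces it. Two smaller points: `use warnings;` is missing beside `use strict;`, and the SYNOPSIS uses indirect-object `new Lemonldap::NG::Portal::Simple(...)` where `Lemonldap::NG::Portal::Simple->new(...)` is the conventional form.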
@ -0,0 +1,30 @@
|
||||
## @file
|
||||
# Slave userDB mechanism
|
||||
|
||||
## @class
|
||||
# Slave userDB mechanism class
|
||||
package Lemonldap::NG::Portal::UserDBSlave;
|
||||
|
||||
use strict;
|
||||
use Lemonldap::NG::Portal::Simple;
|
||||
use Lemonldap::NG::Portal::UserDBNull;
|
||||
|
||||
our $VERSION = '1.0.0';
|
||||
our @ISA = qw(Lemonldap::NG::Portal::UserDBNull);
|
||||
|
||||
## @apmethod int setSessionInfo()
|
||||
# Search exportedVars values in HTTP headers.
|
||||
# @return Lemonldap::NG::Portal constant
|
||||
sub setSessionInfo {
|
||||
my $self = shift;
|
||||
my $c = 0;
|
||||
while ( my ( $k, $v ) = each %{ $self->{exportedVars} } ) {
|
||||
$v = 'HTTP_' . uc($v);
|
||||
$v =~ s/\-/_/g;
|
||||
$self->{sessionInfo}->{$k} = $ENV{$v} and $c++;
|
||||
}
|
||||
return ( $c ? PE_OK : PE_USERNOTFOUND );
|
||||
}
|
||||
|
||||
1;
|
||||
|
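Review bot: `setSessionInfo` copies `$ENV{HTTP_*}` values into the session exactly as received, with no check that the request was relayed by the master SSO, so the correctness of the resulting session rests entirely on the web-server deployment; the method comment should say so, e.g. `# Header values are trusted as-is: this portal must only be reachable through the master SSO that sets them.`, and a configurable check of the upstream address would be a sensible follow-up. The line `$self->{sessionInfo}->{$k} = $ENV{$v} and $c++;` is also easy to misread: the low-precedence `and` makes the assignment happen first, and `$c` is bumped only when the stored value is true, so a header legitimately carrying `0` is stored yet not counted and can still produce `PE_USERNOTFOUND`; an explicit defined-check states the intent and only counts headers that are actually present (hedged: I am assuming an absent header should not leave an `undef` entry in `sessionInfo`). `use warnings;` is also missing beside `use strict;` in the new file.
```perl
    while ( my ( $k, $v ) = each %{ $self->{exportedVars} } ) {
        # CGI exposes "X-Foo" as $ENV{HTTP_X_FOO}
        my $header = 'HTTP_' . uc($v);
        $header =~ s/-/_/g;
        next unless defined $ENV{$header};
        $self->{sessionInfo}->{$k} = $ENV{$header};
        $c++;
    }
    # … unchanged: return ( $c ? PE_OK : PE_USERNOTFOUND ); …
```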