Plack::Middleware::Auth::Negotiate - Negotiate authentication middleware (SPNEGO)
version 0.172130
    use Plack::Builder;
    my $app = sub { ... };
    builder {
        enable 'Auth::Negotiate', keytab => 'FILE:www.keytab';
        $app;
    };
Plack::Middleware::Auth::Negotiate provides Negotiate (SPNEGO) authentication for your Plack application (for use with Kerberos).
This is a very alpha module, and I am still testing some of the security corner cases. Help wanted.
- keytab: path to the keytab to use. This value is set as $ENV{KRB5_KTNAME} if provided.
Note that there is no option for matching URLs. You can do this yourself with Plack::Middleware::Conditional's enable_if syntax (for Plack::Builder).
- More security testing.
- Ability to specify a list of valid realms. If REALM.EXAMPLE.COM trusts REALM.FOOBAR.COM, and we don't want to allow REALM.FOOBAR.COM users, we have to check after accepting the ticket.
- Option to automatically trim the @REALM.EXAMPLE.COM portion of the user value.
- Method to also provide Basic auth if Negotiate fails.
- Some way to cooperate with other Auth middleware. enable_if is your best bet right now (with different URLs for each type of authentication, and writing a session).
- Better interaction with Plack::Middleware::Session, since this authentication is slow in my experience.
- Better implementation of the actual RFC.
- Custom "Authorization Required" message
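Until the realm options above exist, the realm check and the trimming can be done in a small middleware placed after Auth::Negotiate. This is an added example, not code from the module: it assumes the accepted principal is left in `$env->{REMOTE_USER}` in the form `user@REALM`, and `split_principal` and the `example.krb5_principal` key are hypothetical names.

```perl
use strict;
use warnings;
use Plack::Builder;

# Constructed allowlist, using the realm names from the text above.
# Kerberos realm names are case-sensitive, so the match is exact.
my %ALLOWED_REALM = map { $_ => 1 } qw(REALM.EXAMPLE.COM);

# Split "user@REALM" into (user, realm). Returns an empty list for anything
# that is not a well-formed principal, so the caller fails closed.
sub split_principal {
    my ($principal) = @_;
    return unless defined $principal;
    return unless $principal =~ /\A([^\@\s]+)\@([A-Za-z0-9.-]+)\z/;
    return ($1, $2);
}

# Inline middleware: runs after the ticket has been accepted and rejects
# principals from realms that are trusted by the KDC but not wanted here.
my $realm_check = sub {
    my $app = shift;
    return sub {
        my $env = shift;
        my ($user, $realm) = split_principal($env->{REMOTE_USER});
        unless (defined $realm && $ALLOWED_REALM{$realm}) {
            return [403, ['Content-Type' => 'text/plain'], ["Forbidden\n"]];
        }
        # Keep the full principal for logging, then expose the short name.
        # Trimming is only unambiguous while a single realm is allowed.
        $env->{'example.krb5_principal'} = $env->{REMOTE_USER};
        $env->{REMOTE_USER} = $user;
        return $app->($env);
    };
};

my $app = sub {
    my $env = shift;
    return [200, ['Content-Type' => 'text/plain'],
            ["Hello, $env->{REMOTE_USER}\n"]];
};

# Middleware enabled first is outermost, so Auth::Negotiate runs before
# the realm check sees the request.
builder {
    enable 'Auth::Negotiate', keytab => 'FILE:www.keytab';
    enable $realm_check;
    $app;
};
```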
Plack, Plack::Builder, Plack::Middleware::Auth::Basic
GSSAPI, mod_auth_kerb
This code is based off of Plack::Middleware::Auth::Basic and a sample script provided with GSSAPI.
Adrian Kreher
This software is Copyright (c) 2011 by Adrian Kreher.
This is free software, licensed under:
The (three-clause) BSD License