Skip to content
This repository has been archived by the owner on Jan 24, 2023. It is now read-only.

sophos/Plack-Middleware-Auth-Negotiate

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

NAME

Plack::Middleware::Auth::Negotiate - Negotiate authentication middleware (SPNEGO)

VERSION

version 0.172130

SYNOPSIS

use Plack::Builder;
my $app = sub { ... };

builder {
    enable 'Auth::Negotiate', keytab => 'FILE:www.keytab';
    $app;
};

DESCRIPTION

Plack::Middleware::Auth::Negotiate provides Negotiate (SPNEGO) authentication for your Plack application (for use with Kerberos).

This is a very alpha module, and I am still testing some of the security corner cases. Help wanted.

CONFIGURATION

  • keytab: path to the keytab to use. This value is set as $ENV{KRB5_KTNAME} if provided.

Note that there is no option for matching URLs. You can do this yourself with Plack::Middleware::Conditional's enable_if syntax (for Plack::Builder).

TODO

  • More security testing.
  • Ability to specify a list of valid realms. If REALM.EXAMPLE.COM trusts REALM.FOOBAR.COM, and we don't want to allow REALM.FOOBAR.COM users, we have to check after accepting the ticket.
  • Option to automatically trim the @REALM.EXAMPLE.COM portion of the user value.
  • Method to also provide Basic auth if Negotiate fails.
  • Some way to cooperate with other Auth middleware. enable_if is your best bet right now (with different URLs for each type of authentication, and writing a session).
  • Better interaction with Plack::Middleware::Session, since this authentication is slow in my experience.
  • Better implementation of the actual RFC.
  • Custom "Authorization Required" message

SEE ALSO

Plack, Plack::Builder, Plack::Middleware::Auth::Basic

GSSAPI, mod_auth_kerb

ACKNOWLEDGEMENTS

This code is based off of Plack::Middleware::Auth::Basic and a sample script provided with GSSAPI.

AUTHOR

Adrian Kreher [email protected]

COPYRIGHT AND LICENSE

This software is Copyright (c) 2011 by Adrian Kreher [email protected].

This is free software, licensed under:

The (three-clause) BSD License