[Melbourne-pm] Perl web application framework recommendations

Scott Penrose scottp at dd.com.au
Tue Aug 17 17:58:02 CDT 2004



On 18/08/2004, at 6:58 AM, David Dick wrote:

>
>>>>> single sign on is a necessary thing sometimes though, and as 
>>>>> mentioned by paul the mod_perl.com example is a good one.  It just 
>>>>> depends on whether your application needs to jump across multiple 
>>>>> domains.
>>>>>
>>>> Actually using Basic Auth still allows single sign on. You simply 
>>>> check for that before returning the 401.
>>>
>>>
>>> my bad english... i meant single sign on for multiple servers...
>> Yeah, that is what I mean. Single sign on is usually done by adding a 
>> special header (ala passport).
>>> eg. get an auth ticket from security.example.com, and use it to visit 
>>> application.example.com and mail.example.com...
>> Exactly :-)
>
> Ok.  Happy to concede you've impressed the hell outta me.  You have 
> strange and mysterious powers beyond the ken of mortal man.  Can you 
> show me how the following should play out?
>
> GET / HTTP/1.1
> Host: london.gov.uk
>
> HTTP/1.1 401 Authorisation Required
> Content-Type: text/html
> WWW-Authenticate: Basic Realm="Rogue Robots"
>
> GET / HTTP/1.1
> Host: london.gov.uk
> Authorization: Basic cGVuZm9sZDpwZW5mb2xk
>
> HTTP/1.1 200 OK
> Content-Type: text/html
>
> GET /baron/greenback HTTP/1.1
> Host: london.gov.uk
> Authorization: Basic cGVuZm9sZDpwZW5mb2xk
>
> HTTP/1.1 200 OK
> Content-Type: text/html
>
> GET /silas/greenback HTTP/1.1
> Host: scotland.org
>
> HTTP/1.1 401 Authorisation Required
> Content-Type: text/html
> WWW-Authenticate: Basic Realm="Who Stole the Bagpipes?"
>
> GET /silas/greenback HTTP/1.1
> Host: scotland.org
> Authorization: Basic cGVuZm9sZDpwZW5mb2xk
>
> What did i miss?

It all depends how you do your single sign on.

The problem with single sign on is there is no easy / standard way of 
doing it due to the fact that you can't add headers or cookies globally 
across domains. Passport does this by altering IE so that it does send 
the passport key each time, which you can then lookup on a server to 
check it is valid.

That particular problem is not solved by or hindered by BasicAuth.

So for a simple example I am going to actually use a cookie in a URL...


> GET / HTTP/1.1
> Host: london.gov.uk
>
> HTTP/1.1 401 Authorisation Required
> Content-Type: text/html
> WWW-Authenticate: Basic Realm="Rogue Robots"
>
> GET / HTTP/1.1
> Host: london.gov.uk
> Authorization: Basic cGVuZm9sZDpwZW5mb2xk
>
> HTTP/1.1 200 OK
> Content-Type: text/html
>
> GET /baron/greenback HTTP/1.1
> Host: london.gov.uk
> Authorization: Basic cGVuZm9sZDpwZW5mb2xk
>
> HTTP/1.1 200 OK
> Content-Type: text/html
>
> GET /silas/greenback?mykey=ABC123 HTTP/1.1
> Host: scotland.org

The auth module does these three things:

	* Check cookie - if set and valid continue to next apache stage
	* Check URL for temporary cookie
		- If valid do a redirect including normal cookie for future requests
		(note we just need to check ABC123 is valid)
	* Finally, do a 401 Auth required if above two fail.

> HTTP/1.1 307 Moved Temporarily
> Location: http://scotland.org/silas/greenback
> Set-Cookie: auth=XYZ321; expires...
> Content-Type: text/html

(please note, my redirect above is just from my head and is probably 
wrong)

> What did i miss?

Only that an Auth Module is not REQUIRED to do Basic Auth. Apache does 
not distinguish between authentication types. Basic Auth (via 401) is 
only internal to that module. The standard apache module will return a 
401 unless there is a basic auth header. But that does not mean you 
have to do that.

The module I use does not do it the same way. In my case I use no 
cookies, and no special URLs, but instead the proxy (which has already 
authenticated the user) passes in an extra header containing the user's 
login name and customer name (or domain). The proxy only sends this 
header to trusted web servers, the web server only accepts the header 
from trusted proxy servers.

These are only two examples of many for single sign on.

My example uses a header each time and is not really a comparison to 
other systems.

The example I went through above is sort of a mix between Basic Auth 
and Cookie Authentication.

Scott
-- 
* - *  http://www.osdc.com.au - Open Source Developers Conference * - *
Scott Penrose
Anthropomorphic Personification Expert
http://search.cpan.org/search?author=SCOTT
scott at cpan.org

Dismaimer: While every attempt has been made to make sure that this 
email only contains zeros and ones, there has been no effort made to 
guarantee the quantity or the order.

Please do not send me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
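As an added example (not from the post, and not Scott's module), the three-step decision the auth module above makes, modelled in Python over plain request dictionaries rather than the Apache API. The `mykey` URL parameter, the `auth` cookie and the ticket/session values come from the exchange; the server-side ticket store, the single-use and expiry checks, and the cookie attributes are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse, urlunparse

# Constructed server-side state (hypothetical): session ids already issued,
# and short-lived one-shot tickets minted by the sign-on server.
SESSIONS = {"XYZ321": "penfold"}
TICKETS = {"ABC123": {"user": "penfold", "expires": 1_000_000_060}}


def mint_session(user):
    """Issue a fresh, unguessable session id bound to the user."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user
    return sid


def auth_handler(request, now=None):
    """The three checks from the post, in order; returns a response dict."""
    now = time.time() if now is None else now
    headers = request["headers"]

    # 1. Normal session cookie set and valid -> continue to the next stage.
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    if "auth" in jar and jar["auth"].value in SESSIONS:
        return {"status": 200, "user": SESSIONS[jar["auth"].value]}

    # 2. Temporary key in the URL -> validate it, issue the real cookie and
    #    redirect to the same URL with the key stripped, as the Location in
    #    the post does. The ticket is consumed on first use (assumption).
    url = urlparse(request["url"])
    key = parse_qs(url.query).get("mykey", [None])[0]
    ticket = TICKETS.pop(key, None) if key else None
    if ticket and ticket["expires"] > now:
        clean = urlunparse(url._replace(query=""))
        sid = mint_session(ticket["user"])
        return {"status": 307, "Location": clean,
                "Set-Cookie": f"auth={sid}; Path=/; HttpOnly; Secure"}

    # 3. Both failed -> demand credentials with a 401.
    return {"status": 401,
            "WWW-Authenticate": 'Basic realm="Who Stole the Bagpipes?"'}
```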



