NAME
Plack::Middleware::Auth::Negotiate - Negotiate authentication middleware (SPNEGO)
VERSION
version 0.172130
SYNOPSIS
    use Plack::Builder;
    my $app = sub { ... };
    builder {
        enable 'Auth::Negotiate', keytab => 'FILE:www.keytab';
        $app;
    };
DESCRIPTION
Plack::Middleware::Auth::Negotiate provides Negotiate (SPNEGO) authentication for your Plack application (for use with Kerberos).
This is a very alpha module, and I am still testing some of the security corner cases. Help wanted.
CONFIGURATION
keytab: path to the keytab to use. This value is set as $ENV{KRB5_KTNAME} if provided.
Note that there is no option for matching URLs. You can do this yourself with Plack::Middleware::Conditional's enable_if syntax (for Plack::Builder).
TODO
More security testing.
Ability to specify a list of valid realms. If REALM.EXAMPLE.COM trusts REALM.FOOBAR.COM, and we don't want to allow REALM.FOOBAR.COM users, we have to check after accepting the ticket.
Option to automatically trim the @REALM.EXAMPLE.COM portion of the user value.
Method to also provide Basic auth if Negotiate fails.
Some way to cooperate with other Auth middleware. enable_if is your best bet right now (with different URLs for each type of authentication, and writing a session).
Better interaction with Plack::Middleware::Session, since this authentication is slow in my experience.
Better implementation of the actual RFC.
Custom "Authorization Required" message
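Until a realm list option exists, the post-acceptance realm check from the TODO above can be done in a small middleware placed behind Auth::Negotiate, with enable_if limiting both to the protected URLs. This is an added example, not part of this module's code. It assumes the middleware leaves the accepted principal in $env->{REMOTE_USER} as "user@REALM"; the /private prefix, the allowed realm and the $realm_filter name are constructed for illustration.

```perl
use strict;
use warnings;
use Plack::Builder;

# Constructed values: the one realm this application accepts and the
# URL prefix that requires authentication.
my %ALLOWED_REALM = ('REALM.EXAMPLE.COM' => 1);
sub is_protected { $_[0]{PATH_INFO} =~ m{\A/private(?:/|\z)} }

# Hypothetical inline middleware. Assumption: Auth::Negotiate leaves the
# accepted principal in $env->{REMOTE_USER} as "user@REALM".
my $realm_filter = sub {
    my $app = shift;
    return sub {
        my $env = shift;
        my $principal = $env->{REMOTE_USER};
        # Realm is the text after the last "@"; a missing principal or
        # realm is treated as a failure (fail closed).
        my ($realm) = defined $principal ? $principal =~ /\@([^\@]+)\z/ : ();
        # Exact match: Kerberos realm names are case-sensitive.
        return $app->($env) if defined $realm && $ALLOWED_REALM{$realm};
        return [ 403, [ 'Content-Type' => 'text/plain' ], ["Forbidden\n"] ];
    };
};

my $app = sub {
    my $env = shift;
    my $who = $env->{REMOTE_USER} // 'anonymous';
    return [ 200, [ 'Content-Type' => 'text/plain' ], ["Hello, $who\n"] ];
};

builder {
    # First enabled is outermost: the ticket is accepted, then filtered.
    enable_if { is_protected($_[0]) } 'Auth::Negotiate',
        keytab => 'FILE:www.keytab';
    enable_if { is_protected($_[0]) } $realm_filter;
    $app;
};
```

With this ordering, a user from a trusted but unwanted realm such as REALM.FOOBAR.COM passes ticket validation and then receives 403 from the filter before the application runs.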
SEE ALSO
Plack, Plack::Builder, Plack::Middleware::Auth::Basic
GSSAPI, mod_auth_kerb
ACKNOWLEDGEMENTS
This code is based off of Plack::Middleware::Auth::Basic and a sample script provided with GSSAPI.
AUTHOR
Adrian Kreher <avuserow@cpan.org>
COPYRIGHT AND LICENSE
This software is Copyright (c) 2011 by Adrian Kreher <avuserow@cpan.org>.
This is free software, licensed under:
The (three-clause) BSD License