1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
#!/usr/bin/perl
=pod
=head1 NON AUTHENTICATING PORTAL TO USE WITH OTHER WEB-SSO
If Lemonldap::NG has to operate with another Web-SSO without any interworking
system, Lemonldap::NG can be used as slave.
Install :
=over
=item * Install and adapt this file in an area protected by the master SSO
=item * Use L<Lemonldap::NG::Handler::CDA> to protect Lemonldap::NG area if
this area is not in the same DNS domain than the portal
=back
Authentication scheme :
=over
=item * a user that wants to access to a protected url, Lemonldap::NG::Handler
redirect it to the portal
=item * the portal creates the Lemonldap::NG session with the parameters given
by the master SSO
=item * the user is redirected to the wanted application. If it is not in the
same domain, the handler detects the session id with the Lemonldap::NG
cross-domain-authentication mechanism and generates the cookie
=back
=cut
use Lemonldap::NG::Portal::SharedConf;
my $portal = Lemonldap::NG::Portal::SharedConf->new(
{
cda => 1,
# SUBROUTINES OVERLOAD
# 2 cases :
# 1 - If LDAP search is not needed (the master SSO gives all
# that we need)
extractFormInfo => sub { PE_OK },
connectLDAP => sub { PE_OK },
bind => sub { PE_OK },
search => sub { PE_OK },
setSessionInfo => sub {
my $self = shift;
# TODO: You have to set $self->{sessionInfo}
# hash table with user attributes
# Example:
# $self->{sessionInfo}->{uid} = $ENV{REMOTE_USER};
PE_OK,;
},
unbind => sub { PE_OK },
# 2 - Else, LDAP will do its job, but we have to set UID or
# what is needed by C<formateFilter> subroutine.
extractFormInfo => sub {
my $self = shift;
# EXAMPLE with $ENV{REMOTE_USER}
$self->{user} = $ENV{REMOTE_USER};
PE_OK;
},
# In the 2 cases, authentication phase has to be avoided
authenticate => sub { PE_OK },
# If no Lemonldap::NG protected application is in the same domaine than
# the portal, it is recommended to not set a lemonldap::NG cookie in the
# other domain :
# Lemonldap::NG::Handler protect its cookie from remote application
# (to avoid developers to spoof an identity), but the master SSO
# will probably keep it.
buildCookie => sub {
my $self = shift;
$self->{cookie} = $self->cookie(
-name => $self->{cookieName},
# null value instead of de $self->{id}
-value => '',
-domain => $self->{domain},
-path => "/",
-secure => $self->{securedCookie},
@_,
);
PE_OK;
},
}
);
# Else, we process as usual, but without prompting users with a form
if ( $portal->process() ) {
print $portal->header('text/html; charset=utf-8');
print $portal->start_html;
print "<h1>You are well authenticated !</h1>";
print $portal->end_html;
}
else {
print $portal->header('text/html; charset=utf-8');
print $portal->start_html;
print qq#<h2>Authentication failed</h2>
Portal is not able to recognize you
<br />
Contact your administrator (Error: # . $portal->error . ')';
print $portal->end_html;
}
1;
|
