Mojolicious::Plugin::SPNEGO

use Mojolicious::Lite;

my $SERVER = $ENV{AD_SERVER} // die "AD_SERVER env variable not set";

app->secrets(['My secret passphrase here']);

plugin 'SPNEGO', ad_server => $SERVER;

get '/' => sub {
   my $c = shift;
   if (not $c->session('user')){
       $c->ntlm_auth({
           auth_success_cb => sub {
               my $c = shift;
               my $user = shift;
               my $ldap = shift; # bound Net::LDAP::SPNEGO connection
               $c->session('user',$user->{samaccountname});
               $c->session('name',$user->{displayname});
               my $groups = $ldap->get_ad_groups($user->{samaccountname});
               $c->session('groups',[ sort keys %$groups]);
               return 1;
           }
       }) or return;
   }
} => 'index';

app->start;

__DATA__

@@ index.html.ep
<!DOCTYPE html>
<html>
<head>
<title>NTLM Auth Test</title>
</head>
<body>
<h1>Hello <%= session 'name' %></h1>
<div>Your account '<%= session 'user' %>' belongs to the following groups:</div>
<ul>
% for my $group (@{session 'groups' }) {
   <li>'<%= $group %>'</li>
% }
</ul>
</body>
</html>

DESCRIPTION

Mojolicious::Plugin::SPNEGO lets you provide NTLM single sign-on (SSO) by using an Active Directory server as the authentication provider. The plugin uses the Net::LDAP::SPNEGO module.

When loading the plugin, default values for the helpers can be configured:

plugin 'SPNEGO', ad_server => $SERVER;

or

$app->plugin('SPNEGO',ad_server => $SERVER);

The plugin provides the following helper method:

$c->ntlm_auth(ad_server => $AD_SERVER, auth_success_cb => $cb)

The ntlm_auth method runs an NTLM authentication dialog with the browser by forwarding the tokens coming from the browser to the AD server specified in the ad_server argument.

If an auth_success_cb is specified, it is executed once the NTLM dialog has completed successfully. Depending on the return value of the callback, the entire process is considered successful or not.

Since NTLM authentication is rather complex, you may want to save authentication success in a cookie.

Note that Windows will only do automatic NTLM SSO with hosts in the local zone, so you may have to add your web server to this group of machines in the Internet Settings dialog.
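As an added example (not the module's own code), the following Mojolicious::Lite application uses the callback's return value to gate access on group membership: a valid Windows login that is not in the required group makes the callback return false, so the plugin treats the whole dialog as failed and no session is created. It assumes the plugin is loaded as in the Synopsis, that $ldap->get_ad_groups returns a hashref keyed by group name, and that ntlm_auth returns false whenever it has not authenticated the user (dialog still in progress, or callback rejected), mirroring the Synopsis's `or return`; the group name WebApp-Users is a placeholder.

```perl
use Mojolicious::Lite;

# Added example, not the module's own code. Assumes the plugin is loaded as
# in the Synopsis and that $ldap->get_ad_groups returns a hashref keyed by
# group name. The group name is a placeholder; adapt it to your directory.
my $SERVER         = $ENV{AD_SERVER} // die "AD_SERVER env variable not set";
my $REQUIRED_GROUP = 'WebApp-Users';

app->secrets(['change this secret before deploying']);
plugin 'SPNEGO', ad_server => $SERVER;

get '/' => sub {
    my $c = shift;
    if (not $c->session('user')) {
        $c->ntlm_auth({
            auth_success_cb => sub {
                my ($c, $user, $ldap) = @_;
                my $groups = $ldap->get_ad_groups($user->{samaccountname});
                # A false return makes the plugin treat the whole dialog as
                # failed, so a valid login outside the group gets no session.
                return 0 unless exists $groups->{$REQUIRED_GROUP};
                # Authentication success is kept in the signed session cookie,
                # so the NTLM dialog is not repeated on every request.
                $c->session(
                    user   => $user->{samaccountname},
                    name   => $user->{displayname},
                    groups => [ sort keys %$groups ],
                );
                return 1;
            },
        }) or return;    # assumption: false = not authenticated (yet)
    }
    $c->render(text => sprintf "Hello %s, your groups: %s\n",
        $c->session('name'), join ', ', @{ $c->session('groups') });
};

app->start;
```

The group check belongs inside the callback rather than in the route body: that way the decision is made before anything is written to the session, and a rejected user never gets a cookie that later code might mistake for a login.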

EXAMPLE

The included example script eg/demo.pl shows how to use the plugin to implement NTLM authentication for a Mojolicious::Lite web application.

Use the following steps to run the demo:

$ perl Makefile.PL
$ make 3rd
$ env AD_SERVER=ad-server.example.com ./eg/demo.pl daemon

Now connect with your web browser to the web server running on port 3000. If you log in from a Windows host and the URL you are connecting to resides in the local zone, you will see (or rather not see) seamless authentication taking place. Finally a web page will be displayed showing a list of groups you are a member of.

The demo script stores your authentication in a cookie in your browser, so once you are authenticated, you will have to restart the browser or remove the cookie to force another authentication.

COPYRIGHT

Copyright OETIKER+PARTNER AG 2016. All rights reserved.

LICENSE

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

AUTHOR

Tobias Oetiker, [email protected]

HISTORY

2016-08-21 to 0.1.0 initial version

Contributors

manwar, oetiker, tomk3003

mojolicious-plugin-spnego's Issues

example fails with "Can't use string ("1/8") as a HASH ref"

running the example from the Synopsis gives:

[Tue Oct 18 13:28:16 2016] [error] Can't use string ("1/8") as a HASH ref while "strict refs" in use at C:/Progs/Perl5222/perl/site/lib/Mojolicious/Plugin/SPNEGO.pm line 22, <DATA> line 755.

This is due to line 17:

my $helper_cfg = ref ${_}[0] ? %{${_}[0]} : { @_ };

which should be

my $helper_cfg = ref ${_}[0] ? ${_}[0] : { @_ };

How to configure for strengthened AD LDAP

How to configure things when AD servers are updated with the GPO policy "Require NTLMv2 session security, Require 128-bit encryption"? This was done recently and the plugin stopped working. I tried to enable TLS and this stops the error which mentions this particular change, but it doesn't work, and I suspect that something needs to be done to address this server change?

Unable to re-use auth code in full Mojo App

In a full Mojo App, the example code works well if copied inside each controller. However, I can't figure out how to call it during application startup. For example, in my startup:

my $r = $self->routes;
$r->get('/')->to('NP#index');

my $auth = $r->under('/' => sub ($c) {
    # Authenticated
    return 1 if $self->session('user');
    # NTLM Auth
    $c->ntlm_auth({
        auth_success_cb => sub {
            my $c = shift;
            my $user = shift;
            my $ldap = shift; # bound Net::LDAP::SPNEGO connection
            $c->session('user',$user->{samaccountname});
            $c->session('name',$user->{displayname});
            my $groups = $ldap->get_ad_groups($user->{samaccountname});
            $c->session('groups',[ sort keys %$groups]);
            return 1;
        }
    });
    # Not authenticated
    $c->render(text => "You're not Authenticated", status => 401);
    return undef;
});

$auth->post('/')->to('NP#search');

When I perform POST, no authentication occurs and I get the following errors:

Mojo::Reactor::Poll: I/O watcher failed: A response has already been rendered at /Users/hq/perl5/lib/perl5/Mojolicious/Controller.pm line 154.
[2023-04-12 13:22:21.71712] [84671] [trace] Inactivity timeout

If I comment-out the $c->render line, authentication occurs, but I get:

 Nothing has been rendered, expecting delayed response

and no results are rendered.

Would you kindly point me to where I've gone wrong?

Thank you!
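The same flow in a full Mojolicious application, as an added example that is neither the project's nor the reporter's code: the session check and the helper call both go on the controller object the under callback receives, and the under only renders its own 401 when nothing has been rendered yet. It assumes that ntlm_auth returns false whenever it has not (yet) authenticated the user, and that when the helper has sent the NTLM challenge itself the status code is already set on $c->res; the names MyApp and NP are placeholders.

```perl
package MyApp;
use Mojo::Base 'Mojolicious';

# Added example, not the project's or the reporter's code. MyApp and NP are
# placeholder names.
sub startup {
    my $self = shift;

    $self->secrets(['change this secret before deploying']);
    $self->plugin('SPNEGO',
        ad_server => $ENV{AD_SERVER} // die "AD_SERVER env variable not set");

    my $r = $self->routes;

    # The under callback receives the request's controller object; the
    # session lives there, not on the application object ($self).
    my $auth = $r->under('/' => sub {
        my $c = shift;
        return 1 if $c->session('user');

        my $ok = $c->ntlm_auth({
            auth_success_cb => sub {
                my ($c, $user, $ldap) = @_;
                $c->session(user => $user->{samaccountname});
                return 1;
            },
        });
        return 1 if $ok;

        # Assumption: when the helper returns false it has usually already
        # sent the NTLM challenge, so $c->res->code is set. Rendering our own
        # 401 only when nothing has been rendered avoids "A response has
        # already been rendered" on the challenge round trips, and avoids a
        # request that hangs with "expecting delayed response" when the
        # dialog failed without sending anything.
        $c->render(text => "You're not authenticated", status => 401)
            unless $c->res->code;
        return 0;    # stop dispatch; routes under $auth are not reached
    });

    $auth->get('/')->to('NP#index');
    $auth->post('/')->to('NP#search');
}

package MyApp::Controller::NP;
use Mojo::Base 'Mojolicious::Controller';

sub index {
    my $c = shift;
    $c->render(text => 'Hello ' . $c->session('user'));
}

sub search {
    my $c = shift;
    $c->render(text => 'Searching as ' . $c->session('user'));
}

package main;
use Mojolicious::Commands;

# Run with: env AD_SERVER=ad-server.example.com perl this_script.pl daemon
Mojolicious::Commands->start_app('MyApp');
```

Putting both the GET and the POST route under $auth means a POST that arrives without a session is challenged the same way as a GET; the browser's NTLM round trips then complete before the search action ever runs.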
