line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
|
2
|
|
|
|
|
|
|
=head1 NAME |
3
|
|
|
|
|
|
|
|
4
|
|
|
|
|
|
|
WebService::TicketAuth - Ticket-based authentication module for SOAP services |
5
|
|
|
|
|
|
|
|
6
|
|
|
|
|
|
|
=head1 SYNOPSIS |
7
|
|
|
|
|
|
|
|
8
|
|
|
|
|
|
|
@WebService::MyService::ISA = qw(WebService::TicketAuth); |
9
|
|
|
|
|
|
|
|
10
|
|
|
|
|
|
|
=head1 DESCRIPTION |
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
B is an authentication system for SOAP-based web |
13
|
|
|
|
|
|
|
services, that provides a signature token (like a cookie) to the client |
14
|
|
|
|
|
|
|
that it can use for further interactions with the server. This means |
15
|
|
|
|
|
|
|
that the user can login and establish their credentials for their |
16
|
|
|
|
|
|
|
session, then use various tools without having to provide a password for |
17
|
|
|
|
|
|
|
each operation. Sessions can be timed out, to mitigate against a ticket |
18
|
|
|
|
|
|
|
being used inappropriately. |
19
|
|
|
|
|
|
|
|
20
|
|
|
|
|
|
|
This is similar in philosophy to authenticated web sessions where the |
21
|
|
|
|
|
|
|
user logs in and gains a cookie that it can use for further |
22
|
|
|
|
|
|
|
interactions. For example, see Apache::AuthTicket. However, such |
23
|
|
|
|
|
|
|
systems require a web server such as Apache to handle the |
24
|
|
|
|
|
|
|
authentication. This module provides a mechanism that can be used |
25
|
|
|
|
|
|
|
outside of a web server. In particular, it is designed for use with |
26
|
|
|
|
|
|
|
a SOAP daemon architecture. |
27
|
|
|
|
|
|
|
|
28
|
|
|
|
|
|
|
This module was originally developed by Paul Kulchenko in 2001. See |
29
|
|
|
|
|
|
|
guide.soaplite.com for more info. |
30
|
|
|
|
|
|
|
|
31
|
|
|
|
|
|
|
=head1 FUNCTIONS |
32
|
|
|
|
|
|
|
|
33
|
|
|
|
|
|
|
=cut |
34
|
|
|
|
|
|
|
|
35
|
|
|
|
|
|
|
package WebService::TicketAuth; |
36
|
|
|
|
|
|
|
|
37
|
|
|
|
|
|
|
# we will need to manage Header information to get a ticket |
38
|
|
|
|
|
|
|
@WebService::TicketAuth::ISA = qw(SOAP::Server::Parameters); |
39
|
|
|
|
|
|
|
|
40
|
1
|
|
|
1
|
|
29586
|
use strict; |
|
1
|
|
|
|
|
3
|
|
|
1
|
|
|
|
|
46
|
|
41
|
1
|
|
|
1
|
|
6
|
use Digest::MD5 qw(md5); |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
82
|
|
42
|
|
|
|
|
|
|
|
43
|
1
|
|
|
1
|
|
7
|
use vars qw($VERSION %FIELDS); |
|
1
|
|
|
|
|
5
|
|
|
1
|
|
|
|
|
206
|
|
44
|
|
|
|
|
|
|
our $VERSION = '1.05'; |
45
|
|
|
|
|
|
|
|
46
|
1
|
|
|
|
|
9
|
use fields qw( |
47
|
|
|
|
|
|
|
_error_msg |
48
|
|
|
|
|
|
|
_debug |
49
|
1
|
|
|
1
|
|
1112
|
); |
|
1
|
|
|
|
|
2131
|
|
50
|
|
|
|
|
|
|
|
51
|
|
|
|
|
|
|
my $calculateAuthInfo = sub { |
52
|
|
|
|
|
|
|
return md5(join '', 'WebService::TicketAuth', $VERSION, @_); |
53
|
|
|
|
|
|
|
}; |
54
|
|
|
|
|
|
|
|
55
|
|
|
|
|
|
|
my $makeAuthInfo = sub { |
56
|
|
|
|
|
|
|
my $username = shift; |
57
|
|
|
|
|
|
|
my $duration = shift || 20*60; |
58
|
|
|
|
|
|
|
|
59
|
|
|
|
|
|
|
if (! $username) { |
60
|
|
|
|
|
|
|
return undef; |
61
|
|
|
|
|
|
|
} |
62
|
|
|
|
|
|
|
|
63
|
|
|
|
|
|
|
# Length of time signature will be valid |
64
|
|
|
|
|
|
|
my $time = time() + $duration; |
65
|
|
|
|
|
|
|
|
66
|
|
|
|
|
|
|
# Create the signature |
67
|
|
|
|
|
|
|
my $signature = $calculateAuthInfo->($username, $time); |
68
|
|
|
|
|
|
|
|
69
|
|
|
|
|
|
|
return +{time => $time, username => $username, signature => $signature}; |
70
|
|
|
|
|
|
|
}; |
71
|
|
|
|
|
|
|
|
72
|
|
|
|
|
|
|
my $checkAuthInfo = sub { |
73
|
|
|
|
|
|
|
my $authInfo = shift; |
74
|
|
|
|
|
|
|
if (! $authInfo) { |
75
|
|
|
|
|
|
|
return undef; |
76
|
|
|
|
|
|
|
} |
77
|
|
|
|
|
|
|
|
78
|
|
|
|
|
|
|
my $signature = $calculateAuthInfo->(@{$authInfo}{qw(username time)}); |
79
|
|
|
|
|
|
|
|
80
|
|
|
|
|
|
|
if ($signature ne $authInfo->{signature}) { |
81
|
|
|
|
|
|
|
return undef; |
82
|
|
|
|
|
|
|
} elsif (time() > $authInfo->{time}) { |
83
|
|
|
|
|
|
|
return undef; |
84
|
|
|
|
|
|
|
} else { |
85
|
|
|
|
|
|
|
return $authInfo->{username}; |
86
|
|
|
|
|
|
|
} |
87
|
|
|
|
|
|
|
}; |
88
|
|
|
|
|
|
|
|
89
|
|
|
|
|
|
|
|
90
|
|
|
|
|
|
|
=head2 new() |
91
|
|
|
|
|
|
|
|
92
|
|
|
|
|
|
|
Creates a new instance of TicketAuth. Establishes several private member |
93
|
|
|
|
|
|
|
functions for authentication, to calculate, make, and check the authInfo. |
94
|
|
|
|
|
|
|
|
95
|
|
|
|
|
|
|
=cut |
96
|
|
|
|
|
|
|
|
97
|
|
|
|
|
|
|
sub new { |
98
|
0
|
|
|
0
|
1
|
|
my WebService::TicketAuth $self = shift; |
99
|
0
|
0
|
|
|
|
|
if (! ref $self) { |
100
|
0
|
|
|
|
|
|
$self = fields::new($self); |
101
|
|
|
|
|
|
|
} |
102
|
0
|
|
|
|
|
|
return $self; |
103
|
|
|
|
|
|
|
} |
104
|
|
|
|
|
|
|
|
105
|
|
|
|
|
|
|
# Internal routine for setting the error message |
106
|
|
|
|
|
|
|
sub _set_error { |
107
|
0
|
|
|
0
|
|
|
my $self = shift; |
108
|
0
|
|
|
|
|
|
$self->{'_error_msg'} = shift; |
109
|
|
|
|
|
|
|
} |
110
|
|
|
|
|
|
|
|
111
|
|
|
|
|
|
|
=head2 get_error() |
112
|
|
|
|
|
|
|
|
113
|
|
|
|
|
|
|
Returns the most recent error message. If any of this module's routines |
114
|
|
|
|
|
|
|
return undef, this routine can be called to retrieve a message about |
115
|
|
|
|
|
|
|
what happened. If several errors have occurred, this will only return |
116
|
|
|
|
|
|
|
the most recently encountered one. |
117
|
|
|
|
|
|
|
|
118
|
|
|
|
|
|
|
=cut |
119
|
|
|
|
|
|
|
|
120
|
|
|
|
|
|
|
sub get_error { |
121
|
0
|
|
|
0
|
1
|
|
my $self = shift; |
122
|
0
|
|
|
|
|
|
return $self->{'_error_msg'}; |
123
|
|
|
|
|
|
|
} |
124
|
|
|
|
|
|
|
|
125
|
|
|
|
|
|
|
=head2 ticket_duration($username) |
126
|
|
|
|
|
|
|
|
127
|
|
|
|
|
|
|
This routine defines how long a ticket should last. Override it to |
128
|
|
|
|
|
|
|
customize the ticket lengths. The username is provided when requesting |
129
|
|
|
|
|
|
|
this information, to permit applications to vary ticket length based |
130
|
|
|
|
|
|
|
on the user's access level, if desired. If $username is undef, then a |
131
|
|
|
|
|
|
|
generic duration should be returned. |
132
|
|
|
|
|
|
|
|
133
|
|
|
|
|
|
|
By default, the ticket duration is defined to be 20 minutes (or 20*60 |
134
|
|
|
|
|
|
|
seconds). |
135
|
|
|
|
|
|
|
|
136
|
|
|
|
|
|
|
=cut |
137
|
|
|
|
|
|
|
|
138
|
|
|
|
|
|
|
sub ticket_duration { |
139
|
0
|
|
|
0
|
1
|
|
my $self = shift; |
140
|
0
|
|
|
|
|
|
my $username = shift; |
141
|
0
|
|
|
|
|
|
return 20*60; |
142
|
|
|
|
|
|
|
} |
143
|
|
|
|
|
|
|
|
144
|
|
|
|
|
|
|
|
145
|
|
|
|
|
|
|
=head2 get_username($header) |
146
|
|
|
|
|
|
|
|
147
|
|
|
|
|
|
|
Retrieves the username from the auth section of the SOAP header |
148
|
|
|
|
|
|
|
|
149
|
|
|
|
|
|
|
=cut |
150
|
|
|
|
|
|
|
|
151
|
|
|
|
|
|
|
sub get_username { |
152
|
0
|
|
|
0
|
1
|
|
my $self = shift; |
153
|
0
|
|
0
|
|
|
|
my $header = shift || return undef; |
154
|
|
|
|
|
|
|
|
155
|
0
|
|
|
|
|
|
return $checkAuthInfo->($header->valueof('//authInfo')); |
156
|
|
|
|
|
|
|
} |
157
|
|
|
|
|
|
|
|
158
|
|
|
|
|
|
|
=head2 is_valid($username, $password) |
159
|
|
|
|
|
|
|
|
160
|
|
|
|
|
|
|
Routine to determine if the given user credentials are valid. Returns 1 |
161
|
|
|
|
|
|
|
to indicate if the credentials are accepted, or undef if not. Error |
162
|
|
|
|
|
|
|
messages can be retrieved from the get_error() routine. |
163
|
|
|
|
|
|
|
|
164
|
|
|
|
|
|
|
Override this member function to implement your own authentication system. |
165
|
|
|
|
|
|
|
This base class function always returns false. |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
=cut |
168
|
|
|
|
|
|
|
|
169
|
|
|
|
|
|
|
sub is_valid { |
170
|
0
|
|
|
0
|
1
|
|
my $self = shift; |
171
|
0
|
|
|
|
|
|
my ($username, $password) = @_; |
172
|
|
|
|
|
|
|
|
173
|
0
|
|
|
|
|
|
$self->_set_error("Error: Base class is_valid() called. ". |
174
|
|
|
|
|
|
|
"Validation must be performed by a derived class.\n"); |
175
|
|
|
|
|
|
|
|
176
|
0
|
|
|
|
|
|
return undef; |
177
|
|
|
|
|
|
|
} |
178
|
|
|
|
|
|
|
|
179
|
|
|
|
|
|
|
=head2 login() |
180
|
|
|
|
|
|
|
|
181
|
|
|
|
|
|
|
This routine is called by users to establish their credentials. It |
182
|
|
|
|
|
|
|
returns an AuthInfo ticket on success, or undef if the login failed |
183
|
|
|
|
|
|
|
for any reason. The error message can be retrieved from get_error(). |
184
|
|
|
|
|
|
|
|
185
|
|
|
|
|
|
|
It checks credentials by calling the is_valid() routine, which should be |
186
|
|
|
|
|
|
|
overridden to hook in your own authentication system. |
187
|
|
|
|
|
|
|
|
188
|
|
|
|
|
|
|
=cut |
189
|
|
|
|
|
|
|
|
190
|
|
|
|
|
|
|
sub login { |
191
|
0
|
|
|
0
|
1
|
|
my $self = shift; |
192
|
|
|
|
|
|
|
|
193
|
0
|
|
|
|
|
|
pop; # Last parameter is the SOAP envelope - we ignore it |
194
|
0
|
|
|
|
|
|
my ($username, $password) = @_; |
195
|
|
|
|
|
|
|
|
196
|
|
|
|
|
|
|
# Check credentials |
197
|
0
|
0
|
|
|
|
|
if (! $self->is_valid($username, $password)) { |
198
|
0
|
|
|
|
|
|
return undef; |
199
|
|
|
|
|
|
|
} else { |
200
|
0
|
|
|
|
|
|
return $makeAuthInfo->($username, $self->ticket_duration()); |
201
|
|
|
|
|
|
|
} |
202
|
|
|
|
|
|
|
} |
203
|
|
|
|
|
|
|
|
204
|
|
|
|
|
|
|
|
205
|
|
|
|
|
|
|
1; |
206
|
|
|
|
|
|
|
__END__ |