PerlMonks  

Authenticating for multiple Catalyst apps

by sherab (Scribe)
on Apr 09, 2012 at 13:53 UTC [id://964131]

sherab has asked for the wisdom of the Perl Monks concerning the following question:

I am managing about 5 different Catalyst apps and we're now finally getting into a serious look at authentication.

The easiest thing would be to simply LDAP authenticate against Active Directory but the company doesn't even have roles set up. When authenticating against AD, it requires two binds, the first being a user and password that simply can bind to AD and the next being the actual user name and password. The company is happy with doing this single bind using the user name and password and I went ahead and built that using Net::LDAP. The idea being that if they have put in a valid user name and password that they are then authorized to use the app.

What they're after is the ability to authenticate once and then you can just redirect to whatever app you want to use.

I know using DBIC that I could just create one app and have it authenticate, and we could just store the session id in a separate database and from there go on to whatever app they want to use. The question is jumping into a new Catalyst app after authenticating from another one, and I'm not so sure that just having that session id alone is enough.

The more I think about it, the more this seems to make sense...
- Fire up the authentication app.
- Take the user name and password and upon successful login store the user name, password and session id in the authentication db
- Redirect to the requested app (sending the user name and password along with it somehow) and use the authentication db as the store.

Given that we're storing a user name, password and session id already in a table after initial authentication, could we just use that session id to bring someone into another Catalyst app?

Anyone familiar enough with the process to throw in some advice? I really appreciate it.
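One way to lay out the handoff the post describes, as an added example that is not the poster's code or part of the Catalyst project: the auth app does the Net::LDAP bind, then every app reads the same sessions table and receives the same parent-domain cookie, so only the session id travels. The app names, hosts, DSN, domain and the `%apps` map are assumptions.

```perl
package AuthApp;
use Moose;
use Net::LDAP;
use Catalyst qw/Session Session::Store::DBI Session::State::Cookie/;
extends 'Catalyst';
__PACKAGE__->config(
    # Every app carries this identical block: one shared table, one cookie.
    'Plugin::Session' => {
        dbi_dsn           => 'dbi:Pg:dbname=authdb;host=db.example.internal', # assumed
        dbi_user          => 'sessions',
        dbi_pass          => 'CHANGEME',
        dbi_table         => 'sessions',
        dbi_id_field      => 'id',
        dbi_data_field    => 'session_data',
        dbi_expires_field => 'expires',
        expires           => 3600,                 # idle timeout (seconds)
        cookie_domain     => '.example.internal',  # assumed parent domain of all apps
        cookie_secure     => 1,
        cookie_httponly   => 1,
    },
);
__PACKAGE__->setup;

package AuthApp::Controller::Login;
use Moose;
BEGIN { extends 'Catalyst::Controller' }
# Hypothetical allowlist of app keys to redirect targets (no open redirect).
my %apps = ( reports => 'https://reports.example.internal/' );

sub ldap_bind_ok {
    my ($user, $pass) = @_;
    return 0 unless length $pass;   # empty password = anonymous bind, which AD accepts
    my $ldap = Net::LDAP->new('ad.example.internal') or return 0;  # assumed AD host
    return $ldap->bind("$user\@example.internal", password => $pass)->code == 0;
}

sub login :Path('/login') :Args(0) {
    my ($self, $c) = @_;
    my ($user, $pass) = map { $c->req->params->{$_} // '' } qw/username password/;
    return $c->res->redirect('/login?failed=1') unless ldap_bind_ok($user, $pass);
    $c->change_session_id;             # fresh id after login (session fixation)
    $c->session->{username} = $user;   # store identity only, never the password
    $c->res->redirect($apps{ $c->req->params->{app} // '' } // '/');
}

# In each other app's Root controller, with the same Session plugins and config:
sub auto :Private {
    my ($self, $c) = @_;
    return 1 if defined $c->session->{username};
    $c->res->redirect('https://auth.example.internal/login?app=reports');
    return 0;
}
```

With this layout the session id alone is enough, because the second app reads the same sessions row the auth app wrote; the password is neither kept in the table nor forwarded on the redirect.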

Re: Authenticating for multiple Catalyst apps
by sundialsvc4 (Abbot) on Apr 09, 2012 at 14:47 UTC

    I would just say that you ought to go ahead and use LDAP for what it was designed for, because it is able to “solve the authentication and authorization problem” for all purposes (Perl and otherwise, web-sites and otherwise), while having just one single point of management. In a corporate setting of any size, management of the “auth/auth dataset” becomes a very significant problem as well as sometimes a very exploitable security hole. If everything, everywhere, refers to a single secure source of authority (be it LDAP or Kerberos or what have you...), then you have “One Ring to Rule Them All,” and that becomes a very big win, if only from the day-to-day management perspective. I would go down that pathway at the earliest opportunity, and stick with it in lieu of any home-grown system.

    I didn’t always feel this way, but when I saw how well it worked in a corporate setting I became very easily persuaded. “Overhead” should not be a decision-factor. Also, be sure to treat authentication and authorization as separate problems throughout. Once the user has established his identity (authentication), this remains the same, even as he obtains authorization to do different things on the same and/or on different systems from time to time. Where standardized mechanisms can be used to do this, as here they certainly can, use them.

      I completely agree with you, unfortunately the "company" in this case is "the government" and my hands are tied. Something must be said of letting someone else deal with passwords, roles, etc.

        Wow. Ick.

        It would have seemed to me that “the government,” no matter whose government it is, would be even more up-tight about exactly how “auth/auth” is done for their systems. (And of course, they would make their wishes known with perfect clarity and a single sense of direction ... ;-) ... your tax dollars etc.)

Re: Authenticating for multiple Catalyst apps
by Anonymous Monk on Apr 09, 2012 at 14:37 UTC
