NAME

Plack::Middleware::Auth::Negotiate - Negotiate authentication middleware (SPNEGO)

VERSION

version 0.172130

SYNOPSIS

    use Plack::Builder;
    my $app = sub { ... };

    builder {
        enable 'Auth::Negotiate', keytab => 'FILE:www.keytab';
        $app;
    };

DESCRIPTION

Plack::Middleware::Auth::Negotiate provides Negotiate (SPNEGO) authentication for your Plack application (for use with Kerberos).

This is a very alpha module, and I am still testing some of the security corner cases. Help wanted.

CONFIGURATION

  • keytab: path to the keytab to use. This value is set as $ENV{KRB5_KTNAME} if provided.

Note that there is no option for matching URLs. You can do this yourself with Plack::Middleware::Conditional's enable_if syntax (for Plack::Builder).

TODO

  • More security testing.

  • Ability to specify a list of valid realms. If REALM.EXAMPLE.COM trusts REALM.FOOBAR.COM, and we don't want to allow REALM.FOOBAR.COM users, we have to check after accepting the ticket.

  • Option to automatically trim the @REALM.EXAMPLE.COM portion of the user value.

  • Method to also provide Basic auth if Negotiate fails.

  • Some way to cooperate with other Auth middleware. enable_if is your best bet right now (with different URLs for each type of authentication, and writing a session).

  • Better interaction with Plack::Middleware::Session, since this authentication is slow in my experience.

  • Better implementation of the actual RFC.

  • Custom "Authorization Required" message

SEE ALSO

Plack, Plack::Builder, Plack::Middleware::Auth::Basic

GSSAPI, mod_auth_kerb

ACKNOWLEDGEMENTS

This code is based off of Plack::Middleware::Auth::Basic and a sample script provided with GSSAPI.

AUTHOR

Adrian Kreher <avuserow@cpan.org>

COPYRIGHT AND LICENSE

This software is Copyright (c) 2011 by Adrian Kreher <avuserow@cpan.org>.

This is free software, licensed under:

  The (three-clause) BSD License