Daniel P. Berrangé


Authen::PAAS::Context - authentication a subject using login modules


  use Authen::PAAS::Context;
  use Authen::PAAS::SimpleCallback;
  use Config::Record;

  my $config = Config::Record->new("/etc/myapp.cfg");

  my $context = Authen::PAAS::Context->new($config, "myapp");

  my $callbacks = {
    "username" => Authen::PAAS::SimpleCallback->new("joeblogs"),
    "password" => Authen::PAAS::SimpleCallback->new("123456"),

  my $subject = $context->login($callbacks);

  unless ($subject) {
     die "could not authenticate subject"

  .. do some work using the subject ..



The Authen::PAAS::Context module provides the controller for invoking a number of login modules, and having them populate a subject with principals and credentials. The authentication process consists of two stages. In the first phase the login method is invoked on all modules to perform the actual authentication process. If a module's authentication process succeded, then it may wish to store state to represent the result of authentication in the supplied instance of Authen::PAAS::State. If the first phase was successful overall, then the commit method will be invoked on all modules. The module's commit method will check the stored state for the result of the first phase, and if it was successful, then it will add one or more principals and zero or more credentials to the subject. If there is a terminal failure of the authentication process at any point, the abort() method will be invoked on all modules


The Config::Record module is used for accessing configuration file information. The configuration file defines the set of login modules used for performing authentication. The modules have associated flags controlling operation of the login process upon success/failure of a module. The configuration is stored in a single list, named auth.$APP where $APP is the name token passed into the constructor of the Authen::PAAS::Context object. Each element in the list is a dictionary, with the key module defining the class name of the login module, the key flags defining the login flags and options defining any module specific options. For example, a web application may have a a username/password in the main login page, but elsewhere use a cookie as the authentication data. In this case, a configuration look like

  auth.mail-archive = (
      module = Authen::PAAS::DB::PasswdLogin
      flags = optional
      module = Authen::PAAS::CGI::CookieLogin
      flags = requisite
      options = {
        secret = /etc/authen-paas/authen-paas-cgi-secret.dat
        user-module = Authen::PAAS::DB::User


$obj = Authen::PAAS::Context->new();


my $subject = $ctx->login(\%callbacks);

Attempt to authenticate the user, using data obtained from the callbacks passed in as the first parameter. The callbacks should be a hash reference, where keys are the callback name, and the values are instances of the Authen::PAAS::Callback module. If authentication succeeded, an instance of the Authen::PAAS::Subject module will be returned, otherwise an undefined value will be returned.


Takes an authenticated subject and performs a logout operation. This method would typically destroy any tokens / credentials that might exist beyond the lifetime of the current process.


Daniel Berrange <dan@berrange.com>


Copyright (C) 2004-2006 Daniel Berrange


Authen::PAAS, Authen::PAAS::LoginModule, Authen::PAAS::Subject