Paul M. Hirsch

Changes for version 1.01

  • REQUIRED CHANGE - The new login form signature check (described below) require changes to and login.html. It is recommended that you replace your existing with examples/htdocs/ To preserve your customizations to login.html, it is recommended that you add in changes manually. For most cases, you should be able to add lines right after:
    • <input type="hidden" name="destination" value="__URI__" />
    • to support the changes. Add the following to your login.html:
      • <input type="hidden" name="nonce" value="__NONCE__" /> <input type="hidden" name="sig" value="__SIG__" />
  • Added nonce and signature to login form and checking in Apache::AppSamurai::login(). All form logins must now provide a valid nonce and signature. This is a Cross Site Request Forgery style protection, but since the user is not yet logged in, does not ACTUALLY provide CSRF protection. Instead, it is a additional bar to raise and prevent some types of scripted brute force/DoS attempts.
  • Added, a authentication module for the Authen::Simple authentication framework, which supports numerous authentication methods (Kerberos, LDAP, PAM, etc.)
  • Changed Build.PL to attempt to pre-detect mod_perl version installed, adding requirement for mod_perl 2 if nothing is found
  • Changed Build.PL to attempt to pre-detect cipher module for use with Crypt::CBC, adding requirement for Crypt::Rijndael if none are found
  • Added "use warnings" to all modules
  • Added Pod test (Pod Coverage test left disabled until more methods are documented or set to ignore)