.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" ======================================================================== .\" .IX Title "Plack::Middleware::Auth::WebID 3pm" .TH Plack::Middleware::Auth::WebID 3pm "2021-01-08" "perl v5.32.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" Plack::Middleware::Auth::WebID \- authentication middleware for WebID .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& use Plack::Builder; \& \& my $app = sub { ... }; \& my $cache = CHI\->new( ... ); \& \& sub unauthenticated \& { \& my ($self, $env) = @_; \& return [ \& 403, \& [ \*(AqContent\-Type\*(Aq => \*(Aqtext/plain\*(Aq ], \& [ \*(Aq403 Forbidden\*(Aq ], \& ]; \& } \& \& builder \& { \& enable "Auth::WebID", \& cache => $cache, \& on_unauth => \e&unauthenticated; \& $app; \& }; .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" Plack::Middleware::Auth::WebID is a WebID handler for Plack. .PP If authentication is successful, then the handler sets \f(CW\*(C`$env\->{WEBID}\*(C'\fR to the user's WebID \s-1URI,\s0 and sets \f(CW\*(C`$env\->{WEBID_OBJECT}\*(C'\fR to a Web::ID object. .SH "CONFIGURATION" .IX Header "CONFIGURATION" .IP "cache" 4 .IX Item "cache" This may be set to an object that will act as a cache for Web::ID objects. .Sp Plack::Middleware::Auth::WebID does not care what package you use for your caching needs. \s-1CHI\s0, Cache::Cache and Cache should all work. In fact, any package that provides a similar one-argument \f(CW\*(C`get\*(C'\fR and a two-argument \f(CW\*(C`set\*(C'\fR ought to work. Which should you use? Well \&\s-1CHI\s0 seems to be best, however it's Moose-based, so usually too slow for \s-1CGI\s0 applications. Use Cache::Cache for \s-1CGI,\s0 and \s-1CHI\s0 otherwise. .Sp You don't need to set a cache at all, but if there's no cache, then reauthentication (which is computationally expensive) happens for every request. Use of a cache with an expiration time of around 15 minutes should significantly speed up the responsiveness of a WebID-secured site. (For forking servers you probably want a cache that is shared between processes, such as a memcached cache.) .IP "on_unauth" 4 .IX Item "on_unauth" Coderef that will be called if authentication is not successful. You can use this to return a \*(L"403 Forbidden\*(R" page for example, or try an alternative authentication method. .Sp The default coderef used will simply run the application as normal, but setting \f(CW\*(C`$env\->{WEBID}\*(C'\fR to the empty string. .IP "webid_class" 4 .IX Item "webid_class" Name of an alternative class to use for WebID authentication instead of Web::ID. Note that any such class would need to provide a compatible \&\f(CW\*(C`new\*(C'\fR constructor. .IP "certificate_env_key" 4 .IX Item "certificate_env_key" The key within \f(CW$env\fR where Plack::Middleware::Auth::WebID can find a PEM-encoded client \s-1SSL\s0 certificate. .Sp Apache keeps this information in \f(CW\*(C`$env\->{\*(AqSSL_CLIENT_CERT\*(Aq}\*(C'\fR, so it should be no surprise that this setting defaults to '\s-1SSL_CLIENT_CERT\s0'. .IP "no_object_please" 4 .IX Item "no_object_please" Suppresses setting \f(CW\*(C`$env\->{WEBID_OBJECT}\*(C'\fR. \f(CW\*(C`$env\->{WEBID}\*(C'\fR will still be set as usual. .SH "SERVER SUPPORT" .IX Header "SERVER SUPPORT" WebID is an authentication system based on the Semantic Web and \s-1HTTPS.\s0 It relies on client certificates (but not on certification authorities; self-signed certificates are \s-1OK\s0). .PP So for this authentication module to work... .IP "\(bu" 4 You need to be using a server which supports \s-1HTTPS.\s0 .Sp Many web \s-1PSGI\s0 web servers (e.g. HTTP::Server::Simple, Starman, etc) do not support \s-1HTTPS\s0 natively. In some cases these are used with an \s-1HTTPS\s0 proxy in front of them. .IP "\(bu" 4 Your \s-1HTTPS\s0 server needs to request a client certificate from the client. .IP "\(bu" 4 Your \s-1HTTPS\s0 server needs to expose the client certificate to Plack via \f(CW$env\fR. .Sp If you're using an \s-1HTTPS\s0 proxy in front of a non-HTTPS web server, then you might need to be creative to find a way to forward this information to your backend web server. .IP "\(bu" 4 The client browser needs to have a WebID-compatible certificate installed. .Sp Nuff said. .SS "Apache2 (mod_perl and \s-1CGI\s0)" .IX Subsection "Apache2 (mod_perl and CGI)" The \fBSSLVerifyClient\fR directive can be used to tell Apache that you want it to request a certificate from the client. .PP Apache is able to deposit the certifcate in an environment variable called \&\s-1SSL_CLIENT_CERT.\s0 However by default it might not. Check out the \fBSSLOptions\fR directive and enable the \f(CW\*(C`ExportCertData\*(C'\fR option, or if you're using mod_perl try Plack::Middleware::Apache2::ModSSL. .SS "Gepok" .IX Subsection "Gepok" Gepok is one of a very small number of PSGI-compatible web servers that supports \s-1HTTPS\s0 natively. As of 0.20 it will request client certificates, but you will need to use Plack::Middleware::GepokX::ModSSL in order to make the certificate available in the \s-1PSGI\s0 \f(CW$env\fR hashref. .SH "BUGS" .IX Header "BUGS" Please report any bugs to . .SH "SEE ALSO" .IX Header "SEE ALSO" Plack, Web::ID, Web::ID::FAQ. .PP General WebID information: , , , . .PP Apache mod_ssl: Plack::Middleware::Apache2::ModSSL, Apache2::ModSSL, . .PP Gepok: Gepok, Plack::Middleware::GepokX::ModSSL. .SH "AUTHOR" .IX Header "AUTHOR" Toby Inkster . .SH "COPYRIGHT AND LICENCE" .IX Header "COPYRIGHT AND LICENCE" This software is copyright (c) 2012 by Toby Inkster. .PP This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. .SH "DISCLAIMER OF WARRANTIES" .IX Header "DISCLAIMER OF WARRANTIES" \&\s-1THIS PACKAGE IS PROVIDED \*(L"AS IS\*(R" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.\s0