.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{
.    if \nF \{
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "Plack::Middleware::Auth::WebID 3pm"
.TH Plack::Middleware::Auth::WebID 3pm "2014-05-10" "perl v5.18.2" "User Contributed Perl Documentation"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
Plack::Middleware::Auth::WebID \- authentication middleware for WebID
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\&  use Plack::Builder;
\&  
\&  my $app   = sub { ... };
\&  my $cache = CHI\->new( ... );
\&  
\&  sub unauthenticated
\&  {
\&    my ($self, $env) = @_;
\&    return [
\&      403,
\&      [ \*(AqContent\-Type\*(Aq => \*(Aqtext/plain\*(Aq ],
\&      [ \*(Aq403 Forbidden\*(Aq ],
\&    ];
\&  }
\&  
\&  builder
\&  {
\&    enable "Auth::WebID",
\&        cache     => $cache,
\&        on_unauth => \e&unauthenticated;
\&    $app;
\&  };
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Plack::Middleware::Auth::WebID is a WebID handler for Plack.
.PP
If authentication is successful, then the handler sets \f(CW\*(C`$env\->{WEBID}\*(C'\fR
to the user's WebID \s-1URI,\s0 and sets \f(CW\*(C`$env\->{WEBID_OBJECT}\*(C'\fR to a
Web::ID object.
.SH "CONFIGURATION"
.IX Header "CONFIGURATION"
.IP "cache" 4
.IX Item "cache"
This may be set to an object that will act as a cache for Web::ID
objects.
.Sp
Plack::Middleware::Auth::WebID does not care what package you use for
your caching needs. \s-1CHI\s0, Cache::Cache and Cache should all
work. In fact, any package that provides a similar one-argument \f(CW\*(C`get\*(C'\fR
and a two-argument \f(CW\*(C`set\*(C'\fR ought to work. Which should you use? Well
\&\s-1CHI\s0 seems to be best, however it's Moose-based, so usually too slow
for \s-1CGI\s0 applications. Use Cache::Cache for \s-1CGI,\s0 and \s-1CHI\s0 otherwise.
.Sp
You don't need to set a cache at all, but if there's no cache, then
reauthentication (which is computationally expensive) happens for
every request. Use of a cache with an expiration time of around 15
minutes should significantly speed up the responsiveness of a
WebID-secured site. (For forking servers you probably want a cache
that is shared between processes, such as a memcached cache.)
.IP "on_unauth" 4
.IX Item "on_unauth"
Coderef that will be called if authentication is not successful. You
can use this to return a \*(L"403 Forbidden\*(R" page for example, or try an
alternative authentication method.
.Sp
The default coderef used will simply run the application as normal,
but setting \f(CW\*(C`$env\->{WEBID}\*(C'\fR to the empty string.
.IP "webid_class" 4
.IX Item "webid_class"
Name of an alternative class to use for WebID authentication instead
of Web::ID. Note that any such class would need to provide a compatible
\&\f(CW\*(C`new\*(C'\fR constructor.
.IP "certificate_env_key" 4
.IX Item "certificate_env_key"
The key within \f(CW$env\fR where Plack::Middleware::Auth::WebID can find
a PEM-encoded client \s-1SSL\s0 certificate.
.Sp
Apache keeps this information in \f(CW\*(C`$env\->{\*(AqSSL_CLIENT_CERT\*(Aq}\*(C'\fR, so
it should be no surprise that this setting defaults to '\s-1SSL_CLIENT_CERT\s0'.
.IP "no_object_please" 4
.IX Item "no_object_please"
Suppresses setting \f(CW\*(C`$env\->{WEBID_OBJECT}\*(C'\fR. \f(CW\*(C`$env\->{WEBID}\*(C'\fR will
still be set as usual.
.SH "SERVER SUPPORT"
.IX Header "SERVER SUPPORT"
WebID is an authentication system based on the Semantic Web and \s-1HTTPS.\s0
It relies on client certificates (but not on certification authorities;
self-signed certificates are \s-1OK\s0).
.PP
So for this authentication module to work...
.IP "\(bu" 4
You need to be using a server which supports \s-1HTTPS.\s0
.Sp
Many web \s-1PSGI\s0 web servers (e.g. HTTP::Server::Simple, Starman, etc) do
not support \s-1HTTPS\s0 natively. In some cases these are used with an \s-1HTTPS\s0
proxy in front of them.
.IP "\(bu" 4
Your \s-1HTTPS\s0 server needs to request a client certificate from the client.
.IP "\(bu" 4
Your \s-1HTTPS\s0 server needs to expose the client certificate to Plack via \f(CW$env\fR.
.Sp
If you're using an \s-1HTTPS\s0 proxy in front of a non-HTTPS web server,
then you might need to be creative to find a way to forward this
information to your backend web server.
.IP "\(bu" 4
The client browser needs to have a WebID-compatible certificate installed.
.Sp
Nuff said.
.SS "Apache2 (mod_perl and \s-1CGI\s0)"
.IX Subsection "Apache2 (mod_perl and CGI)"
The \fBSSLVerifyClient\fR directive can be used to tell Apache that you want it
to request a certificate from the client.
.PP
Apache is able to deposit the certifcate in an environment variable called
\&\s-1SSL_CLIENT_CERT.\s0 However by default it might not. Check out the \fBSSLOptions\fR
directive and enable the \f(CW\*(C`ExportCertData\*(C'\fR option, or if you're using mod_perl
try Plack::Middleware::Apache2::ModSSL.
.SS "Gepok"
.IX Subsection "Gepok"
Gepok is one of a very small number of PSGI-compatible web servers that
supports \s-1HTTPS\s0 natively. As of 0.20 it will request client certificates, but
you will need to use Plack::Middleware::GepokX::ModSSL in order to make
the certificate available in the \s-1PSGI \s0\f(CW$env\fR hashref.
.SH "BUGS"
.IX Header "BUGS"
Please report any bugs to
<http://rt.cpan.org/Dist/Display.html?Queue=Web\-ID>.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
Plack, Web::ID, Web::ID::FAQ.
.PP
General WebID information:
<http://webid.info/>,
<http://www.w3.org/wiki/WebID>,
<http://www.w3.org/2005/Incubator/webid/spec/>,
<http://lists.foaf\-project.org/mailman/listinfo/foaf\-protocols>.
.PP
Apache mod_ssl:
Plack::Middleware::Apache2::ModSSL,
Apache2::ModSSL,
<http://httpd.apache.org/docs/2.0/mod/mod_ssl.html>.
.PP
Gepok:
Gepok,
Plack::Middleware::GepokX::ModSSL.
.SH "AUTHOR"
.IX Header "AUTHOR"
Toby Inkster <tobyink@cpan.org>.
.SH "COPYRIGHT AND LICENCE"
.IX Header "COPYRIGHT AND LICENCE"
This software is copyright (c) 2012 by Toby Inkster.
.PP
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
.SH "DISCLAIMER OF WARRANTIES"
.IX Header "DISCLAIMER OF WARRANTIES"
\&\s-1THIS PACKAGE IS PROVIDED \*(L"AS IS\*(R" AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.\s0