documentation:1.3:selfmadeapplication

Protect your application

Your application can know the connected user using:

  • REMOTE_USER environment variable (with local Handler or SetEnvIf trick)
  • HTTP header (in all cases)

To get more information on user (name, mail, etc.), you have to read HTTP headers.

If your application is based on Perl CGI package, you can simply replace CGI by Lemonldap::NG::Handler::CGI

Examples with a configured header named 'Auth-User':

print "Connected user: ".$ENV{HTTP_AUTH_USER};
print "Connected user: ".$_SERVER{HTTP_AUTH_USER};

Using this feature, you don't have to use virtual host protection: protection is embedded in Lemonldap::NG::Handler::CGI.

Lemonldap::NG::Handler::CGI adds some functions to CGI:

  • authenticate: check if user is authenticated; if not, redirect it to the portal
  • authorize: check if user is authorizated to access to this URL

Example:

  • Code to replace:
my $cgi = new CGI;
...
  • New code:
my $cgi = Lemonldap::NG::Handler::CGI->new ({});
$cgi->authenticate();
$cgi->authorize();
...

Then you can access to user datas

# Get attributes (or macros)
my $cn = $cgi->user->{cn}
 
# Test if user is member of a Lemonldap::NG group (or LDAP mapped group)
if( $cgi->group('admin') ) {
  # special html code for admins
}
else {
  # another HTML code
}

You can test any URL to see if it's protected using testUri(). It returns:

  • 1 if user is authorizated to access to it
  • 0 if not
  • -1 if this URL is not known by LL::NG configuration
if($cgi->testUri('http://test3.example.com/') {
  print '<a href="http://test3.example.com/">click here</a>';
}