Protect your application

Presentation

Your application can know the connected user using:

  • REMOTE_USER environment variable (with local Handler or SetEnvIf trick)
  • HTTP header (in all cases)

To get more information on user (name, mail, etc.), you have to read HTTP headers.

If your application is based on Perl CGI package, you can simply replace CGI by Lemonldap::NG::Handler::CGI

Code snippet

Examples with a configured header named 'Auth-User':

Perl

print "Connected user: ".$ENV{HTTP_AUTH_USER};

PHP

print "Connected user: ".$_SERVER["HTTP_AUTH_USER"];

Perl auto-protected CGI

LL::NG now uses FastCGI instead of CGI, but you still can write your own protected CGI.

First create a PSGI module based on Lemonldap::NG::Handler:

package My::PSGI;
 
use base "Lemonldap::NG::Handler::PSGI";
 
sub init {
    my ($self,$args) = @_;
    $self->protection('manager');
    $self->SUPER::init($args) or return 0;
    $self->staticPrefix("/static");
    $self->templateDir("/usr/share/lemonldap-ng/portal/templates");
    # See Lemonldap::NG::Common::PSGI for more
    #...
    # Return a boolean. If false, then error message has to be stored in
    # $self->error
    return 1;
}
 
sub handler {
    my ( $self, $req ) = @_;
 
    # Will be called only if authorisated
    my $userId = $self->userId($req);
    #...
 
    # Return JSON
    # $self->sendJSONresponse(...);
 
    # or Return HTML
    $self->sendHtml($req, "myskin/mytemplate", ( params => { 'userId' => $userId }) );
}

They create a FCGI script like this:

#!/usr/bin/env perl
 
use My::PSGI;
use Plack::Handler::FCGI;
 
Plack::Handler::FCGI->new->run( My::PSGI->run() );

See our LLNG Nginx/Apache configurations to see how to launch it or read PSGI/Plack documentation.

The protection parameter must be set when calling the init() method:

  • none: no protection
  • authenticate: check authentication but do not manage authorization
  • manager: rely on virtual host configuration in Manager
  • rule: xxx: apply a specific rule