Plack::Middleware::Auth::Digest - Digest authentication

Plack-Middleware-Auth-Digest documentation  | view source Contained in the Plack-Middleware-Auth-Digest distribution.

Index

NAME

Top

Plack::Middleware::Auth::Digest - Digest authentication

SYNOPSIS

Top

  enable "Auth::Digest", realm => "Secured", secret => "blahblahblah",
      authenticator => sub {
          my ($username, $env) = @_;
          return $password; # for $username
      };

  # Or return MD5 hash of "$username:$realm:$password"
  enable "Auth::Digest", realm => "Secured", secret => "blahblahblah",
      password_hashed => 1,
      authenticator => sub { return $password_hashed };

DESCRIPTION

Top

Plack::Middleware::Auth::Digest is a Plack middleware component that enables Digest authentication. Your authenticator callback is called using two parameters: a username as a string and the PSGI $env hash. Your callback should return a password, either as a raw password or a hashed password.

CONFIGURATIONS

Top

authenticator

A callback that takes a username and PSGI $env hash and returns a password for the user, either in a plaintext password or a MD5 hash of "username:realm:password" (quotes not included) when password_hashed option is enabled.

password_hashed

A boolean (0 or 1) to indicate whether authenticator callback returns passwords in a plaintext or hashed. Defaults to 0 (plaintext).

realm

A string to represent the realm. Defaults to restricted area.

secret

Server secret text string that is used to sign nonce. Required.

nonce_ttl

Time-to-live seconds to prevent replay attacks. Defaults to 60.

LIMITATIONS

Top

This middleware expects that the application has a full access to the headers sent by clients in PSGI environment. That is normally the case with standalone Perl PSGI web servers such as Starman or HTTP::Server::Simple::PSGI.

However, in a web server configuration where you can't achieve this (i.e. using your application via mod_perl, CGI or FastCGI), this middleware does not work since your application can't know the value of Authorization: header.

If you use Apache as a web server and CGI or mod_perl to run your PSGI application, you can use mod_rewrite to pass the Authorization header to the application with the rewrite rule like following.

  RewriteEngine on
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

AUTHOR

Top

Yuji Shimada <xaicron@cpan.org>

Tatsuhiko Miyagawa

SEE ALSO

Top

Plack::Middleware::Auth::Basic

LICENSE

Top

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

Plack-Middleware-Auth-Digest documentation  | view source Contained in the Plack-Middleware-Auth-Digest distribution.