|
230
|
1 package IMPL::Web::Handler::SecureCookie;
|
|
196
|
2 use strict;
|
|
|
3
|
|
230
|
4
|
|
196
|
5 use Digest::MD5 qw(md5_hex);
|
|
230
|
6 use IMPL::Const qw(:prop);
|
|
|
7 use IMPL::Security::Auth qw(:Const GenSSID);
|
|
|
8 use IMPL::declare {
|
|
|
9 require => {
|
|
|
10 SecurityContext => 'IMPL::Security::Context',
|
|
238
|
11 User => 'IMPL::Security::Principal',
|
|
230
|
12 AuthSimple => 'IMPL::Security::Auth::Simple',
|
|
231
|
13 Exception => 'IMPL::Exception',
|
|
|
14 OperationException => '-IMPL::InvalidOperationException',
|
|
|
15 HttpResponse => '-IMPL::Web::HttpResponse'
|
|
230
|
16 },
|
|
|
17 base => {
|
|
|
18 'IMPL::Object' => undef,
|
|
|
19 'IMPL::Object::Autofill' => '@_',
|
|
|
20 'IMPL::Object::Serializable' => undef
|
|
|
21 },
|
|
|
22 props => [
|
|
|
23 salt => PROP_RO,
|
|
238
|
24 _manager => PROP_RO,
|
|
230
|
25 _cookies => PROP_RW
|
|
|
26 ]
|
|
|
27 };
|
|
196
|
28
|
|
|
29 sub CTOR {
|
|
|
30 my ($this) = @_;
|
|
|
31
|
|
|
32 $this->salt('DeadBeef') unless $this->salt;
|
|
|
33 }
|
|
|
34
|
|
230
|
35 sub Invoke {
|
|
196
|
36 my ($this,$action,$nextHandler) = @_;
|
|
|
37
|
|
230
|
38 return unless $nextHandler;
|
|
|
39
|
|
|
40 my $context;
|
|
238
|
41 $this->_manager($action->application->security);
|
|
196
|
42
|
|
230
|
43
|
|
|
44 my $sid = $action->cookie('sid',qr/(\w+)/);
|
|
|
45 my $cookie = $action->cookie('sdata',qr/(\w+)/);
|
|
239
|
46 my $sign = $action->cookie('sign',qw/(\w+)/);
|
|
196
|
47
|
|
230
|
48 if (
|
|
|
49 $sid and
|
|
|
50 $cookie and
|
|
|
51 $sign and
|
|
|
52 $sign eq md5_hex(
|
|
|
53 $this->salt,
|
|
|
54 $sid,
|
|
|
55 $cookie,
|
|
|
56 $this->salt
|
|
|
57 )
|
|
|
58 ) {
|
|
|
59 # TODO: add a DefferedProxy to deffer a request to a data source
|
|
238
|
60 if ( $context = $this->_manager->GetSession($sid) ) {
|
|
230
|
61 if ( eval { $context->auth->isa(AuthSimple) } ) {
|
|
|
62 my ($result,$challenge) = $context->auth->DoAuth($cookie);
|
|
239
|
63
|
|
|
64 $context->authority($this);
|
|
|
65
|
|
230
|
66 if ($result == AUTH_FAIL) {
|
|
|
67 $context = undef;
|
|
|
68 }
|
|
239
|
69 } else {
|
|
|
70 undef $context;
|
|
196
|
71 }
|
|
|
72 }
|
|
230
|
73
|
|
196
|
74 }
|
|
230
|
75
|
|
231
|
76 $context ||= SecurityContext->new(principal => User->nobody, authority => $this);
|
|
230
|
77
|
|
238
|
78 my $httpResponse = $context->Impersonate($nextHandler,$action);
|
|
230
|
79
|
|
231
|
80 die OperationException->new("A HttpResponse instance is expected")
|
|
|
81 unless ref $httpResponse && eval { $httpResponse->isa(HttpResponse) };
|
|
230
|
82
|
|
231
|
83 return $this->WriteResponse($httpResponse);
|
|
230
|
84 }
|
|
|
85
|
|
231
|
86 sub InitSession {
|
|
239
|
87 my ($this,$user,$roles,$auth,$challenge) = @_;
|
|
230
|
88
|
|
239
|
89 my ($status,$answer) = $auth->DoAuth($challenge);
|
|
|
90
|
|
|
91 die OperationException->new("This provider doesn't support multiround auth")
|
|
|
92 if ($status == AUTH_INCOMPLETE || $answer);
|
|
230
|
93
|
|
239
|
94 if ($status == AUTH_SUCCESS) {
|
|
|
95 my $sid = GenSSID();
|
|
|
96 my $cookie = GenSSID();
|
|
|
97
|
|
|
98 $this->_cookies({
|
|
|
99 sid => $sid,
|
|
|
100 sdata => $cookie
|
|
|
101 });
|
|
|
102
|
|
|
103 my $context = $this->_manager->CreateSession(
|
|
|
104 sessionId => $sid,
|
|
|
105 principal => $user,
|
|
|
106 auth => AuthSimple->Create(password => $cookie),
|
|
|
107 authority => $this,
|
|
|
108 rolesAssigned => $roles
|
|
|
109 );
|
|
|
110
|
|
|
111 $context->Apply();
|
|
|
112
|
|
|
113 $this->_manager->SaveSession($context);
|
|
|
114 }
|
|
|
115
|
|
|
116 return $status;
|
|
|
117 }
|
|
230
|
118
|
|
239
|
119 sub CloseSession {
|
|
|
120 my ($this) = @_;
|
|
|
121 if(my $session = SecurityContext->current) {
|
|
|
122 $this->_cookies({
|
|
|
123 sid => undef,
|
|
|
124 sdata => undef
|
|
|
125 })
|
|
|
126 }
|
|
196
|
127 }
|
|
|
128
|
|
|
129 sub WriteResponse {
|
|
230
|
130 my ($this,$response) = @_;
|
|
|
131
|
|
238
|
132 if (my $data = $this->_cookies) {
|
|
196
|
133
|
|
239
|
134 my $sign = $data->{sid} && md5_hex(
|
|
230
|
135 $this->salt,
|
|
|
136 $data->{sid},
|
|
|
137 $data->{sdata},
|
|
|
138 $this->salt
|
|
|
139 );
|
|
|
140
|
|
|
141 $response->cookies->{sid} = $data->{sid};
|
|
|
142 $response->cookies->{sdata} = $data->{sdata};
|
|
|
143 $response->cookies->{sign} = $sign;
|
|
|
144 }
|
|
231
|
145
|
|
|
146 return $response;
|
|
196
|
147 }
|
|
|
148
|
|
|
149 1;
|
|
|
150
|
|
|
151 __END__
|
|
|
152
|
|
|
153 =pod
|
|
|
154
|
|
|
155 =head1 NAME
|
|
|
156
|
|
230
|
157 C<IMPL::Web::Handler::SecureCookie>
|
|
196
|
158
|
|
|
159 =head1 DESCRIPTION
|
|
|
160
|
|
|
161 Возобновляет сессию пользователя на основе информации переданной через Cookie.
|
|
|
162
|
|
|
163 Использует механизм подписи информации для проверки верности входных данных перед
|
|
|
164 началом каких-либо действий.
|
|
|
165
|
|
|
166 Данный обработчик возвращает результат выполнения следдующего обработчика.
|
|
|
167
|
|
230
|
168
|
|
|
169
|
|
196
|
170 =head1 MEMBERS
|
|
|
171
|
|
231
|
172 =head2 C<[get,set] salt>
|
|
196
|
173
|
|
|
174 Скаляр, использующийся для подписи данных.
|
|
|
175
|
|
233
|
176
|
|
231
|
177 =head2 C<InitSession($user,$auth,$roles)>
|
|
196
|
178
|
|
|
179 =cut
|
