On 09/08/07, Patrick McDonnell <[EMAIL PROTECTED]> wrote:
> Hello -
>
> I'm working on a Catalyst app, mostly just to amuse myself, that is supposed
> to be a webmail/calendar/address book/user account management app. All of
> the user account information, as well as the address book, is stored in an
> LDAP directory, so authenticating against that is not a problem. I am
> running into a problem if I want the user to be able to connect to an IMAP
> server, as that would require that the user provide their username/password
> again. Here's basically how my app is currently working:
>
> User logs in, auth data is checked against LDAP. Once logged in, the user
> is trusted to do various things based on my authorization scheme.
> Say the user wants to check his email. I'm trying to use Net::IMAP::Simple
> to connect to my IMAP server. However, to log in, the module needs the
> username and password. So, the two most obvious options are to 1) have the
> user provide his authentication data again; or 2) store the user's password
> in the session. Neither sounds like a good idea; the first is just
> annoying, and the second seems like a security vulnerability.
>
> So, does anyone have any advice on how to proceed? One idea I had was to
> log in to the IMAP server the first time the user logs in to the web app, and
> then pass around the IMAP object with the session, but that seems kind of
> ugly. Any ideas?
>
> Thanks.
>
You can create a second IMAP server that uses a secret token as the
user password.
Then you just need to auth against that server with the user login and
a password like sha1_hex($username, $your_secret), or something like
that.
Cheers,
--
Jonas
___
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/
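
The derived-password idea in the reply above, sketched as an added example that is not part of the original thread: the web app derives a per-user IMAP password from a shared secret, and the token-checking backend recomputes and compares it. It swaps the suggested `sha1_hex($username, $your_secret)` for HMAC-SHA256 from the core `Digest::SHA` module; the function names `imap_token` and `token_ok` and the secret value are assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed placeholder. In practice this is loaded from a file readable
# only by the web app and by the backend that checks tokens, never stored
# in the session or in the LDAP directory.
my $SECRET = 'constructed-example-secret';

# Web app side: derive the password to present to the token-checking IMAP
# server. The user's real password is never kept after the LDAP bind.
sub imap_token {
    my ($username, $secret) = @_;
    return hmac_sha256_hex($username, $secret);   # ($data, $key)
}

# Backend side: recompute the token for the claimed username and compare
# every character, so the time taken does not reveal how many leading
# characters of a guessed token were correct.
sub token_ok {
    my ($username, $presented, $secret) = @_;
    my $expected = imap_token($username, $secret);
    return 0 if length($presented) != length($expected);
    my $diff = 0;
    $diff |= ord(substr($presented, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($expected) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed usernames for the demonstration.
my $token = imap_token('alice', $SECRET);

print "alice with her own token: ",
    (token_ok('alice', $token, $SECRET) ? "accepted" : "rejected"), "\n";

# A token is bound to one username, so replaying it for another account fails.
print "mallory with alice's token: ",
    (token_ok('mallory', $token, $SECRET) ? "accepted" : "rejected"), "\n";

# Rotating the secret invalidates every previously derived token at once.
print "alice after secret rotation: ",
    (token_ok('alice', $token, 'constructed-rotated-secret')
        ? "accepted" : "rejected"), "\n";
```

Because the token is a pure function of the username and the secret, anyone holding the secret can log in as any user, so the token-checking server should accept connections only from the web app host.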