AppSamurai
This is the home site for the AppSamurai system, which consists of the Apache::AppSamurai Perl modules and supporting files.
News
- 2008-05-03 - Version 1.01 released. (Added Auth::Simple, an Authen::Simple authentication wrapper. See Changes for more on what's new.)
- 2007-10-04 - Added info on AppSamurai-misc mailing list
- 2007-10-01 - Version 1.00 released. (Now with mod_perl 1.x and mod_perl 2.x support)
- 2007-07-22 - Added basic overview diagram of use in a reverse proxy configuration
- 2007-07-14 - Version 0.9 released. (Initial public release of Apache::AppSamurai)
Overview
There are many ways to protect web applications from attack, but most have a weakness: they allow unauthenticated attackers to fire requests against the entire application. AppSamurai protects web applications from direct attack by unauthenticated users, preventing any access to any part of a protected web application unless the user is properly authenticated. It also adds a flexible authentication front end to applications with limited support for stronger authentication.
AppSamurai is primarily designed to be used as part of an Apache mod_perl proxy inside a DMZ, protecting a backend web application in an internal network. It may also be used to protect web applications on the AppSamurai server itself. It should also play nicely with mod_security and other Apache modules.
Figure 1 shows how AppSamurai would fit into a reverse web proxy configuration to give access to an internal web application.
Example uses of AppSamurai include:
- Moving authentication in front of sensitive web applications, only allowing traffic from authenticated users to even touch the web applications.
- Adding a strong authentication factor to a network appliance's canned web interface.
- Protecting Exchange Outlook Web Access/ActiveSync with strong, multi-factor authentication, including dynamic tokens.
Finally, a quick note on the AppSamurai project's scope:
- Apache::AppSamurai should be relatively easy to configure and deploy for anyone familiar with Apache administration.
- Apache::AppSamurai is not a full request/response filtering system, but it should play nicely with them.
- Apache::AppSamurai is not a Single Sign On or Federation system, but it should be able to tie into them.
- Apache::AppSamurai should remain simple, self-contained, and light.
Features
AppSamurai features include:
- Modular multi-factor authentication system
- Form based or basic auth based logins
- Encrypted storage of session data on proxy
- Able to use any Apache::Session storage type (including MySQL or Postgres for clustered deployment)
- Configurable from httpd.conf (no coding required)
- Coded with security in mind
- Single code base support for Apache 1.x/mod_perl 1.x and Apache 2.x/mod_perl 2.x
Requirements
AppSamurai requires Apache HTTPD and mod_perl. (Apache 1.x/mod_perl 1.x and Apache 2.x/mod_perl 2.x are supported with the same code base.) In addition, the following are required to install and use Apache::AppSamurai:
- Apache::libapreq (Apache::Request) - Fast GET/POST access to Apache request tables
- Apache::Session - Flexible session storage system
- Digest::SHA - Provides SHA-1/224/256/384/512 cryptographic hash functions
- Crypt::CBC - Provides CBC block data encryption with your choice of encryption cipher (Note - Also requires a supported cipher module. See AppSamurai documentation for the current list.)
Module::Build is used for installation and packaging of Apache::AppSamurai, and is recommended. A simplified Makefile.PL (ExtUtils::MakeMaker) script is also provided in case you prefer the traditional perl Makefile.PL, make, make test, make install flow.
Main development and testing is done on OpenBSD, but Apache::AppSamurai should work on most modern UNIX-like operating systems.
Downloads (How To Get AppSamurai)
Apache::AppSamurai is available for direct download, or can be installed using CPAN.
Current Release: 1.01 (2008-05-03)
- AppSamurai Files on SourceForge
- Apache::AppSamurai on CPAN
- CVS Web (on SourceForge) - Note: Not currently used as primary CVS for development. SourceForge CVS will only be updated just before the next code release.
Documentation and Support
- FAQ - Current FAQ from distribution.
- README - Current README file from distribution.
- Apache::AppSamurai (1.01) - Man page for Apache::AppSamurai (includes links to other modules in package)
- AppSamurai-misc mailing list (subscription) - Please feel free to sign up and direct any questions to this list.
- AppSamurai-misc mailing list archive - (Not much here yet)
Links and Other Information
- http://appsamurai.sourceforge.net - AppSamurai Homepage
- http://www.voltagenoir.org/appsamurai.html - AppSamurai Homepage (Voltage Noir mirror)
- http://sourceforge.net/projects/appsamurai - SourceForge project page
- Apache::AppSamurai was initially based on Apache::AuthCookie, which is a framework to add cookie-based session support to mod_perl apps. AppSamurai no longer uses Apache::AuthCookie. However, if you need a session building block for your mod_perl app, Apache::AuthCookie is highly recommended.