AppSamurai

This is the home site for the AppSamurai system, which consists of the Apache::AppSamurai Perl modules and supporting files.

News

• 2008-05-03 - Version 1.01 released. (Added Auth::Simple, a Authen::Simple authentication wrapper. See Changes for more on what's new)
• 2007-10-04 - Added info on AppSamurai-misc mailing list
• 2007-10-01 - Version 1.00 released. (Now with mod_perl 1.x and mod_perl 2.x support)
• 2007-07-22 - Added basic overview diagram of use in a reverse proxy configuration
• 2007-07-14 - Version 0.9 released. (Initial public release of Apache::AppSamurai)

---

Overview

There are many ways to protect web applications from attack, but most have a weakness: they allow unauthenticated attackers to fire requests against the entire application. AppSamurai protects web applications from direct attack by unauthenticated users, preventing any access to any part of a protected web application unless the user is properly authenticated. It also adds a flexible authentication front end to applications with limited support for stronger authentication.

AppSamurai is primarily designed to be used as part of a Apache mod_perl proxy inside a DMZ protecting a backend web application in an internal network. It may also be used to protect web applications on AppSamurai server itself. It should also play nice with mod_security and other Apache modules.

Figure 1 shows how AppSamurai would fit into a reverse web proxy configuration to give access to an internal web application.

Example uses of AppSamurai include:

• Moving authentication in front of sensitive web applications, only allowing traffic from authenticated users to even touch the web applications.
• Adding a strong authentication factor to a network appliance's canned web interface.
• Protecting Exchange Outlook Web Access/ActiveSync with strong, multi-factor authentication, including dynamic tokens.

Finally, a quick note on the AppSamurai project's scope:

• Apache::AppSamurai should be relatively easy to configure and deploy for anyone familiar with Apache administration.
• Apache::AppSamurai is not a full request/response filtering system, but it should play nicely with them.
• Apache::AppSamurai is not a Single Sign On or Federation system, but it should be able tie into them.
• Apache::AppSamurai should remain simple, self contained, and light.

---

Features

AppSamurai features include:

• Modular multi-factor authentication system
• Form based or basic auth based logins
• Encrypted storage of session data on proxy
• Able to use any Apache::Session storage type (including MySQL or Postgress for clustered deployment)
• Configurable from httpd.conf (no coding required)
• Coded with security in mind
• Single code base support for Apache 1.x/mod_perl 1.x and Apache 2.x/mod_perl 2.x

---

Requirements

AppSamurai requires Apache HTTPD and mod_perl. (Apache 1.x/mod_perl 1.x and Apache 2.x/mod_perl 2.x are supported with the same code base.) In addition, the following are required to install and use Apache::AppSamurai:

• Apache::libapreq (Apache::Request) - Fast GET/POST access to Apache request tables
• Apache::Session - Flexible session storage system
• Digest::SHA - Provides SHA-1/224/256/384/512 cryptographic hash functions
• Crypt::CBC - Provides CBC block data encryption with your choice of encryption cipher (Note - Also requires a supported cipher module. See AppSamurai documentation for the current list.)

Module::Build is used for installation and packaging of Apache::AppSamurai, and is recommended. A simplified Makefile.PL (ExtUtils::MakeMaker) script is also provided in case you prefer the traditional perl Makefile.PL, make, make test, make install flow.

Main development and testing is done on OpenBSD, but Apache::AppSamurai should work on most modern UNIX-like operating systems.

---

Downloads (How To Get AppSamurai)

Apache::AppSamurai is available for direct download, or can be installed using CPAN.

Current Release: 1.01 (2008-05-03)

• AppSamurai Files on SourceForge
• Apache::AppSamurai on CPAN
• CVS Web (on SourceForge) - Note: Not currently used as primary CVS for development. SourceForge CVS will only be updated just before the next code release.

---

Documentation and Support

• FAQ - Current FAQ from distribution.
• README - Current README file from distribution.
• Apache::AppSamurai (1.01) - Man page for Apache::AppSamurai (includes links to other modules in package)
• AppSamurai-misc mailing list (subscription) - Please feel free to signup and direct any questions to this list.
• AppSamurai-misc mailing list archive - (Not much here yet)

---

Links and Other Information

• http://appsamurai.sourceforge.net - AppSamurai Homepage
• http://www.voltagenoir.org/appsamurai.html - AppSamurai Homepage (Voltage Noir mirror)
• http://sourceforge.net/projects/appsamurai - SourceForge project page
• Apache::AppSamurai was initially based on Apache::AuthCookie, which is a framework to add cookie based session support to mod_perl apps. AppSamurai no longer uses Apache::AuthCookie. However, if you need a session building block for your mod_perl app, Apache::AuthCookie is highly recommended.