Barracuda Lua Lua Server Pages - Authentication

Overview

LSP authentication and authorization are implemented using the Barracuda server library code, so the server documentation is largely applicable to LSP.
Authentication for an LSP application is initiated by providing a ".preload" file in the root of the application directory. The ".preload" file is executed when the Barracuda server starts and can configure authentication/authorization via a single Lua function call.
The ".preload" file provides one additional function call, set_authenticate(), which is only available in .preload files. This function allows you to specify the LSP functions that will be called for authentication and authorization. It also allows you to specify the responses that will be supplied for a login page or when a login fails.

Auth setup example

--
-- Authorization example
--
-- Install this as a .preload file
--
-- To use LSP authorization a set of auth functions must be
-- specified:
--
-- 1. For authentication (does this user exist)
--    function(username)
--    returns password [,maxusers [, recycle, timeoutinterval]]
--
-- 2. For Authorization
--    function()
--    function (user, method, path)
--      returns true or false
--
-- Note that these functions are executed in the context of the global
-- environment.
--

set_authenticate(

  -- the authentication function
  function(user)
    -- allow any user where the password is the same as the user
    return user -- return the password
  end,

  -- the authorizing function
  function (user, method, path, apptable)
   -- always authorize
   return true
  end,

  -- the following optional strings can be used to enable/disable form
  -- authentication
  {
     loginpage="/loginbody.shtml",
     errorpage="/errorpage.lsp",
     authtype="digest",
  }

);

set_authenticate(authenticate, authorize, parameter table)

function authenticate(user)
user
The username that is trying to authenticate
returns: password or false [, maxusers [, recycle, timeoutinterval]]
If the user is valid this function either returns the password of this user or false/nil to prevent the user completing the login. Setting maxusers to 0 will prevent the user logging in. Setting recycle to true will allow other currently logged in users to be logged out to allow this user to log in.
Return values
password
password of the user
maxusers
The current maximum number of instances of this user that are permitted to login. This can be changed with a return value.
recycle
Current value of a Boolean that allows recycling of users
timeout interval
The maximum inactive time interval in seconds. If this time elapses without any user activity then the user will be logged out.
function authorize(user, method, path)
user
The username that is trying to authorize
method
One of "GET", "POST" etc
path
The path to which access is required
returns: true/false
parameter table
authtype=
Force the authentication type to one of 'basic', 'digest', 'form' or 'default'. The default is to attempt to use form authentication.
loginpage=
The name of the HTML, CSP or LSP page to be displayed at login. If not specified, the authentication type is forced to basic.
errorpage=
The name of the HTML, CSP or LSP page to be displayed when a login fails. If not specified, a default page is generated.
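
The setup example above accepts any username and authorizes every request. As an added example (not the project's own code), the following .preload sketch uses the same set_authenticate() call with a per-user table and a deny-by-default authorizer. The account names, passwords, roles, path prefixes and the helper tables `users` and `rules` are constructed for illustration, and it assumes `path` is passed with a leading "/".

```lua
-- .preload (added example; accounts, roles and rules below are constructed)
local users = {
  -- maxusers / recycle / timeout map to the optional return values of authenticate()
  alice = { password = "constructed-pw-1", maxusers = 1, recycle = true,  timeout = 600,  role = "admin" },
  bob   = { password = "constructed-pw-2", maxusers = 2, recycle = false, timeout = 1800, role = "user"  },
  -- maxusers = 0 prevents this user from logging in (account disabled)
  carol = { password = "constructed-pw-3", maxusers = 0, recycle = false, timeout = 600,  role = "user"  },
}

-- Ordered access rules: the first matching prefix decides.
local rules = {
  { prefix = "/admin/", roles = { admin = true },              methods = { GET = true, POST = true } },
  { prefix = "/",       roles = { admin = true, user = true }, methods = { GET = true } },
}

-- Authentication: return the stored password and limits, or false for unknown users.
local function authenticate(user)
  local u = users[user]
  if not u then
    return false
  end
  return u.password, u.maxusers, u.recycle, u.timeout
end

-- Authorization: deny unless a rule explicitly allows this role and method.
local function authorize(user, method, path)
  local u = users[user]
  if not u or type(path) ~= "string" then
    return false
  end
  for _, r in ipairs(rules) do
    -- Assumption: path starts with "/"; if it does not, no rule matches and access is denied.
    if path:sub(1, #r.prefix) == r.prefix then
      return (r.roles[u.role] and r.methods[method]) == true
    end
  end
  return false
end

set_authenticate(authenticate, authorize, {
  loginpage = "/loginbody.shtml",
  errorpage = "/errorpage.lsp",
  authtype  = "digest",
})
```

Because the first matching prefix decides, more specific prefixes such as "/admin/" must be listed before "/".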