<Location> and .htaccess

Cantor, Scott cantor.2 at osu.edu
Thu Nov 3 04:24:39 GMT 2011


On 11/3/11 12:01 AM, "Aaron Roots" <aaron.roots at deakin.edu.au> wrote:
>
>So I have this config as indicated in the wiki:
>https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
><Location />
>AuthType shibboleth
>ShibRequestSetting requireSession 1
>Require shibboleth
></Location>

You can, but normal Apache usage like require valid-user is more typical,
for clarity if nothing else. The "shibboleth" rule is a dummy that's
supported in order for lazy sessions to work without forcing a session.

>I then try to further restrict the access in a .htaccess file within the
>file system
>Require user notaaron

You can't do that, because that's not how Apache combines settings.

>I see on
>https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPhtaccess that
>the Location block will take precedence

I put that there because people kept getting it wrong. The actual rules
are described in the Apache documentation and are entirely up to it.

> - but I couldn't take this config out
>of the Locations as mod_rewrite is also being used within the application.
>Which will only set the Environment Variables as expected when used in a
>Location block.
>
>I am thinking this is going to be a rock and a hard place kind of issue

You could choose instead to move your authorization requirements into the
XML domain, but you'd have to add a RequestMap to the mix. I believe that
an Access Control plugin attached to the map would run regardless of what
Apache does otherwise, but to be honest, I don't know for sure without
trying it.

-- Scott
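
The merge behaviour discussed in this message, as an added configuration example that is not part of the original post or of the Shibboleth documentation. It assumes Apache 2.2-era `Require` semantics as used in the thread; the `/private` URL path and the `/var/www/app/private` directory are constructed for illustration.

```apache
# --- httpd.conf: the block from the thread ---------------------------------
<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shibboleth
</Location>

# --- /var/www/app/private/.htaccess (constructed path): NOT enforced --------
# Apache merges <Directory> sections and .htaccess files first, then
# <Files>, and <Location> sections last. The "Require" inherited from
# <Location /> is therefore applied after this one and replaces it, so
# any user with a session reaches /private, including those this line
# was meant to exclude.
Require user notaaron

# --- httpd.conf: same restriction in a place where it takes effect ---------
# <Location> sections are merged in the order they appear in the
# configuration, so this block must come after <Location />.
# Its "Require" replaces the broader one for URLs under /private only.
<Location /private>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require user notaaron
</Location>
```

To confirm which rule is in force, request a URL under `/private` with a session for a user who should be denied and check for a 401 or 403 response rather than the page content.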


