More Secure Sub-directory
Aaron Roots
aaron.roots at deakin.edu.au
Wed Feb 8 01:56:57 GMT 2012
I only just realised that I had a slight woops in my config I posted – didn't want to get anyone confused when googling or anything
The location section should not have require valid-user but require shibboleth. Otherwise require valid-user will override any further restrictions. Sorry if that is what wasn't working for you there Doug.
<Location "/secure">
AuthType shibboleth
ShibRequestSetting requireSession 1
Require shibboleth
</Location>
Cheers
Aaron
From: Aaron Roots <aaron.roots at deakin.edu.au<mailto:aaron.roots at deakin.edu.au>>
Reply-To: Shib Users <users at shibboleth.net<mailto:users at shibboleth.net>>
Date: Sun, 29 Jan 2012 11:12:07 +0000
To: Shib Users <users at shibboleth.net<mailto:users at shibboleth.net>>
Subject: Re: More Secure Sub-directory
Hey Doug,
Am happy to help out more – but will need to see some of the config you are trying to use
Cheers
Aaron
From: Doug Pham <phamx039 at umn.edu<mailto:phamx039 at umn.edu>>
Reply-To: Shib Users <users at shibboleth.net<mailto:users at shibboleth.net>>
Date: Fri, 27 Jan 2012 11:56:40 -0600
To: Shib Users <users at shibboleth.net<mailto:users at shibboleth.net>>
Subject: Re: More Secure Sub-directory
Aaron,
I tried this but still not working for me. It does not seem like the directive is being executed.
Thanks,
Doug
On Thu, Jan 26, 2012 at 5:51 PM, Aaron Roots <aaron.roots at deakin.edu.au<mailto:aaron.roots at deakin.edu.au>> wrote:
This caused me a headache for a long long time.
The Location block directives override the .htaccess directives: http://httpd.apache.org/docs/2.2/sections.html#mergin
So the choices are:
* Use a location block in your apache conf for the more secured directory (may not want user accessing apache conf or continually needing to action requests on their behalf )
* Use the initial directive in a Directory block instead of Location (but this may break things like mod_rewrite)
* Use the XML permission format
For the later option – you provide a fairly rudimentary Shibboleth setup in the Location block:
<Location "/secure">
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
</Location>
Then you need a .htaccess in the /secure directory to provide the following
ShibAccessControl /var/www/html/secure/.htaccess.xml
The you specific the account control in the .htaccess.xml - https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPXMLAccessControl
Then you repeat the .htaccess and .htaccess.xml steps for wherever you need to further restrict your options
As we couldn't use the first two options – have gone with the third option
Cheers,
Aaron
From: Doug Pham <phamx039 at umn.edu<mailto:phamx039 at umn.edu>>
Reply-To: Shib Users <users at shibboleth.net<mailto:users at shibboleth.net>>
Date: Thu, 26 Jan 2012 17:20:23 -0600
To: <users at shibboleth.net<mailto:users at shibboleth.net>>
Subject: More Secure Sub-directory
Hi There,
In my shib.conf file I have the following:
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
I want to make a specific directory underneath /secure directory more secured using a list in a .htaccess directory:
AuthType Shibboleth
ShibRequireSession On
Require user joe
SSLOptions +StrictRequire
SSLRequireSSL
This is not working. I was able to login after authenticated and I am not "joe". What am I missing?
Thanks,
Doug
-- To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
-- To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
-- To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20120208/d7138b70/attachment.html
More information about the users
mailing list