More Secure Sub-directory

Aaron Roots aaron.roots at deakin.edu.au
Thu Jan 26 23:51:32 GMT 2012 

This caused me a headache for a long long time.

The Location block directives override the .htaccess directives: http://httpd.apache.org/docs/2.2/sections.html#mergin

So the choices are:

  *   Use a location block in your apache conf for the more secured directory (may not want user accessing apache conf or continually needing to action requests on their behalf )
  *   Use the initial directive in a Directory block instead of Location (but this may break things like mod_rewrite)
  *   Use the XML permission format

For the later option – you provide a fairly rudimentary Shibboleth setup in the Location block:
<Location "/secure">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
  </Location>

Then you need a .htaccess in the /secure directory to provide the following
ShibAccessControl /var/www/html/secure/.htaccess.xml

The you specific the account control in the .htaccess.xml - https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPXMLAccessControl

Then you repeat the .htaccess and .htaccess.xml steps for wherever you need to further restrict your options

As we couldn't use the first two options – have gone with the third option

Cheers,
Aaron

From: Doug Pham <phamx039 at umn.edu<mailto:phamx039 at umn.edu>>
Reply-To: Shib Users <users at shibboleth.net<mailto:users at shibboleth.net>>
Date: Thu, 26 Jan 2012 17:20:23 -0600
To: <users at shibboleth.net<mailto:users at shibboleth.net>>
Subject: More Secure Sub-directory

Hi There,
     In my shib.conf file I have the following:
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

     I want to make a specific directory underneath /secure directory more secured using a list in a .htaccess directory:

AuthType Shibboleth
ShibRequireSession On
Require user joe
SSLOptions +StrictRequire
SSLRequireSSL

     This is not working.  I was able to login after authenticated and I am not "joe".  What am I missing?


Thanks,
Doug



-- To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net<mailto:users-unsubscribe at shibboleth.net>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20120126/a4ad7b50/attachment.html

More information about the users mailing list