More Secure Sub-directory

Aaron Roots aaron.roots at
Thu Jan 26 23:51:32 GMT 2012

This caused me a headache for a long long time.

The Location block directives override the .htaccess directives:

So the choices are:

  *   Use a Location block in your Apache conf for the more secured directory (may not want user accessing Apache conf or continually needing to action requests on their behalf)
  *   Use the initial directive in a Directory block instead of Location (but this may break things like mod_rewrite)
  *   Use the XML permission format

For the latter option – you provide a fairly rudimentary Shibboleth setup in the Location block:
<Location "/secure">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>

Then you need a .htaccess in the /secure directory to provide the following:
ShibAccessControl /var/www/html/secure/.htaccess.xml

Then you specify the account control in the .htaccess.xml -

Then you repeat the .htaccess and .htaccess.xml steps for wherever you need to further restrict your options

As we couldn't use the first two options – have gone with the third option


From: Doug Pham <phamx039 at>
Reply-To: Shib Users <users at>
Date: Thu, 26 Jan 2012 17:20:23 -0600
To: <users at>
Subject: More Secure Sub-directory

Hi There,
     In my shib.conf file I have the following:
<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

     I want to make a specific directory underneath /secure directory more secured using a list in a .htaccess directory:

AuthType Shibboleth
ShibRequireSession On
Require user joe
SSLOptions +StrictRequire

     This is not working.  I was able to log in after authenticating, and I am not "joe".  What am I missing?


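Added example (not part of the original thread, and not Apache or Shibboleth code): a simplified Python model of Apache's documented section merge order, showing why the `Require user joe` in the .htaccess loses to the `<Location /secure>` block and why the `<Directory>` alternative lets it win. The sub-directory name `private`, the document root and all function names are assumptions made for the illustration.

```python
import posixpath
# Constructed sample mirroring the thread. "private" is a hypothetical
# sub-directory name; DOCROOT is assumed from the path quoted in the reply.
DOCROOT = "/var/www/html"
LOCATION_CONF = [
    ("Location", "/secure", {"AuthType": "shibboleth", "Require": "valid-user"}),
    ("htaccess", DOCROOT + "/secure/private",
     {"AuthType": "Shibboleth", "Require": "user joe"}),
]
# Second choice from the reply: the same directives in a <Directory> block.
DIRECTORY_CONF = [("Directory", DOCROOT + "/secure", LOCATION_CONF[0][2]),
                  LOCATION_CONF[1]]

def covers(prefix, path):
    """True if path is prefix itself or lies beneath it (whole segments only)."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def merge_trace(sections, url):
    """Applicable sections in Apache's merge order: <Directory>/.htaccess from
    shortest path to longest (.htaccess after <Directory> at the same level),
    then <Location> in configuration order."""
    url = posixpath.normpath(url)
    fs_path = posixpath.normpath(DOCROOT + url)
    hits = []
    for index, (kind, target, directives) in enumerate(sections):
        if kind == "Location" and covers(target, url):
            hits.append(((1, index, 0), kind, target, directives))
        elif kind != "Location" and covers(target, fs_path):
            key = (0, len(target.rstrip("/")), kind == "htaccess")
            hits.append((key, kind, target, directives))
    return [hit[1:] for hit in sorted(hits, key=lambda hit: hit[0])]

def effective(sections, url):
    """Last merged value wins (simplified: one value per directive name)."""
    merged = {}
    for kind, target, directives in merge_trace(sections, url):
        for name, value in directives.items():
            merged[name] = (value, f"{kind} {target}")
    return merged

def shadowed(sections, url):
    """.htaccess directives whose value a later-merged section replaced."""
    final = effective(sections, url)
    return [(name, value, final[name][1])
            for kind, _, directives in merge_trace(sections, url) if kind == "htaccess"
            for name, value in directives.items()
            if final[name][0].lower() != value.lower()]

print(shadowed(LOCATION_CONF, "/secure/private/"))
```

Running `shadowed()` over each protected URL of a site gives a quick list of .htaccess restrictions that never take effect because a Location block is merged after them.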