More Secure Sub-directory
Aaron Roots
aaron.roots at deakin.edu.au
Sun Jan 29 11:12:07 GMT 2012
Hey Doug,
Am happy to help out more – but will need to see some of the config you are trying to use
Cheers
Aaron
From: Doug Pham <phamx039 at umn.edu>
Reply-To: Shib Users <users at shibboleth.net>
Date: Fri, 27 Jan 2012 11:56:40 -0600
To: Shib Users <users at shibboleth.net>
Subject: Re: More Secure Sub-directory
Aaron,
I tried this but still not working for me. It does not seem like the directive is being executed.
Thanks,
Doug
On Thu, Jan 26, 2012 at 5:51 PM, Aaron Roots <aaron.roots at deakin.edu.au> wrote:
This caused me a headache for a long long time.
The Location block directives override the .htaccess directives: http://httpd.apache.org/docs/2.2/sections.html#mergin
So the choices are:
* Use a location block in your apache conf for the more secured directory (may not want user accessing apache conf or continually needing to action requests on their behalf)
* Use the initial directive in a Directory block instead of Location (but this may break things like mod_rewrite)
* Use the XML permission format
For the latter option – you provide a fairly rudimentary Shibboleth setup in the Location block:
<Location "/secure">
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
</Location>
Then you need a .htaccess in the /secure directory to provide the following:
ShibAccessControl /var/www/html/secure/.htaccess.xml
Then you specify the account control in the .htaccess.xml - https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPXMLAccessControl
Then you repeat the .htaccess and .htaccess.xml steps for wherever you need to further restrict your options
As we couldn't use the first two options – have gone with the third option
Cheers,
Aaron
From: Doug Pham <phamx039 at umn.edu>
Reply-To: Shib Users <users at shibboleth.net>
Date: Thu, 26 Jan 2012 17:20:23 -0600
To: <users at shibboleth.net>
Subject: More Secure Sub-directory
Hi There,
In my shib.conf file I have the following:
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
I want to make a specific directory underneath /secure directory more secured using a list in a .htaccess directory:
AuthType Shibboleth
ShibRequireSession On
Require user joe
SSLOptions +StrictRequire
SSLRequireSSL
This is not working. I was able to log in after authenticating and I am not "joe". What am I missing?
Thanks,
Doug
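
Added example (not part of the original thread): a simplified Python model of the Apache 2.2 section merge order that the reply above refers to, run against the configuration quoted in the thread. The function names and the per-directive "last value wins" treatment are assumptions of this model; it is not Apache or Shibboleth code and does not evaluate the XML policy itself.

```python
# Simplified model of Apache 2.2 section merging: <Directory> and .htaccess are
# merged first, then <Files>, then <Location> last. Assumption of this model:
# a value set by a later-merged section replaces the earlier value.
MERGE_ORDER = ("directory", "htaccess", "files", "location")

def parse(text):
    """Parse 'Directive args' lines into {lowercased directive: args}."""
    out = {}
    for line in text.strip().splitlines():
        name, _, args = line.strip().partition(" ")
        if name and not name.startswith("#"):
            out[name.lower()] = args.strip()
    return out

def effective(sections):
    """Merge sections in Apache order and return (effective, shadowed).

    shadowed holds (directive, losing_section, winning_section) for every
    setting that was written down but replaced by a later-merged section.
    """
    result, owner, shadowed = {}, {}, []
    for kind in MERGE_ORDER:
        for name, args in sections.get(kind, {}).items():
            if name in result and result[name].lower() != args.lower():
                shadowed.append((name, owner[name], kind))
            result[name], owner[name] = args, kind
    return result, shadowed

# Constructed from the configuration quoted in the thread.
LOCATION = parse("""
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
""")
HTACCESS = parse("""
AuthType Shibboleth
ShibRequireSession On
Require user joe
SSLOptions +StrictRequire
SSLRequireSSL
""")
HTACCESS_XML = parse("ShibAccessControl /var/www/html/secure/.htaccess.xml")

if __name__ == "__main__":
    for label, ht in (("Require in .htaccess", HTACCESS), ("ShibAccessControl in .htaccess", HTACCESS_XML)):
        eff, lost = effective({"location": LOCATION, "htaccess": ht})
        print(label, "-> effective:", eff, "shadowed:", lost)
```

In the first case the model reports `Require user joe` as shadowed by the Location block's `Require valid-user`; in the second, `ShibAccessControl` is not set in the Location block, so the .htaccess value stays in effect.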