Shib SP config breaking ServerSideIncludes on vhosts not using Shib authentication

Paul Beckett paul_beckett at outlook.com
Thu Jul 11 04:20:56 EDT 2013


I am experiencing problems using SSI includes on some virtual hosts, which seems to be related in some way to my ShibSP configuration. I am using Apache 2.4.4, Shib SP 2.5.1.

My Shibboleth2.xml config (sanitised to remove domain names) is included at the end. I have a number of virtual hosts in Apache; each of these that requires Shib authentication is configured with an application override:

<ApplicationOverride id="service2" entityID="https://service2.domain.com/shibboleth"/>

Server Side Includes (SSI) work fine on virtual hosts I've configured to use Shib authentication. Virtual hosts that have not been configured to use Shib authentication work in general, but SSIs fail (Apache error log messages below).

All my Shib configuration in Apache is contained within virtual hosts (not done anything globally). Is there something I need to do to explicitly disable Shib on a virtual host that doesn't need it?

Any thoughts / advice on how to solve or debug this further would be greatly appreciated.

Thanks,
Paul

Apache Error Log:
[Thu Jul 11 08:59:54.084076 2013] [mod_shib:error] [pid 64992:tid 140036716484352] [client XXX.XXX.XXX.XXX:51502] shib_handler found no per-request structure
[Thu Jul 11 08:59:54.084119 2013] [include:error] [pid 64992:tid 140036716484352] [client XXX.XXX.XXX.XXX:51502] unable to include "./header.htm" in parsed file /apache/content/error/503.err, subrequest returned 500
[Thu Jul 11 08:59:54.084362 2013] [mod_shib:error] [pid 64992:tid 140036716484352] [client XXX.XXX.XXX.XXX:51502] shib_handler found no per-request structure
[Thu Jul 11 08:59:54.084392 2013] [include:error] [pid 64992:tid 140036716484352] [client XXX.XXX.XXX.XXX:51502] unable to include "./footer.htm" in parsed file /apache/content/error/503.err, subrequest returned 500

Apache include config:
ErrorDocument 404 /error/404.err
ErrorDocument 503 /error/503.err
<Location /error>
        Options IncludesNOEXEC
        AddType text/html .err
        AddOutputFilter INCLUDES .err
</Location>

ShibSP Config:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">

    <ApplicationDefaults entityID="https://service1.domain.com/shibboleth"
                         REMOTE_USER="username">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">

            <SSO entityID="https://login.domain.com/entity">
              SAML2
            </SSO>

            <Logout>SAML2 Local</Logout>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="help at domain.com"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

        <MetadataProvider type="XML" uri="https://login.domain.com/entity"
              backingFilePath="testlogin-metadata.xml" reloadInterval="7200">
        </MetadataProvider>

        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <!-- Additional Applications : vhosts -->
        <ApplicationOverride id="service2" entityID="https://service2.domain.com/shibboleth"/>
        <ApplicationOverride id="service3" entityID="https://service3.domain.com/shibboleth"/>
        <ApplicationOverride id="service4" entityID="https://service4.domain.com/shibboleth"/>

    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>



 		 	   		  