Rejecting unauthenticated requests from apache2

Cantor, Scott cantor.2 at
Wed May 13 17:26:31 EDT 2015

On 5/13/15, 9:04 PM, "Jeremy Shapiro" <jnshapiro at> wrote:

>  I'd like to have apache2 reject these ajax calls when they do not have 
>a valid session, rather than using lazy sessions and relying on the 
>application.   Is there some sample apache config that would do this?

You stop requiring a session. That's what you're describing.

There are three possible options:

- let the SP intercept the requests and require a session
- let the SP intercept the requests and don't require a session
- bypass the SP

The first is a 302 by definition because that's how a session is initiated 
(leaving edge cases like ECP aside). The others are whatever you program 
them to be. There are no other possible choices.

>I would prefer to have apache return an error code when there's no valid 
>session for a particular location match, rather than trying to rewrite 
>any 302 to a 401.

You've seemingly ruled that out by saying you don't want to rely on the 
application. Only the application could possibly know to do that, that's 
what the "lazy" session idea is referring to. Whether it's Apache rules or 
SP settings, those are all or nothing because they don't know anything 
about the state of the application. Apache itself is more sophisticated 
because a rewrite rule has access to a lot of request state, and the SP 
doesn't try and reimplement all that.

-- Scott

More information about the users mailing list