Rejecting unauthenticated requests from apache2
Cantor, Scott
cantor.2 at osu.edu
Wed May 13 17:26:31 EDT 2015
On 5/13/15, 9:04 PM, "Jeremy Shapiro" <jnshapiro at gmail.com> wrote:
>I'd like to have apache2 reject these ajax calls when they do not have
>a valid session, rather than using lazy sessions and relying on the
>application. Is there some sample apache config that would do this?
You stop requiring a session. That's what you're describing.
There are three possible options:
- let the SP intercept the requests and require a session
- let the SP intercept the requests and don't require a session
- bypass the SP
The first is a 302 by definition because that's how a session is initiated
(leaving edge cases like ECP aside). The others are whatever you program
them to be. There are no other possible choices.
>I would prefer to have apache return an error code when there's no valid
>session for a particular location match, rather than trying to rewrite
>any 302 to a 401.
You've seemingly ruled that out by saying you don't want to rely on the
application. Only the application could possibly know to do that; that's
what the "lazy" session idea is referring to. Whether it's Apache rules or
SP settings, those are all or nothing because they don't know anything
about the state of the application. Apache itself is more sophisticated
because a rewrite rule has access to a lot of request state, and the SP
doesn't try and reimplement all that.
-- Scott
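
The second option in the reply (the SP intercepts the request but does not require a session), sketched from the application side as an added example that is not part of the original post or the Shibboleth project's code. It assumes the SP exports Shib-Session-ID as an environment variable and uses its default /Shibboleth.sso/Login handler; the class name LazySessionGate and the /app/api/ prefix are hypothetical.

```python
from urllib.parse import quote
from wsgiref.util import request_uri

# Assumed Apache side (SP intercepts, session not required):
#   <Location /app>
#     AuthType shibboleth
#     ShibRequestSetting requireSession 0
#     Require shibboleth
#   </Location>

# Read the SP-set environment variable, never the HTTP_SHIB_SESSION_ID key:
# HTTP_* entries come from client-supplied request headers.
SESSION_VAR = "Shib-Session-ID"
LOGIN_HANDLER = "/Shibboleth.sso/Login"   # SP default handler location
AJAX_PREFIX = "/app/api/"                 # hypothetical AJAX URL space


class LazySessionGate:
    """WSGI middleware: 401 for AJAX without a session, 302 to login otherwise."""

    def __init__(self, app, ajax_prefix=AJAX_PREFIX):
        self.app = app
        self.ajax_prefix = ajax_prefix

    def __call__(self, environ, start_response):
        if environ.get(SESSION_VAR):
            return self.app(environ, start_response)  # session exists

        path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        if path.startswith(self.ajax_prefix):
            body = b'{"error": "no_session"}'
            start_response("401 Unauthorized", [
                ("Content-Type", "application/json"),
                ("Content-Length", str(len(body))),
                ("Cache-Control", "no-store"),
            ])
            return [body]

        # Page navigation: start a session through the SP's login handler.
        target = quote(request_uri(environ), safe="")
        start_response("302 Found", [
            ("Location", f"{LOGIN_HANDLER}?target={target}"),
            ("Content-Length", "0"),
        ])
        return [b""]
```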