Rejecting unauthenticated requests from apache2
Jim Fox
fox at washington.edu
Fri May 15 12:37:01 EDT 2015
I think you could catch 302 errors, with "ErrorDocument 302", inspect the
request, and either pass along the 302 for normal access, or switch it
to 4xx for your ajax requests. I haven't tried this though. I usually
have access to the app.
Jim
On Wed, 13 May 2015, Cantor, Scott wrote:
> Date: Wed, 13 May 2015 14:50:42
> From: "Cantor, Scott" <cantor.2 at osu.edu>
> To: Shib Users <users at shibboleth.net>
> Reply-To: Shib Users <users at shibboleth.net>
> Subject: Re: Rejecting unauthenticated requests from apache2
>
> On 5/13/15, 9:26 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>
>
>
>> On 5/13/15, 9:04 PM, "Jeremy Shapiro" <jnshapiro at gmail.com> wrote:
>>
>>
>>> I'd like to have apache2 reject these ajax calls when they do not have
>>> a valid session, rather than using lazy sessions and relying on the
>>> application. Is there some sample apache config that would do this?
>>
>> You stop requiring a session. That's what you're describing.
>>
>> There are three possible options:
>>
>> - let the SP intercept the requests and require a session
>> - let the SP intercept the requests and don't require a session
>
> It does occur to me though that what you're asking for it to do is
> possible, just don't require a session and set a require shib-session
> rule. No session, you should get a 403 back.
>
> I didn't really think about it initially because it's an unusual thing to
> do, it generally would work pretty badly in any given app.
>
> -- Scott
>
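The arrangement Scott describes in the quoted reply (no required session, plus a `Require shib-session` rule), written out as an Apache 2.4 configuration next to the usual session-requiring setup. This is an added example, not configuration posted in the thread, and the `/app/` and `/api/` paths are assumed placeholders.

```apache
# Added example, not from the thread. The /app/ and /api/ paths are assumed.

# Interactive pages: the SP requires a session, so a browser that has
# none is redirected (302) to the IdP to log in.
<Location "/app/">
    AuthType shibboleth
    ShibRequestSetting requireSession true
    Require shib-session
</Location>

# AJAX endpoints: the SP still intercepts the request but does not
# force a login redirect. The decision is left to the Require rule,
# so a request without a valid session is refused by Apache rather
# than redirected, and never reaches the application.
<Location "/api/">
    AuthType shibboleth
    ShibRequestSetting requireSession false
    Require shib-session
</Location>
```

Scott's stated expectation is a 403 for a request with no session; confirm the status code your SP and Apache versions actually return before client-side code is written to depend on it.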