Lazy Sessions and /secure

Mr. Christopher Bland chris at fdu.edu
Wed Nov 15 10:39:35 EST 2017


Hi Scott,

Did a little more digging and reading and my primary issue is
Overlapping Webspace

In order to have two overlapping URLs one has to consider the order in which certain sections or directives are evaluated. For <Location> <http://httpd.apache.org/docs/current/mod/core.html#location> this would be:

<Location "/foo">
</Location>
<Location "/foo/bar">
</Location>

After moving my location directive around I started getting

AH01629: authorization failure (no authenticated user): /secure/

I changed /secure to what’s below and it works now.  I

<Location />
  AuthType shibboleth
  ShibRequireSession Off
  ShibUseHeaders On
  Require shibboleth
</Location>

<Location /secure>
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
</Location>

Hope this helps anyone else that hits this problem.


-Chris

On Nov 14, 2017, at 10:03 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

I didn’t set up a different Session Initiator so I don’t think I need
requireSessionWith.  I also didn’t set up a RequestMap thinking I should be
able to accomplish this in the shib.conf file.

Location settings merge in very complex ways, I would imagine you're seeing the effect of that. I believe Location / will usually trump just about everything.

-- Scott

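Added example, not part of the original thread and not Shibboleth or Apache code: a small Python check for the ordering problem discussed above, which flags a broader <Location> section that appears after a narrower one and overrides one of its directives. It assumes a simplified merge model (plain <Location> sections only, applied in file order, last matching section wins per directive); the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the two sections from the post, trimmed to the session
# directives and placed in the wrong order (broad "/" after "/secure").
MISORDERED = """\
<Location /secure>
  ShibRequireSession On
</Location>
<Location />
  ShibRequireSession Off
  Require shibboleth
</Location>
"""

def parse_locations(conf):
    """Return [(path, {directive: args})] in file order (plain <Location> only)."""
    sections, current = [], None
    for line in conf.splitlines():
        line = line.strip()
        m = re.match(r'<Location\s+"?([^">]+)"?\s*>$', line, re.I)
        if m:
            current = (m.group(1).strip(), {})
        elif re.match(r'</Location>$', line, re.I):
            sections.append(current)
            current = None
        elif current is not None and line and not line.startswith('#'):
            parts = line.split(None, 1) + ['']
            current[1][parts[0].lower()] = parts[1].strip()
    return sections

def covers(loc, path):
    """Prefix rule: exact match, or loc plus a trailing slash is a prefix of path."""
    return path == loc or path.startswith(loc.rstrip('/') + '/')

def effective(sections, path):
    """Merge every matching section in file order; later sections override."""
    merged = {}
    for loc, directives in sections:
        if covers(loc, path):
            merged.update(directives)
    return merged

def shadowed(sections):
    """(narrow, broad, directive) where a later, broader section overrides a value."""
    return [(narrow, broad, d)
            for i, (narrow, nd) in enumerate(sections)
            for broad, bd in sections[i + 1:] if broad != narrow and covers(broad, narrow)
            for d in nd if d in bd and bd[d] != nd[d]]
```

Running shadowed(parse_locations(conf)) over a shib.conf before deployment shows whether a protected path such as /secure ends up with the lazy-session setting from the broader section.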