Documentation On shib-attr allowed regex?
Ferenc Wágner
wferi at niif.hu
Tue Aug 7 11:20:52 EDT 2018
"Bryan K. Walton" <bwalton+1533146256 at leepfrog.com> writes:
> On Wed, Aug 01, 2018 at 06:08:28PM -0400, Tom Scavo wrote:
>
>>> On 08/01/2018 11:22 AM, Bryan K. Walton wrote:
>>>
>>>> We set up our shib-attr strings like this:
>>>>
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CASUAL.*$
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CONTINUING.*$
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ACAD_CONTINUING.*$
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_CEJT.*$
>>
>> Try this instead:
>>
>> Require shib-attr carleton-ca-role ~
>> ^.*(FNQM_(ADMIN_CASUAL|ADMIN_CONTINUING|ACAD_CONTINUING|CEJT)).*$
>
> Your suggestion of combining the regex into 1 regex seems to have resolved
> the issue.

Looks like your original regexes weren't complicated enough..:)

Seriously, such unexplained success makes me nervous, especially in
security software. Shouldn't the two approaches behave the same? Who
else might get access now? (BTW neither checks the boundaries, which is
a common flaw.)

Looks like the regex engine in Xerces-C is totally undocumented. Scott,
wouldn't it make sense to use a documented regex library instead?
--
Regards,
Feri
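
An added example, not part of the original message or of the Shibboleth code base: it uses Python's `re` module (not the Xerces-C engine the SP uses) to check whether the four separate patterns and the combined one accept the same values, and which values are accepted only because neither pattern checks boundaries. The sample attribute values, the `BOUNDED` pattern, the balanced parentheses in `COMBINED`, and treating the four `Require` lines as alternatives are assumptions made for illustration.

```python
import re

# The four patterns from the original configuration, treated as alternatives.
ORIGINAL = [
    r"^.*FNQM_ADMIN_CASUAL.*$",
    r"^.*FNQM_ADMIN_CONTINUING.*$",
    r"^.*FNQM_ACAD_CONTINUING.*$",
    r"^.*FNQM_CEJT.*$",
]
# The combined pattern from the reply, written with balanced parentheses.
COMBINED = r"^.*(FNQM_(ADMIN_CASUAL|ADMIN_CONTINUING|ACAD_CONTINUING|CEJT)).*$"
# Hypothetical boundary-checked variant in Python syntax: the role name must not
# be glued to other word characters. Xerces-C may not accept lookarounds.
BOUNDED = (r"(?<![A-Za-z0-9_])"
           r"FNQM_(?:ADMIN_CASUAL|ADMIN_CONTINUING|ACAD_CONTINUING|CEJT)"
           r"(?![A-Za-z0-9_])")

# Constructed attribute values, not taken from any real IdP.
SAMPLES = [
    "FNQM_CEJT",                       # exact role
    "STAFF;FNQM_ADMIN_CASUAL;ALUMNI",  # role inside a delimited list
    "FNQM_CEJT_RETIRED",               # longer role sharing a prefix
    "XFNQM_ADMIN_CONTINUING",          # longer role sharing a suffix
    "FNQM_ADMIN",                      # truncated role
    "STUDENT",                         # unrelated role
]

def any_original(value):
    return any(re.search(p, value) for p in ORIGINAL)

def combined(value):
    return re.search(COMBINED, value) is not None

def bounded(value):
    return re.search(BOUNDED, value) is not None

def compare(samples):
    """Return (value, four-pattern result, combined result, bounded result)."""
    return [(v, any_original(v), combined(v), bounded(v)) for v in samples]

def over_matches(samples):
    """Values the combined pattern accepts only because it lacks boundaries."""
    return [v for v, _, c, b in compare(samples) if c and not b]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print("%-32s separate=%-5s combined=%-5s bounded=%s" % row)
    print("accepted without boundaries only:", over_matches(SAMPLES))
```

In a conforming engine the separate and combined forms agree on every sample, so a difference observed in the SP points at the engine or the configuration rather than at the patterns.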