Documentation On shib-attr allowed regex?

Boyd, Todd M. tmboyd1 at ccis.edu
Tue Aug 7 11:28:25 EDT 2018


I think the issue might be that the way it was originally set up, you were required to have *ALL* of those attribute values, not *AT LEAST ONE* of those attribute values. I'm not well-versed in the Apache modules for Shib, but my guess is that those rules are all evaluated independently of one another. If you had FNQM_CEJT but none of the others, all of the remaining rules would have failed.

-Todd


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Ferenc Wágner
Sent: Tuesday, August 07, 2018 10:21 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Documentation On shib-attr allowed regex?

"Bryan K. Walton" <bwalton+1533146256 at leepfrog.com> writes:

> On Wed, Aug 01, 2018 at 06:08:28PM -0400, Tom Scavo wrote:
>
>>> On 08/01/2018 11:22 AM, Bryan K. Walton wrote:
>>>
>>>> We setup our shib-attr strings like this:
>>>>
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CASUAL.*$ 
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CONTINUING.*$ 
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ACAD_CONTINUING.*$ 
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_CEJT.*$
>>
>> Try this instead:
>> 
>> Require shib-attr carleton-ca-role ~ ^.*(FNQM_(ADMIN_CASUAL|ADMIN_CONTINUING|ACAD_CONTINUING|CEJT)).*$
>
> Your suggestion of combining the regex into 1 regex seems to have 
> resolved the issue.

Looks like your original regexes weren't complicated enough..:) Seriously, such unexplained success makes me nervous, especially in security software.  Shouldn't the two approaches behave the same?  Who else might get access now? (BTW neither checks the boundaries, which is a common flaw.)

Looks like the regex engine in Xerces-C is totally undocumented.  Scott, wouldn't it make sense to use a documented regex library instead?
--
Regards,
Feri
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
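To make the two evaluation models and Feri's boundary remark concrete, here is an added Python model that is not from the thread or from the Shibboleth SP. It assumes that a multi-valued attribute is tested value by value, models both "all Require lines must match" (Todd's hypothesis) and "any line suffices" because which one a given Apache/mod_shib setup applies is exactly the open question, uses Python's `re` rather than the Xerces-C engine, and the sample users, the `FNQM_CEJT_REVOKED` look-alike role and the anchored `BOUNDED_RULES` variant are constructed.

```python
import re

# The four separate Require lines from the original configuration.
SEPARATE_RULES = [
    r"^.*FNQM_ADMIN_CASUAL.*$",
    r"^.*FNQM_ADMIN_CONTINUING.*$",
    r"^.*FNQM_ACAD_CONTINUING.*$",
    r"^.*FNQM_CEJT.*$",
]
# Tom's single alternation (with the parentheses balanced).
COMBINED_RULES = [
    r"^.*(FNQM_(ADMIN_CASUAL|ADMIN_CONTINUING|ACAD_CONTINUING|CEJT)).*$",
]
# Constructed variant that anchors the whole value: a role that merely
# contains one of the names (Feri's boundary point) no longer matches.
BOUNDED_RULES = [
    r"^FNQM_(ADMIN_CASUAL|ADMIN_CONTINUING|ACAD_CONTINUING|CEJT)$",
]

def rule_matches(regex, values):
    """A rule is satisfied if any one of the attribute's values matches it
    (assumption: the multi-valued attribute is tested value by value)."""
    return any(re.search(regex, v) for v in values)

def access_decision(rules, values, mode):
    """Combine the rules as 'all' (every Require line must be satisfied,
    Todd's hypothesis for the original setup) or 'any' (one line suffices).
    Returns True when access would be granted."""
    results = [rule_matches(r, values) for r in rules]
    return all(results) if mode == "all" else any(results)

# Constructed sample users: carleton-ca-role as a list of values.
USERS = {
    "cejt_only": ["FNQM_CEJT"],
    "all_four": ["FNQM_ADMIN_CASUAL", "FNQM_ADMIN_CONTINUING",
                 "FNQM_ACAD_CONTINUING", "FNQM_CEJT"],
    "lookalike": ["FNQM_CEJT_REVOKED"],   # "who else might get access now?"
    "student": ["STUDENT"],
}

def report():
    """Map each sample user to the decision under each rule set and mode."""
    return {name: {
        "separate_all": access_decision(SEPARATE_RULES, vals, "all"),
        "separate_any": access_decision(SEPARATE_RULES, vals, "any"),
        "combined": access_decision(COMBINED_RULES, vals, "any"),
        "bounded": access_decision(BOUNDED_RULES, vals, "any"),
    } for name, vals in USERS.items()}

if __name__ == "__main__":
    for user, decision in report().items():
        print(user, decision)
```

The `lookalike` row is the one to watch: both the original and the combined rule admit it, while the anchored variant does not.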