Documentation On shib-attr allowed regex?
Boyd, Todd M.
tmboyd1 at ccis.edu
Tue Aug 7 11:28:25 EDT 2018
I think the issue might be that the way it was originally set up, you were required to have *ALL* of those attribute values, not *AT LEAST ONE* of those attribute values. I'm not well-versed in the Apache modules for Shib, but my guess is that those rules are all evaluated independently of one another. If you had FNQM_CEJT but none of the others, all of the remaining rules would have failed.
-Todd
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Ferenc Wágner
Sent: Tuesday, August 07, 2018 10:21 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Documentation On shib-attr allowed regex?
"Bryan K. Walton" <bwalton+1533146256 at leepfrog.com> writes:
> On Wed, Aug 01, 2018 at 06:08:28PM -0400, Tom Scavo wrote:
>
>>> On 08/01/2018 11:22 AM, Bryan K. Walton wrote:
>>>
>>>> We setup our shib-attr strings like this:
>>>>
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CASUAL.*$
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CONTINUING.*$
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ACAD_CONTINUING.*$
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_CEJT.*$
>>
>> Try this instead:
>>
>> Require shib-attr carleton-ca-role ~
>> ^.*(FNQM_(ADMIN_CASUAL|ADMIN_CONTINUING|ACAD_CONTINUING|CEJT).*$
>
> Your suggestion of combining the regex into 1 regex seems to have
> resolved the issue.
Looks like your original regexes weren't complicated enough..:) Seriously, such unexplained success makes me nervous, especially in security software. Shouldn't the two approaches behave the same? Who else might get access now? (BTW neither checks the boundaries, which is a common flaw.)
Looks like the regex engine in Xerces-C is totally undocumented. Scott, wouldn't it make sense to use a documented regex library instead?
--
Regards,
Feri
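An added simulation (not code from this thread, from Apache or from the Shibboleth SP) of the rule variants discussed above: the four separate lines under Todd's two readings (every rule must pass versus at least one must pass), the combined regex, and a bounded variant that addresses Feri's point that neither pattern checks value boundaries. It assumes each value of a multi-valued attribute is tested on its own and that the Xerces-C engine treats these simple patterns the way Python's `re` does; the sample values are constructed.

```python
import re

# Constructed attribute values and an added simulation of the thread's rules;
# not mod_shib code. Assumption: every value of a multi-valued attribute is
# tested separately against the rule's regex.
ROLES = ("FNQM_ADMIN_CASUAL", "FNQM_ADMIN_CONTINUING", "FNQM_ACAD_CONTINUING", "FNQM_CEJT")

# The four independent rules from the original configuration.
SEPARATE = [re.compile(rf"^.*{r}.*$") for r in ROLES]
# The single combined rule from the thread (with the closing parenthesis balanced).
COMBINED = re.compile(r"^.*(FNQM_(ADMIN_CASUAL|ADMIN_CONTINUING|ACAD_CONTINUING|CEJT)).*$")
# A bounded variant: the whole value must be one of the role names, so a value
# that merely contains one of them (e.g. "FNQM_CEJT_EXPIRED") is rejected.
BOUNDED = re.compile(r"^FNQM_(ADMIN_CASUAL|ADMIN_CONTINUING|ACAD_CONTINUING|CEJT)$")


def rule_matches(rule, values):
    """One Require rule passes if any value of the attribute matches its regex."""
    return any(rule.search(v) for v in values)


def separate_rules(values, require_all):
    """Evaluate the four separate rules, either all-must-pass or any-may-pass."""
    results = [rule_matches(rule, values) for rule in SEPARATE]
    return all(results) if require_all else any(results)


def combined_rule(values):
    return rule_matches(COMBINED, values)


def bounded_rule(values):
    return rule_matches(BOUNDED, values)


def compare(values):
    """Return the access decision of each approach for one user's attribute values."""
    return {
        "separate_all": separate_rules(values, require_all=True),
        "separate_any": separate_rules(values, require_all=False),
        "combined": combined_rule(values),
        "bounded": bounded_rule(values),
    }


if __name__ == "__main__":
    for user in (["FNQM_CEJT"], ["FNQM_CEJT_EXPIRED"], ["STUDENT"]):
        print(user, compare(user))
```

On Apache 2.4 httpd, several bare Require lines in one scope are treated as an implicit RequireAny, so the "separate_any" column is the one to compare against the combined rule there; the "bounded" column shows the only variant that rejects a value which merely contains a role name.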