Documentation On shib-attr allowed regex?

Boyd, Todd M. tmboyd1 at
Tue Aug 7 11:28:25 EDT 2018

I think the issue might be that the way it was originally set up, you were required to have *ALL* of those attribute values, not *AT LEAST ONE* of those attribute values. I'm not well-versed in the Apache modules for Shib, but my guess is that those rules are all evaluated independently of one another. If you had FNQM_CEJT but none of the others, all of the remaining rules would have failed.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Ferenc Wágner
Sent: Tuesday, August 07, 2018 10:21 AM
To: Shib Users <users at>
Subject: Re: Documentation On shib-attr allowed regex?

"Bryan K. Walton" <bwalton+1533146256 at> writes:

> On Wed, Aug 01, 2018 at 06:08:28PM -0400, Tom Scavo wrote:
>>> On 08/01/2018 11:22 AM, Bryan K. Walton wrote:
>>>> We set up our shib-attr strings like this:
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CASUAL.*$ 
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CONTINUING.*$ 
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ACAD_CONTINUING.*$ 
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_CEJT.*$
>> Try this instead:
>> Require shib-attr carleton-ca-role ~
> Your suggestion of combining the regex into 1 regex seems to have 
> resolved the issue.

Looks like your original regexes weren't complicated enough..:) Seriously, such unexplained success makes me nervous, especially in security software.  Shouldn't the two approaches behave the same?  Who else might get access now? (BTW neither checks the boundaries, which is a common flaw.)

Looks like the regex engine in Xerces-C is totally undocumented.  Scott, wouldn't it make sense to use a documented regex library instead?
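Added example (not part of the thread, and not Shibboleth or Apache code): a small Python script that evaluates the four separate patterns quoted above under both an "all must match" and an "any may match" rule, beside one combined alternation and a boundary-checked variant. The combined regex Tom Scavo suggested is not shown in the thread, so the alternation here is a constructed equivalent; the sample attribute values and the assumption that multiple values arrive as one ';'-joined string are also constructed for the example. It shows why the separate and combined forms diverge only if the separate rules are ANDed, and what the missing boundary check lets through.

```python
import re

# The four separate patterns quoted in the thread, unchanged.
SEPARATE = [
    r"^.*FNQM_ADMIN_CASUAL.*$",
    r"^.*FNQM_ADMIN_CONTINUING.*$",
    r"^.*FNQM_ACAD_CONTINUING.*$",
    r"^.*FNQM_CEJT.*$",
]

# Constructed: one alternation covering the same four roles (the thread's
# actual combined regex is not shown, so this is an assumed equivalent).
COMBINED = re.compile(
    r"^.*(FNQM_ADMIN_CASUAL|FNQM_ADMIN_CONTINUING|FNQM_ACAD_CONTINUING|FNQM_CEJT).*$"
)

# Constructed: boundary-aware variant. Assumes multi-valued attributes arrive
# as one string with values separated by ';', so each role must be a whole
# element: preceded by start-of-string or ';' and followed by ';' or end.
BOUNDED = re.compile(
    r"(?:^|;)(?:FNQM_ADMIN_CASUAL|FNQM_ADMIN_CONTINUING|FNQM_ACAD_CONTINUING|FNQM_CEJT)(?:;|$)"
)


def require_all(value: str) -> bool:
    """Every separate rule must match (the AND reading from the thread)."""
    return all(re.search(p, value) for p in SEPARATE)


def require_any(value: str) -> bool:
    """At least one separate rule must match (the OR reading)."""
    return any(re.search(p, value) for p in SEPARATE)


def combined(value: str) -> bool:
    """Single unanchored-substring alternation."""
    return COMBINED.search(value) is not None


def bounded(value: str) -> bool:
    """Alternation that only accepts whole ';'-delimited values."""
    return BOUNDED.search(value) is not None


def evaluate(value: str) -> dict:
    """Return the decision of each rule style for one attribute string."""
    return {
        "all": require_all(value),
        "any": require_any(value),
        "combined": combined(value),
        "bounded": bounded(value),
    }


# Constructed sample attribute values, not taken from the thread.
SAMPLES = [
    "FNQM_CEJT",                          # one of the four roles only
    "FNQM_ADMIN_CASUAL;OTHER_ROLE",       # multi-valued, one listed role
    "XFNQM_CEJTX",                        # substring hit with no boundary
    "STUDENT",                            # no listed role at all
    "FNQM_ADMIN_CASUAL;FNQM_ADMIN_CONTINUING;FNQM_ACAD_CONTINUING;FNQM_CEJT",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:75} {evaluate(s)}")
```

Run it and compare the columns: "all" only passes the value carrying all four roles, "any" and "combined" agree on every sample, and "bounded" is the only one that rejects the substring-only value, which is the boundary flaw noted above.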