error document & public directory
Václav Mach
machv at cesnet.cz
Sun Sep 16 17:59:50 EDT 2018
Hi,
my goal is to set up a custom error document for my Shibboleth SP.
The relevant part of my Apache configuration is attached.
The problem is that if I comment out line 64 and uncomment line 65, the "/test"
URL still requires a Shibboleth session. It also seems that this specific
configuration prevents displaying of 401 error document. When accessing
/test I get:
"... Additionally, a 401 Unauthorized error was encountered while trying
to use an ErrorDocument to handle the request."
Can someone please explain this behavior?
According to
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
the Location directive configuration for /test should be fine and should
make the content publicly accessible. Why is it not working correctly?
I'm using the following Apache and Shibboleth versions:
ii apache2 2.4.25-3+deb9u5
ii libapache2-mod-shib2 2.6.0+dfsg1-4+deb9u1
ii shibboleth-sp2-common 2.6.0+dfsg1-4+deb9u1
ii shibboleth-sp2-utils 2.6.0+dfsg1-4+deb9u1
cheers,
Vaclav
--
Václav Mach
tel: +420 234 680 206
CESNET, z.s.p.o.
www.cesnet.cz
-------------- next part --------------
<VirtualHost *:80>
    ServerName ermon.cesnet.cz
    Redirect permanent "/" "https://ermon.cesnet.cz/"
</VirtualHost>
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName ermon.cesnet.cz
        DocumentRoot "/usr/share/icingaweb2/public"
        ErrorLog ${APACHE_LOG_DIR}/ermon_error.log
        CustomLog ${APACHE_LOG_DIR}/ermon_access.log combined
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLCertificateFile /etc/ssl/certs/crt.pem
        SSLCertificateKeyFile /etc/ssl/private/key.pem
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        <Directory "/usr/share/icingaweb2/public">
            Options SymLinksIfOwnerMatch
            AllowOverride None
            SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"
            EnableSendfile Off
            <IfModule mod_rewrite.c>
                RewriteEngine on
                RewriteBase /
                RewriteCond %{REQUEST_FILENAME} -s [OR]
                RewriteCond %{REQUEST_FILENAME} -l [OR]
                RewriteCond %{REQUEST_FILENAME} -d
                RewriteRule ^.*$ - [NC,L]
                RewriteRule ^.*$ index.php [NC,L]
            </IfModule>
            <IfModule !mod_rewrite.c>
                DirectoryIndex error_norewrite.html
                ErrorDocument 404 /error_norewrite.html
            </IfModule>
        </Directory>
        # exception from author for /test
        <Location "/test">
            AuthType shibboleth
            Require shibboleth
            ShibRequestSetting requireSession 0
        </Location>
        # external auth
        <Location "/">
            AuthType shibboleth
            <RequireAll>
                Require shibboleth
                ShibRequestSetting requireSession 1
                Require shib-attr perunUniqueGroupName cesnet:members eduroam:eduroam-admin einfra:eduroamAdmins
                #Require shib-attr perunUniqueGroupName test
            </RequireAll>
            ErrorDocument 401 /var/www/html/unauthorized.html
        </Location>
    </VirtualHost>
</IfModule>
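
Apache merges <Location> sections in the order they appear in the file, so a <Location "/"> that follows <Location "/test"> overrides it, and ErrorDocument expects a URL-path that must itself be reachable without a session. The fragment below is an added example, not part of the original post or the poster's configuration; the /errors alias is an assumption chosen for illustration, and /test is assumed to be a real file or directory under the DocumentRoot.

```apache
# Added example; not the poster's configuration.
# Assumptions: the error page is /var/www/html/unauthorized.html (path from
# the post), published under the illustrative URL prefix /errors, and /test
# is a real file or directory under the DocumentRoot.

# Serve the error page from outside the Icinga Web 2 DocumentRoot so its
# rewrite-to-index.php rules never see the request.
Alias "/errors" "/var/www/html"
<Directory "/var/www/html">
    Options None
    AllowOverride None
    Require all granted
</Directory>

# General rule first: session plus group membership for everything.
<Location "/">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    <RequireAll>
        Require shibboleth
        Require shib-attr perunUniqueGroupName cesnet:members eduroam:eduroam-admin einfra:eduroamAdmins
    </RequireAll>
    # ErrorDocument takes a URL-path, not a filesystem path.
    ErrorDocument 401 /errors/unauthorized.html
</Location>

# Exceptions after "/": sections are merged in file order, so a later
# section wins for the URLs it matches.
<Location "/test">
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    Require shibboleth
</Location>

# The 401 page must be readable without a session, otherwise fetching it
# produces a second 401.
<Location "/errors">
    AuthType None
    ShibRequestSetting requireSession 0
    Require all granted
</Location>
```

Run apachectl configtest before reloading to confirm the fragment parses with the modules that are loaded.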