error document & public directory

Václav Mach machv at
Sun Sep 16 17:59:50 EDT 2018


My goal is to set up a custom error document for my Shibboleth SP.
The relevant part of my Apache configuration is attached.

The problem is that if I comment line 64 and uncomment line 65, the "/test"
URL still requires a Shibboleth session. It also seems that this specific
configuration prevents the 401 error document from being displayed. When
accessing /test I get:

"... Additionally, a 401 Unauthorized error was encountered while trying
to use an ErrorDocument to handle the request."

Can someone please explain this behavior?

According to
the Location directive configuration for /test should be fine and should
make the content publicly accessible. Why is it not working correctly?

I'm using these Apache and shib versions:
ii  apache2                              2.4.25-3+deb9u5
ii  libapache2-mod-shib2                 2.6.0+dfsg1-4+deb9u1
ii  shibboleth-sp2-common                2.6.0+dfsg1-4+deb9u1
ii  shibboleth-sp2-utils                 2.6.0+dfsg1-4+deb9u1

Václav Mach
tel: +420 234 680 206
CESNET, z.s.p.o.

-------------- next part --------------
<VirtualHost *:80>
    Redirect permanent "/" ""
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        DocumentRoot "/usr/share/icingaweb2/public"

        ErrorLog ${APACHE_LOG_DIR}/ermon_error.log
        CustomLog ${APACHE_LOG_DIR}/ermon_access.log combined
        SSLEngine on

        SSLProtocol All -SSLv2 -SSLv3
        SSLCertificateFile /etc/ssl/certs/crt.pem
        SSLCertificateKeyFile /etc/ssl/private/key.pem

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        <Directory "/usr/share/icingaweb2/public">
            Options SymLinksIfOwnerMatch
            AllowOverride None

            SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"

            EnableSendfile Off

            <IfModule mod_rewrite.c>
                RewriteEngine on
                RewriteBase /
                RewriteCond %{REQUEST_FILENAME} -s [OR]
                RewriteCond %{REQUEST_FILENAME} -l [OR]
                RewriteCond %{REQUEST_FILENAME} -d
                RewriteRule ^.*$ - [NC,L]
                RewriteRule ^.*$ index.php [NC,L]
            </IfModule>

            <IfModule !mod_rewrite.c>
                DirectoryIndex error_norewrite.html
                ErrorDocument 404 /error_norewrite.html
            </IfModule>
        </Directory>

        # exception from author for /test
        <Location "/test">
            AuthType shibboleth
            Require shibboleth
            ShibRequestSetting requireSession 0
        </Location>

        # external auth
        <Location "/">
            AuthType shibboleth

            Require shibboleth
            ShibRequestSetting requireSession 1
            Require shib-attr perunUniqueGroupName cesnet:members eduroam:eduroam-admin einfra:eduroamAdmins
            #Require shib-attr perunUniqueGroupName test
            ErrorDocument 401 /var/www/html/unauthorized.html
        </Location>
    </VirtualHost>
</IfModule>
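
Added example (not part of the original post or of the Shibboleth or Apache projects): a simplified Python model of how Apache merges every matching <Location> section in configuration-file order, applied to the two sections from the attachment. It assumes plain prefix matching and the default AuthMerging Off; the function names are hypothetical.

```python
import re

# Constructed sample: the two <Location> sections from the attachment, closing tags written out.
CONFIG = '''
<Location "/test">
    AuthType shibboleth
    Require shibboleth
    ShibRequestSetting requireSession 0
</Location>
<Location "/">
    AuthType shibboleth
    Require shibboleth
    ShibRequestSetting requireSession 1
    Require shib-attr perunUniqueGroupName cesnet:members eduroam:eduroam-admin einfra:eduroamAdmins
    ErrorDocument 401 /var/www/html/unauthorized.html
</Location>
'''
SECTION = re.compile(r'<Location "([^"]+)">(.*?)</Location>', re.S)

def matches(prefix, path):
    # Non-regex <Location>: exact match, or prefix ending on a path-segment boundary.
    p = prefix.rstrip("/")
    return path == p or path.startswith(p + "/")

def effective(path, text=CONFIG):
    """Merge every matching section in file order; later sections override earlier ones."""
    merged = {}
    for prefix, body in SECTION.findall(text):
        if not matches(prefix, path):
            continue
        section = {}
        for line in filter(None, map(str.strip, body.splitlines())):
            name, _, args = line.partition(" ")
            if name == "ShibRequestSetting":      # keyed per setting name
                key, _, args = args.partition(" ")
                name += " " + key
            if name == "Require":                 # a section's Require lines form one set
                section.setdefault(name, []).append(args)
            else:
                section[name] = args
        merged.update(section)  # assumption: AuthMerging Off, so the Require set is replaced whole
    return merged

def specific_last(text=CONFIG):
    """Reorder sections so longer (more specific) prefixes come later in the file."""
    blocks = sorted(SECTION.finditer(text), key=lambda m: len(m.group(1)))
    return "\n".join(m.group(0) for m in blocks)

if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("/test moved last", specific_last())):
        print(label, effective("/test", cfg))
    print("error page URL", effective("/var/www/html/unauthorized.html"))
```

In this model the ErrorDocument target, which Apache treats as a local URL path, also falls under <Location "/"> and therefore needs a session itself.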
