error document & public directory

Peter Schober peter.schober at univie.ac.at
Mon Sep 17 09:27:26 EDT 2018


* Václav Mach <machv at cesnet.cz> [2018-09-17 14:46]:
> > That should be irrelevant for a <Location> directive.
> > Protection would be enforced even if after auth passes you'd get a 404
> > Not Found error.
> 
> Solved by:
> 
> <Location "/">
>     AuthType shibboleth
>     <RequireAll>
>         Require shibboleth
>         ShibRequestSetting requireSession 1
>         Require shib-attr perunUniqueGroupName test
>     </RequireAll>
>     ErrorDocument 401 /unauthorized.html
> </Location>

Neither this nor the originally posted version makes much sense to me.
If you'd need the RequireAll wrapper at all I'd move the AuthType
within it, next to Require.
Also you'd only use "Require shibboleth" if you wanted to make sure
the module is active for a given resource, but does *not* enforce
authentication or authorisation. But on the next line you require
sessions and below you even require a specific attribute value. So why
"Require shibboleth" there?

> <Location "/unauthorized.html">
>     AuthType shibboleth
>     Require shibboleth
>     ShibRequestSetting requireSession 0
> </Location>

In my own config I used "Require all granted" for such cases, and had
such sections before ones with protection enabled, but YMMV.

> I assume I should use Files directive instead of Location for the
> unauthorized.html file, but this does not work.

Note the red warning at the end of that section
https://wiki.shibboleth.net/confluence/display/SP3/Apache#Apache-EnablingtheModuleforAuthentication
about mixing "Location" with "Directory" (and "File", though not
explicitly mentioned there) directives.

-peter

