ShibAccessControl requires ShibRequireAll to work

Description

As discussed in https://shibboleth.atlassian.net/browse/SSPCPP-315#icft=SSPCPP-315 it seems that the use of ShibAccessControl requires an Apache .htaccess file like the following in order to work:

AuthType shibboleth
ShibRequireAll On
ShibRequireSession On
ShibAccessControl /var/www/aai/shibacl.xml

If ShibRequireAll is missing or if ShibRequireAll is set to Off, every user will get access to the protected directory (and subdirectories).
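An audit check for the condition described above, added here as an example and not part of the original issue or the Shibboleth project's code: it flags any configuration scope that sets ShibAccessControl without ShibRequireAll On. The function name, the sample text and the /var/www/ok path are constructed for illustration; the check is a per-file heuristic and does not model Apache's merging of settings across files.

```python
import re

# Matches an opening (<Directory /x>) or closing (</Directory>) container tag.
SECTION = re.compile(r"^<(/?)(\w+)\s*([^>]*)>$")

def find_unenforced_acl(config_text, source="(top level)"):
    """Return (scope, line_no) for each ShibAccessControl lacking ShibRequireAll On."""
    findings = []
    # The bottom scope covers directives outside any container, as in .htaccess.
    stack = [{"name": source, "acl": None, "require_all": False}]

    def close(scope):
        if scope["acl"] is not None and not scope["require_all"]:
            findings.append((scope["name"], scope["acl"]))

    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            closing, tag, arg = m.groups()
            if closing:
                if len(stack) > 1:
                    close(stack.pop())
            else:
                # A nested section starts with the enclosing scope's setting.
                stack.append({"name": f"<{tag} {arg.strip()}>", "acl": None,
                              "require_all": stack[-1]["require_all"]})
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()  # Apache directive names are case-insensitive
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if directive == "shibaccesscontrol":
            stack[-1]["acl"] = line_no
        elif directive == "shibrequireall":
            stack[-1]["require_all"] = value == "on"
    while stack:
        close(stack.pop())
    return findings

# Constructed sample: the first section omits ShibRequireAll, the second sets it.
SAMPLE = """<Directory /var/www/aai>
ShibAccessControl /var/www/aai/shibacl.xml
</Directory>
<Directory /var/www/ok>
ShibRequireAll On
ShibAccessControl /var/www/aai/shibacl.xml
</Directory>
"""
```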

Environment

None

Activity

Scott Cantor 
January 28, 2011 at 1:59 PM

http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=3394

I tested every combination I could think of, but if you could try this yourself, it would be good. The patch is intended to change "require shibboleth" so that it honors the external ACL command if it's present and RequireAll is off.

Scott Cantor 
January 24, 2011 at 9:05 PM

I'm not totally sure this will be fixable, but I'll put it to bed one way or the other in the next patch.

Lukas Hämmerle 
December 14, 2010 at 10:03 AM
(edited)

Yes, you are right. There seems to be a rule in the Apache conf for the parent directory 🙂

<Directory /var/www>
AuthType shibboleth
require shibboleth
</Directory>

Scott Cantor 
December 14, 2010 at 9:55 AM

The only way it would work is if there's a require rule in effect elsewhere. You can't get any Apache Auth module to run without both AuthType and require, no exceptions.

Lukas Hämmerle 
December 14, 2010 at 9:53 AM
(edited)

Right now with 2.4 it works exactly as I would expect it even without "require shibboleth" using:

AuthType shibboleth
ShibRequireAll On
ShibRequireSession On
ShibAccessControl /var/www/aai/shibacl.xml

Adding "require shibboleth" to this doesn't change anything it seems.

Fixed

Created December 14, 2010 at 2:27 AM
Updated June 24, 2021 at 3:04 PM
Resolved January 28, 2011 at 1:59 PM