I tested every combination I could think of, but if you could try this yourself, it would be good. The patch is intended to change "require shibboleth" so that it honors the external ACL command if it's present and RequireAll is off.
Scott Cantor
January 24, 2011 at 9:05 PM
I'm not totally sure this will be fixable, but I'll put it to bed one way or the other in the next patch.
Lukas Hämmerle
December 14, 2010 at 10:03 AM
Yes, you are right. There seems to be a rule in the Apache conf for the parent directory 🙂
The only way it would work is if there's a require rule in effect elsewhere. You can't get any Apache Auth module to run without both AuthType and require, no exceptions.
Lukas Hämmerle
December 14, 2010 at 9:53 AM
Right now with 2.4 it works exactly as I would expect it even without "require shibboleth" using:
AuthType shibboleth
ShibRequireAll On
ShibRequireSession On
ShibAccessControl /var/www/aai/shibacl.xml
Adding "require shibboleth" to this doesn't change anything it seems.
As discussed in https://shibboleth.atlassian.net/browse/SSPCPP-315#icft=SSPCPP-315 it seems that the use of ShibAccessControl requires an Apache .htaccess file like the following in order to work:
AuthType shibboleth
ShibRequireAll On
ShibRequireSession On
ShibAccessControl /var/www/aai/shibacl.xml
If ShibRequireAll is missing or if ShibRequireAll is set to Off, every user will get access to the protected directory (and sub directories).
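The following is an added example and is not code from the issue or from the Shibboleth project. It audits .htaccess-style fragments for the failure mode described above: a ShibAccessControl directive that is present but not actually enforced because there is neither a require line nor ShibRequireAll On. The three embedded fragments are constructed for this example (the weak one with ShibRequireAll Off, the one from the issue description, and a hardened one that adds require shibboleth); the severity labels and the rules that produce them are this example's own heuristic, based only on what the thread states, not on the SP's code.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Constructed sample fragments (not taken from a real deployment).
# Weak: ShibRequireAll Off and no "require" line. Per the issue, the
# ACL file is never consulted and every user gets in.
WEAK_HTACCESS = """\
AuthType shibboleth
ShibRequireAll Off
ShibRequireSession On
ShibAccessControl /var/www/aai/shibacl.xml
"""

# As in the issue description: works, but only because ShibRequireAll On
# (and/or a require rule inherited from a parent directory) is in effect.
NO_REQUIRE_HTACCESS = """\
AuthType shibboleth
ShibRequireAll On
ShibRequireSession On
ShibAccessControl /var/www/aai/shibacl.xml
"""

# Hardened: an explicit require line so the auth module always runs,
# independent of ShibRequireAll and of parent-directory configuration.
FIXED_HTACCESS = """\
AuthType shibboleth
ShibRequireAll On
ShibRequireSession On
ShibAccessControl /var/www/aai/shibacl.xml
require shibboleth
"""

Finding = Tuple[str, str]  # (severity, message); severities are "error" / "warning"


@dataclass
class HtaccessCheck:
    authtype_shibboleth: bool = False
    require_all_on: bool = False
    has_require: bool = False
    access_control: Optional[str] = None
    findings: List[Finding] = field(default_factory=list)


def parse_directives(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (directive, arguments) pairs; directive names are case-insensitive in Apache."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        yield name, args


def audit_htaccess(text: str) -> HtaccessCheck:
    """Flag a ShibAccessControl directive that cannot be enforced by the surrounding config."""
    chk = HtaccessCheck()
    for name, args in parse_directives(text):
        if name == "authtype":
            chk.authtype_shibboleth = args.lower() == "shibboleth"
        elif name == "shibrequireall":
            chk.require_all_on = args.lower() == "on"
        elif name == "require":
            chk.has_require = True
        elif name == "shibaccesscontrol":
            chk.access_control = args

    if chk.access_control is None:
        return chk  # nothing to enforce, nothing to flag

    if not chk.authtype_shibboleth:
        chk.findings.append(("error",
            "ShibAccessControl set without 'AuthType shibboleth': the module will not run here"))
    if not chk.has_require and not chk.require_all_on:
        chk.findings.append(("error",
            "ShibAccessControl set with no 'require' line and ShibRequireAll not On: "
            "the ACL is not applied and every user is granted access"))
    elif not chk.has_require:
        chk.findings.append(("warning",
            "no 'require' line; enforcement depends on ShibRequireAll On or on a "
            "require rule inherited from a parent directory"))
    return chk


def severities(text: str) -> List[str]:
    """Convenience wrapper: just the severities found, in order."""
    return [sev for sev, _ in audit_htaccess(text).findings]


if __name__ == "__main__":
    for label, frag in (("weak", WEAK_HTACCESS),
                        ("no-require", NO_REQUIRE_HTACCESS),
                        ("fixed", FIXED_HTACCESS)):
        print(label, audit_htaccess(frag).findings)
```

The parser is deliberately minimal (one directive per line, no container sections), which is enough for a per-directory .htaccess; run it across a document tree before relying on ShibAccessControl alone, since a fragment that looks fine in isolation may only be enforced because of a require rule higher up.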