ShibDisable on breaks basic auth valid user
Description
Environment
CentOS 6.4 OpenSSL 1.0.1e
Activity
Scott Cantor June 18, 2013 at 2:24 AM
Closing on release.
Scott Cantor June 14, 2013 at 6:25 PM
http://svn.shibboleth.net/view/cpp-sp?rev=3864&view=rev
Not as bad as I thought, luckily. This extends the ShibCompatValidUser fix to encompass require user rules, and adds a "shib-user" rule label for the original features.
The difference is that mod_shib allows require user ~ regex and mod_authz_user doesn't. So I have to make sure I still support that if the compat flag is off.
The patch should fix your original ruleset.
Scott Cantor June 14, 2013 at 5:58 PM
Thank you, you caught this before I shipped it still broken.
This fix unfortunately isn't going to be so simple, but I know what to fix now, so I don't need independent confirmation over the weekend about it.

gibsonb@imsweb.com June 14, 2013 at 5:54 PM
Correct, I was using require user devusr.
I can switch to using valid-user, and upon doing so it appears that my basic auth is working as intended now. I will post the trace in a new issue for SSI.
Thanks so much Scott!
Scott Cantor June 14, 2013 at 5:46 PM
Ok, I think I know why I was confused, you said "valid user", and I thought you meant "valid-user". The new setting has nothing to do with require user, it's only changing how require valid-user works.
There is a similar bug I didn't fix with "require user" and that's what I think you caught. Please confirm that you're not using "valid-user" but "user" in your rule.
Also, please open a separate bug if you could, with a trace of what happens with SSI with the disable option unset. That's unrelated to all this, and I don't want to conflate them.
I believe I can fix the "user" rule bug also, I'll check something in for you to try shortly.
I compiled the mod_shib.cpp released to add ShibCompatValidUser, which I set to On, and I use a valid user statement for a few websites that we don't use Shibboleth on. I also have an issue where my Server Side Includes break similar to what happened for the Apache error pages, same errors; however, if I put ShibDisable On to try to mitigate that issue, my valid-user statements break as they did before the ShibCompatValidUser variable was implemented.
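The rule types discussed in this thread, side by side, as an added configuration sketch (not from the reporter or the Shibboleth project). The paths, realm name, password file, user name placement and regex are constructed for illustration, and the `shib-user ~ regex` form is assumed to follow the `require user ~ regex` syntax described above.

```apache
# Added example; locations, file paths and the regex are constructed.

# Server-level: keep Apache's stock meaning of "valid-user" (and, with the
# fix from this issue, "user") for content that mod_shib does not protect.
ShibCompatValidUser On

# Basic-auth area that does not use Shibboleth (the reporter's case).
<Location /internal>
    AuthType Basic
    AuthName "Internal"
    AuthUserFile /etc/httpd/conf/htpasswd.example

    # Rule the reporter originally had. With the compat flag on and the
    # fix applied, this is left to mod_authz_user.
    Require user devusr

    # Workaround the reporter switched to before the fix was committed:
    # Require valid-user
</Location>

# Shibboleth-protected area that still needs mod_shib's own user matching.
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1

    # "shib-user" is the label the fix adds for the original mod_shib
    # features, including the "~ regex" form that mod_authz_user lacks.
    Require shib-user ~ ^.+@example\.org$
</Location>
```

After changing rules like these, request each location once with valid and once with invalid credentials and confirm the rejected request returns 401 rather than falling through to an allow.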