
Apache Config - Exclude Location from Authentication

I have a web application that is being protected by a Shibboleth authentication module. My current config is as below:

<Location /MyApp>
 AuthType shibboleth
 ShibUseHeaders On
 ShibRequestSetting requireSession 1
 require shibboleth
</Location>

Shibboleth is an authentication module that provides SSO capability, and the current flow directs the user to an Identity Provider for the user to enter the login credentials. I want to be able to open up a specific URL so that the URL gets bypassed by the authentication module. I tried the below, but it doesn't seem to work and I get a blank page on loading the URL.

Method 1

<Location /MyApp/Login.html>
  Satisfy Any
  Allow from all
  AuthType None
  Require all granted
</Location>

Method 2

<Location /MyApp/Login.html>
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  require shibboleth
</Location>

I did some additional debugging and it appears that the problem is with additional files that Login.html loads, such as CSS, JS, etc. What is the correct way to configure this in Apache so that Login.html can be bypassed from the authentication?

Thanks

mekatoka asked Oct 30 '12 19:10


2 Answers

When using Apache 2.4 instead of 2.2, in order to exclude "/server-status", the following was enough:

<LocationMatch "^(?!/server-status)">
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    <RequireAll>
        Require ssl
        Require user valid_user_name
    </RequireAll>
</LocationMatch>

Analyzing:

  • <LocationMatch "regex"> is equivalent to <Location ~ "regex">.
  • The regex used is PCRE (Perl Compatible Regular Expressions).
  • ^(?!/server-status) means:
    • ^: "starts with"
    • (?!): "negative lookahead (instead of positive (?=))"

Veles answered Sep 27 '22 21:09


My comment towards the end regarding the exclusion of additional files being loaded by Login.html ended up being correct. I used the following format to exclude the files that were being loaded by the HTML file:

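# Anchored with ^, dots escaped, and no empty alternative: an empty branch in the
# group would make the pattern match every URL containing /MyApp/.
<Location ~ "^/MyApp/(Login\.html|SessionTimeout\.html|accessDenied\.html|badRequest\.html|status|css/|login/|images/|style/|js/|javascript/)">
  Satisfy Any
  Allow from all
  AuthType None
  Require all granted
</Location>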

mekatoka answered Sep 27 '22 23:09
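
`<Location ~>` and `<LocationMatch>` apply their regex unanchored, so an exclusion list with a missing `^`, unescaped dots, `dir/*` globs or an empty alternative exempts more paths from authentication than intended. The following is an added example, not part of either answer: it uses Python's `re` as a stand-in for Apache's PCRE, and both patterns and all request paths are constructed (the tight pattern assumes `Login.html` and `status` are exact paths).

```python
import re

# Constructed patterns: LOOSE has the shape of an exclusion list with
# unescaped dots, "dir/*" globs and a trailing empty alternative; TIGHT is
# an anchored, escaped form. Python's re stands in for Apache's PCRE here.
LOOSE = r"/MyApp/(Login.html|status|css/*|js/*|)"
TIGHT = r"^/MyApp/(Login\.html$|status$|css/|js/)"

# Constructed request paths: (path, should authentication be skipped?)
CASES = [
    ("/MyApp/Login.html", True),
    ("/MyApp/css/site.css", True),
    ("/MyApp/js/app.js", True),
    ("/MyApp/status", True),
    ("/MyApp/admin/users", False),      # protected application page
    ("/MyApp/cssbackup.zip", False),    # "css/*" means "css" + zero or more "/"
    ("/MyApp/LoginXhtml", False),       # unescaped "." matches any character
    ("/other/MyApp/admin", False),      # no "^": pattern matches mid-path
]


def is_excluded(pattern, path):
    """Apache applies <Location ~> / <LocationMatch> regexes unanchored,
    which corresponds to re.search rather than re.fullmatch."""
    return re.search(pattern, path) is not None


def audit(pattern, cases=CASES):
    """Return (over, under): paths the pattern exempts although they must
    stay protected, and paths it leaves protected although they are public."""
    over = [p for p, public in cases if is_excluded(pattern, p) and not public]
    under = [p for p, public in cases if not is_excluded(pattern, p) and public]
    return over, under


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("tight", TIGHT)):
        over, under = audit(pat)
        print(f"{name}: wrongly exempted={over} wrongly protected={under}")
```

Running the same audit with the real exclusion list and a handful of paths that must stay behind the Identity Provider is a quick check before reloading Apache.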