Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Apache Config - Exclude Location from Authentication

Tags:

authentication

apache

location

single-sign-on

shibboleth

I have a web application that is being protected by a Shibboleth authentication module. My current config is as below

<Location /MyApp>
 AuthType shibboleth
 ShibUseHeaders On
 ShibRequestSetting requireSession 1
 require shibboleth
</Location>

The shibboleth is an authentication module that provides SSO capability and the current flow directs the user to an Identity Provider for the user to enter the login credentials. I want to be able to open up a specific URL so that the URL gets bypassed by the authentication module. I tried the below but it doesn't seem to work and I get a blank page on loading the URL

Method 1

<Location /MyApp/Login.html>
  Satisfy Any
  Allow from all
  AuthType None
  Require all granted
</Location>

Method 2

<Location /MyApp/Login.html>
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  require shibboleth
</Location>

I did some additional debugging and it appears that the problem is with additional files the Login.html loads - such as css, js etc. What is the correct way to configure this in Apache so that the Login.html can be bypassed from the authentication

Thanks

like image 674
mekatoka Avatar asked Oct 30 '12 19:10

mekatoka

2 Answers

When using Apache 2.4 instead of 2.2, in order to exclude "/server-status", the following was enough:

<LocationMatch "^(?!/server-status)">
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    <RequireAll>
        Require ssl
        Require user valid_user_name
    </RequireAll>
</LocationMatch>

Analyzing:

  • <LocationMatch "regex"> is equivalent to <Location ~ "regex">.
  • The regex used, is pcre (perl compatible regular expressions).
  • ^(?!/server-status) means:
    • ^: "starts with"
    • (?!): "negative look ahead (instead of positive (?=))"
like image 61
Veles Avatar answered Sep 27 '22 21:09

Veles

My comment towards the end regarding the exclusion of additional files being loaded by Login.html ended up being correct. I used the following format to exclude the files that were being loaded by the html file

<Location ~ "/MyApp/(Login.html|SessionTimeout.html|accessDenied.html|/badRequest.html|status|css/*|login/*|images/*|style/*|js/*|javascript/*|)">   
  Satisfy Any   
  Allow from all   
  AuthType None   
  Require all granted   
</Location>
like image 42
mekatoka Avatar answered Sep 27 '22 23:09

mekatoka
Sign in to Comment

Related questions

What would cause PHP variables to be rewritten by the server?
Invalid cookie header : Unable to parse expires attribute when expires attribute is empty
Flowplayer Secure Streaming with Apache
httpd mod_proxy_balancer failover failonstatus - transparent switching
Apache jsvc fails to stop daemon
How to run apache nutch different jobs in parallel manner
High load average zf2 + doctrine on simple page
OpenSSL Header Version != OpenSSL Library Version affecting HTTP/2 for APNS
Apache / PHP Disable Cookies for Subdomain?
Understanding apache RewriteLog
Limiting Membership By Bandwidth
AWS-EC2, how to set multiple public sites with just one instance?
Apache ERR_INCOMPLETE_CHUNKED_ENCODING
How to redirect to 404 when url is pointing to an existing folder (no trailing slash). HAproxy or mod-rewrite related
How to force httpd to use rh-php56 from red hat software collections
Apache proxypass IP addresses cached
Getting existing mapreduce job from cluster (the job could be running or completed)
NodeJS HTTP - listen on other port than 80
Django/Mod_WSGI 'client denied by server configuration'
What's a good Flask/Python/WSGI analog to the PHP Apache shared memory stores like apc_store/apc_fetch?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!