Apache Config - Exclude Location from Authentication

I have a web application that is being protected by a Shibboleth authentication module. My current config is as below:

<Location /MyApp>
 AuthType shibboleth
 ShibUseHeaders On
 ShibRequestSetting requireSession 1
 require shibboleth
</Location>

The shibboleth is an authentication module that provides SSO capability, and the current flow directs the user to an Identity Provider for the user to enter the login credentials. I want to be able to open up a specific URL so that the URL gets bypassed by the authentication module. I tried the below but it doesn't seem to work and I get a blank page on loading the URL.

Method 1

<Location /MyApp/Login.html>
  Satisfy Any
  Allow from all
  AuthType None
  Require all granted
</Location>

Method 2

<Location /MyApp/Login.html>
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  require shibboleth
</Location>

I did some additional debugging and it appears that the problem is with additional files that Login.html loads, such as css, js, etc. What is the correct way to configure this in Apache so that Login.html can be bypassed from the authentication?

Thanks

Ploch answered 30/10, 2012 at 19:39

My comment towards the end regarding the exclusion of additional files being loaded by Login.html ended up being correct. I used the following format to exclude the files that were being loaded by the html file:

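# Anchored with ^ and dots escaped. An unanchored pattern, or one with an empty
# alternative, would exempt every URL containing /MyApp/ from authentication.
<Location ~ "^/MyApp/(Login\.html|SessionTimeout\.html|accessDenied\.html|badRequest\.html|status|css/|login/|images/|style/|js/|javascript/)">
  # Satisfy/Allow are the Apache 2.2 access-control syntax
  Satisfy Any
  Allow from all
  AuthType None
  # Require all granted is the Apache 2.4 form
  Require all granted
</Location>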
Ploch answered 8/11, 2012 at 19:28

When using Apache 2.4 instead of 2.2, in order to exclude "/server-status", the following was enough:

<LocationMatch "^(?!/server-status)">
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    <RequireAll>
        Require ssl
        Require user valid_user_name
    </RequireAll>
</LocationMatch>

Analyzing:

  • <LocationMatch "regex"> is equivalent to <Location ~ "regex">.
  • The regex used is PCRE (Perl Compatible Regular Expressions).
  • ^(?!/server-status) means:
Purtenance answered 14/12, 2020 at 5:22
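
An added example (not code from the answers above) that checks in Python which request paths an exemption or protection regex applies to, using unanchored search as Apache does for `<Location ~>` and `<LocationMatch>`. The patterns and sample paths are constructed for illustration, and Python's `re` is assumed to behave like PCRE for these simple patterns.

```python
import re

# Constructed patterns (assumptions for this example, modelled on the answers above).
# LOOSE: unanchored, dots unescaped, empty trailing alternative.
LOOSE = r"/MyApp/(Login.html|css/*|js/*|)"
# STRICT: anchored at the start, dots escaped, file end-anchored, directories as prefixes.
STRICT = r"^/MyApp/(Login\.html$|css/|js/)"
# Negative lookahead: the block applies to every path NOT starting with /server-status.
PROTECT = r"^(?!/server-status)"
# Same idea, but only /server-status itself and paths below it are left out.
PROTECT_TIGHT = r"^(?!/server-status(?:/|$))"

# Constructed request paths (URL path only, no query string).
SAMPLE_PATHS = [
    "/MyApp/Login.html",
    "/MyApp/css/site.css",
    "/MyApp/admin/users",
    "/other/MyApp/admin",
    "/MyApp/LoginXhtml",
    "/server-status",
    "/server-status-old",
]


def matched_paths(pattern, paths):
    """Return the paths a regex Location block with this pattern would apply to.

    Apache matches the regex anywhere in the URL path unless the pattern is
    anchored, which corresponds to re.search rather than re.fullmatch.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


if __name__ == "__main__":
    for label, pattern in [
        ("exempt (loose)", LOOSE),
        ("exempt (strict)", STRICT),
        ("protected (lookahead)", PROTECT),
        ("protected (tight lookahead)", PROTECT_TIGHT),
    ]:
        print(f"{label}: {pattern}")
        for path in matched_paths(pattern, SAMPLE_PATHS):
            print(f"    {path}")
```

Running the same check against the real list of application URLs before deploying an exemption shows whether anything beyond the intended login page and static assets ends up outside authentication.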
