Disable Shibboleth logic one by one url in Apache mod_rewrite

I have a web application running on PHP Codeigniter framework that uses rewrite rules to rewrite routes in front controller index.php. I want to exclude one route from shibboleth authentication.

Example:
We have 2 routes https://example.com/view/1457 and https://example.com/public/view/1457 . The first link should require the user to log in through Shibbo, while the second should not. Both routes are rewritten to https://example.com/index.php?/view/1457 and https://example.com/index.php?/public/view/1457. I have one redirect rule in apache conf for redirecting view/public/12345 to public/view/12345. Another non-shibbo route is /assets, which contains static files (css, js, ...)

My problem is that public routes and route redirection to public (view/public/12345) end up in the shibbo login system. But the asset route is not.

To me, it looks like the request https://example.com/public/view/1457 is rewritten to https://example.com/index.php?/public/view/1457 and that route is not whitelisted. But after registering I am redirected to this url https://example.com/public/view/1457

.htaccess

Options -Indexes 
DirectoryIndex index.php index.html index.htm

RewriteEngine On

#Removes access to the system folder by users.
#Additionally this will allow you to create a System.php controller,
#previously this would not have been possible.
#'system' can be replaced if you have renamed your system folder.
RewriteCond %{REQUEST_URI} ^system.*
RewriteRule ^(.*)$ /index.php?/$1 [L]

RewriteCond %{REQUEST_URI} ^application.*
RewriteRule ^(.*)$ /index.php?/$1 [L]

#Checks to see if the user is attempting to access a valid file,
#such as an image or css document, if this isn't true it sends the
#request to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php?/$1 [L]

      

Apache vhost conf

<VirtualHost *:443>
        ServerName example.com

        #legacy redirection
        Redirect /view/public/12345 https://example.com/public/view/12345

        DocumentRoot /var/www/html
        <Directory />
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        <Location /public>
                AuthType shibboleth
                ShibRequireSession Off
                require shibboleth
        </Location>

        <Location /assets>
                AuthType shibboleth
                ShibRequireSession Off
                require shibboleth
        </Location>

        <Location />
                AuthType shibboleth
                ShibRequireSession On
                ShibUseHeaders On
                require valid-user
                require shibboleth
        </Location>
</VirtualHost>

      

+3




1 answer


I think you should use

ShibRequestSetting requireSession false

instead of

ShibRequireSession Off



But this may just be a version difference - I'm not familiar with Shibboleth.

Also, it can be helpful to know which version of Apache you are using. The reason I am asking is because you are using a combination of Order/Allow/Deny and Require. The latter is for Apache 2.4, and the former is for 2.2.

Past that, I'm afraid I don't know how else to help.

0
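The two things the answer points at can be checked mechanically before changing anything. This is an added example, not code from the question, the answer or either project: a small Python audit that lists which containers use `ShibRequireSession`, which leave the session optional, and whether `Order`/`Allow`/`Deny` and `Require` appear in the same vhost. The `audit` helper and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: containers trimmed from the vhost posted in the question.
SAMPLE_VHOST = """
<Directory />
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>
<Location /public>
    ShibRequireSession Off
    require shibboleth
</Location>
<Location />
    ShibRequireSession On
    require valid-user
    require shibboleth
</Location>
"""

OPEN = re.compile(r"<(Directory|Location)\s+([^>]+)>", re.I)
OLD_STYLE = {"order", "allow", "deny"}  # the Order/Allow/Deny family named in the answer

def audit(conf):
    """Group containers by the directive families they use (hypothetical helper)."""
    report = {"legacy_shib": [], "session_off": [], "order_allow_deny": [], "require": []}
    current = None
    for line in (l.strip() for l in conf.splitlines()):
        m = OPEN.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2).strip()}"
        elif line.startswith("</"):
            current = None
        elif current and line and not line.startswith("#"):
            name, *args = line.lower().split()  # Apache directive names are case-insensitive
            if name == "shibrequiresession":
                report["legacy_shib"].append(current)
                if args == ["off"]:
                    report["session_off"].append(current)
            elif name == "shibrequestsetting" and args == ["requiresession", "false"]:
                report["session_off"].append(current)
            elif name in OLD_STYLE and current not in report["order_allow_deny"]:
                report["order_allow_deny"].append(current)
            elif name == "require" and current not in report["require"]:
                report["require"].append(current)
    # True when both access-control styles occur somewhere in the same file
    report["mixed"] = bool(report["order_allow_deny"] and report["require"])
    return report
```

The `session_off` list is the one to review first, since it names every path the configuration leaves reachable without a Shibboleth session.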

