httpd-users mailing list archives

From Tommy Peterson <Tommy.Peter...@xpandcorp.com>
Subject [users@httpd] FW: What triggers AUTH_TYPE to show up?
Date Wed, 08 Jun 2011 19:43:09 GMT
From: Tommy Peterson
Sent: Tuesday, June 07, 2011 4:22 PM
To: 'users@httpd.apache.org'
Subject: What triggers AUTH_TYPE to show up?

If I have the following Location directive, then in the headers the Auth Type shows up accordingly;
it says [AUTH_TYPE] => shibboleth
<Location /drupal>
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  Require shibboleth
</Location>

What triggers the "AUTH_TYPE" header variable to show up?

I have another <Location> directive for another directory. It is locked down with the
log in prompt as above and the headers show up. The problem is that AUTH_TYPE => shibboleth
doesn't show up. It is the only difference. I know it authenticated as the header also shows
the attributes.

So I am confused as to why this one variable (AUTH_TYPE) isn't showing up.

And there is no "AUTH TYPE not set" in the log or anything else referencing the AUTH TYPE.

Any thoughts?

Thanks.

________________________________________________________________________________________________________________________________________________

OK. Attached are my httpd.conf file, a related shibd.conf file that is pulled into the httpd.conf
via the conf.d directory that is read in the httpd.conf file, and an .htaccess file that sits
in my main application directory (/Drupal).

Basically the application hits index.php every time a page is requested/loaded (i.e. a link
clicked). And it grabs the query string "?q=something" and uses mod rewrite to rewrite the
URL (which is a .htaccess file in the same directory as index.php--attached). Somehow (that
I have yet to figure out) the page is actually redirected . . . I think. It has been pointed
out that rewrite doesn't mean redirect.

Anyway, what I want to happen is that every time HTTPD gets a request for, let's say, http://rt-hvcp1-test.hvcp.local/findwork
the user is forced to authenticate as indicated below:
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  Require shibboleth

I put
<LocationMatch "findwork" >
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
Require shibboleth
</LocationMatch>
in the shibd.conf file, as you can see.
Right now, with the <Location> directives in shibd.conf I can get the shibboleth login
form to pop up. The user authenticates successfully against a backend database and the web
site page requested shows up. The headers show the session has been set. But I see no AUTH_TYPE=>shibboleth
set. And the user is not logged in. If they click on another link on the site the session
disappears from the headers.

However, if I have
<Location /drupal>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
Require shibboleth
</Location>

and access http://rt-hvcp1-test.hvcp.local/drupal (which is my main application directory
in htdocs), I get the pop up window, log in, authenticate, and am returned to my destination
page logged in. And if I click around the site I am still logged in. The headers show the
session as long as I don't close the browser or clear the cache. So locking down the entire
site works just fine.

But I do not want to force authentication to get to the site, any of it. I want to force this
authentication on sub-sections . . . like the /Drupal/findwork section.

It just won't work with what I have tried so far.

Can someone help me understand how to accomplish this with the httpd.conf, shibd.conf, and
the .htaccess files? Or does this involve something else altogether?

Thanks.


This is a header from the <Location /Drupal>

Array ( [OPENSSL_CONF] => ../../conf/openssl.cnf [SSLEAY_CONF] => ../../conf/openssl.cnf
[Shib-Application-ID] => default [Shib-Session-ID] => _1c672d35c00b5005f49f6000fb382ada
[Shib-Identity-Provider] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth [Shib-Authentication-Instant]
=> 2011-06-08T19:03:41.443Z [Shib-Authentication-Method] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
[Shib-AuthnContext-Class] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
[Shib-Session-Index] => bbbbde5abb538fadd5fd1bf06dc72dd56abf099606fdf70a58fb7e67cb41f43a
[address] => 12354 Main Street Suite 330 [city] => Sterling [country] => US [cphone]
=> 4085551212 [fname] => Tommy [lname] => Peterson [mail] => blah@something.com[name]
=> tommytest [pass] => e06b00d698892623960f9d46efb29533 [transientID] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth!https://rt-hvcp1-test.hvcp.local/moodle!_2c8ae73555b6c97717fcd8d591c49789
[wphone] => 4085551212 [HTTP_HOST] => rt-hvcp1-test.hvcp.local [HTTP_USER_AGENT] =>
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 [HTTP_ACCEPT] =>
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 [HTTP_ACCEPT_LANGUAGE] =>
en-us,en;q=0.5 [HTTP_ACCEPT_ENCODING] => gzip, deflate [HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
[HTTP_KEEP_ALIVE] => 115 [HTTP_CONNECTION] => keep-alive [HTTP_REFERER] => http://rt-hvcp1-test.hvcp.local/drupal/findwork
[HTTP_COOKIE] => _shibsession_64656661756c7468747470733a2f2f72742d68766370312d746573742e687663702e6c6f63616c2f6d6f6f646c65=_1c672d35c00b5005f49f6000fb382ada;
SESS492c5bf24be32ee326896d01b447e0b8=03dstpumo80nb88712b7kaq434; has_js=1 [HTTP_IF_MODIFIED_SINCE]
=> Wed, 08 Jun 2011 19:03:41 GMT [HTTP_SHIB_SESSION_ID] => _1c672d35c00b5005f49f6000fb382ada
[HTTP_SHIB_SESSION_INDEX] => bbbbde5abb538fadd5fd1bf06dc72dd56abf099606fdf70a58fb7e67cb41f43a
[HTTP_SHIB_IDENTITY_PROVIDER] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth [HTTP_SHIB_AUTHENTICATION_METHOD]
=> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [HTTP_SHIB_AUTHENTICATION_INSTANT]
=> 2011-06-08T19:03:41.443Z [HTTP_SHIB_AUTHNCONTEXT_CLASS] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
[HTTP_SHIB_AUTHNCONTEXT_DECL] => [HTTP_SHIB_ASSERTION_COUNT] => [HTTP_NAME] => tommytest
[HTTP_PASS] => e06b00d698892623960f9d46efb29533 [HTTP_FNAME] => Tommy [HTTP_LNAME] =>
Peterson [HTTP_ADDRESS] => 12354 Main Street Suite 330 [HTTP_CITY] => Sterling [HTTP_COUNTRY]
=> US [HTTP_DESCRIPTION] => [HTTP_WEBPAGE] => [HTTP_WPHONE] => 4085551212 [HTTP_CPHONE]
=> 4085551212 [HTTP_MAIL] => blah@something.com[HTTP_LANGUAGE] => [HTTP_UNITID] =>
[HTTP_TRANSIENTID] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth!https://rt-hvcp1-test.hvcp.local/moodle!_2c8ae73555b6c97717fcd8d591c49789
[HTTP_PERSISTENTID] => [HTTP_SHIB_APPLICATION_ID] => default [HTTP_REMOTE_USER] =>
[PATH] => /sbin:/bin:/usr/sbin:/usr/bin [SERVER_SIGNATURE] =>
Apache/2.2.15 (Red Hat) Server at rt-hvcp1-test.hvcp.local Port 80
[SERVER_SOFTWARE] => Apache/2.2.15 (Red Hat) [SERVER_NAME] => rt-hvcp1-test.hvcp.local
[SERVER_ADDR] => 172.16.1.84 [SERVER_PORT] => 80 [REMOTE_ADDR] => 172.16.1.15 [DOCUMENT_ROOT]
=> /var/www/html [SERVER_ADMIN] => root@localhost [SCRIPT_FILENAME] => /var/www/html/drupal/index.php
[REMOTE_PORT] => 16766 [AUTH_TYPE] => shibboleth [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_PROTOCOL]
=> HTTP/1.1 [REQUEST_METHOD] => GET [QUERY_STRING] => [REQUEST_URI] => /drupal/
[SCRIPT_NAME] => /drupal/index.php [PHP_SELF] => /drupal/index.php [REQUEST_TIME] =>
1307560048 )



This is a header from the <LocationMatch "findwork">

Array ( [REDIRECT_OPENSSL_CONF] => ../../conf/openssl.cnf [REDIRECT_SSLEAY_CONF] =>
../../conf/openssl.cnf [REDIRECT_Shib-Application-ID] => default [REDIRECT_Shib-Session-ID]
=> _6921dbc24eb23746ccb4b06b85705741 [REDIRECT_Shib-Identity-Provider] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth
[REDIRECT_Shib-Authentication-Instant] => 2011-06-08T19:14:24.786Z [REDIRECT_Shib-Authentication-Method]
=> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [REDIRECT_Shib-AuthnContext-Class]
=> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [REDIRECT_Shib-Session-Index]
=> b69390b5d5087a807247c7732efb62b3fe8437b4090040646259e7d5fc9f1ff1 [REDIRECT_address]
=> 12354 Main Street Suite 330 [REDIRECT_city] => Sterling [REDIRECT_country] =>
US [REDIRECT_cphone] => 4085551212 [REDIRECT_fname] => Tommy [REDIRECT_lname] =>
Peterson [REDIRECT_mail] => blah@something.com[REDIRECT_name] => tommytest [REDIRECT_pass]
=> e06b00d698892623960f9d46efb29533 [REDIRECT_transientID] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth!https://rt-hvcp1-test.hvcp.local/moodle!_2c8ae73555b6c97717fcd8d591c49789
[REDIRECT_wphone] => 4085551212 [REDIRECT_STATUS] => 200 [OPENSSL_CONF] => ../../conf/openssl.cnf
[SSLEAY_CONF] => ../../conf/openssl.cnf [HTTP_HOST] => rt-hvcp1-test.hvcp.local [HTTP_USER_AGENT]
=> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 [HTTP_ACCEPT]
=> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 [HTTP_ACCEPT_LANGUAGE]
=> en-us,en;q=0.5 [HTTP_ACCEPT_ENCODING] => gzip, deflate [HTTP_ACCEPT_CHARSET] =>
ISO-8859-1,utf-8;q=0.7,*;q=0.7 [HTTP_KEEP_ALIVE] => 115 [HTTP_CONNECTION] => keep-alive
[HTTP_COOKIE] => SESS492c5bf24be32ee326896d01b447e0b8=d2bg00lug244k3lsfs0vqmdeu5; has_js=1;
_shibsession_64656661756c7468747470733a2f2f72742d68766370312d746573742e687663702e6c6f63616c2f6d6f6f646c65=_6921dbc24eb23746ccb4b06b85705741
[HTTP_SHIB_SESSION_ID] => _6921dbc24eb23746ccb4b06b85705741 [HTTP_SHIB_SESSION_INDEX] =>
b69390b5d5087a807247c7732efb62b3fe8437b4090040646259e7d5fc9f1ff1 [HTTP_SHIB_IDENTITY_PROVIDER]
=> https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth [HTTP_SHIB_AUTHENTICATION_METHOD]
=> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport [HTTP_SHIB_AUTHENTICATION_INSTANT]
=> 2011-06-08T19:14:24.786Z [HTTP_SHIB_AUTHNCONTEXT_CLASS] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
[HTTP_SHIB_AUTHNCONTEXT_DECL] => [HTTP_SHIB_ASSERTION_COUNT] => [HTTP_NAME] => tommytest
[HTTP_PASS] => e06b00d698892623960f9d46efb29533 [HTTP_FNAME] => Tommy [HTTP_LNAME] =>
Peterson [HTTP_ADDRESS] => 12354 Main Street Suite 330 [HTTP_CITY] => Sterling [HTTP_COUNTRY]
=> US [HTTP_DESCRIPTION] => [HTTP_WEBPAGE] => [HTTP_WPHONE] => 4085551212 [HTTP_CPHONE]
=> 4085551212 [HTTP_MAIL] => blah@blah.com [HTTP_LANGUAGE] => [HTTP_UNITID] =>
[HTTP_TRANSIENTID] => https://rt-hvcp1-test.hvcp.local:8443/idp/shibboleth!https://rt-hvcp1-test.hvcp.local/moodle!_2c8ae73555b6c97717fcd8d591c49789
[HTTP_PERSISTENTID] => [HTTP_SHIB_APPLICATION_ID] => default [HTTP_REMOTE_USER] =>
[PATH] => /sbin:/bin:/usr/sbin:/usr/bin [SERVER_SIGNATURE] =>
Apache/2.2.15 (Red Hat) Server at rt-hvcp1-test.hvcp.local Port 80
[SERVER_SOFTWARE] => Apache/2.2.15 (Red Hat) [SERVER_NAME] => rt-hvcp1-test.hvcp.local
[SERVER_ADDR] => 172.16.1.84 [SERVER_PORT] => 80 [REMOTE_ADDR] => 172.16.1.15 [DOCUMENT_ROOT]
=> /var/www/html [SERVER_ADMIN] => root@localhost [SCRIPT_FILENAME] => /var/www/html/drupal/index.php
[REMOTE_PORT] => 17010 [REDIRECT_QUERY_STRING] => q=findwork [REDIRECT_URL] => /drupal/findwork
[GATEWAY_INTERFACE] => CGI/1.1 [SERVER_PROTOCOL] => HTTP/1.1 [REQUEST_METHOD] =>
GET [QUERY_STRING] => q=findwork [REQUEST_URI] => /drupal/findwork [SCRIPT_NAME] =>
/drupal/index.php [PHP_SELF] => /drupal/index.php [REQUEST_TIME] => 1307560464 )

Again the only difference is the missing AUTH_TYPE=>shibboleth which both directives
have.
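
An added example, not part of the original message: Apache renames a request's environment variables with a REDIRECT_ prefix when it internally redirects the request, which a mod_rewrite rule in .htaccess does, so the two dumps above can be compared mechanically. The sample strings are constructed by abbreviating those dumps; the function names and the fields of the returned summary are assumptions of this sketch.

```python
import re

# Constructed samples: a few entries abbreviated from the two dumps in the message.
DIRECT = """Array ( [Shib-Session-ID] => _1c672d35c00b5005f49f6000fb382ada
[HTTP_SHIB_SESSION_ID] => _1c672d35c00b5005f49f6000fb382ada [AUTH_TYPE] => shibboleth
[REQUEST_URI] => /drupal/ [SCRIPT_NAME] => /drupal/index.php )"""

REWRITTEN = """Array ( [REDIRECT_Shib-Session-ID] => _6921dbc24eb23746ccb4b06b85705741
[REDIRECT_STATUS] => 200 [HTTP_SHIB_SESSION_ID] => _6921dbc24eb23746ccb4b06b85705741
[REDIRECT_QUERY_STRING] => q=findwork [REDIRECT_URL] => /drupal/findwork
[REQUEST_URI] => /drupal/findwork [SCRIPT_NAME] => /drupal/index.php )"""

# A key may be separated from "=>" by a line break in the wrapped dump.
KEY = re.compile(r"\[([A-Za-z0-9_-]+)\]\s*=>")
# REDIRECT_ variables Apache adds itself, as opposed to renamed module variables.
APACHE_OWN = {"REDIRECT_STATUS", "REDIRECT_URL", "REDIRECT_QUERY_STRING"}

def parse_print_r(dump):
    """Parse a flattened PHP print_r() array dump into a dict."""
    body = re.sub(r"^Array\s*\(", "", dump.strip())
    body = re.sub(r"\)\s*$", "", body)
    matches = list(KEY.finditer(body))
    env = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        env[m.group(1)] = " ".join(body[m.end():end].split())
    return env

def audit(env):
    """Summarise the authentication-relevant state of one request environment."""
    redirected = sorted(k for k in env if k.startswith("REDIRECT_"))
    return {
        "internal_redirect": bool(redirected),
        "original_url": env.get("REDIRECT_URL"),
        "script": env.get("SCRIPT_NAME"),
        "auth_type": env.get("AUTH_TYPE"),
        # Set on the original request, present now only under the renamed key.
        "renamed_only": [k for k in redirected if k not in APACHE_OWN
                         and k[len("REDIRECT_"):] not in env],
        # Shib headers present although no AuthType is reported for the script.
        "session_headers_without_auth_type":
            "HTTP_SHIB_SESSION_ID" in env and "AUTH_TYPE" not in env,
    }

if __name__ == "__main__":
    for label, dump in (("direct", DIRECT), ("rewritten", REWRITTEN)):
        print(label, audit(parse_print_r(dump)))
```

For the second dump the summary shows the request arrived as /drupal/findwork but the script that ran was /drupal/index.php, with the Shibboleth variables surviving only under their REDIRECT_ names and no AUTH_TYPE.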

