Reputation: 283
Apache Config - Exclude Location from Authentication
I have a web application that is being protected by a Shibboleth authentication module. My current config is as below
<Location /MyApp>
AuthType shibboleth
ShibUseHeaders On
ShibRequestSetting requireSession 1
require shibboleth
</Location>
The shibboleth is an authentication module that provides SSO capability and the current flow directs the user to an Identity Provider for the user to enter the login credentials. I want to be able to open up a specific URL so that the URL gets bypassed by the authentication module. I tried the below but it doesn't seem to work and I get a blank page on loading the URL
Method 1
<Location /MyApp/Login.html>
Satisfy Any
Allow from all
AuthType None
Require all granted
</Location>
Method 2
<Location /MyApp/Login.html>
AuthType shibboleth
ShibRequestSetting requireSession 0
require shibboleth
</Location>
I did some additional debugging and it appears that the problem is with additional files the Login.html loads - such as css, js etc. What is the correct way to configure this in Apache so that the Login.html can be bypassed from the authentication
Thanks
Upvotes: 12
Views: 14098
Answers (2)
Reputation: 155
When using Apache 2.4 instead of 2.2, in order to exclude "/server-status", the following was enough:
<LocationMatch "^(?!/server-status)">
AuthType Basic
AuthUserFile /etc/apache2/.htpasswd
<RequireAll>
Require ssl
Require user valid_user_name
</RequireAll>
</LocationMatch>
Analyzing:
<LocationMatch "regex">is equivalent to<Location ~ "regex">.- The regex used, is
pcre(perl compatible regular expressions). ^(?!/server-status)means:^: "starts with"(?!): "negative look ahead (instead of positive(?=))"
Upvotes: 3
Reputation: 283
My comment towards the end regarding the exclusion of additional files being loaded by Login.html ended up being correct. I used the following format to exclude the files that were being loaded by the html file
<Location ~ "/MyApp/(Login.html|SessionTimeout.html|accessDenied.html|/badRequest.html|status|css/*|login/*|images/*|style/*|js/*|javascript/*|)">
Satisfy Any
Allow from all
AuthType None
Require all granted
</Location>
Upvotes: 7
Related Questions
- Apache Deny <Location> but allow to sub Location
- Unprotect a particular <Location> when the entire site is protected with mod-auth-openidc
- Apache2 - classification/authentication per location
- Apache authentication except localhost
- .htaccess Auth and exclude one location (with mod_rewrite)
- How to configure in Apache an exception to password protection for a CakePhp App?
- Can the Apache <Location> directive be safely used to configure access to a server?
- apache LocationMatch and Basic Auth
- apache rewrite before authentication of location
- Apache2 - authorize users against a Location using BasicAuth but ONLY for users outside local subnet