Reputation: 598
I have implemented mellon (SAML2) authorization for the Apache web server, which works fine. Now I need to exclude the API folder (URL) from this authorization, because the API has its own auth mechanism.
The application is running on CodeIgniter, so %{REQUEST_URI} is always /index.php, and I'm using %{QUERY_STRING} for the condition. I started with a simple test, and it works great: for URLs beginning with api there is no header set, and for other URLs there is.
<Location />
    <If "!%{QUERY_STRING} =~ /api/">
        Header set FOO "NOT API - Authorization will be required"
    </If>
</Location>
But when I add the SAML commands inside the condition, they are also executed for API calls (I'm redirected to /mellon/ with an Internal Server Error). Calls other than API calls work as normal: I'm redirected to the authentication page.
<Location />
    <If "!%{QUERY_STRING} =~ /api/">
        Header set FOO "inside SAM request"
        MellonEnable auth
        MellonEndpointPath /mellon/
        MellonSPMetadataFile /home/mellon_metadata.xml
        MellonSPPrivateKeyFile /home/mellon_metadata.key
        MellonSPCertFile /home/mellon_metadata.cert
        MellonIdPMetadataFile /home/Entity_2023.xml
        AuthType Mellon
        Require valid-user
        MellonUser "UID"
    </If>
</Location>
The question is: why are the Mellon commands processed when the condition is not met?
Upvotes: 0
Views: 643
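An added example, not part of the original post: a small Python model of the `<If>` condition above, for reviewing which requests the exemption would cover before relying on it to gate SAML. It assumes the CodeIgniter route sits at the start of the query string (optionally after a leading slash); the anchored pattern and all sample query strings are constructed for illustration.

```python
import re

# The condition from the post: <If "!%{QUERY_STRING} =~ /api/">.
# Apache's =~ is an unanchored regex search, modelled here with re.search.
PAGE_PATTERN = re.compile(r"api")

# Assumption (not from the post): the route is the first thing in the query
# string, so "begins with api" means api followed by "/", "&" or end of string.
ANCHORED_PATTERN = re.compile(r"^/?api(?:/|&|$)")

# Constructed sample query strings, not taken from any real log.
SAMPLES = [
    "/api/users",               # intended API call
    "api/v1/items&limit=5",     # intended API call, no leading slash
    "/dashboard",               # ordinary page
    "/reports/capital",         # "capital" contains the letters "api"
    "/apiary/list",             # route merely starts with the same letters
    "/admin/users&next=/api/",  # "api" appears only in a parameter value
]


def skips_saml(query_string, pattern):
    """True when the pattern matches, i.e. the negated <If> body
    (the Mellon directives) is meant NOT to apply to this request."""
    return pattern.search(query_string) is not None


def unintended_exemptions(samples):
    """Query strings the unanchored pattern exempts from SAML although the
    route does not begin with api."""
    return [
        qs for qs in samples
        if skips_saml(qs, PAGE_PATTERN) and not skips_saml(qs, ANCHORED_PATTERN)
    ]


if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs!r:30} page pattern exempts: {skips_saml(qs, PAGE_PATTERN)!s:5} "
              f"anchored exempts: {skips_saml(qs, ANCHORED_PATTERN)}")
    print("review these:", unintended_exemptions(SAMPLES))
```

Any entry reported under "review these" is a request that the condition as written would leave to the application's own access control instead of SAML.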