
Enabling cleartrust overrides shibboleth authentication for my other virtual hosts

Question asked by Andreas Hansson on Nov 13, 2018

Hi! I have a case where I need to protect my virtual hosts with different methods. Some virtual hosts should be protected with Shibboleth and others should be protected with Access Manager. However, when I enable Access Manager, the Shibboleth authentication is ignored and the users of these virtual hosts can access them directly without authentication.

Here is an example of one of my virtual hosts:

localhost.virtual-host.conf

    <VirtualHost *:443>
        ServerName localhost
        SSLEngine on
        SSLProtocol all
        SSLCertificateFile conf/localhost.crt
        SSLCertificateKeyFile conf/localhost.key
        SSLCertificateChainFile "conf/localhost.crt"
        ErrorLog "logs/localhost-error_log"
        CustomLog "logs/localhost-access_log" common
        ProxyPreserveHost On
        ProxyPass "/Shibboleth.sso" !

        <Location />
            AuthType shibboleth
            Require shibboleth
            ShibRequestSetting applicationId localhost-saml
        </Location>

        <Location /group>
            ShibUseHeaders On
            AuthType shibboleth
            ShibRequestSetting requireSession 1
            ShibRequestSetting applicationId localhost-saml
            Require valid-user
        </Location>

        <Location /Shibboleth.sso>
            Satisfy Any
            Allow from all
        </Location>
    </VirtualHost>

My ct-httpd.conf which I include in my httpd.conf:

ct-httpd.conf

    #
    # This is a RSA Access Manager Agent 5.0 configuration file
    #
    # Load and add the ClearTrust authorization module.
    # For Apache 1.3, it should be the last one added (the first one
    # to be invoked by Apache)
    #
    LoadModule ct_auth_module /opt/rsa-axm/agent-50-apache/lib/libct_apache24_agent.so

    <IfModule ct_apache_mod.c>
        # Where the agent configuration is located:
        CTAgentRoot /opt/rsa-axm/agent-50-apache/webservers/Apache_2.2.15

        # Where the ClearTrust forms are located. This directory must
        # always be configured for authentication, so the ClearTrust module
        # can intercept and handle the requests.
        #
        Alias /cleartrust/ "/opt/rsa-axm/agent-50-apache/htdocs/"
        <Directory "/opt/rsa-axm/agent-50-apache/htdocs/">
            AuthType Basic
            Require valid-user
            AuthName CT
            Order allow,deny
            Allow from all
        </Directory>

        # Any part of a web site to be protected by ClearTrust must be
        # configured for authentication. See the Apache documentation
        # for details.
        #
        # This example will make ClearTrust protect the entire web site,
        # unless there are previous Location overriding directives.
        #
        <Location />
            AuthType Basic
            Require valid-user
            AuthName CT
        </Location>
    </IfModule>


By default I disable the cleartrust agent in webagent.conf. My intention is that Shibboleth should be the default authentication method and that Access Manager should be used only for some virtual hosts:

webagent.conf

    <VirtualHost address=* name=* port=*>
        cleartrust.agent.enabled=False
    </VirtualHost>

The problem is that when the contents of ct-httpd.conf are loaded into Apache, thus enabling cleartrust, then I can access /group in localhost without authorizing via shibboleth, which I do not want. When ct-httpd.conf is not included, Shibboleth authentication works as intended.

Does anyone have a clue on how I can fix this issue? Thanks in advance!
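
An added check, not part of the original question and not RSA or Shibboleth code: Apache applies server-scope `<Location>` sections to every virtual host, so this Python example lists vhost `<Location>` blocks that sit under a server-scope block with a different AuthType. The sample configs are condensed from the files quoted above, the function names are assumptions, and a hit marks a block to review rather than a confirmed cause.

```python
import re

# Constructed sample, condensed from the two files quoted in the question.
SERVER_CONF = """
<Location />
    AuthType Basic
</Location>
"""
VHOST_CONF = """
<VirtualHost *:443>
    ServerName localhost
    <Location />
        AuthType shibboleth
    </Location>
    <Location /group>
        AuthType shibboleth
    </Location>
</VirtualHost>
"""

def location_auth(conf):
    """Return (vhost or None, path, authtype) for each AuthType in a <Location>."""
    found, vhost, path = [], None, None
    for line in map(str.strip, conf.splitlines()):
        tag = re.match(r"<(/?)(VirtualHost|Location)\b\s*([^>]*)>", line, re.I)
        words = line.split(None, 1)
        if tag:
            # A closing tag resets the scope; an opening tag records its argument.
            arg = None if tag.group(1) else tag.group(3).strip('" ')
            if tag.group(2).lower() == "virtualhost":
                vhost = arg
            else:
                path = arg
        elif len(words) == 2:
            key, value = words[0].lower(), words[1].strip()
            if key == "servername" and vhost is not None:
                vhost = value  # label the vhost by ServerName
            elif key == "authtype" and path is not None:
                found.append((vhost, path, value.lower()))
    return found

def conflicting_auth(server_conf, vhost_conf):
    """Vhost Locations lying under a server-scope Location with a different AuthType."""
    inherited = [(p, a) for v, p, a in location_auth(server_conf) if v is None]
    return [(v, p, a, gp, ga)
            for v, p, a in location_auth(vhost_conf) if v is not None
            for gp, ga in inherited
            if a != ga and (p == gp or p.startswith(gp.rstrip("/") + "/"))]

if __name__ == "__main__":
    print(*conflicting_auth(SERVER_CONF, VHOST_CONF), sep="\n")
```

Each tuple is (vhost, vhost path, vhost AuthType, server-scope path, server-scope AuthType).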
