Using Shibboleth environment variables in RewriteEngine


Using Shibboleth environment variables in RewriteEngine

Philip Brusten-3
Hi,

I was wondering if it is possible to use Shibboleth environment variables in the RewriteEngine of Apache.
If a user is from a certain home organization I would like to redirect him to a certain location.

I tried something like this:

RewriteEngine On
RewriteCond %{ENV:Shib-Identity-Provider} ="urn:mace:kuleuven.be:kulassoc:kuleuven.be"
RewriteRule /.* http://servername/$1 [L,R]

My RewriteLog contains the following, which means the environment variable is empty and not (yet) set:

RewriteCond: input='' pattern='="urn:mace:kuleuven.be:kulassoc:kuleuven.be"' => not-matched

I was however able to evaluate the REMOTE_USER, by using RewriteCond %{LA-U:REMOTE_USER}. Unfortunately this doesn't match my use case.

Thanks,

Philip



RE: Using Shibboleth environment variables in RewriteEngine

Cantor, Scott E.
> I was wondering if it is possible to use Shibboleth environment variables in
> the RewriteEngine of Apache.

I suspect not, because of the practice of deferring the creation of the data
until a later stage of the processing. You'll see it in the source of
mod_apache.cpp. I believe there was an Apache limitation that required doing
that for certain versions.

> I was however able to evaluate the REMOTE_USER, by using RewriteCond
> %{LA-U:REMOTE_USER}. Unfortunately this doesn't match my use case.

REMOTE_USER is explicitly set on the request object, so that probably shows
up earlier.

-- Scott



Re: Using Shibboleth environment variables in RewriteEngine

E. Stuart Hicks-2


On 06/25/2010 10:35 AM, Scott Cantor wrote:

>> I was wondering if it is possible to use Shibboleth environment variables in
>> the RewriteEngine of Apache.
>
> I suspect not, because of the practice of deferring the creation of the data
> until a later stage of the processing. You'll see it in the source of
> mod_apache.cpp. I believe there was an Apache limitation that required doing
> that for certain versions.

I found that, if I enabled ShibUseHeaders, I was able to use them in my
rewrite rules as %{HTTP:attribute}



RE: Using Shibboleth environment variables in RewriteEngine

Philip Brusten-3
> -----Original Message-----
> From: [hidden email] [mailto:shibboleth-users-[hidden email]] On Behalf Of E. Stuart Hicks
> Sent: Friday 25 June 2010 17:21
> To: [hidden email]
> Subject: Re: [Shib-Users] Using Shibboleth environment variables in RewriteEngine
>
> On 06/25/2010 10:35 AM, Scott Cantor wrote:
> >> I was wondering if it is possible to use Shibboleth environment variables in
> >> the RewriteEngine of Apache.
> >
> > I suspect not, because of the practice of deferring the creation of the data
> > until a later stage of the processing. You'll see it in the source of
> > mod_apache.cpp. I believe there was an Apache limitation that required doing
> > that for certain versions.
>
> I found that, if I enabled ShibUseHeaders, I was able to use them in my
> rewrite rules as %{HTTP:attribute}

I've tried this, but every time the header was empty. So either the header isn't set yet, or I'm using the wrong name.

I tried:
RewriteCond %{HTTP:HTTP_SHIB_PERSON_UID}
RewriteCond %{HTTP:HTTP_SHIB_IDENTITY_PROVIDER}
RewriteCond %{HTTP:Shib-Identity-Provider}
... and other aliases that were present in the attribute-map.




Re: Using Shibboleth environment variables in RewriteEngine

E. Stuart Hicks-2
On 06/25/2010 11:51 AM, Philip Brusten wrote:

> I've tried this, but every time the header was empty. So either the header isn't set yet, or the I'm using the wrong name.
>
> I tried:
> RewriteCond %{HTTP:HTTP_SHIB_PERSON_UID}
> RewriteCond %{HTTP:HTTP_SHIB_IDENTITY_PROVIDER}
> RewriteCond %{HTTP:Shib-Identity-Provider}
> ... and other aliases that were present in the attribute-map.

ShibUseHeaders is off by default so you need to explicitly enable it if
you haven't already.  (Please also see
https://spaces.internet2.edu/display/SHIB2/NativeSPSpoofChecking before
doing so - it's off for a good reason)

I'm only aware of IdP-provided attributes working so Scott may be
correct about the internally-produced stuff.  I have not yet had the
need to try.


RE: Using Shibboleth environment variables in RewriteEngine

Cantor, Scott E.
> I'm only aware of IdP-provided attributes working so Scott may be
> correct about the internally-produced stuff.  I have not yet had the
> need to try.

I was confusing some things, actually. It's not the environment that's
deferred, it's the response headers, but that has nothing to do with this
topic.

Basically, the headers do get added to the internal header table
immediately, and there's no difference between any of them, they're all set
the same way. But you'd have to guarantee that the mod_rewrite hook runs
after the SP sets them, since it would be spoofable otherwise. That may be a
question for Apache internals.

The environment variables are "deferred" in a sense, because they don't get
overlaid on the subprocess until the "fixups" hook, which is fairly late and
that's probably why they aren't visible to mod_rewrite.

-- Scott




RE: Using Shibboleth environment variables in RewriteEngine

jeffreyai
So to make this work, how can I configure Apache so that the mod_rewrite hook runs
after the Shibboleth module?

Thanks,

Re: Using Shibboleth environment variables in RewriteEngine

Bradley Schwoerer
In reply to this post by Cantor, Scott E.
I looked into this very extensively over the weekend to hopefully meet some
time- and role-based access control needs for our PeopleSoft HR rollout.
Certain roles should not have access during certain time blocks, while other
roles do have access.


To implement a rule that allows access to people with the givenName that
starts with 'brad' outside of the hours of 07:00-19:00, but allows everyone
else access during those hours would look like the following depending upon
what you are protecting and with what mechanism.

If you use .htaccess files or <Directory> blocks, you have to reference HTTP
headers (ShibUseHeaders On). mod_rewrite under this condition runs in the
fixup hook stage, which has allowed shib to populate the headers.

    RewriteEngine on
    RewriteCond  %{REQUEST_URI} ^/secure.*
    RewriteCond  %{TIME_HOUR}%{TIME_MIN} <0700 [OR]
    RewriteCond  %{TIME_HOUR}%{TIME_MIN} >1900
    RewriteCond  %{HTTP:givenName}  !^brad.*    [NC]
    RewriteRule  .*   http://www.wisc.edu/ [L]


If you are going to proxy content using something like mod_wl, you need to
use the forward looking option in mod_rewrite and use the environment
variables.  This is because by default mod_rewrite works at the URL
translation hook when outside of .htaccess or <Directory> blocks, which is
well before the other hooks where shib populates the environment.  The
forward looking option creates a sub-request for each RewriteCond
%{LA-U:ENV:YYY} that runs through the necessary hooks.

    RewriteCond  %{REQUEST_URI} ^/secure.*
    RewriteCond  %{TIME_HOUR}%{TIME_MIN} <0700 [OR]
    RewriteCond  %{TIME_HOUR}%{TIME_MIN} >1900
    RewriteCond  %{LA-U:ENV:Shib-Authentication-Instant}  ^20.*
    RewriteCond  %{LA-U:ENV:givenName}  !^brad.*  [NC]
    RewriteRule  .*   http://www.wisc.edu/ [L]

MAJOR note, because of the processing order of requests/sub-requests, you
need to add something like:
  RewriteCond  %{LA-U:ENV:Shib-Authentication-Instant}  ^20.*
This is needed to evaluate to true after the session is created but false
before. This is to allow the content rendering hook to evaluate in the Shib
SP to render the redirect page.


I hope this is helpful to others. This is also just an example and I do not
place any guarantees.  This is especially true on the scalability or overall
security of these mechanisms.


-Bradley Schwoerer




On 6/25/10 1:36 PM, "Scott Cantor" <[hidden email]> wrote:

>> I'm only aware of IdP-provided attributes working so Scott may be
>> correct about the internally-produced stuff.  I have not yet had the
>> need to try.
>
> I was confusing some things, actually. It's not the environment that's
> deferred, it's the response headers, but that has nothing to do with this
> topic.
>
> Basically, the headers do get added to the internal header table
> immediately, and there's no difference between any of them, they're all set
> the same way. But you'd have to guarantee that the mod_rewrite hook runs
> after the SP sets them, since it would be spoofable otherwise. That may be a
> question for Apache internals.
>
> The environment variables are "deferred" in a sense, because they don't get
> overlaid on the subprocess until the "fixups" hook, which is fairly late and
> that's probably why they aren't visible to mod_rewrite.
>
> -- Scott
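Pulling the thread together, here is Philip's original goal (redirect by Shib-Identity-Provider) written out both ways the replies describe. This is an added example, not configuration from any poster or from the Shibboleth project; the entityID, the directory path, the target host and the use of mod_headers are assumptions, and the directives are written for the Apache 2.2 / SP 2.x generation the thread is about.

```apache
# Added example: redirect users of one IdP, the two ways the thread describes.
# Assumed: /secure is SP-protected, mod_rewrite and mod_headers are loaded,
# "servername.example" and the entityID are placeholders.

# Defence in depth for header mode (assumption, not from the thread): drop any
# client-supplied copies of the attribute headers before the SP sets its own.
# "early" runs in the post-read-request hook, ahead of authentication, so a
# forged "givenName: brad" from the client never reaches the rules below.
# The SP's own spoof checking (see the NativeSPSpoofChecking link) still applies.
RequestHeader unset Shib-Identity-Provider early
RequestHeader unset givenName early

# --- Variant A: per-directory context (<Directory> or .htaccess) -----------
# Here mod_rewrite runs in the fixup hook, after the SP has populated the
# headers, so %{HTTP:...} works once ShibUseHeaders is on.
<Directory "/var/www/html/secure">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
    ShibUseHeaders On

    RewriteEngine On
    # No surrounding quotes after "=": mod_rewrite compares the raw string, so
    # the quotes in the original post became part of the expected value and
    # could never match even with the variable populated.
    RewriteCond %{HTTP:Shib-Identity-Provider} =urn:mace:kuleuven.be:kulassoc:kuleuven.be
    RewriteRule ^ https://servername.example/partner/ [L,R=302]
</Directory>

# --- Variant B: server / virtual-host context (e.g. in front of a proxy) -----
# Here mod_rewrite runs in the URL-translation hook, before the SP. The LA-U
# look-ahead issues a sub-request that passes through the later hooks, so the
# environment variables are visible; no ShibUseHeaders needed.
<Location "/secure">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/secure
# Guard from Bradley's post: only act once a session exists, otherwise the
# SP never gets to render its own redirect to the IdP.
RewriteCond %{LA-U:ENV:Shib-Authentication-Instant} ^20
RewriteCond %{LA-U:ENV:Shib-Identity-Provider} =urn:mace:kuleuven.be:kulassoc:kuleuven.be
# The original rule had no capture group, so its $1 was always empty; capture
# the remainder of the path explicitly if it should be carried over.
RewriteRule ^/secure(/.*)?$ https://servername.example/partner$1 [L,R=302]
```

Two points worth checking on a live server: with `RewriteLog`/`RewriteLogLevel 4` (2.2) or `LogLevel rewrite:trace4` (2.4) the condition lines should now show a non-empty `input=` for the Shib variable, and a request sent with a hand-crafted `Shib-Identity-Provider` header must still log the SP-supplied value, which confirms that the rule is evaluated after the SP and not on client input.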