lazy sessions and .htaccess

Bill Tantzen
I am using lazy sessions for my site, and as such have a section like this:

<Location />
  AuthType shibboleth
  ShibRequireSession Off
  Require shibboleth
</Location>

This works as expected, but I would like to further configure a subdirectory with a .htaccess file (which, as the documentation states, is impossible in combination with the above <Location> block).

My workaround was to place the directives in a <Directory> block, configuring the webroot.

This *does* work, but I'm wondering if it is the best way to accomplish what I want (to use .htaccess files).

I have httpd 2.4.6 and shibd 2.6.1

Any pointers here would be appreciated!
Regards,
Bill

--
Human wheels spin round and round
While the clock keeps the pace... -- John Mellencamp
________________________________________________________________
Bill Tantzen    University of Minnesota Libraries
612-626-9949 (U of M)    612-325-1777 (cell)

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: lazy sessions and .htaccess

Nate Klingenstein-5

Bill,

It's one way to do it.  For the gory details:

https://wiki.shibboleth.net/confluence/display/SP3/Apache

Take care,
Nate.

--------
The Art of Access ®

Nate Klingenstein | Principal
https://www.signet.id/


Re: lazy sessions and .htaccess

Bill Tantzen
Thanks for the quick reply Nate!

I guess what I am wondering is if my approach is the best way, or at least the standard way (or simply the way everybody does it).  I looked over the docs again, in particular the page you cited and I don't see anything helpful, although I may be a little slow...

Specifically, what I am trying to accomplish is to be able to quickly add "require not ip xx.xx.xx" directives to an .htaccess file for a handful of locations.  It would seem that apache consults <Location> blocks after .htaccess, which is why I opted to configure my lazy sessions in a <Directory> block instead.  If that works, and it's not too weird, I'm happy with it but you seem to hint that there is more than one way to do it.  Can you suggest another way?

I am also curious about what lazy sessions actually do; my application seems to work fine without them!  What is the upside to using them when they seem to do nothing!

Thanks again for taking the time to help out!
~~ Bill


Re: lazy sessions and .htaccess

Peter Schober
* Bill Tantzen <[hidden email]> [2019-12-18 15:42]:
> Specifically, what I am trying to accomplish is to be able to quickly add
> "require not ip xx.xx.xx" directives to an .htaccess file for a handful of
> locations.

FWIW, if an admin is able to do those changes I'd move all those into
the httpd configuration and disable htaccess globally. Saves httpd
from traversing file systems (possibly even slow network/remote ones)
looking for .htaccess files everywhere.
(Also makes for an easier audit what the current effective config is
without having to search all those files yourself.)

> If that works, and it's not too weird, I'm happy with it but you
> seem to hint that there is more than one way to do it.

If it works it works. Also seems to be more of an httpd question, less
of a Shibboleth one.

> I am also curious about what lazy sessions actually do; my
> application seems to work fine without them!  What is the upside to
> using them when they seem to do nothing!

With neither lazy sessions nor active protection (require something
specific, not "shibboleth") httpd wouldn't even call into the Shib SP
so you'd never see any attributes anywhere, even if you didn't care
about access control enforced by the web server itself.

So the only way for "works fine without" to make sense (to me) is if
you have areas with active protection (that work).

-peter
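
The two approaches discussed in this thread, side by side, as an added example that is not part of the original posts or of the Shibboleth project's own documentation. The web root /var/www/html, the subdirectory forms/ and the address range 192.0.2.0/24 are assumptions chosen for illustration; use one variant or the other, not both.

```apache
# --- Variant A: lazy session in <Directory>, tightened per directory via .htaccess ---
# httpd.conf (web root path is an assumption)
<Directory "/var/www/html">
    AuthType shibboleth
    ShibRequireSession Off
    Require shibboleth
    # Require and <RequireAll> in .htaccess need the AuthConfig override class.
    AllowOverride AuthConfig
</Directory>

# /var/www/html/forms/.htaccess (hypothetical subdirectory)
# A negated Require cannot stand alone, so it is paired with a positive rule.
# With the default "AuthMerging Off" this section replaces the inherited
# "Require shibboleth", which is why that line is repeated here.
<RequireAll>
    Require shibboleth
    Require not ip 192.0.2.0/24
</RequireAll>

# --- Variant B: everything in httpd.conf, .htaccess lookups disabled ---
<Directory "/var/www/html">
    AuthType shibboleth
    ShibRequireSession Off
    Require shibboleth
    AllowOverride None
</Directory>

<Directory "/var/www/html/forms">
    <RequireAll>
        Require shibboleth
        Require not ip 192.0.2.0/24
    </RequireAll>
</Directory>
# Changes take effect on a graceful reload: apachectl graceful
```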

Re: lazy sessions and .htaccess

Cantor, Scott E.
On 12/18/19, 9:42 AM, "users on behalf of Bill Tantzen" <[hidden email] on behalf of [hidden email]> wrote:

> I am also curious about what lazy sessions actually do

The self-invented term simply refers to content that does not require a session but consumes data from one if it exists so the SP has to know to process the requests in a different way than an active content rule. It cannot do anything useful unless something else causes the user to be logged in when that's necessary, and the use of them is tied into the nature of the application/content and how it's integrated with the SP.

> my application seems to work fine without them!  What is the upside to using them when they seem to do nothing!

They simply ensure the SP will process and attach user data to requests for the content when a session exists and ignore the requests if no session exists.

As Peter said, using them with no application doing explicit redirects to cause a login and/or no "active" session rules in place for some related content by definition means the SP is never actually used and should just be removed.

-- Scott



Re: lazy sessions and .htaccess

Bill Tantzen
Scott, Peter,

Right on -- the protected endpoints in my application do consult the SP when needed (with or without lazy sessions), so that is another way to accomplish what I need.

Yes, I realize that .htaccess introduces some inefficiencies but my goal is to be able to quickly respond to spam, etc in what needs to be an unprotected endpoint without restarting apache and interrupting active users (moving those directives to the main configuration periodically).

Thanks for all your help everybody -- it is appreciated!
~~ Bill
