shibboleth-dev - Re: Shib 2.0 ShibRequireSession off?
Subject: Shibboleth Developers
- From: SCOTT CANTOR <>
- To:
- Subject: Re: Shib 2.0 ShibRequireSession off?
- Date: Tue, 25 Sep 2007 17:07:35 -0400
- Priority: normal
> I believe it should be showing me the contents of /foo - yes?

No, require valid-user has always meant "has session". You're thinking of
require shibboleth (which means "Apache is broken, but make it work by
sticking in a dummy require rule").

A proposal was made to optionally make static access control work by only
enforcing it if a session is found, rather than no matter what, but I haven't
yet implemented that (or decided whether I will).

For security reasons, the default behavior will remain as is, though. Lazy
sessions were not designed to work with static enforcement.

-- Scott
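
The distinction drawn in the reply above, as an added Apache configuration sketch that is not part of the original message or the project's documentation. The `/foo` block is an assumed reconstruction of the configuration being asked about; `/lazy` and `/secure` are hypothetical paths.

```apache
# Assumed reconstruction of the case in the thread: the session is not
# forced, but a static access control rule is still present.
<Location /foo>
    AuthType shibboleth
    ShibRequireSession Off
    # "valid-user" means "has session". It is enforced whether or not a
    # session exists, so a request without one is denied rather than
    # shown the contents of /foo.
    Require valid-user
</Location>

# Lazy session (hypothetical path): the module is active and exports
# attributes when a session exists, but imposes no access control.
<Location /lazy>
    AuthType shibboleth
    ShibRequireSession Off
    # Dummy rule that only satisfies Apache's need for a Require line.
    # The application must decide what an anonymous visitor may see and
    # start a login itself when it needs one.
    Require shibboleth
</Location>

# Static enforcement (hypothetical path): the session is established
# before the content is served, and the rule is evaluated against it.
<Location /secure>
    AuthType shibboleth
    ShibRequireSession On
    Require valid-user
</Location>
```

Anything that must not be served to anonymous users belongs under the third form; under the second, the web server enforces nothing and the check has to live in the application.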