shibboleth-dev - Re: Shib 2.0 ShibRequireSession off?
Subject: Shibboleth Developers
List archive
- From: "Michael R. Gettes" <>
- To:
- Subject: Re: Shib 2.0 ShibRequireSession off?
- Date: Tue, 25 Sep 2007 22:33:30 -0400
Very helpful - I didn't realize the subtly of require shibboleth - thanks!
/mrg
On Sep 25, 2007, at 17:07, SCOTT CANTOR wrote:
I believe it should be showing me the contents of /foo - yes?
No, require valid-user has always meant "has session". You're thinking of require shibboleth (which means "Apache is broken, but make it work by sticking in a dummy require rule").
A proposal was made to optionally make static access control work by only enforcing it if a session is found, rather than no matter what, but I haven't yet implemented that (or decided whether I will).
For security reasons, the default behavior will remain as is, though. Lazy sessions were not designed to work with static enforcement.
-- Scott
- Shib 2.0 ShibRequireSession off?, Michael R. Gettes, 09/25/2007
- <Possible follow-up(s)>
- Re: Shib 2.0 ShibRequireSession off?, SCOTT CANTOR, 09/25/2007
- Re: Shib 2.0 ShibRequireSession off?, Michael R. Gettes, 09/25/2007
Archive powered by MHonArc 2.6.16.