为什么启用cleartrust会覆盖我在Apache中的shibboleth设置?

时间:2018-11-12 12:23:18

标签: apache security configuration shibboleth

我想使用shibboleth保护我的一个虚拟主机,并使用cleartrust保护其他虚拟主机,但是一旦启用cleartrust,我就可以在未经授权的情况下访问shibboleth保护的虚拟主机。

这是我的shibboleth虚拟主机:

localhost.virtual-host.conf

<VirtualHost *:443>
    ServerName localhost
    SSLEngine on
    SSLProtocol all
    SSLCertificateFile conf/localhost.crt
    SSLCertificateKeyFile conf/localhost.key
    SSLCertificateChainFile "conf/localhost.crt"
    ErrorLog "logs/localhost-error_log"
    CustomLog "logs/localhost-access_log" common
    ProxyPreserveHost On

    ProxyPass "/Shibboleth.sso" !
    <Location />
        AuthType shibboleth
        Require shibboleth
        ShibRequestSetting applicationId localhost-saml
    </Location>
    <Location /group>
        ShibUseHeaders On
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId localhost-saml
        Require valid-user
    </Location>
    <Location /Shibboleth.sso>
        Satisfy Any
        Allow from all
    </Location>
</VirtualHost>

我的cleartrust httpd.conf

ct-httpd.conf

#
# This is a RSA Access Manager Agent 5.0 configuration file
#

# Load and add the ClearTrust authorization module.
# For Apache 1.3, it should be the last one added (the first one
# to be invoked by Apache)
#
LoadModule ct_auth_module /opt/rsa-axm/agent-50-apache/lib/libct_apache24_agent.so

<IfModule ct_apache_mod.c>

  # Where the agent configuration is located:
  CTAgentRoot /opt/rsa-axm/agent-50-apache/webservers/Apache_2.2.15

  # Where the ClearTrust forms are located.  This directory must
  # always be configured for authentication, so the ClearTrust module
  # can intercept and handle the requests.
  #
  Alias /cleartrust/ "/opt/rsa-axm/agent-50-apache/htdocs/"
  <Directory "/opt/rsa-axm/agent-50-apache/htdocs/">
    AuthType Basic
    Require valid-user
    AuthName CT
    Order allow,deny
    Allow from all
  </Directory>

  # Any part of a web site to be protected by ClearTrust must be
  # configured for authentication.  See the Apache documentation
  # for details.
  #
  # This example will make ClearTrust protect the entire web site,
  # unless there are previous Location overriding directives.
  #
  <Location />
    AuthType Basic
    Require valid-user
    AuthName CT
  </Location>

</IfModule>

我的cleartrust webagent.conf默认情况下禁用cleartrust,因为我希望默认使用shibboleth。

webagent.conf

<VirtualHost address=* name=* port=*>
    cleartrust.agent.enabled=False
</VirtualHost>

问题是,当将ct-httpd.conf的内容加载到Apache中从而启用cleartrust时,我可以在localhost中访问/ group,而无需通过shibboleth进行授权,这是我不想要的。

其他任何人都有类似的问题,并且知道如何解决吗?提前致谢! :)

1 个答案:

答案 0 :(得分:0)

通读Access Manager文档之后,我发现如果禁用了cleartrust代理,则默认情况下它也将忽略所有其他潜在的身份验证模块,这些模块已加载到Apache中。为了使Access Manager可以将身份验证传递给其他模块,必须指定身份验证领域的列表,Access Manager代理允许对其进行请求,以供其他模块评估请求。

我通过将其添加到我的webagent.conf文件中来实现这一点:cleartrust.agent.apache.pass_realms = *

最终结果:

webagent.conf

<VirtualHost address=* name=* port=*>
    cleartrust.agent.enabled=False
    cleartrust.agent.apache.pass_realms=*
</VirtualHost>