我想使用shibboleth保护我的一个虚拟主机,并使用cleartrust保护其他虚拟主机,但是一旦启用cleartrust,我就可以在未经授权的情况下访问shibboleth保护的虚拟主机。
这是我的shibboleth虚拟主机:
localhost.virtual-host.conf
<VirtualHost *:443>
ServerName localhost
SSLEngine on
SSLProtocol all
SSLCertificateFile conf/localhost.crt
SSLCertificateKeyFile conf/localhost.key
SSLCertificateChainFile "conf/localhost.crt"
ErrorLog "logs/localhost-error_log"
CustomLog "logs/localhost-access_log" common
ProxyPreserveHost On
ProxyPass "/Shibboleth.sso" !
<Location />
AuthType shibboleth
Require shibboleth
ShibRequestSetting applicationId localhost-saml
</Location>
<Location /group>
ShibUseHeaders On
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId localhost-saml
Require valid-user
</Location>
<Location /Shibboleth.sso>
Satisfy Any
Allow from all
</Location>
</VirtualHost>
我的cleartrust httpd.conf
ct-httpd.conf
#
# This is a RSA Access Manager Agent 5.0 configuration file
#
# Load and add the ClearTrust authorization module.
# For Apache 1.3, it should be the last one added (the first one
# to be invoked by Apache)
#
LoadModule ct_auth_module /opt/rsa-axm/agent-50-apache/lib/libct_apache24_agent.so
<IfModule ct_apache_mod.c>
# Where the agent configuration is located:
CTAgentRoot /opt/rsa-axm/agent-50-apache/webservers/Apache_2.2.15
# Where the ClearTrust forms are located. This directory must
# always be configured for authentication, so the ClearTrust module
# can intercept and handle the requests.
#
Alias /cleartrust/ "/opt/rsa-axm/agent-50-apache/htdocs/"
<Directory "/opt/rsa-axm/agent-50-apache/htdocs/">
AuthType Basic
Require valid-user
AuthName CT
Order allow,deny
Allow from all
</Directory>
# Any part of a web site to be protected by ClearTrust must be
# configured for authentication. See the Apache documentation
# for details.
#
# This example will make ClearTrust protect the entire web site,
# unless there are previous Location overriding directives.
#
<Location />
AuthType Basic
Require valid-user
AuthName CT
</Location>
</IfModule>
我的cleartrust webagent.conf默认情况下禁用cleartrust,因为我希望默认使用shibboleth。
webagent.conf
<VirtualHost address=* name=* port=*>
cleartrust.agent.enabled=False
</VirtualHost>
问题是,当将ct-httpd.conf的内容加载到Apache中从而启用cleartrust时,我可以在localhost中访问/ group,而无需通过shibboleth进行授权,这是我不想要的。
其他任何人都有类似的问题,并且知道如何解决吗?提前致谢! :)
答案 0 :(得分:0)
通读Access Manager文档之后,我发现如果禁用了cleartrust代理,则默认情况下它也将忽略所有其他潜在的身份验证模块,这些模块已加载到Apache中。为了使Access Manager可以将身份验证传递给其他模块,必须指定身份验证领域的列表,Access Manager代理允许对其进行请求,以供其他模块评估请求。
我通过将其添加到我的webagent.conf文件中来实现这一点:cleartrust.agent.apache.pass_realms = *
最终结果:
webagent.conf
<VirtualHost address=* name=* port=*>
cleartrust.agent.enabled=False
cleartrust.agent.apache.pass_realms=*
</VirtualHost>