Why does enabling cleartrust override my shibboleth settings in Apache?

I want to protect one of my virtual hosts with shibboleth and the other virtual hosts with cleartrust, but as soon as cleartrust is enabled I can access the shibboleth-protected virtual host without being authorized.

Here is my virtual host:

localhost.virtual-host.conf

<VirtualHost *:443>
    ServerName localhost
    SSLEngine on
    SSLProtocol all
    SSLCertificateFile conf/localhost.crt
    SSLCertificateKeyFile conf/localhost.key
    SSLCertificateChainFile "conf/localhost.crt"
    ErrorLog "logs/localhost-error_log"
    CustomLog "logs/localhost-access_log" common
    ProxyPreserveHost On

    ProxyPass "/Shibboleth.sso" !
    <Location />
        AuthType shibboleth
        Require shibboleth
        ShibRequestSetting applicationId localhost-saml
    </Location>
    <Location /group>
        ShibUseHeaders On
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId localhost-saml
        Require valid-user
    </Location>
    <Location /Shibboleth.sso>
        Satisfy Any
        Allow from all
    </Location>
</VirtualHost>

My cleartrust httpd.conf:

ct-httpd.conf

#
# This is a RSA Access Manager Agent 5.0 configuration file
#

# Load and add the ClearTrust authorization module.
# For Apache 1.3, it should be the last one added (the first one
# to be invoked by Apache)
#
LoadModule ct_auth_module /opt/rsa-axm/agent-50-apache/lib/libct_apache24_agent.so

<IfModule ct_apache_mod.c>

  # Where the agent configuration is located:
  CTAgentRoot /opt/rsa-axm/agent-50-apache/webservers/Apache_2.2.15

  # Where the ClearTrust forms are located.  This directory must
  # always be configured for authentication, so the ClearTrust module
  # can intercept and handle the requests.
  #
  Alias /cleartrust/ "/opt/rsa-axm/agent-50-apache/htdocs/"
  <Directory "/opt/rsa-axm/agent-50-apache/htdocs/">
    AuthType Basic
    Require valid-user
    AuthName CT
    Order allow,deny
    Allow from all
  </Directory>

  # Any part of a web site to be protected by ClearTrust must be
  # configured for authentication.  See the Apache documentation
  # for details.
  #
  # This example will make ClearTrust protect the entire web site,
  # unless there are previous Location overriding directives.
  #
  <Location />
    AuthType Basic
    Require valid-user
    AuthName CT
  </Location>

</IfModule>

My cleartrust webagent.conf; I disable cleartrust by default because I want shibboleth to be used by default.

webagent.conf

<VirtualHost address=* name=* port=*>
    cleartrust.agent.enabled=False
</VirtualHost>

The problem is that when the contents of ct-httpd.conf are loaded into Apache, thereby enabling cleartrust, I can access /group on localhost without authorizing through shibboleth, which is not what I want.

Has anyone else run into a similar problem and knows how to solve it? Thanks in advance! :)

After reading through the Access Manager documentation, I found that if the cleartrust agent is disabled, it also ignores, by default, all other potential authentication modules loaded into Apache. For Access Manager to pass authentication on to other modules, you have to specify a list of authentication realms for which the Access Manager Agent allows other modules to evaluate the request.

I achieved this by adding this to my webagent.conf file: cleartrust.agent.apache.pass_realms=*

End result:

webagent.conf

<VirtualHost address=* name=* port=*>
    cleartrust.agent.enabled=False
    cleartrust.agent.apache.pass_realms=*
</VirtualHost>
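The failure mode in the answer above is easy to reintroduce silently: a `webagent.conf` block that disables the agent but omits `pass_realms` turns every other Apache authentication module on that vhost into a no-op. The following script is an added example, not part of the original post and not RSA's or Shibboleth's code. It parses the `<VirtualHost ...>` blocks of a `webagent.conf` in the `key=value` form shown in the post and flags blocks where `cleartrust.agent.enabled=False` is set without `cleartrust.agent.apache.pass_realms`, using the two configurations from the post as constructed sample input. The comment syntax (`#`), the case-insensitivity of keys and the assumption that a missing `cleartrust.agent.enabled` means the agent is enabled are assumptions made here for the lint, not facts taken from the agent documentation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the "before" and "after" webagent.conf from the post.
BROKEN_CONF = """\
<VirtualHost address=* name=* port=*>
    cleartrust.agent.enabled=False
</VirtualHost>
"""

FIXED_CONF = """\
<VirtualHost address=* name=* port=*>
    cleartrust.agent.enabled=False
    cleartrust.agent.apache.pass_realms=*
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+(.*?)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)


def parse_webagent_conf(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse the <VirtualHost ...> blocks of a webagent.conf into
    (selector, {key: value}) pairs.

    Assumptions (not from the agent docs): settings are one key=value per
    line, keys are case-insensitive, '#' starts a comment, blocks do not nest.
    Malformed input raises ValueError rather than being silently skipped, so a
    lint run on a broken file fails loudly instead of reporting "clean".
    """
    blocks: List[Tuple[str, Dict[str, str]]] = []
    selector, settings = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = VHOST_OPEN.match(line)
        if m:
            if selector is not None:
                raise ValueError(f"line {lineno}: nested <VirtualHost>")
            selector, settings = m.group(1), {}
            continue
        if VHOST_CLOSE.match(line):
            if selector is None:
                raise ValueError(f"line {lineno}: stray </VirtualHost>")
            blocks.append((selector, settings))
            selector, settings = None, None
            continue
        if selector is None:
            raise ValueError(f"line {lineno}: setting outside <VirtualHost>")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        settings[key.strip().lower()] = value.strip()
    if selector is not None:
        raise ValueError("unterminated <VirtualHost> block")
    return blocks


def find_auth_bypass(text: str) -> List[str]:
    """Return one finding per <VirtualHost> block in which the ClearTrust
    agent is disabled but no pass_realms is configured, i.e. the situation
    from the post where mod_shib is never consulted on that vhost."""
    findings = []
    for selector, s in parse_webagent_conf(text):
        # Assumption: an absent 'enabled' key means the agent is active.
        enabled = s.get("cleartrust.agent.enabled", "true").lower()
        realms = s.get("cleartrust.agent.apache.pass_realms", "")
        if enabled == "false" and not realms:
            findings.append(
                f"<VirtualHost {selector}>: cleartrust.agent.enabled=False "
                "without cleartrust.agent.apache.pass_realms; other Apache "
                "auth modules on this vhost are bypassed"
            )
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        problems = find_auth_bypass(conf)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

Run it against the real `webagent.conf` by reading the file into `find_auth_bypass`; a non-empty result on any vhost that is supposed to fall through to `mod_shib` reproduces the bypass described in the question. The lint is deliberately conservative: it only checks the presence of `pass_realms`, not whether its value actually matches the realms the other modules use, so a wrong realm list still needs a live test (request the protected path without a Shibboleth session and confirm you are redirected, not served).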