Genius !
Yes, I'll try that.
Why did I not think of that myself?
If anything, it'll be fun to watch the log lines of authz_core and try to make
sense of them.
I don't even think that I have to extend our module, it should work just as well with
"require UMA-user valid-user" in both cases.
One more question: why the top-level <RequireAll>?
On 07.03.2020 00:59, Paul B. Henson wrote:
On Sat, Mar 07, 2020 at 12:22:35AM +0100, André Warnier (tomcat/perl) wrote:
Does anyone have an idea how I could do the equivalent of a "pop the
'require shibboleth' but just for this request" ?
Would you be willing to extend your local custom module to achieve this?
You could do something like:
<RequireAll>
    <RequireAny>
        Require UMA-token
        <RequireAll>
            Require shibboleth
            Require UMA-user valid-user
        </RequireAll>
    </RequireAny>
</RequireAll>
Your custom module would get called first, which would check to see if
your custom session token was valid. If so, it would return success and
nothing else would be processed. Otherwise, the shibboleth module would
run, then your custom module which would establish your session token so
on the next access the shib auth would be bypassed.
ShibRequestMapperAuthz Off
ShibUseHeaders On
ShibUseEnvironment Off
PerlSetVar UMA_Debug 3
<RequireAll>
    Require UMA-user valid-user
    Require shibboleth
</RequireAll>
...
</Location>
which basically means:
we combine 2 AAA methods:
- one is our own (AUTH::UMA2 above, mod_perl based)
- the other is SAML, via Shibboleth (and all the directives above with
"shib" in them correspond to the Shibboleth installation instructions)
(The reason being: the corporate user authentication happens via SAML, but
it does not provide us enough information about the user. So we run another
additional scheme, which supplements the user information, in order to feed
more complete data to our applications.)
Our own AAA method is such that once the user has been authenticated once,
we set a token, such that for subsequent requests we do not need to
re-authenticate the user.
But no matter what we do at that level, the Shibboleth authentication runs
anyway. (*)
And my question is: considering the above setup, would mod_perl provide a
way, through some mod_perl API, to disable the Shibboleth authentication (on
a request-by-request basis), when our own authz module determines that we do
not need it to run anymore for the current request?
(replace Shibboleth by any other authentication that would be configured in
addition to our own; I'm looking for some "generic" mechanism, not only for
Shibboleth).
Or is it so that different authentication methods/modules don't insert
themselves in any standard way which can easily be interfaced with in order
to dynamically disable them ?
Note: Shibboleth itself does caching of its prior authentication, and it is
not really a big performance hit to re-run it each time, and we can live
with it as it is. But in the absolute, it is unnecessary for 90% of the
accesses to the applications, so it just sounds like disabling it would be a
nice/efficient thing to do.
I thought of dynamically removing the "Require shibboleth" e.g., but there
does not seem to be an API to do that.
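To see why Paul's nesting avoids the extra Shibboleth round on repeat requests, here is an added model of how authz_core would walk that tree (this is illustration code, not code from the thread, from AUTH::UMA2 or from mod_authz_core). The three providers and the SESSIONS dict are constructed stand-ins for UMA-token, shibboleth and UMA-user, and the two evaluation rules follow Paul's description: the first grant ends a RequireAny, the first denial ends a RequireAll.

```python
GRANTED, DENIED = "granted", "denied"
SESSIONS = {}  # constructed token -> user store, standing in for whatever AUTH::UMA2 keeps

def uma_token(req, trace):
    """Custom provider (Require UMA-token): grant if the request carries a token we issued."""
    trace.append("UMA-token")
    return GRANTED if req.get("token") in SESSIONS else DENIED

def shibboleth(req, trace):
    """Stand-in for Require shibboleth: grant if the simulated SAML login is present."""
    trace.append("shibboleth")
    req["user"] = req.get("saml_user")
    return GRANTED if req["user"] else DENIED

def uma_user(req, trace):
    """Stand-in for Require UMA-user valid-user: needs an authenticated user, then issues a token."""
    trace.append("UMA-user")
    if not req.get("user"):
        return DENIED
    token = f"tok-{len(SESSIONS) + 1}"  # constructed token format, not a real session id
    SESSIONS[token] = req["user"]
    req["issued_token"] = token
    return GRANTED

def require_any(children, req, trace):
    """<RequireAny>: evaluate children in order, stop at the first grant."""
    for child in children:
        if child(req, trace) == GRANTED:
            return GRANTED
    return DENIED

def require_all(children, req, trace):
    """<RequireAll>: evaluate children in order, stop at the first denial."""
    for child in children:
        if child(req, trace) == DENIED:
            return DENIED
    return GRANTED

def authz_tree(req, trace):
    """Paul's tree: RequireAll( RequireAny( UMA-token, RequireAll(shibboleth, UMA-user) ) )."""
    inner = lambda r, t: require_all([shibboleth, uma_user], r, t)
    either = lambda r, t: require_any([uma_token, inner], r, t)
    return require_all([either], req, trace)

def simulate(req):
    """Run one request through the tree; return (result, providers invoked in order, request)."""
    trace = []
    return authz_tree(req, trace), trace, req
```

Running `simulate({"saml_user": "alice"})` invokes UMA-token, shibboleth and UMA-user and issues a token; feeding that token back as `simulate({"token": ...})` invokes only UMA-token, so the shibboleth provider is never reached on the repeat request.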