Tags: apache, security, configuration, shibboleth

Why does enabling cleartrust override my shibboleth settings in Apache?


I want to protect one of my virtual hosts with shibboleth and others with cleartrust, but as soon as I enable cleartrust I can access the shibboleth protected virtual hosts without being authorized.

This is my shibboleth virtual host:

localhost.virtual-host.conf

<VirtualHost *:443>
    ServerName localhost
    SSLEngine on
    # "all" enables every protocol the OpenSSL build supports; production hosts
    # normally restrict this (e.g. "all -SSLv3 -TLSv1 -TLSv1.1").
    SSLProtocol all
    SSLCertificateFile conf/localhost.crt
    SSLCertificateKeyFile conf/localhost.key
    SSLCertificateChainFile "conf/localhost.crt"
    ErrorLog "logs/localhost-error_log"
    CustomLog "logs/localhost-access_log" common
    ProxyPreserveHost On

    # Keep the Shibboleth SP handler local; never proxy it to a backend.
    ProxyPass "/Shibboleth.sso" !
    # Default for the whole host: lazy (passive) Shibboleth session, no login forced.
    <Location />
        AuthType shibboleth
        Require shibboleth
        ShibRequestSetting applicationId localhost-saml
    </Location>
    # /group must have an authenticated session. ShibUseHeaders On exports the
    # SAML attributes as request headers; only safe when nothing else on the
    # path can inject those header names (see the SP documentation on spoofing).
    <Location /group>
        ShibUseHeaders On
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId localhost-saml
        Require valid-user
    </Location>
    # The SP handler itself must be reachable without authentication
    # (Apache 2.2-style access control; "Require all granted" is the 2.4 form).
    <Location /Shibboleth.sso>
        Satisfy Any
        Allow from all
    </Location>
</VirtualHost>

My cleartrust httpd.conf

ct-httpd.conf

#
# This is a RSA Access Manager Agent 5.0 configuration file
#

# Load and add the ClearTrust authorization module.
# For Apache 1.3, it should be the last one added (the first one
# to be invoked by Apache)
#
LoadModule ct_auth_module /opt/rsa-axm/agent-50-apache/lib/libct_apache24_agent.so

<IfModule ct_apache_mod.c>

  # Where the agent configuration is located:
  CTAgentRoot /opt/rsa-axm/agent-50-apache/webservers/Apache_2.2.15

  # Where the ClearTrust forms are located.  This directory must
  # always be configured for authentication, so the ClearTrust module
  # can intercept and handle the requests.
  #
  Alias /cleartrust/ "/opt/rsa-axm/agent-50-apache/htdocs/"
  <Directory "/opt/rsa-axm/agent-50-apache/htdocs/">
    AuthType Basic
    Require valid-user
    AuthName CT
    Order allow,deny
    Allow from all
  </Directory>

  # Any part of a web site to be protected by ClearTrust must be
  # configured for authentication.  See the Apache documentation
  # for details.
  #
  # This example will make ClearTrust protect the entire web site,
  # unless there are previous Location overriding directives.
  #
  <Location />
    AuthType Basic
    Require valid-user
    AuthName CT
  </Location>

</IfModule>

My cleartrust webagent.conf. By default I disable cleartrust, because I want shibboleth to be used instead.

webagent.conf

<VirtualHost address=* name=* port=*>
    cleartrust.agent.enabled=False
</VirtualHost>

The problem is that when the contents of ct-httpd.conf are loaded into Apache, thus enabling cleartrust, I can access /group on localhost without authorizing via shibboleth, which I do not want.

Has anyone else had a similar issue and know how to fix it? Thanks in advance! :)


Solution

  • After reading through the Access Manager documentation I found that if the cleartrust agent is disabled, it also ignores all other potential authentication modules loaded into Apache by default. In order for Access Manager to pass the authentication to other modules, you must specify a list of authentication realms for which the Access Manager Agent allows requests to be evaluated by other modules.

    I achieved this by adding this to my webagent.conf file: cleartrust.agent.apache.pass_realms=*

    Final result:

    webagent.conf

    <VirtualHost address=* name=* port=*>
        cleartrust.agent.enabled=False
        cleartrust.agent.apache.pass_realms=*
    </VirtualHost>
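The failure mode in the answer is easy to reintroduce (a new vhost, a webagent.conf edit), so a config-time check is worth keeping next to the fix. The script below is an added example, not code from the original post or from RSA or Shibboleth: it parses the `<VirtualHost ...>` blocks of webagent.conf and an Apache vhost file, and reports every Location that relies on a non-ClearTrust `AuthType` (ClearTrust's own areas use `AuthType Basic` in ct-httpd.conf) while the matching agent block has `cleartrust.agent.enabled=False` and no `cleartrust.agent.apache.pass_realms` entry covering it. The sample inputs are constructed from the files in the question. Three things are assumptions rather than documented behaviour and are marked as such in the code: `name=*`/`port=*` in an agent block match any ServerName and port, a missing `cleartrust.agent.enabled` means the agent is on, and `pass_realms` is either `*` or a comma-separated list of `AuthName` realms; check the Access Manager Agent documentation for the exact matching rules.

```python
"""Report Apache Locations whose auth module a disabled ClearTrust agent never consults."""
import re
from dataclasses import dataclass, field

# Constructed sample inputs, modelled on the files posted in the question.
WEBAGENT_CONF_BROKEN = """<VirtualHost address=* name=* port=*>
    cleartrust.agent.enabled=False
</VirtualHost>"""
WEBAGENT_CONF_FIXED = """<VirtualHost address=* name=* port=*>
    cleartrust.agent.enabled=False
    cleartrust.agent.apache.pass_realms=*
</VirtualHost>"""
VHOST_CONF = """<VirtualHost *:443>
    ServerName localhost
    <Location />
        AuthType shibboleth
    </Location>
    <Location /group>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
    </Location>
    <Location /Shibboleth.sso>
        Satisfy Any
    </Location>
</VirtualHost>"""
CT_AUTH_TYPE = "basic"  # ct-httpd.conf guards ClearTrust areas with AuthType Basic


@dataclass
class AgentBlock:
    name: str = "*"
    port: str = "*"
    settings: dict = field(default_factory=dict)

    def matches(self, server_name, port):
        # Assumption: "*" is a wildcard for the ServerName / listen port.
        return self.name in ("*", server_name) and self.port in ("*", port)

    def enabled(self):
        # Assumption: a missing cleartrust.agent.enabled means the agent is on.
        return self.settings.get("cleartrust.agent.enabled", "True").lower() == "true"

    def passes_realm(self, auth_name):
        # Assumption: pass_realms is "*" or a comma-separated list of AuthName realms.
        realms = self.settings.get("cleartrust.agent.apache.pass_realms", "").strip()
        return realms == "*" or auth_name in [r.strip() for r in realms.split(",") if r.strip()]


def parse_webagent(text):
    """Parse webagent.conf <VirtualHost ...> blocks into AgentBlock objects."""
    blocks, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"<VirtualHost\s+([^>]*)>", line, re.I)
        if m:
            attrs = dict(re.findall(r"(\w+)=(\S+)", m.group(1)))
            cur = AgentBlock(attrs.get("name", "*"), attrs.get("port", "*"))
            blocks.append(cur)
        elif line.lower() == "</virtualhost>":
            cur = None
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cur.settings[key.strip()] = value.strip()
    return blocks


def parse_vhosts(text):
    """Minimal Apache parser: ServerName, port and per-Location auth directives."""
    vhosts, vh, loc = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"<VirtualHost\s+\S*:(\d+)>", line, re.I):
            vh = {"server_name": "", "port": m.group(1), "locations": []}
            vhosts.append(vh)
        elif vh is not None and (m := re.match(r"<Location\s+(\S+)>", line, re.I)):
            loc = {"path": m.group(1), "auth_type": "", "auth_name": ""}
            vh["locations"].append(loc)
        elif line.lower() == "</location>":
            loc = None
        elif vh is not None and len(parts := line.split(None, 1)) == 2:
            directive, arg = parts[0].lower(), parts[1].strip().strip('"')
            if directive == "servername":
                vh["server_name"] = arg
            elif loc is not None and directive == "authtype":
                loc["auth_type"] = arg.lower()
            elif loc is not None and directive == "authname":
                loc["auth_name"] = arg
    return vhosts


def audit(webagent_text, vhost_text):
    """Return (host:port, path, auth_type) for each Location whose non-ClearTrust
    auth module is bypassed: agent disabled and realm not passed through."""
    findings, blocks = [], parse_webagent(webagent_text)
    for vh in parse_vhosts(vhost_text):
        for loc in vh["locations"]:
            if not loc["auth_type"] or loc["auth_type"] == CT_AUTH_TYPE:
                continue  # nothing to bypass, or ClearTrust's own realm
            if any(b.matches(vh["server_name"], vh["port"]) and not b.enabled()
                   and not b.passes_realm(loc["auth_name"]) for b in blocks):
                findings.append((f'{vh["server_name"]}:{vh["port"]}', loc["path"], loc["auth_type"]))
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", WEBAGENT_CONF_BROKEN), ("fixed", WEBAGENT_CONF_FIXED)):
        print(label, audit(conf, VHOST_CONF) or "OK: every auth module is reachable")
```

Run against the two constructed agent files it flags `/` and `/group` for the broken one and nothing for the fixed one. On a live host the complementary runtime check is `curl -skI https://localhost/group` with no session cookie: with the fix in place the response must be a redirect to the SP handler under /Shibboleth.sso, never a 200.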