ShibAccessControl Relative Paths


Aaron Roots

Feb 20, 2012, 10:09:42 PM
to us...@shibboleth.net
Howdy,

We have started using the ShibAccessControl in our .htaccess files – finding it most appropriate for our circumstances. From testing it appears that relative paths do not work with it. Just wanting to confirm that it definitely requires an absolute path and I am not missing something entirely.

Then asking the next few questions I'd have. Am also wondering if there is any reason this couldn't use a relative path? Would it be appropriate to log this as an "Improvement"?

Cheers
Aaron

Cantor, Scott

Feb 20, 2012, 11:20:41 PM
to us...@shibboleth.net
On 2/20/12 10:09 PM, "Aaron Roots" <aaron...@deakin.edu.au> wrote:
>
>We have started using the ShibAccessControl in our .htaccess files –
>finding it most appropriate for our circumstances. From testing it
>appears that relative paths do not work with it. Just wanting to confirm
>that it definitely requires an absolute path
> and I am not missing something entirely.

Relative paths should work fine, but they're relative to the standard
configuration location, etc/shibboleth.

>Then asking the next few questions I'd have. Am also wondering if there
>is any reason this couldn't use a relative path? Would it be appropriate to
>log this as an "Improvement"?

I can't really change the relative path base, it would break existing
configurations. I suppose additional commands could be worked in to
override that. That all assumes that Apache even gives me the information
needed to establish a path. I don't know how to do that, so a pointer or
patch would need to be supplied by somebody.

-- Scott
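
The resolution rule described in the reply above, as an added example that is not part of the original thread or the Shibboleth code: a small audit helper that finds `ShibAccessControl` directives in `.htaccess` content and reports which file each one loads when relative paths are anchored at the configuration directory. The `/etc/shibboleth` prefix, the sample `.htaccess` text and the name `audit_htaccess` are assumptions made for illustration.

```python
import posixpath
import shlex

# Assumption: the SP config directory is /etc/shibboleth (the thread gives
# "etc/shibboleth" under the install prefix; the prefix "/" is assumed here).
SHIB_CONFIG_DIR = "/etc/shibboleth"

# Constructed sample .htaccess content, not taken from the thread.
SAMPLE_HTACCESS = """\
# protect this directory
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibAccessControl acl.xml
"""


def audit_htaccess(htaccess_path, text, config_dir=SHIB_CONFIG_DIR):
    """List every ShibAccessControl directive with the file it really loads.

    Resolution is lexical (normpath); symlinks are not followed.
    """
    htaccess_dir = posixpath.dirname(htaccess_path)
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # copes with quoted arguments
        except ValueError:
            continue  # unbalanced quotes: not a directive we can read
        # Apache directive names are case-insensitive.
        if len(tokens) < 2 or tokens[0].lower() != "shibaccesscontrol":
            continue
        written = tokens[1]
        # join() returns an absolute second argument unchanged.
        effective = posixpath.normpath(posixpath.join(config_dir, written))
        beside = posixpath.normpath(posixpath.join(htaccess_dir, written))
        findings.append({
            "line": lineno,
            "written": written,
            "effective": effective,      # relative to the config directory
            "beside_htaccess": beside,   # what the author may have expected
            "mismatch": effective != beside,
        })
    return findings


if __name__ == "__main__":
    for f in audit_htaccess("/var/www/html/vhost/.htaccess", SAMPLE_HTACCESS):
        print(f)
```

A finding with `mismatch` set means the access control file that gets loaded is not the one sitting next to the `.htaccess` file, which is worth checking before relying on the rule.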


Aaron Roots

Feb 21, 2012, 1:10:24 AM
to Shib Users
Cheers Scott

Unfortunately for me - I don't think I could sell going relatively from /etc/shibboleth to ../../var/www/html/vhost/etc/etc as a better option to the end users. :)
I also don't believe that it would be a good idea to open up the /etc/shibboleth location to the end users to write to either - just for access control to their web content.

You will have to excuse my Apache module ignorance here - I may not be reading these right - but I hope this is the sort of info you would be looking for:
"A cmd_parms structure is the first argument passed to all directive handlers"
"char* path"
"If the handler is being called to process a directive located in an access control file, 'path' will contain the path to the directory containing the .htaccess file"

From pages 581-582 of
http://books.google.com.au/books?id=5jAuQBe2EsMC&pg=PA448&lpg=PA448&dq=writing+apache+module+current+directory&source=bl&ots=6ZFjq9Np0j&sig=COI3gcZbCJi6jkBONnvesdyCCyM&hl=en&sa=X&ei=iCNDT5qpFtCViAef17jvBA&ved=0CEYQ6AEwBA#v=onepage&q=htaccess&f=false

Cheers
Aaron



Cantor, Scott

Feb 21, 2012, 9:41:22 AM
to Shib Users
> Unfortunately for me - I don't think I could sell going relatively from
> /etc/shibboleth to ../../var/www/html/vhost/etc/etc as a better option to
> the end users. :)

I'm not trying to sell it, I don't even use static access control. That code is buried entirely inside the system, all relative path handling is done that way automatically, I couldn't stop it if I wanted to, other than producing absolute paths as input.

> You will have to excuse my Apache module ignorance here - I may not be
> reading these right - but I hope this is the sort of info you would be looking
> for:

Sounds plausible. Did you file a request?

Aaron Roots

Feb 21, 2012, 10:03:05 PM
to Shib Users
On 22/02/12 1:41 AM, "Cantor, Scott" <cant...@osu.edu> wrote:

>> Unfortunately for me - I don't think I could sell going relatively from
>> /etc/shibboleth to ../../var/www/html/vhost/etc/etc as a better option to
>> the end users. :)
>
>I'm not trying to sell it, I don't even use static access control. That
>code is buried entirely inside the system, all relative path handling is
>done that way automatically, I couldn't stop it if I wanted to, other
>than producing absolute paths as input.

Firstly sorry if I offended any - it was just an idea I found amusing and
thought it would keep things light.


>
>> You will have to excuse my Apache module ignorance here - I may not be
>> reading these right - but I hope this is the sort of info you would be
>> looking for:
>
>Sounds plausible. Did you file a request?

Yep - I have filed a request now -
https://issues.shibboleth.net/jira/browse/SSPCPP-425


Many thanks
Aaron

Cantor, Scott

Feb 21, 2012, 10:46:11 PM
to us...@shibboleth.net
On 2/21/12 10:03 PM, "Aaron Roots" <aaron...@deakin.edu.au> wrote:
>
>Firstly sorry if I offended any - it was just an idea I found amusing and
>thought it would keep things light.

I'm not offended, I was just trying to explain that the path base location
isn't designed to meet the requirements of this feature, it's baked into
the support for loading any configuration file in the system, most of
which are not part of Apache.

Also, I noted that Apache commands that load files, such as group lists or
other access control information, are loaded relative to the ServerRoot,
not the htaccess file. I don't think the API is designed to permit loading
things from the document tree.

>Yep - I have filed a request now -
>https://issues.shibboleth.net/jira/browse/SSPCPP-425

As I noted there, I don't think there's a modern API to do what you're
asking for. I'm going to run a quick test, but at best it's probably going
to be inconsistent and likely a bit dangerous to use.

Note that the main feature supported by the XML syntax is, I think, part
of Apache 2.4 now. They support AND/OR containers for Require rules.

Aaron Roots

Feb 22, 2012, 12:48:20 AM
to Shib Users
Scott Cantor resolved SSPCPP-425.
Resolution: Fixed
Fix Version/s: 2.5


Awesome turn around time - thank you greatly.


Cheers
Aaron
