
We currently have a shibboleth implementation that protects a certain path. However, because this path is actually an HTTP request (made with an AngularJS app using $http), shibboleth will try to "redirect" this request to the Identity Provider, but the browser simply interprets this as a dead request. It gets returned to AngularJS with status=-1 and no associated headers/data.

I would like to intercept this 302 and instead return a 401, and preferably be able to edit the response headers. Are there any ways to do this using Apache or Shibboleth?

Relevant blocks:

# Proxy all requests to WebLogic
<Location "/api">
    SetHandler weblogic-handler
    WLSRequest On
    WebLogicHost services.endpoint.com
    WebLogicPort 9002
</Location>

# For requests marked as protected, apply shibboleth
# If this block gets triggered, Shibboleth attempts redirect
# which does not work with our architecture
<Location "/api/protected">
    AuthType Shibboleth
    ShibRequireSession On
    ShibApplicationId default
    ShibExportAssertion On
    Require Shibboleth
</Location>

How it's used in AngularJS:

//API call to unprotected endpoint
$http.get('http://hosted.on.apache.com/api/getData');

//API call to protected endpoint - Shibboleth triggered
$http.get('http://hosted.on.apache.com/api/protected/getSecureData');
  • Seems like you are trying to authenticate a `login page` with an `api` and you are trying to `hack a solution` to make them `speak` together. I guess the best solution is to allow `login` via `api` like `REST` instead of this existing scheme. I am not familiar with `shibboleth`. But you may have better luck with `Apache reverse proxy` in order to do this kind of hack – oak Jul 12 '16 at 22:38
  • In order to `hack it` you may check http://stackoverflow.com/a/21074783/1211174. But it is better to check if `shibboleth` has an authentication-based `api` instead – oak Jul 12 '16 at 23:00
  • Do you like to intercept just this 302 or all? – tuergeist Jul 13 '16 at 11:15
  • The shibboleth wiki has an example for enabling AJAX requests for protected resources, but it has been flagged as "off in some way" a year ago, please see https://wiki.shibboleth.net/confluence/display/IDP30/Cross-origin+AJAX+requests+for+Shib-protected+resources – LHSnow Feb 03 '20 at 11:44
  • Related question: https://stackoverflow.com/questions/32979785/shibboleth-sso-cors-error – LHSnow Feb 03 '20 at 12:35

3 Answers


I'm not familiar with Shibboleth, but as people have pointed out in the comments this can easily be accomplished with a reverse proxy.

See the solutions suggested in this answer as a reference:

Apache - Reverse Proxy and HTTP 302 status message

  • I'm looking to bubble up a usable HTTP code to the UI, not handle the request itself (which would result in similar issues listed in the OP) – jlewkovich Jul 23 '16 at 18:24

It seems like this is not possible to do, as the 302 redirect sent by Shibboleth is simply forwarded to the caller by Apache (as it is not an error).

Instead of battling the redirects, have a single endpoint protected by Shibboleth. If successful, this endpoint sets two cookies:

  1. A secure, http-only session cookie that is used as a login token by every other endpoint.
  2. A secure timeout cookie that tells the frontend when the session runs out, to be able to communicate to the user that their session is about to end, and to stop any ajax-calls when the session has ended.

If there is still a valid shibboleth session when /login is called again, the session cookies will be reissued.

In Apache:

<Location /login>
    # Let Shibboleth handle the creation of a valid session
    AuthType shibboleth
    ShibRequireSession On
    ShibUseHeaders On
    require valid-user

    # set session cookie
    # set timeout cookie
</Location>
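The browser half of the design above, written as an added example rather than code from the answer: an AngularJS-style `$http` interceptor that reads the timeout cookie, stops API calls once the session has ended, and sends the browser itself to `/login` when a call comes back with the dead-request status `-1` (or an explicit 401). The cookie name `session_expires`, its Unix-seconds format, the `/login` path and the injected helpers are all assumptions.

```javascript
// Added example (not from the answer): browser half of the "one protected
// /login endpoint + timeout cookie" design. Assumed: cookie "session_expires"
// holds a Unix timestamp in seconds, and the login endpoint is "/login".
const TIMEOUT_COOKIE = 'session_expires';
const LOGIN_PATH = '/login';
const WARN_BEFORE_SEC = 60; // warn the user a minute before the session ends
// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.split('=');
    if (name.trim()) out[name.trim()] = decodeURIComponent(rest.join('=').trim());
  }
  return out;
}
// Seconds left per the timeout cookie, or null if absent/malformed. The session
// cookie is HttpOnly, so this cookie is the frontend's only view of the session.
function secondsRemaining(cookieString, nowSec) {
  const raw = parseCookies(cookieString)[TIMEOUT_COOKIE];
  return raw !== undefined && /^\d+$/.test(raw) ? Number(raw) - nowSec : null;
}
// An XHR cannot follow the IdP redirect, so the browser itself must visit
// /login with a full page load and then come back to where it was.
function loginUrl(returnPath) {
  return LOGIN_PATH + '?return=' + encodeURIComponent(returnPath);
}
// AngularJS-style $http interceptor. Dependencies are injected so it runs outside
// a browser: getCookies() -> document.cookie, now() -> seconds, currentPath(),
// navigate(url) -> full page load, warn(sec), reject(x) -> $q.reject (aborts).
function createSessionInterceptor(deps) {
  const goToLogin = () => deps.navigate(loginUrl(deps.currentPath()));
  return {
    request(config) {
      const left = secondsRemaining(deps.getCookies(), deps.now());
      if (left !== null && left <= 0) {
        goToLogin();
        return deps.reject({ status: 0, sessionExpired: true });
      }
      if (left !== null && left <= WARN_BEFORE_SEC) deps.warn(left);
      return config;
    },
    // $http reports the unfollowable redirect as status -1 (or 0) and no headers;
    // treat that like an explicit 401 and send the browser to /login.
    responseError(rejection) {
      if (rejection.status <= 0 || rejection.status === 401) goToLogin();
      return deps.reject(rejection);
    },
  };
}
```

In the app, register it with `$httpProvider.interceptors.push(...)`, passing `$q.reject`, `document.cookie`, and `window.location` through the `deps` object.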

Well I think redirecting a 302 to a 404 is not necessary. Try adding to your /api/protected area the following.

ShibRequestSetting requireSession 1

As per the documentation here, this is what a typical protected path looks like: https://docs.shib.ncsu.edu/docs/testing/index.html

<Location /api/protected>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  require shib-session
</Location>
  • Can you elaborate how this fixed the problem? The problem is that Angular is not seeing the 302 returned when the session is not valid. Therefore it would help returning a 401 instead. Is this directive going to change that response code? – Silver Oct 18 '19 at 03:39