I need some help with Apache configuration when using multiple require directives (condition: any). What I would like to achieve is SSO when using Apache with Xampp on Windows (any version) through SSPI module. However I need a fallback mechanism that would allow ANY user to also visit the page but I would then provide alternate means of authentication.
At the moment I have SSO through SSPI functioning with the proper configuration and "require valid-user" directive. When I try to permit any other user that is not capable of authenticating through SSO to also access the page the problem is that Apache always seems to use the less complicated method of authentication (or none). So when I use configuration such as the following:
<RequireAny>
require valid-user
require all granted
</RequireAny>
In the case above all users will just automatically be granted access without any authentication. The same goes if I replace "require all granted" with:
require expr ${HTTP_COOKIE} -strmatch "*ALLOWED*"
having previously set a proper cookie in a custom 401 page.
To summarize, I'd like to always authenticate users first through SSO and if this doesn't work, then all users should be granted access. The reason for this is that I need REMOTE_USER key in $_SERVER variable if such authentication can be performed (user exists in AD).