+extern "C" authz_status shib_user_check_authz(request_rec* r, const char* require_line, const void*)
+{
+ // Shouldn't have actually ever hooked this, and now we're in conflict with mod_authz_user over the meaning.
+ // For now, added a command to restore "normal" semantics for user rules so that combined deployments can
+ // use user for non-Shibboleth cases and shib-user for the Shibboleth semantic.
+
+ // In future, we may want to expose the AuthType set to honor down at this level so we can differentiate
+ // based on AuthType. Unfortunately we allow overriding the AuthType to honor and we don't have access to
+ // that setting from the ServiceProvider class..
+
+ shib_server_config* sc = (shib_server_config*)ap_get_module_config(r->server->module_config, &mod_shib);
+ if (sc->bCompatValidUser != 1) {
+ return shib_ext_user_check_authz(r, require_line, nullptr);
+ }
+
+ // Reproduce mod_authz_user version...
+
+ if (!r->user) {
+ return AUTHZ_DENIED_NO_USER;
+ }
+
+ const char* t = require_line;
+ const char *w;
+ while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+ if (!strcmp(r->user, w)) {
+ return AUTHZ_GRANTED;
+ }
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01663)
+ "access to %s failed, reason: user '%s' does not meet "
+ "'require'ments for user to be allowed access",
+ r->uri, r->user);
+
+ return AUTHZ_DENIED;
+}
+