+extern "C" authz_status shib_validuser_check_authz(request_rec* r, const char* require_line, const void*)
+{
+ // Shouldn't have actually ever hooked this, and now we're in conflict with mod_authz_user over the meaning.
+ // For now, added a command to restore "normal" semantics for valid-user so that combined deployments can
+ // use valid-user for non-Shibboleth cases and shib-session for the Shibboleth semantic.
+
+ // In future, we may want to expose the AuthType set to honor down at this level so we can differentiate
+ // based on AuthType. Unfortunately we allow overriding the AuthType to honor and we don't have access to
+ // that setting from the ServiceProvider class..
+
+ shib_server_config* sc = (shib_server_config*)ap_get_module_config(r->server->module_config, &mod_shib);
+ if (sc->bCompatValidUser != 1) {
+ return shib_session_check_authz(r, require_line, nullptr);
+ }
+
+ if (!r->user || !*r->user) {
+ return AUTHZ_DENIED_NO_USER;
+ }
+
+ return AUTHZ_GRANTED;
+}
+
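Review bot: The compat branch at the end of shib_validuser_check_authz grants on any non-empty `r->user` without checking for a Shibboleth session or the AuthType in effect, and the comment block above it does not say so. Because `bCompatValidUser` is read from `r->server->module_config`, the switch appears to apply to the whole server or virtual host, so every existing `Require valid-user` rule there changes meaning at once when it is enabled. I would state that next to the test, e.g. `// Compat mode: valid-user is satisfied by any non-empty r->user, whoever set it; rules that need a Shibboleth session must use shib-session.` It would also help to note why the test is `!= 1` rather than `== 0`, presumably so that an unset value keeps the Shibboleth behaviour.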