From 5e9e86b9ca490421ccda55991c9176c94144eff4 Mon Sep 17 00:00:00 2001
From: Scott Cantor <cantor.2@osu.edu>
Date: Mon, 17 Jun 2013 19:40:37 +0000
Subject: [PATCH] Restrict pre-2.4 use of new require rules

---
 apache/mod_shib.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/apache/mod_shib.cpp b/apache/mod_shib.cpp
index 41b4d8f..fe7d038 100644
--- a/apache/mod_shib.cpp
+++ b/apache/mod_shib.cpp
@@ -1291,13 +1291,20 @@ AccessControl::aclresult_t htAccessControl::authorized(const SPRequest& request,
                 status = true;
             }
         }
-        else if ((!strcmp(w,"valid-user") || !strcmp(w,"shib-session")) && session) {
-            request.log(SPRequest::SPDebug, "htaccess: accepting shib-session/valid-user based on active session");
+        else if (!strcmp(w,"valid-user") && session) {
+            request.log(SPRequest::SPDebug, "htaccess: accepting valid-user based on active session");
+            status = true;
+        }
+        else if (sta->m_dc->bCompatWith24 == 1 && !strcmp(w,"shib-session") && session) {
+            request.log(SPRequest::SPDebug, "htaccess: accepting shib-session based on active session");
             status = true;
         }
         else if (!strcmp(w,"user") && !remote_user.empty()) {
             status = (doUser(*sta, t) == shib_acl_true);
         }
+        else if (sta->m_dc->bCompatWith24 == 1 && !strcmp(w,"shib-user") && !remote_user.empty()) {
+            status = (doUser(*sta, t) == shib_acl_true);
+        }
         else if (!strcmp(w,"group")  && !remote_user.empty()) {
             status = (doGroup(*sta, t) == shib_acl_true);
         }
-- 
2.1.4