--- loncom/lontrans.pm	2021/04/18 02:08:46	1.30
+++ loncom/lontrans.pm	2021/10/08 14:36:51	1.36
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # URL translation for User Files
 #
-# $Id: lontrans.pm,v 1.30 2021/04/18 02:08:46 raeburn Exp $
+# $Id: lontrans.pm,v 1.36 2021/10/08 14:36:51 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -67,37 +67,55 @@ sub handler {
             my ($redirect,$remote_ip);
             if ($hdrhost eq $alias) {
                 $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP);
-                if ($vpnext && &Apache::lonnet::ip_match($remote_ip,$vpnext)) {
+                if (($vpnext && &Apache::lonnet::ip_match($remote_ip,$vpnext)) &&
+                    ($r->uri !~ m{^/adm/(lti|launch)/})) {
                     $redirect = $hostname;
-                    if ($redirect eq $hdrhost) {
+                }
+                if ($r->uri eq '/adm/sso') {
+                    if (&Apache::lonnet::alias_shibboleth($lonhost)) {
                         undef($redirect);
+                    } else {
+                        $redirect = $hostname;
                     }
                 }
+                if ($redirect eq $hdrhost) {
+                    undef($redirect);
+                }
             } elsif ($hdrhost eq $hostname) {
                 $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP,1);
                 unless (($remote_ip eq '127.0.0.1') || ($remote_ip eq '::1') ||
                         ($remote_ip eq &Apache::lonnet::get_host_ip($lonhost)) ||
+                        ($r->uri=~m{^/adm/(lti|launch)/}) ||
                         ($vpnint && &Apache::lonnet::ip_match($remote_ip,$vpnint))) {
                     $redirect = $alias;
-                    if ($r->uri=~m{^/raw/}){
+                    if (($r->uri=~m{^/raw/}) || ($r->uri=~m{^/adm/dns/})) {
                         my %iphost = &Apache::lonnet::get_iphost();
                         if (exists($iphost{$remote_ip})) {
                             undef($redirect);
                         }
+                    } elsif ($r->uri eq '/adm/sso') {
+                        unless (&Apache::lonnet::alias_shibboleth($lonhost)) {
+                            undef($redirect);
+                        }
                     }
                 }
             }
             if ($redirect) {
                 my $uri = $r->uri;
+                if (($uri eq '/adm/switchserver') || ($uri =~ m{^/Shibboleth.sso/})) {
+                    return DECLINED;
+                }
                 unless ($uri eq '/adm/migrateuser') {
                     my %user;
                     my $handle = &Apache::lonnet::check_for_valid_session($r,undef,\%user);
                     if (($handle) && ($user{'name'} ne '') && ($user{'domain'} ne '')) {
-                        my $token = &get_token($r,$remote_ip,\%user);
-                        unless ($token eq '') {
-                            $r->internal_redirect("/adm/migrateuser?token=$token");
-                            $r->set_handlers('PerlHandler'=> undef);
-                            return DECLINED;
+                        unless (($user{'name'} eq 'public') && ($user{'domain'} eq 'public')) {
+                            my $token = &get_token($r,$remote_ip,\%user);
+                            unless ($token eq '') {
+                                $r->internal_redirect("/adm/migrateuser?token=$token");
+                                $r->set_handlers('PerlHandler'=> undef);
+                                return DECLINED;
+                            }
                         }
                     }
                 }
@@ -107,6 +125,9 @@ sub handler {
                     $protocol = 'https';
                 }
                 my $querystring = $r->args;
+                if ($uri =~ m{^(/adm/css/)(.+)(.css)$}) {
+                    $uri = $1.&escape($2).$3;
+                }
                 my $location = $protocol.'://'.$redirect.$uri;
                 if ($querystring) {
                     $location .= "?$querystring";