It is the resource administrator's responsibility to configure the correct access rules for a protected resource. A resource either can be protected with acces rules defined in the web server configuration or by the application itself by checking certain Shibboleth attributes.
When using web server access rules, you can use so-called '.htaccess' files in directories to overwrite the web server static configuration settings. The rules defined in that file are dynamic, which means that they can be changed without restarting the web server.
Once your resource is ready for use, you have to configure access rules which properly protect your resource.
Access Rule Examples
For first testing purposes it is OK to start with the most simple access
rule that grants access to any user with a valid AAI login:
AuthType shibboleth ShibRequireSession On require valid-user
Please see the page "Shibboleth Service Provider Access Control" for other examples.