httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 13218] New: - LimitExcept Breaks Authentication
Date Wed, 02 Oct 2002 19:40:17 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13218>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13218

LimitExcept Breaks Authentication

           Summary: LimitExcept Breaks Authentication
           Product: Apache httpd-2.0
           Version: HEAD
          Platform: Other
        OS/Version: Windows XP
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Other Modules
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jerrybaker@attbi.com


If you have a LimitExcept directive controlling access to a directory, and set
up basic authentication for that directory, the authentication fails. Apache
just lets you in without requiring authentication.

Example:
<Location />
<LimitExcept GET HEAD POST>
   Require user bob
</LimitExcept>
</Location>
...
<Alias /secret "D:/Web/www/protected">
<Directory "D:/Web/www/protected">
AuthType Basic
AuthUserFile "D:/Web/htpasswd"
AuthName "Protected Area"
Require valid-user
</Directory>

With this config, pointing your browser to /secret just lets you right in with
no prompt for password or anything.

Removing the LimitExcept directive causes the authentication to work as expected.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message