Return-Path: Delivered-To: apmail-httpd-bugs-archive@httpd.apache.org Received: (qmail 31884 invoked by uid 500); 2 Oct 2002 19:39:31 -0000 Mailing-List: contact bugs-help@httpd.apache.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Reply-To: "Apache HTTPD Bugs Notification List" Delivered-To: mailing list bugs@httpd.apache.org Received: (qmail 31868 invoked from network); 2 Oct 2002 19:39:30 -0000 Date: 2 Oct 2002 19:40:17 -0000 Message-ID: <20021002194017.1180.qmail@nagoya.betaversion.org> From: bugzilla@apache.org To: bugs@httpd.apache.org Cc: Subject: DO NOT REPLY [Bug 13218] New: - LimitExcept Breaks Authentication X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13218 LimitExcept Breaks Authentication Summary: LimitExcept Breaks Authentication Product: Apache httpd-2.0 Version: HEAD Platform: Other OS/Version: Windows XP Status: NEW Severity: Major Priority: Other Component: Other Modules AssignedTo: bugs@httpd.apache.org ReportedBy: jerrybaker@attbi.com If you have a LimitExcept directive controlling access to a directory, and set up basic authentication for that directory, the authentication fails. Apache just lets you in without requiring authentication. Example: Require user bob ... AuthType Basic AuthUserFile "D:/Web/htpasswd" AuthName "Protected Area" Require valid-user With this config, pointing your browser to /secret just lets you right in with no prompt for password or anything. Removing the LimitExcept directive causes the authentication to work as expected. --------------------------------------------------------------------- To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org For additional commands, e-mail: bugs-help@httpd.apache.org