httpd-dev mailing list archives

From (
Subject Re: PR2145: win32 bypass auth for specific files
Date Mon, 13 Jul 1998 22:01:09 GMT
My testing is with W95 C on FAT16 with Apache 1.3.0, no patches. This is a bit

Brian Behlendorf wrote:

> At 07:33 PM 7/10/98 -0600, you wrote:
> >On Fri, 10 Jul 1998, Brian Behlendorf wrote:
> >
> >


> Oh shit, I just realized something.  I didn't enable "AllowOverride All" in
> access.conf.  Yet, the presence of an htaccess.txt file (which I had set
> AccessFileName to) in the directory DID prevent the directory from being
> served, instead being forbidden.  So to recap:

No.  I don't think that the htaccess.txt file is having any effect here at all. If
you do not have an index.html file in a directory, you will always
get /localhost/directoryname/ is Forbidden. (I have not looked at what your
AutoIndexing does, so leave that discussion aside for now.)
I get the /directoryname/ is Forbidden under most circumstances, even when it's
protected with Basic Authentication & I give it the right password.  If there's no
index.html, then the directoryname is forbidden.

I will summarize my test results for this at the end.

> <Directory "C:/Program Files/Apache Group/Apache/htdocs">
> AllowOverride None
> </Directory>
> AccessFileName htaccess.txt
> DocumentRoot "C:/Program Files/Apache Group/Apache/htdocs"
> meant that when an htaccess.txt file with "deny from all" was put in
> htdocs/manual, then a request for "http://localhost/manual/" was met with a
> 403 Forbidden, whereas a request for
> "http://localhost/manual/index.html" worked fine.

Did you really do this with index.html, or are you just using this name as a
placeholder, because this is not what I'm seeing.

If I do AllowOverride None, as you did,  & put the htaccess.txt file where you do,
with deny from all, I get
localhost/manual/ Forbidden
localhost/manual/mydoc.html  comes in OK.

If I put an index.html into the manual directory, then I get
localhost/manual/  comes in OK and displays the index.html file I just put there.

> When AllowOverride Limit (or All, etc) was specified, it correctly denied
> permission.  This is specific to Win95 - I can't recreate it on WinNT.
> Do you see this, Marc?
>  Brian
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> pure chewing satisfaction                  

I've tested a number of scenarios to do with auth.  Here's what I've found.

Scenario 1:    In access.conf, I started with
<Directory "e:/Apache/htdocs/basic">
AuthName basic_realm
AuthType Basic
AuthUserFile e:/apache/basic.txt
require user joe
</Directory>

A) localhost/basic/  requests a password & gives me the Forbidden message (there
is no index.html file) even though I type the correct password.

B) localhost/basic/basic.html prompts me for password if this is a new browser
session (Netscape 4.04).  Serves up basic.html correctly iff I supply the right

C) localhost/basic/testauth/ requests a password if this is new browser session &
then gives Forbidden.  No index.html exists.  The directory does exist.  The
password is correct.

D) localhost/basic/testauth/dso.html requests a password if this is a new browser
session & then serves up dso.html correctly if password is OK.

Scenario 2:
I changed access.conf to contain
AccessFileName htaccess.txt
<Directory "e:/Apache/htdocs/basic">
#comment out the AuthName etc & see if it runs the same way in an htaccess file.
AllowOverride All
#AuthName basic_realm
#AuthType Basic
#AuthUserFile e:/apache/basic.txt
#require user joe
</Directory>

and I had the htaccess.txt file in the <DocumentRoot>/basic/ directory, with the
AuthName basic_realm
AuthType Basic
AuthUserFile e:/apache/basic.txt
require user joe

Doing the same 4 requests as in Scenario 1, I get the same results.  Access
checking everywhere, with directory names forbidden and files correctly displayed.

Scenario 3:
I follow Brian's suggestion and get rid of the Basic Authentication stuff.  I use
my htaccess.txt file with

deny from all

I do the 4 requests as in Scenario 1 and I get no prompts for passwords (good) and
Forbidden for directories and filenames.

Scenario 4:
I follow the error discussed above and change my access.conf to have
AllowOverride None

Still using the htaccess.txt with deny from all.

I do the 4 tests as in Scenario 1 and get access to files and Forbidden for
(I'm sure you're sick of all this by now, as am I)

Scenario 5:
I delete the htaccess.txt file to follow up on the message that says that the
presence of the htaccess file causes the directory to be forbidden, even though we
have AllowOverride None.

I do the tests and of course get access to files and Forbidden for directories.

These results cause me to question the conclusion that the presence of the
htaccess file did something. :-)

Scenario 6:
Put back htaccess.txt with deny from all.  Have the old error AllowOverride None in
access.conf. Try adding index.html to the /basic/ directory.

Requesting /localhost/basic/ now displays the index.html.

Very simple & straight-forward.


Why does Apache tell me a directory is Forbidden, even if I give it the proper
authorization?  Will this change if I activate something to auto generate the
directory listing?  It's pretty disconcerting because when we first started
testing Basic Authentication, we made the mistake of trying to access the
directory name, rather than a file inside the directory.  We kept getting
forbidden, and jumped to the wild conclusion that the Authentication wasn't
working. Now we know better, but it was a bit nasty there for a while. :-)

Thanks for your patience if you're still reading this!
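
An audit for the configuration mistake discussed in this thread, as an added example that is not part of the original message or of Apache itself: it lists access files that contain access-control directives but sit under a <Directory> with AllowOverride None, where the server never reads them. The function names, the simplified config parsing and the sample tree are assumptions of the example.

```python
import os, re, tempfile

ACCESS_CONTROL = re.compile(r"^\s*(deny|allow|order|require|auth\w+)\b", re.I)

def norm(p):
    return os.path.normcase(os.path.normpath(p))

def parse_conf(conf_text):
    """Return (AccessFileName, {directory: AllowOverride value}) from config text."""
    name, overrides, current = ".htaccess", {}, None
    for line in (l.strip() for l in conf_text.splitlines()):
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            current = norm(m.group(1).strip())
        elif line.lower().startswith("</directory"):
            current = None
        elif line.lower().startswith("accessfilename "):
            name = line.split(None, 1)[1]
        elif line.lower().startswith("allowoverride ") and current:
            overrides[current] = line.split(None, 1)[1]  # "#..." lines never match
    return name, overrides

def effective_override(path, overrides):
    """Longest enclosing <Directory> wins; Apache 1.3 defaults to All."""
    best, value = -1, "All"
    for d, v in overrides.items():
        if (path == d or path.startswith(d + os.sep)) and len(d) > best:
            best, value = len(d), v
    return value

def ignored_access_files(conf_text, docroot):
    """List access files whose access-control lines AllowOverride None disables."""
    name, overrides = parse_conf(conf_text)
    hits = []
    for dirpath, _, files in os.walk(docroot):
        if name in files and effective_override(norm(dirpath), overrides).lower() == "none":
            with open(os.path.join(dirpath, name)) as fh:
                if any(ACCESS_CONTROL.match(l) for l in fh):
                    hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(hits)

def demo():
    """Constructed tree: basic/ is under AllowOverride None, open/ is not."""
    root = tempfile.mkdtemp()
    for sub in ("basic", "open"):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "htaccess.txt"), "w") as fh:
            fh.write("deny from all\n")
    conf = 'AccessFileName htaccess.txt\n<Directory "%s/basic">\nAllowOverride None\n</Directory>\n' % root
    return ignored_access_files(conf, root)
```

Any path it reports is a file whose "deny from all" or Basic Authentication lines give no protection until AllowOverride is changed or the directives are moved into the <Directory> block.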
