httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Graham Leggett" <>
Subject Some authorisation clarification
Date Wed, 29 Nov 2006 08:46:20 GMT
Hi all,

I have been trying to get a simple AAA config to work in httpd v2.0, and
the understanding that I get from reading the docs doesn't result in a
working config.

Basically I have a password protected URL space /, and a more specific
differently protected URL space /bugzilla. No matter what config I try, it
seems that the config for / always wins, and the config for /bugzilla is
always ignored.

The config looks like this:

# deny everybody to see if it's having an effect
<Location /bugzilla>
  Order allow,deny
  Deny from all
# aaa for /
<Location />
  AuthName "Username"
  AuthType Basic
  ...basic auth stuff...

Couple of things that happen:

- /bugzilla triggers the / config, and I am asked for a username and
password as per /. I expected it to say "forbidden".

- "AuthName Username" has no effect - the browser (FF) chooses a default
realm which seems to be "Authorised Access Only", instead of "Username".

- The docs for Location claim that Location directives are processed in
config file order, but it doesn't explicitly state whether the first
matched URL wins, or the last URL matched wins.

- According to the docs, both AuthType and AuthName can only appear in
Directory or .htaccess, but not Location. I cannot see any reason why
basic auth should only work for physical files on the filesystem. Either
way, using it in a Location tag does not throw any error.

Can anyone clarify how this is supposed to work, so I can update the


View raw message