httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Luis Moreira <luis.more...@esinnovation.pt>
Subject Re: [users@httpd] Access to directories
Date Mon, 16 Feb 2004 12:04:29 GMT
Forgot to say that this is an Intranet server, not visible to the outside
world.
Sorry...

>     Accessing http://moreiranet/ROLLOUT_BESNET/INSTALADOR/ I
> am asked for
> username/password.

Ok - good. This is what I would expect.

** Me too. Thank God we agree on something

>     However, if I go to http://moreiranet/ROLLOUT_BESNET I get the
> corresponding index

This is what I would expect also. Do you not expect this? Why not?

** Because I have a "directory" directive to the sub-dir "instalador", not
the parent.

If you allow access to a directory, have "Options Indexes" and no
DirectoryIndex file then you will get a listing. What's the surprise?

** The surprise is that I thought the directive applied to the directory,
and all others were denied access to.

No. Access via password is enforced by the "Require" directive. In
directories which do not authentication, you get free access.

** This is precisely what I don't want.
** I want people to enter username/password to view when required (require
user), and get a listing when specified (options indexes)
** All others should be denied to view the listing.
** Maybe I got something very wrong in the very beginning of things

Thank you for being so helpful.
Really.
On my day-to-day, I find it very important "to be there when people need
me", and not to assume that people get born knowing everything.

I have no problem in sending you directly my httpd.conf, if you think you
can get more out of it.

Luis

----- Original Message -----
From: "Boyle Owen" <Owen.Boyle@swx.com>
To: <users@httpd.apache.org>
Sent: Monday, February 16, 2004 11:29 AM
Subject: RE: [users@httpd] Access to directories


Thanks for switching to plain-text - now I can quote:

> -----Original Message-----
> From: Luis Moreira [mailto:luis.moreira@esinnovation.pt]
> Sent: Montag, 16. Februar 2004 11:54
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Access to directories
>
>
> Hi
>
>     There isn't much difference between the "real" URLs and
> what I wrote,
> actually.

Except that my browser can't navigate to http://myweb/dir1... If it
could, I would see what you see and maybe be able to help you more.

>     I know that we are talking about Microsoft, but I was expecting a
> behaviour like on UNIX, where you can be denied of
> "navegating upwards" on a
> tree structure.
>     Anyway, think of it this way :
>
>     What you say is true, about the Basic Auth part.
>     I have lots of  "directory" directives, to set up
> different users to
> access different directories.
>     That works.
>
>     Examples :
>
>     To give access to a software instalations database I have
> this (d:/myweb
> is my root folder) :
>         <Directory d:/myweb/rollout_besnet/instalador>
>          Options Indexes
>               Order allow,deny
>               Allow from all
>          AuthType Basic
>          AuthName "Acesso restrito"
>          AuthUserFile "d:/program files/Apache Group/Apache/bin/pwd"
>          Require user nie com
>         </Directory>
>     Accessing http://moreiranet/ROLLOUT_BESNET/INSTALADOR/ I
> am asked for
> username/password.

Ok - good. This is what I would expect.

>     However, if I go to http://moreiranet/ROLLOUT_BESNET I get the
> corresponding index

This is what I would expect also. Do you not expect this? Why not?

If you allow access to a directory, have "Options Indexes" and no
DirectoryIndex file then you will get a listing. What's the surprise?

>
>     To access a public downloading area, I have simply this
> (downloads is a
> DIR under the root folder)
>         <Directory /downloads/publico>
>          Options Indexes
>         </Directory>
>     However, if I access http://moreiranet/downloads I get
> its index too

Fine. You must have "Options Indexes" or equivalent set at the Docroot
level. This is expected behaviour.

>
>     I don't have any  <Directory /downloads/cisco> directive.
>     However, if I type http://moreiranet/cisco, bingo! There
> I get its index
> also.

Ditto.

>
>     And so on, and so on.
>
>     Apparently, what happens is :
>
>     IF directory-directive exists,
>         Access works as intended with username/password
>     ELSE
>         Access is granted, no questions asked

No. Access via password is enforced by the "Require" directive. In
directories which do not authentication, you get free access.

I still don't really understand what the problem is. Do you not expect
to get a directory listing? Do you not expect to get access at all? Do
you want to have only password access?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

>
>     It looks like some sort of "default behaviour", where
> access is granted
> to all directories if no name is found
>
> Luis
>
> ----- Original Message -----
> From: "Boyle Owen" <Owen.Boyle@swx.com>
> To: <users@httpd.apache.org>
> Sent: Monday, February 16, 2004 10:13 AM
> Subject: RE: [users@httpd] Access to directories
>
>
> Plain text please..
>
> I assume by "Directory" directives you mean Basic Authentication
> directives like AuthUserFile and Require valid-user etc.
>
> These directives apply to the directory defined in the encompassing
> <Directory> tag. I guess that this works... Obviously you can
> access the
> parent directory because that is above the protected
> directory. You will
> also be able to access any parallel directories if they use the same
> AuthUserFile.
>
> Reading your post, I am not really sure what you think the
> problem is -
> can you try to be more specific? Give clear examples. Even
> better, give
> the real URLs so we can see what you think is wrong.
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>
>
> -----Original Message-----
> From: Luis Moreira [mailto:luis.moreira@esinnovation.pt]
> Sent: Montag, 16. Februar 2004 11:00
> To: users@httpd.apache.org
> Subject: [users@httpd] Access to directories
>
>
> I thought I had this properly done, but as it turns out, I don't...
>
> Using Apache 1.3.23, I have a set of directories that people
> can access
> to.
> For that purpose, I have a set of "Directory" directives, to allow
> different users to access different directories.
>
> Noticing that, after accessing one of these directories with the
> appropriate username/password, I was able to access its "parent
> directory", and after that one a second directory at the same lever as
> the first one, I tried to go to other directories, typing
> http://myweb/dir1 and http://myweb/dir2 where DIR1 and DIR2
> do not match
> any "directory" directives, and I get and index view of all of them,
> worst of all without being asked for username.
>
> Since I did read the docs, but did a poor job of  it, is
> there a simple
> explanation for this ?
> What did I miss ?
>
> Thanks
> Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
> keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This
> e-mail is of a private and personal nature. It is not related to the
> exchange or business activities of the SWX Group. Le présent
> e-mail est
> un message privé et personnel, sans rapport avec l'activité
> boursière du
> Groupe SWX.
>
> This message is for the named person's use only. It may contain
> confidential, proprietary or legally privileged information. No
> confidentiality or privilege is waived or lost by any mistransmission.
> If you receive this message in error, please notify the
> sender urgently
> and then immediately delete the message and any copies of it from your
> system. Please also immediately destroy any hardcopies of the message.
> You must not, directly or indirectly, use, disclose,
> distribute, print,
> or copy any part of this message if you are not the intended
> recipient.
> The sender’s company reserves the right to monitor all e-mail
> communications through their networks. Any views expressed in this
> message are those of the individual sender, except where the message
> states otherwise and the sender is authorised to state them to be the
> views of the sender’s company.
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This
e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group. Le présent e-mail est
un message privé et personnel, sans rapport avec l'activité boursière du
Groupe SWX.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender’s company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender’s company.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message