httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] .htaccess: How to "cut only the middle branch" from a directory tree?
Date Mon, 27 Feb 2006 07:57:40 GMT
> -----Original Message-----
> From: Apache.20.TEN@spamgourmet.com 
> [mailto:Apache.20.TEN@spamgourmet.com] 
> Sent: Saturday, 25 February 2006 01:59
> To: users@httpd.apache.org
> Subject: [users@httpd] .htaccess: How to "cut only the middle 
> branch" from a directory tree?
> 
> One bewildering observation on a low-traffic, co-hosted 
> account (hence no logs,
> & unusual first lines required in .htaccess) by a provider 
> using Apache 1.3.29:
> 
> Some directories didn't seem to get the password protection 
> they deserve.
> 
> I figured out that the protection on every level in the directory
> tree can be obtained by creating this structure of 
> subdirectories below root:
> /1/2/3 - and then uploading an .htaccess with these contents 
> into each of them:

Are you trying to nest protected realms? This is not supported by the HTTP RFC, which allows
only one layer of password protection.

The first time you access a protected directory (ie, "realm"), the server sends back a 401
Unauthorized. The client prompts for a password, then re-sends the request with the username/password
attached in a header (ie, "credentials"). Any subsequent requests in the same realm are sent
with the credentials automatically attached. If you then have a deeper subdir which is also
protected, the server will send a new 401. What happens next is unpredictable and browser-dependent:
it might prompt again, or it might send the original credentials. It depends on whether
the second password layer has the same credentials as the first. It also depends on the URL
of the first request (ie, dir then subdir, or straight into subdir).

Basic Authentication is, as its name implies, "basic". It provides a simple, unencrypted emulation
of a single-layer login over HTTP. Trying to get it to do too much is the way of pain...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> PerlSetVar AuthFile /.htpasswd
> AuthType Basic
> AuthName "confidential documents"
> require valid-user
> 
> Apache requires a password on http://site.dom/1/2/3, 
> http://site.dom/1/2
> and http://site.dom/1 - however when uploading a different 
> .htaccess that
> is supposed to open up (ONLY) http://site.dom/1/2 to the 
> "middle" directory of
> /1/2, something unexpected is caused by this /1/2/.htaccess file:
> 
> PerlSetVar AuthFile /.htpasswd
> AuthType Basic
> AuthName "wide open"
> order deny,allow
> Satisfy any
> 
> Besides directory 2, its subdirectory 3 becomes accessible 
> without credentials,
> as well, although the more restrictive version of .htaccess 
> has remained in...3
> and should therefore be unaffected by any changes to 
> /1/2/.htaccess - is there
> any explanation for this, and a way around the issue? (The 
> format of .htaccess
> being largely restricted by the hosting provider's 
> requirements, of course...)?
> 
> If this is a "feature", how does one make sure that the 
> .htaccess placed in the
> "sub-sub-subdirectory" /1/2/3 is observed, so 3 will not be 
> affected by changes
> to the .htaccess for its parent directory, i.e. remain 
> protected just like /1 ?
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
This e-mail is of a private and personal nature. It is not related to the exchange or business
activities of the SWX Group.
 
 
This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. No confidentiality or privilege is waived or lost by any
mistransmission. If you receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your system. Please also immediately
destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose,
distribute, print, or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail communications through their
networks. Any views expressed in this message are those of the individual sender, except where
the message states otherwise and the sender is authorised to state them to be the views of
the sender's company.
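The following is an added configuration example and is not part of either message above. It shows one .htaccess layout for the /1, /1/2 and /1/2/3 tree described in the original post, under one assumption about Apache's per-directory merging: the Satisfy directive, like the other AuthConfig directives, is inherited by deeper directories until a deeper .htaccess overrides it. On that reading, /1/2/.htaccess switched the tree to "Satisfy any", /1/2/3/.htaccess never switched it back, and since "order deny,allow" with no deny rules admits every client, the require line in /1/2/3 was never reached. The provider-specific PerlSetVar line is kept exactly as the poster gave it; "allow from all" is added for explicitness, and the same AuthName is used throughout so that the browser keeps resending the credentials it already has for the realm, which is the behaviour the reply says you cannot rely on when realm names differ.

```apache
# /1/.htaccess -- protected, as in the original post
PerlSetVar AuthFile /.htpasswd
AuthType Basic
AuthName "confidential documents"
require valid-user

# /1/2/.htaccess -- open: the host-based check passes for every client,
# and "Satisfy any" means passing it is enough (no password needed)
PerlSetVar AuthFile /.htpasswd
AuthType Basic
AuthName "confidential documents"
order deny,allow
allow from all
Satisfy any

# /1/2/3/.htaccess -- protected again. "Satisfy all" is the part the
# original /1/2/3 file was missing: without it the "Satisfy any" from
# /1/2 is inherited and the require line below is never enforced.
PerlSetVar AuthFile /.htpasswd
AuthType Basic
AuthName "confidential documents"
require valid-user
Satisfy all
```

This only works where the provider's AllowOverride permits both AuthConfig and Limit for these directories; the original post implies it does, since the order and Satisfy lines were already being honoured. The quick check is the one the poster already did: request /1/2/3 in a fresh browser session and confirm the 401 comes back, then confirm /1/2 still loads without a prompt.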
