httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] Don't require authentication on a subfolder
Date Fri, 31 Jul 2009 14:10:36 GMT
Scott Brady wrote:
> 
> That worked (I had to put the "/public/" before the "/"
> and remove the trailing slash in "/public/", but it worked).
> 
Just to nitpick a bit :

The fact that you are using mod_SSPI leads me to believe you are running 
Apache on a Windows host.
In that case, you should read this document carefully :

http://httpd.apache.org/docs/2.2/mod/core.html#location

and particularly reflect on this paragraph :

<Location> sections operate completely outside the filesystem. This has 
several consequences. Most importantly, <Location> directives should 
not be used to control access to filesystem locations. Since several 
different URLs may map to the same filesystem location, such access 
controls may be circumvented.

What that means is explained more completely here :

http://httpd.apache.org/docs/2.2/sections.html

in the section "What to use When".

If that is still not entirely clear, here is a summary :
- the Windows filesystem, in terms of locating directories and 
filenames, is case-insensitive.  In other words, "/dir" and "/DIR" and 
"/Dir" all lead to the same place.
- the Apache <Location> directive applies to the URL, and IS 
case-sensitive.  In that case, "/public" and "/PUBLIC" are 2 different URLs.

So your section
<Location /public>
applies only to browser requests that come in as 
"http://yourhost/public".  It does not apply if a request comes as 
"http://yourhost/PUBLIC", although for both URLs, Apache will serve the 
content of the same disk directory.

In your specific case, it does not really matter, because your intention 
is to release the security for your "public" directory, compared to the 
rest of the site.
But don't do the same for a "secret" part of your site.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

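An added example, not part of the original message or of the Apache project: a small Python audit for the situation described above. It lists <Location> sections that carry access-control directives and shows which request paths such a section misses on a case-insensitive filesystem. Assumptions: the sample configuration and request paths are constructed, the matching is a simplified model of <Location>, and URLs are assumed to map straight onto DocumentRoot.

```python
import re

# Directives that grant or restrict access (Apache 2.2 style).
ACCESS_DIRECTIVES = {"authtype", "require", "order", "allow", "deny", "satisfy"}
SECTION_RE = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.I | re.S)

# Constructed sample configuration, not the poster's actual httpd.conf.
SAMPLE_CONF = """
<Location />
    AuthType SSPI
    Require valid-user
</Location>
<Location /public>
    Allow from all
    Satisfy Any
</Location>
<Location /server-status>
    SetHandler server-status
</Location>
"""

def location_sections(conf_text):
    """Return (path, directives) for each <Location> block that does access control."""
    found = []
    for path, body in SECTION_RE.findall(conf_text):
        lines = [l.strip() for l in body.splitlines()]
        names = {l.split()[0].lower() for l in lines if l and not l.startswith("#")}
        hits = sorted(names & ACCESS_DIRECTIVES)
        if hits:
            found.append((path, hits))
    return found

def location_applies(section_path, url_path):
    """Simplified <Location> match: case-sensitive prefix ending on a segment boundary."""
    if not url_path.startswith(section_path):
        return False
    rest = url_path[len(section_path):]
    return section_path.endswith("/") or rest == "" or rest.startswith("/")

def uncovered_variants(section_path, url_paths):
    """Paths a case-insensitive filesystem resolves into the section's directory
    (assumes URLs map straight onto DocumentRoot) but the section does not match."""
    return [u for u in url_paths
            if location_applies(section_path.lower(), u.lower())
            and not location_applies(section_path, u)]

if __name__ == "__main__":
    for path, hits in location_sections(SAMPLE_CONF):
        print(f"<Location {path}> sets {hits}: review for a <Directory> equivalent")
    print(uncovered_variants("/public", ["/public/a.html", "/PUBLIC/a.html", "/publicity/x"]))
```

Any section it reports that guards content on disk is a candidate for a <Directory> section, as the documentation quoted above recommends.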
