www-apache-bugdb mailing list archives

From Barbara Glover <glov...@saic.com>
Subject other/5238: Directory indexing does not work when userid/password authentication is enabled.
Date Wed, 03 Nov 1999 13:27:06 GMT

>Number:         5238
>Category:       other
>Synopsis:       Directory indexing does not work when userid/password authentication is enabled.
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Nov  3 05:30:00 PST 1999
>Last-Modified:
>Originator:     gloverb@saic.com
>Organization:
apache
>Release:        1.3.9
>Environment:
Windows NT 4.0 Service Patch 5
Apache was installed using binaries downloaded from www.apache.org
>Description:
I have several hyperlinks that when clicked display the contents of the directory
associated with the hyperlink (known as indexing).  When I enable the use
of userid/password authentication, I get the following message when I click
on each hyperlink that displays a directory "Forbidden You don't have permission
to access" followed by the directory name.  In the httpd.conf file, I commented
out the section
<Directory "C:/">
    Order deny,allow
    Deny from All
</Directory>
to see if this would make a difference and it did not.  This problem only occurs
when I have the userid/password authentication enabled, i.e. by the use of
the directive:
AccessFileName htaccess  (note I do not have a period preceding htaccess as
I am on a windows system.)

This is my http.conf file (I do not use the srm.conf or access.conf)
NOTE:  due to the space limitations here, I could not include the whole
httpd.conf file.  Instead I included only up to the last line that I modified
as I used the http.conf file provided with the release and edited only those
things I needed to.
******************Start of httpd.conf **********************
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://www.apache.org/docs/> for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# After this file is processed, the server will look for and process
# C:/Program Files/Apache Group/Apache/conf/srm.conf and then C:/Program Files/Apache Group/Apache/conf/access.conf
# unless you have overridden these with ResourceConfig and/or
# AccessConfig directives here.
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "/usr/local/apache" will be interpreted by the
# server as "/usr/local/apache/logs/foo.log".
#
# NOTE: Where filenames are specified, you must use forward slashes
# instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
# If a drive letter is omitted, the drive on which Apache.exe is located
# will be used by default.  It is recommended that you always supply
# an explicit drive letter in absolute paths, however, to avoid
# confusion.
#

#BKG: For the initial configuration, these directives need to be set:
#	ServerRoot
#	ServerName
#	BindAddress if you only have an IP address
#	DocumentRoot
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerType is either inetd, or standalone.  Inetd mode is only supported on
# Unix platforms.
#
ServerType standalone

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#BKG This should be set to where you installed Apache.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "C:/Program Files/Apache Group/Apache"

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile logs/httpd.pid

#
# ScoreBoardFile: File used to store internal server process information.
# Not all architectures require this.  But if yours does (you'll know because
# this file will be  created when you run Apache) then you *must* ensure that
# no two invocations of Apache share the same scoreboard file.
#
ScoreBoardFile logs/apache_status

#
# In the standard configuration, the server will process httpd.conf,
# srm.conf, and access.conf in that order.  The latter two files are
# now distributed empty, as it is recommended that all directives
# be kept in a single file for simplicity.  The commented-out values
# below are the built-in defaults.  You can have the server ignore
# these files altogether by using "/dev/null" (for Unix) or
# "nul" (for Win32) for the arguments to the directives.
#
#ResourceConfig conf/srm.conf
#AccessConfig conf/access.conf

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

#
# Apache on Win32 always creates one child process to handle requests.  If it
# dies, another child process is created automatically.  Within the child
# process multiple threads handle incoming requests.  The next two
# directives control the behaviour of the threads and processes.
#

#
# MaxRequestsPerChild: the number of requests each child process is
# allowed to process before the child dies.  The child will exit so
# as to avoid problems after prolonged use when Apache (and maybe the
# libraries it uses) leak memory or other resources.  On most systems, this
# isn't really needed, but a few (such as Solaris) do have notable leaks
# in the libraries.  For Win32, set this value to zero (unlimited)
# unless advised otherwise.
#
MaxRequestsPerChild 0

#
# Number of concurrent threads (i.e., requests) the server will allow.
# Set this value according to the responsiveness of the server (more
# requests active at once means they're all handled more slowly) and
# the amount of system resources you'll allow the server to consume.
#
ThreadsPerChild 50

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
#Listen 3000
#Listen 12.34.56.78:80

#
# BindAddress: You can support virtual hosts with this option. This directive
# is used to tell the server which IP address to listen to. It can either
# contain "*", an IP address, or a fully qualified Internet domain name.
# See also the <VirtualHost> and Listen directives.
#BKG You need to set this if you only have an IP address.
#
#BindAddress *

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Please read the file README.DSO in the Apache 1.3 distribution for more
# details about the DSO mechanism and run `apache -l' for the list of already
# built-in (statically linked and thus always available) modules in your Apache
# binary.
#
# Note: The order in which modules are loaded is important.  Don't change
# the order below without expert advice.
#
#LoadModule anon_auth_module modules/ApacheModuleAuthAnon.dll
#LoadModule cern_meta_module modules/ApacheModuleCERNMeta.dll
#LoadModule digest_module modules/ApacheModuleDigest.dll
#LoadModule expires_module modules/ApacheModuleExpires.dll
#LoadModule headers_module modules/ApacheModuleHeaders.dll
#LoadModule proxy_module modules/ApacheModuleProxy.dll
#LoadModule rewrite_module modules/ApacheModuleRewrite.dll
#LoadModule speling_module modules/ApacheModuleSpeling.dll
#LoadModule status_module modules/ApacheModuleStatus.dll
#LoadModule usertrack_module modules/ApacheModuleUserTrack.dll

#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
#ExtendedStatus On

### Section 2: 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# If your ServerType directive (set earlier in the 'Global Environment'
# section) is set to "inetd", the next few directives don't have any
# effect since their settings are defined by the inetd configuration.
# Skip ahead to the ServerAdmin directive.
#

#
# Port: The port to which the standalone server listens.
#
Port 80

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.
#
ServerAdmin you@your.address

#
# ServerName allows you to set a host name which is sent back to clients for
# your server if it's different than the one the program would get (i.e., use
# "www" instead of the host's real name).
#
# Note: You cannot just invent host names and hope they work. The name you 
# define here must be a valid DNS name for your host. If you don't understand
# this, ask your network administrator.
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address (e.g., http://123.45.67.89/)
# anyway, and this will make redirections work in a sensible way.
#
#ServerName new.host.name
#Changed ServerName BKG
ServerName fuentes.saic-nmsd.com

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
#DocumentRoot "C:/Program Files/Apache Group/Apache/htdocs"
#Serve documents from the Virage directory BKG
DocumentRoot "C:/Virage/VideoSearchTools/vst/htdocs"

#
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories). 
#
# First, we configure the "default" to be a very restrictive set of 
# permissions.  
#
#Note - the / operates on the WHOLE filesystem, not just the
#DocumentRoot and below. BKG
#<Directory />
#    Options FollowSymLinks
#    AllowOverride None
#</Directory>
#BKG - modified
<Directory "C:/">
    Order deny,allow
    Deny from All
</Directory>


#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
#<Directory "C:/Program Files/Apache Group/Apache/htdocs">
#Changed to what I set DocumentRoot to. BKG
<Directory "C:/Virage/VideoSearchTools/vst/htdocs">

#
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
    Options Indexes FollowSymLinks

#
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo", 
# "AuthConfig", and "Limit"
#
#    AllowOverride None
#Changed to All to use htaccess BKG
	AllowOverride All

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all

</Directory>

#
# UserDir: The name of the directory which is appended onto a user's home
# directory if a ~user request is received.
#
# Under Win32, we do not currently try to determine the home directory of
# a Windows login, so a format such as that below needs to be used.  See
# the UserDir documentation for details.
#
UserDir "C:/Program Files/Apache Group/Apache/users/"

#
# DirectoryIndex: Name of the file or files to use as a pre-written HTML
# directory index.  Separate multiple entries with spaces.
#
DirectoryIndex index.html

#
# AccessFileName: The name of the file to look for in each directory
# for access control information.
#
#AccessFileName .htaccess
#Windows does not support a period as first char BKG
AccessFileName htaccess

#
# The following lines prevent .htaccess files from being viewed by
# Web clients.  Since .htaccess files often contain authorization
# information, access is disallowed for security reasons.  Comment
# these lines out if you want Web visitors to see the contents of
# .htaccess files.  If you change the AccessFileName directive above,
# be sure to make the corresponding changes here.
#
#<Files .htaccess>
#    Order allow,deny
#    Deny from all
#</Files>
#Windows does not support a period as first char.  BKG
<Files htaccess>
    Order allow,deny
    Deny from all
</Files>


#
# CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each
# document that was negotiated on the basis of content. This asks proxy
# servers not to cache the document. Uncommenting the following line disables
# this behavior, and proxies will be allowed to cache the documents.
#
#CacheNegotiatedDocs

#
# UseCanonicalName:  (new for 1.3)  With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a URL that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name.  With this setting off, Apache will
# use the hostname:port that the client supplied, when possible.  This
# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
#
UseCanonicalName On

#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
TypesConfig conf/mime.types

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
# mod_mime_magic is not part of the default server (you have to add
# it yourself with a LoadModule [see the DSO paragraph in the 'Global
# Environment' section], or recompile the server and include mod_mime_magic
# as part of the configuration), so it's enclosed in an <IfModule> container.
# This means that the MIMEMagicFile directive will only be processed if the
# module is part of the server.
#
<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog logs/error.log

#
# LogLevel: Control the number of messages logged to the error.log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here.  Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
CustomLog logs/access.log common

#
# If you would like to have agent and referer logfiles, uncomment the
# following directives.
#
#CustomLog logs/referer.log referer
#CustomLog logs/agent.log agent

#
# If you prefer a single logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog logs/access.log combined

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature On

#
# Aliases: Add here as many aliases as you need (with no limit). The format is 
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL.  So "/icons" isn't aliased in this
# example, only "/icons/"..
#
Alias /icons/ "C:/Program Files/Apache Group/Apache/icons/"

#Aliases added for Virage BKG
Alias /vst/ "/Virage/VideoSearchTools/vst/htdocs/"

#Need to use the icons provided with Apache, or when you do a directory
#listing, will get broken icons.  BKG


#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
#ScriptAlias /cgi-bin/ "C:/Program Files/Apache Group/Apache/cgi-bin/"
#Changed to use the Virage directory BKG
ScriptAlias /scgi-bin/ "C:/Virage/VideoSearchTools/vst/scgi-bin/"


#
# "C:/Program Files/Apache Group/Apache/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
#<Directory "C:/Program Files/Apache Group/Apache/cgi-bin">
#    AllowOverride None
#    Options None
#</Directory>
#Changed to the scgi directory located in Virage BKG
<Directory "C:/Virage/VideoSearchTools/vst/scgi-bin">
	Order allow,deny
	Allow from All
</Directory>
<Directory "C:/Virage/VideoSearchTools/vst/htdocs/newComments">
IndexOptions FancyIndexing IconsAreLinks SuppressDescription SuppressSize
IndexOrderDefault Ascending Date

	Options Indexes FollowSymLinks
	Order allow,deny
	Allow from All
</Directory>
<Directory "C:/Virage/VideoSearchTools/vst/htdocs/newOrders">
	Options Indexes FollowSymLinks
	Order allow,deny
	Allow from All
</Directory>
#Do not put the full path name here as it will be ignored BKG.
#<Files vstScheduler.pl>
#    Order deny,allow
#    Deny from All
#</Files>

# Additional directories we need access to. BKG
<Directory "C:/Virage/VideoSearchTools/vst/htdocs/newComments">
	AllowOverride All
	Order allow,deny
	Allow from All
</Directory>

#Search templates
<Directory "C:/Virage/VideoSearchTools/vst/htdocs/search">
	Order allow,deny
	Allow from All
</Directory>
<Directory "C:/Virage/VideoSearchTools/vst/htdocs/search/barbara">
	Order allow,deny
	Allow from All
</Directory>
<Directory "C:/Virage/VideoSearchTools/vst/htdocs/search/VEDUser">
	Order allow,deny
	Allow from All
</Directory>
<Directory "C:/Virage/VideoSearchTools/vst/htdocs/search/icons">
	Order allow,deny
	Allow from All
</Directory>

<Directory "C:/Program Files/Apache Group/Apache/icons/">
	Order allow,deny
	Allow from All
</Directory>


#
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#

#
# Directives controlling the display of server-generated directory listings.
#

#
# FancyIndexing is whether you want fancy directory indexing or standard
#
IndexOptions FancyIndexing IconsAreLinks SuppressDescription SuppressSize
IndexOrderDefault Ascending Date

***********End of httpd.conf file **********

***************htaccess file ***********
	AuthName VED
	AuthType Basic
	AuthUserFile "C:/Virage/VideoSearchTools/vst/passfile"
	require valid-user
	Options None
************end of htaccess file ********************
>How-To-Repeat:
Comment out the directive:
AccessFileName htaccess
and you will be able to perform a directory indexing.

Uncomment the directive
AccessFileName htaccess
and you will not be able to perform directory indexing.
>Fix:
I do not have any suggestions of how to fix this.  I did check the problem
report database and did not find this problem in the database.  I also checked
the FAQ and have not found anything about this problem there.  
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
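
Added example, not part of the original report: the htaccess file quoted above ends with `Options None`. In Apache 1.3 an Options directive without +/- prefixes replaces the inherited set, and an access file is applied after the <Directory> section for the same directory, so the sketch below computes whether Indexes survives. The function names are hypothetical, and the locations tried for the htaccess file are assumptions, since the report does not say where it is stored.

```python
# Added example (not from the report): effective Options for a directory,
# following the Apache 1.3 rules for <Directory> sections and access files.
ALL = frozenset({"Indexes", "Includes", "FollowSymLinks", "ExecCGI"})

def apply_options(current, args):
    """Apply one Options directive. Unless every argument carries a + or -
    prefix, the directive replaces the inherited set instead of merging."""
    relative = all(a[0] in "+-" for a in args)
    result = set(current) if relative else set()
    for arg in args:
        name = arg.lstrip("+-")
        names = set(ALL) if name == "All" else set() if name == "None" else {name}
        result = result - names if arg.startswith("-") else result | names
    return result

def ancestors(path):
    """'C:/a/b' -> ['C:', 'C:/a', 'C:/a/b'] (shortest match first)."""
    parts = path.rstrip("/").split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def effective_options(sections, access_files, target):
    """Walk from the drive root to target. At each level apply the
    <Directory> section first, then the access file found in that directory."""
    sections = {k.rstrip("/"): v for k, v in sections.items()}
    access_files = {k.rstrip("/"): v for k, v in access_files.items()}
    options, override = set(ALL), "All"          # built-in defaults
    for directory in ancestors(target):
        section = sections.get(directory, {})
        if "Options" in section:
            options = apply_options(options, section["Options"])
        override = section.get("AllowOverride", override)
        access = access_files.get(directory)
        # Simplification: an Options line that AllowOverride does not permit
        # is skipped here; the real server refuses the request instead.
        if access and "Options" in access and {"All", "Options"} & set(override.split()):
            options = apply_options(options, access["Options"])
    return options

def listing_allowed(sections, access_files, target):
    """mod_autoindex only generates a listing when Indexes is in effect."""
    return "Indexes" in effective_options(sections, access_files, target)

# Transcribed from the httpd.conf in the report (only the relevant directives).
HTDOCS = "C:/Virage/VideoSearchTools/vst/htdocs"
SECTIONS = {
    "C:/": {},
    HTDOCS: {"Options": ["Indexes", "FollowSymLinks"], "AllowOverride": "All"},
    HTDOCS + "/newOrders": {"Options": ["Indexes", "FollowSymLinks"]},
    HTDOCS + "/search": {},
}
HTACCESS = {"Options": ["None"]}                  # last line of the htaccess file

if __name__ == "__main__":
    cases = [
        ("no access file read", {}, HTDOCS + "/newOrders"),
        ("htaccess inside newOrders (assumed)", {HTDOCS + "/newOrders": HTACCESS},
         HTDOCS + "/newOrders"),
        ("htaccess in htdocs only (assumed)", {HTDOCS: HTACCESS}, HTDOCS + "/newOrders"),
        ("htaccess in htdocs only (assumed)", {HTDOCS: HTACCESS}, HTDOCS + "/search"),
    ]
    for label, files, target in cases:
        verdict = "listing" if listing_allowed(SECTIONS, files, target) else "403 Forbidden"
        print(f"{label:38} {target[len(HTDOCS):]:11} -> {verdict}")
```

Changing the htaccess line to `Options +Indexes`, or removing it, leaves the `require valid-user` protection in place while keeping Indexes in effect.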