Thread: [mod-security-users] .htaccess, AUTH, and file access
From: Peter <pet...@co...> - 2006-01-31 16:19:12

(this message was previously submitted, but I since joined the mail list, so the mods can ignore the pending post)

My .htaccess file for a directory...

    AuthType Basic
    AuthUserFile /home/content/pwfile
    AuthGroupFile /dev/null
    AuthName "Restricted Area"
    Require user peter

My web hosting service uses Apache 1.3, and I have an issue which is curious. With the above, any attempt to access an html page, or the directory, results in the proper username/password challenge.

However, if a user tries to access certain files directly (assuming they know the names), sometimes a password challenge is NOT presented. For example, if a user types:

    http://mysecure.dir/myfile.html

he will get a username/password challenge, and

    http://mysecure.dir/myfile.gif

he will get a challenge, BUT

    http://mysecure.dir/myfile.jpg

will not get challenged and the browser presents options for opening or downloading the file! No password challenge. Same with http://mysecure.dir/myfile.xls or http://mysecure.dir/myfile

My question is, is this expected behavior? How can I tell which filetypes will bypass AUTH security? Are there specific commands I can add to .htaccess? I even tried deny all in <Files *>, but still I am offered a download choice.

Sorry if this post does not belong here, but I do appreciate any feedback and suggestions. The hosting company is "investigating" after being able to reproduce the error.

From: Peter <pet...@co...> - 2006-02-02 11:26:28

I received this back from my hosting provider:

"Thank you for giving us that information. It appears that the investigation is complete. We have determined that you are having problems with password protection with your .xls files because you can not password protect the .xls file extension with an .htaccess file in our shared hosting environment, as it is processed by Tomcat."

Any ideas to circumvent this? Thx

From: Ivan R. <iv...@we...> - 2006-02-02 13:17:42

Peter wrote:
> I received this back from my hosting provider:
>
> "Thank you for giving us that information. It appears that the
> investigation is complete. We have determined that you are having problems
> with password protection with your .xls files because you can not password
> protect the .xls file extension with an .htaccess file in our shared
> hosting environment, as it is processed by Tomcat."
>
> Any ideas to circumvent this? Thx

Circumvent - no. Solve the problem - possibly. If you are in control of your own web.xml you can configure another authentication layer in Tomcat.

Of course, the real question is why they have such a confusing setup in the first place. A major point of having Apache in front of application servers is to use its facilities. It makes no sense to me to forward requests to application servers before the authentication phase takes place.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com

From: Peter <pet...@co...> - 2006-02-02 14:17:33

On Thu, 02 Feb 2006 13:17:07 +0000, Ivan Ristic wrote:
> Peter wrote:
>> I received this back from my hosting provider:
>>
>> "Thank you for giving us that information. It appears that the
>> investigation is complete. We have determined that you are having
>> problems with password protection with your .xls files because you can
>> not password protect the .xls file extension with an .htaccess file in
>> our shared hosting environment, as it is processed by Tomcat."
>>
>> Any ideas to circumvent this? Thx
>
> Circumvent - no. Solve the problem - possibly. If you are in control of
> your own web.xml you can configure another authentication layer in
> Tomcat.
>
> Of course, the real question is why do they have such a confusing setup
> in the first place. A major point of having Apache in front of
> application servers is to use its facilities. It makes no sense to me to
> forward requests to application servers before authentication phase
> takes place.

Thank you. It did not make sense to me, but I am a novice at this.

Yes, I do have control over web.xml. Currently, only my error page is in it.

    <?xml version="1.0" ?>
    <web-app>
      <error-page>
        <error-code>404</error-code>
        <location>/errorpage.html</location>
      </error-page>
    </web-app>

Not meaning to take up your time or that of others here, is there a URL where I can read up on Tomcat, learn about the commands I can embed in web.xml, and where I can learn the differences between what I would put in web.xml vs. what I would use .htaccess for?

Looking forward to some heady weekend reading :) (Sarcasm intended!)

From: Ivan R. <iv...@we...> - 2006-02-02 16:08:25

Peter wrote:
>
> Not meaning to take up your time or that of others here, is there a URL
> where I can read up on Tomcat, learn about the commands I can embed in
> web.xml and where I can learn the differences between what I would put in
> web.xml vs. what I would use htaccess for?
>
> Looking forward to some heady weekend reading :) (Sarcasm intended!)

Tomcat lives at http://tomcat.apache.org/. It appears to be well documented. I believe this is what you are after:

http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
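
The web.xml route Ivan suggests, as an added example that is not from the thread and not Tomcat's own sample: Peter's file extended with a security-constraint so that Tomcat itself challenges for the .xls and other files that skip Apache's .htaccess. It assumes Tomcat 5.5 (servlet 2.4), that the protected directory is the Tomcat context this web.xml belongs to, and that the role name "restricted" and user "peter" are defined in whichever Tomcat realm is set up per the realm-howto.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the thread's own file. Assumes a servlet 2.4
     container (Tomcat 5.5) and a Tomcat realm that knows user "peter"
     in the role "restricted" (role name chosen here, not from the thread). -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Peter's existing error page, unchanged. -->
  <error-page>
    <error-code>404</error-code>
    <location>/errorpage.html</location>
  </error-page>

  <!-- Protect everything this context serves. "/*" also covers
       extensionless names such as /myfile, which an extension pattern
       like "*.xls" would miss, so one pattern closes all the gaps
       seen in the thread (.xls, .jpg, bare file names). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only members of this role may pass; declared again below. -->
      <role-name>restricted</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- BASIC matches what the .htaccess did; realm-name is the text the
       browser shows in its challenge dialog, mirroring AuthName. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Restricted Area</realm-name>
  </login-config>

  <security-role>
    <role-name>restricted</role-name>
  </security-role>
</web-app>
```

Tomcat does not read Apache's AuthUserFile, so peter's password must be set up again in the Tomcat realm (for the default UserDatabaseRealm that is tomcat-users.xml). After deploying, fetching /myfile.xls without credentials should return 401 rather than the file; if it still downloads, the directory is not the context this web.xml governs.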