mod-security-users

[mod-security-users] .htaccess, AUTH, and file access

[Peter <pet...@co...>]

(this message was previously submitted, but I since joined the mail list,
so the mods can ignore the pending post)

My .htaccess file for a directory...

AuthType Basic
AuthUserFile /home/content/pwfile
AuthGroupFile /dev/null
AuthName "Restricted Area"
Require user peter

My web hosting service uses Apache 1.3, and I have an issue which is
curious.

With the above, any attempt to access an html page, or the directory
results in the proper username/password challenge.

However, if a user tried to access certain files directly (assuming they
know the names), sometimes a password challenge is NOT presented.

For example, if a user types:
http://mysecure.dir/myfile.html he will get a username/password challenge
and
http://mysecure.dir/myfile.gif he will get a challenge BUT
http://mysecure.dir/myfile.jpg will not get challenged and the browser
presents options for opening or downloading the file! No password
challenge.
Same with
http://mysecure.dir/myfile.xls or http://mysecure.dir/myfile

My question is, is this expected behavior? How can I tell which filetypes
will bypass AUTH security? Are there specific commands I can add to
.htaccess? I even tried deny all in <Files *>, but still I am offered a
download choice.

Sorry if this post does not belong here, but I do appreciate any feedback
and suggestions. The hosting company is "investigating" after being able
to reproduce the error.

[mod-security-users] Re: .htaccess, AUTH, and file access

[Peter <pet...@co...>]

I received this back from my hosting provider:

"Thank you for giving us that information. It appears that the
investigation is complete. We have determined that you are having problems
with password protection with your .xls files because you can not password
protect the .xls file extension with an .htaccess file in our shared
hosting environment, as it is processed by Tomcat."

Any ideas to circumvent this? Thx

Re: [mod-security-users] Re: .htaccess, AUTH, and file access

[Ivan R. <iv...@we...>]

Peter wrote:
> I received this back from my hosting provider:
> 
> "Thank you for giving us that information. It appears that the
> investigation is complete. We have determined that you are having problems
> with password protection with your .xls files because you can not password
> protect the .xls file extension with an .htaccess file in our shared
> hosting environment, as it is processed by Tomcat."
> 
> Any ideas to circumvent this? Thx

  Circumvent - no. Solve the problem - possibly. If you are in control
  of your own web.xml you can configure another authentication layer
  in Tomcat.

  Of course, the real question is why do they have such a confusing
  setup in the first place. A major point of having Apache in front
  of application servers is to use its facilities. It makes no sense
  to me to forward requests to application servers before authentication
  phase takes place.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com

[mod-security-users] Re: Re: .htaccess, AUTH, and file access

[Peter <pet...@co...>]

On Thu, 02 Feb 2006 13:17:07 +0000, Ivan Ristic wrote:

> Peter wrote:
>> I received this back from my hosting provider:
>> 
>> "Thank you for giving us that information. It appears that the
>> investigation is complete. We have determined that you are having
>> problems with password protection with your .xls files because you can
>> not password protect the .xls file extension with an .htaccess file in
>> our shared hosting environment, as it is processed by Tomcat."
>> 
>> Any ideas to circumvent this? Thx
> 
>   Circumvent - no. Solve the problem - possibly. If you are in control of
>   your own web.xml you can configure another authentication layer in
>   Tomcat.
> 
>   Of course, the real question is why do they have such a confusing setup
>   in the first place. A major point of having Apache in front of
>   application servers is to use its facilities. It makes no sense to me to
>   forward requests to application servers before authentication phase
>   takes place.

Thank you. It did not make sense to me, but I am a novice at this. Yes, I
do have control over web.xml. Currently, only my error page is in it.
<?xml version="1.0" ?>
<web-app>
	<error-page>
		<error-code>404</error-code>
		<location>/errorpage.html</location>
	</error-page>
</web-app>

Not meaning to take up your time or that of others here, is there a URL
where I can read up on Tomcat, learn about the commands I can embed in
web.xml and where I can learn the differences between what I would put in
web.xml vs. what I would use htaccess for?

Looking forward to some heady weekend reading :) (Sarcasm intended!)

Re: [mod-security-users] Re: Re: .htaccess, AUTH, and file access

[Ivan R. <iv...@we...>]

Peter wrote:
>
> Not meaning to take up your time or that of others here, is there a URL
> where I can read up on Tomcat, learn about the commands I can embed in
> web.xml and where I can learn the differences between what I would put in
> web.xml vs. what I would use htaccess for?
> 
> Looking forward to some heady weekend reading :) (Sarcasm intended!)

  Tomcat lives at http://tomcat.apache.org/. It appears to be well
  documented. I believe this is what you are after:

  http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com