A problem that recently came up is how to handle authentication for sub-folders of WebRoot correctly. If you add a document mapping from a URL, e.g. http://localhost/restricted/, to a sub-folder of WebRoot, e.g. c:\Pi3Web\WebRoot\Restricted\, the mapping doesn't apply if the user makes a typo in the URL, e.g. http://localhost/Restricted/. The default mapping does apply, however, if the sub-folder WebRoot/restricted/ exists.
You can assign an authentication realm to this mapping, but if the user makes such a typo, the request falls through to the default mapping and is handled without authentication.

You can do two things to switch on authentication for such a URL correctly:

1. Configure the path mapper to be case insensitive (Conf\HTTP.cnf):

<Object>
   Name PathMapper
   Class PathMapperClass
   CaseSensitive "No"
</Object>

2. Configure authenticated URLs only at top level, so that the default mapping won't apply. For example:

Mapping From="/restricted/" To="Restricted\" ...

where 'Restricted' is another folder at the same level as WebRoot but not inside WebRoot (i.e. c:\Pi3Web\Restricted\ instead of c:\Pi3Web\WebRoot\Restricted\). Note that a folder Restricted\ must not exist in c:\Pi3Web\WebRoot\ in that case.

Note that this problem only applies to Windows, where path and file names are handled case-insensitively. On POSIX systems such a typo in the URL will lead to a '404 Resource not found' error with the default configuration.
--
regards
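
The fall-through described above and the effect of both options, as an added example that is not Pi3Web code: a small Python model of ordered prefix mappings in front of a case-insensitive filesystem. The `Mapping` class, the `resolve` function, the realm name "Private" and the folder layouts are assumptions made for the illustration.

```python
# Toy model of ordered prefix mappings in front of a case-insensitive
# filesystem (Windows). Not Pi3Web code; all names here are hypothetical.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Mapping:
    url_prefix: str        # the mapping's "From"
    target: str            # the mapping's "To", relative to the server root
    realm: Optional[str]   # None means no authentication is required


def resolve(url, mappings, folders, case_sensitive_mapper=True):
    """Return (realm, folder) for the first matching mapping, None for a 404."""
    for m in mappings:
        if case_sensitive_mapper:
            matched = url.startswith(m.url_prefix)
        else:
            matched = url.lower().startswith(m.url_prefix.lower())
        if not matched:
            continue
        path = m.target + url[len(m.url_prefix):]
        # Windows-style lookup: folder names compare case-insensitively.
        hit = next((f for f in folders if f.lower() == path.lower()), None)
        return (m.realm, hit) if hit else None
    return None


DEFAULT = Mapping("/", "WebRoot/", None)

# Constructed layout 1: protected folder inside WebRoot (the problem case).
INSIDE = [Mapping("/restricted/", "WebRoot/Restricted/", "Private"), DEFAULT]
INSIDE_FOLDERS = {"WebRoot/", "WebRoot/Restricted/"}

# Constructed layout 2: protected folder beside WebRoot (option 2).
BESIDE = [Mapping("/restricted/", "Restricted/", "Private"), DEFAULT]
BESIDE_FOLDERS = {"WebRoot/", "Restricted/"}

if __name__ == "__main__":
    for label, maps, dirs, cs in [
        ("inside WebRoot, case-sensitive mapper", INSIDE, INSIDE_FOLDERS, True),
        ("inside WebRoot, CaseSensitive \"No\"", INSIDE, INSIDE_FOLDERS, False),
        ("beside WebRoot, case-sensitive mapper", BESIDE, BESIDE_FOLDERS, True),
    ]:
        for url in ("/restricted/", "/Restricted/"):
            print(f"{label:40} {url:14} -> {resolve(url, maps, dirs, cs)}")
```

A result whose realm is `None` together with a folder under `WebRoot/Restricted/` is the unauthenticated fall-through; with either option in place the mistyped URL yields the realm or a 404 instead.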