willa666
asked on
excluding a path from Basic authentication
I have a directive that I use to add password protection to the following directory in Apache:
http://servername/context/
In the directive I am only defining /context/
But I want to exclude the password protection when a user accesses a page in the following context that is contained in the secured context:
http://servername/context/sercure
The reason for this requirement is that all traffic to http://servername/context/sercure is then redirected via HTTPS, and this is seen as a second session by Apache, which therefore asks the user to authenticate again.
W
Hi willa666,
In addition to the recommendation from Nopius, I'd like to refer to the following two PAQs.
https://www.experts-exchange.com/questions/20604686/htaccess-for-each-subdirectory.html
https://www.experts-exchange.com/questions/20276649/I-would-like-to-override-something-set-in-a-htaccess-in-a-higher-directory.html
http://httpd.apache.org/docs/2.0/mod/core.html#satisfy
cheers.
ASKER
Nopius:
This is a separate issue. Before, we had the sessions skipping from one web server to another. We have worked around this and now we have this issue. AuthDigestDomain is not a viable solution for this issue.
samri:
Do you think that adding another unrestricted security directive will work?
ASKER
samri:
I will try it out and see what happens.
Nopius:
Is AuthDigestDomain still an experimental plug-in?
Yes, mod_auth_digest is still experimental in Apache,
but the Digest authentication type is supported in most browsers (see the notes in the Apache docs for MSIE).
Some of the directives are not implemented yet or are implemented only partially (not AuthDigestDomain).
willa666,
Go ahead and give it a shot. I personally would go for a simple solution that works. However, a new authentication scheme like mod_auth_digest would be a plus to explore.
Give it a shot and share the result with us.
cheers.
ASKER
I have tried it, but I am using LocationMatch rather than Directory:
<LocationMatch "/context">
SetHandler weblogic-handler
AllowOverride AuthConfig
AuthType Basic
AuthName " NCL web application(s)"
AuthUserFile /etc/httpd/conf/users
Require user Usr1 Usr2
</LocationMatch>
<LocationMatch "/context/sercure">
SetHandler weblogic-handler
Options Indexes
Order allow,deny
Allow from all
</LocationMatch>
Any ideas?
This problem was discussed before, and it has a solution for 'Digest' authentication: https://www.experts-exchange.com/questions/21874291/htaccess-authentication-for-2-servers.html
So if it's not a problem, I recommend that you switch from 'Basic' to 'Digest' and use this feature with this Apache directive:
AuthDigestDomain http://servername/context/ https://servername/context/
If you insist on Basic (which is insecure, and all passwords go through the Internet in cleartext), you may change context/secure/.htaccess to allow access without any authentication with the following 2 options:
Allow from all
Satisfy Any
You need to test it.
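Added example, not part of the original thread and not any poster's own configuration: the `Allow from all` / `Satisfy Any` suggestion above written as server-config `<Location>` sections in the asker's style, for Apache 2.0/2.2 as in the linked documentation. It assumes the handler, realm, user file and the `/context/sercure` path exactly as the asker posted them; `AllowOverride` and `Options Indexes` are left out because `AllowOverride` is only valid inside `<Directory>` sections.

```apache
# Added example for Apache 2.0/2.2 (host-based access control plus "Satisfy").
# <Location> takes a URL-path prefix. The <LocationMatch "/context"> form in
# the thread is an unanchored regex and also matches paths such as
# /other/context, so the plain prefix form is used here.
<Location "/context">
    SetHandler weblogic-handler
    AuthType Basic
    AuthName "NCL web application(s)"
    AuthUserFile /etc/httpd/conf/users
    Require user Usr1 Usr2
</Location>

# This block must come AFTER the one above: <Location> sections are merged
# in the order they appear in the configuration, so the later, more
# specific section overrides the earlier one for matching requests.
<Location "/context/sercure">
    SetHandler weblogic-handler
    Order allow,deny
    Allow from all
    # The inherited "Require user" still applies, but with "Satisfy Any"
    # passing EITHER the host rule OR the user rule is sufficient.
    # "Allow from all" always passes, so no credentials are requested.
    Satisfy Any
</Location>

# Apache 2.4: "Order", "Allow" and "Satisfy" exist only through
# mod_access_compat. The native equivalent of the second block is:
#   <Location "/context/sercure">
#       SetHandler weblogic-handler
#       Require all granted
#   </Location>
```

With this in place Apache serves everything under the excluded path without a password, so any access control for that path has to be enforced by the WebLogic application itself. Run `apachectl configtest` before reloading to catch directives that are not permitted in the section where they appear.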