Apache authz_core error

I am running Apache 2.4.16 and Tomcat 8.0.23 on Slackware 64 14.1, kernel 3.10.17. Apache DocumentRoot is at /srv/httpd/htdocs and CATALINA_HOME is /srv/tomcat/. I want to show the directory index for one particular directory in the tomcat hierarchy: /srv/tomcat/webapps/ohprs/downloads/jones. As it turns out Tomcat doesn't let you do this on a directory basis. You have to expose all the hierarchies by setting 'listings' to 'true' in web.xml.

I did solve this by using Apache only, but I have an error I'd like to get rid of. I've added the following to httpd.conf:
Alias /jones /srv/tomcat/webapps/ohprs/downloads/jones

<Directory /srv/tomcat/webapps/ohprs/downloads/jones>
     Options +Indexes
     IndexOptions FancyIndexing HTMLTable SuppressDescription
     IndexOrderDefault Descending Date
     AllowOverride All
     Require all granted
 </Directory>

Open in new window

And I have an .htaccess file in that folder specifying login authorization. All this works fine, but when the folder is accessed I get the error in the Apache error_log:
[Fri Jul 31 14:58:35.311552 2015] [authz_core:error] [pid 8249:tid 140302900623104] [client 76.181.65.196:52072] AH01630: client denied by server configuration: /srv/tomcat/webapps/ohprs/downloads/jones/.htaccess

Open in new window

Note that I can log into this directory and see all the files and download whatever I what, so I don't know exactly what is being "denied".

Why? How do I make this go away?
LVL 1
MarkAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Steve BinkCommented:
What is in the .htaccess file?
MarkAuthor Commented:
Sorry for the delay in response. Below is the .htaccess file. User names obfuscated:

AuthType Basic
AuthName "Disability Review"
AuthUserFile /etc/httpd/passwords
Require user user1 user2 user3 user4 user5

IndexIgnore .. header.html

IndexOptions +SuppressHTMLPreamble +NameWidth=*
HeaderName header.html
Steve BinkCommented:
The only thing I see immediately is that you do not specify AuthProviderType.  That should not be important, since it defaults to 'file', but you might try putting it into the .htaccess file.

Which brings up another question.  You have said that it requests credentials from you appropriately, and that you can log in.  Have you tried a bogus set of credentials to determine if it will keep you out?
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

MarkAuthor Commented:
I've searched for this and cannot seem to find anything on AuthProviderType. Can you point me somewhere?
Have you tried a bogus set of credentials to determine if it will keep you out?
Yes, bogus credentials give:
[Tue Sep 08 13:34:30.271213 2015] [auth_basic:error] [pid 2043:tid 140302740313856] [client 76.181.65.196:53331] AH01618: user joe not found: /tanner/
[Tue Sep 08 13:34:38.301601 2015] [auth_basic:error] [pid 2043:tid 140302773884672] [client 76.181.65.196:53339] AH01618: user mark not found: /tanner/
[Tue Sep 08 13:34:46.224312 2015] [auth_basic:error] [pid 2043:tid 140302748706560] [client 76.181.65.196:53340] AH01617: user mfoley: authentication failure for "/tanner/": Password Mismatch
[Tue Sep 08 13:35:13.950537 2015] [auth_basic:error] [pid 1462:tid 140302698350336] [client 76.181.65.196:53349] AH01617: user mfoley: authentication failure for "/tanner/": Password Mismatch
[Tue Sep 08 13:35:24.987466 2015] [authz_core:error] [pid 2043:tid 140302807455488] [client 76.181.65.196:53352] AH01630: client denied by server configuration: /srv/tomcat/webapps/ohprs/downloads/tanner/.htaccess

Open in new window

MarkAuthor Commented:
Interesting ...

I did not get the "authz_core:error" until after the test I just ran (posted previously) with deliberately bogus credentials. After the 3rd failure using IE I got a 401 Unauthorize message and the "authz_core:error" appeared in the error_log.

Interestingly, I tried duplicating this in Firefox and it repeatedly let me re-try the credentials at least a dozen times, never shut me out like IE did -- hence, no ""authz_core:error" like with IE (though plenty of "auth_basic:error" for each failed attempt).

I'm beginning to think the "authz_core:error" isn't bogus and does happen after 3 failed attempts -- at least on Internet Explorer. What do you think?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Steve BinkCommented:
My apologies...your reply on this question fell into my black hole of an inbox..

I'm personally not convinced that the browser is causing this server-side behavior.  If the credentials are failing, it would make since for the auth modules to post an error for each occurrence.  Waiting for an arbitrary third attempt, which may or may not happen, just doesn't make sense in the larger picture.  Still, if the error is only occurring on a credential failure, then I also don't see it as much of a problem to be addressed.  If you're comfortable with it, I have no objections.  :)
MarkAuthor Commented:
Yeah, I'm comfortable with the "solution" for now. Bigger fish to fry anyway. Although, I don't know who 'routinet' is unless that is an alias for you (Steve Bink) as I intended to award you the points being the only participant.
Steve BinkCommented:
Yup, that's me.  A while ago, they started pushing the profile names onto comments instead of the username.  The disparity between the close request and the comment is likely an oversight.
MarkAuthor Commented:
I'm going to consider this solved, or rather "never a real problem." Seems like I only get the authz_core message if someone does in fact fail to log in correctly. Otherwise not. Probably correct behavior.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.