http://issues.apache.org/bugzilla/show_bug.cgi?id=25367
SECURITY requests for jsp pages bypass apache AuthUserFile directive
--- Additional Comments From [EMAIL PROTECTED] 2004-09-09 17:24 ---
I posted this one in Apache 2.0 bug database.
I think I found the problem but no solution to it.
I agree, this is a security issue.
___
There seems to be a difference between Apache 1.3 and 2.0: they don't handle
.htaccess files the same way.
Let's say I have a site, protected with an authentication module (e.g.
mod_auth_pgsql).
The site is open to everyone, but some directories are dynamically group protected.
In this case, we have a httpd.conf with:
<Directory /var/www/html/mysite>
AuthName "My Realm"
AuthType basic
Auth_PG_host myhost.mydomain.org
Auth_PG_port 5432
Auth_PG_database users
Auth_PG_encrypted off
Auth_PG_user admin
Auth_PG_pwd admin
Auth_PG_pwd_table users
Auth_PG_uid_field iduser
Auth_PG_pwd_field passwd
Auth_PG_grp_table group
Auth_PG_grp_user_field iduser
Auth_PG_grp_group_field group
AllowOverride All
</Directory>
and a .htaccess file in /var/www/html/mysite/secretdir that requires a
particular group
Require group secret
This works perfectly in both versions (1.3 and 2.0) with both mod_auth_pgsql
adapted modules. All files within secretdir are protected.
The problem appears when you're asking Apache to serve JSP files, which are handled
by Tomcat through a mod_jk or mod_jk2 connector (same behavior, I tried both):
- in Apache 1.3, the jsp files are protected like htm files: the .htaccess
directives are taken into account BEFORE Tomcat handles jsp files
- in Apache 2.0, the jsp is handled by Tomcat WITHOUT looking at .htaccess (they
are visible to everyone and I can't getRemoteUser - it returns null)
I tried to change the modules loading order without success.
I have the same difference with mod_jk and mod_jk2, and with several
Basic Authentication Modules.
Apache 2.0 works if the REQUIRE directive is set in httpd.conf, but this is not
dynamic and therefore doesn't fit my needs.
I wonder if there is a magic trick to force Apache 2.0 to handle mod_jk like
Apache 1.3 does.
Configuration: (Apache 2.0.49 / Apache 1.3.27 + mod_jk / mod_jk2 and Tomcat 4.1.29)
Thanks for reading
Alexis
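An added auditing example, not part of the bug report or of the Apache/Tomcat projects: the report describes a configuration where a directory's only access rule lives in .htaccess while the URLs under it are forwarded to Tomcat by JkMount, and says Apache 2.0 enforces the rule only when the Require sits in httpd.conf. The script below scans an httpd.conf fragment and a set of .htaccess files for exactly that combination, so a defender can list the directories whose Require would need to move into httpd.conf. The configuration text, paths and group names are constructed placeholders in the shape of the report, and the JkMount matching uses shell-style globbing as a simplification of mod_jk's own URI mapping.

```python
"""Flag directories whose Require directive exists only in .htaccess while
a JkMount pattern hands their URLs to Tomcat. All sample data is constructed."""
import posixpath
import re
from fnmatch import fnmatch

DOCROOT = "/var/www/html"

# Constructed httpd.conf fragment (placeholder values, shaped like the report).
HTTPD_CONF = """
JkMount /*.jsp ajp13
JkMount /servlet/* ajp13
<Directory /var/www/html/mysite>
    AuthName "My Realm"
    AuthType Basic
    AllowOverride All
</Directory>
<Directory /var/www/html/admin>
    AuthType Basic
    Require group admins
</Directory>
"""

# Constructed .htaccess contents keyed by their file path.
HTACCESS_FILES = {
    "/var/www/html/mysite/secretdir/.htaccess": "Require group secret\n",
    "/var/www/html/admin/.htaccess": "Require group admins\n",
}

DIR_BLOCK = re.compile(r'<Directory\s+"?([^\s">]+)"?\s*>(.*?)</Directory>', re.S | re.I)


def parse_directory_blocks(conf):
    """Return {directory path: [directive lines]} for every <Directory> block."""
    blocks = {}
    for m in DIR_BLOCK.finditer(conf):
        path = m.group(1).rstrip("/")
        blocks[path] = [ln.strip() for ln in m.group(2).splitlines() if ln.strip()]
    return blocks


def jk_mounts(conf):
    """Return the URI patterns that JkMount forwards to Tomcat."""
    return re.findall(r"^\s*JkMount\s+(\S+)", conf, re.M)


def _requires(lines):
    return [ln for ln in lines if ln.lower().startswith("require ")]


def conf_requires_for(directory, blocks):
    """Require directives from httpd.conf <Directory> blocks covering `directory`."""
    found = []
    for path, lines in blocks.items():
        if directory == path or directory.startswith(path + "/"):
            found.extend(_requires(lines))
    return found


def audit(conf, htaccess_files, docroot=DOCROOT):
    """Return findings for directories where the only Require is in .htaccess
    and a representative JSP URL under them matches a JkMount pattern."""
    blocks = parse_directory_blocks(conf)
    mounts = jk_mounts(conf)
    findings = []
    for htpath, body in htaccess_files.items():
        directory = posixpath.dirname(htpath)
        ht_req = _requires([ln.strip() for ln in body.splitlines()])
        if not ht_req or conf_requires_for(directory, blocks):
            continue  # no rule here, or httpd.conf already enforces one
        url_prefix = directory[len(docroot):] if directory.startswith(docroot) else directory
        probe = posixpath.join(url_prefix, "index.jsp")  # representative Tomcat-handled URL
        hit = [p for p in mounts if fnmatch(probe, p)]
        if hit:
            findings.append({"directory": directory, "url": probe,
                             "require": ht_req, "jkmount": hit})
    return findings


if __name__ == "__main__":
    for f in audit(HTTPD_CONF, HTACCESS_FILES):
        print(f"{f['url']}: '{'; '.join(f['require'])}' only in .htaccess; "
              f"forwarded to Tomcat by JkMount {f['jkmount']}")
```

Run as-is, it reports /mysite/secretdir (rule only in .htaccess, URL matched by JkMount /*.jsp) and stays silent on /admin, whose Require is already in httpd.conf. Re-running it after moving a flagged Require into a `<Directory>` block in httpd.conf should produce no findings for that directory.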