DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=25367>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=25367
SECURITY requests for jsp pages bypass apache AuthUserFile directive

------- Additional Comments From [EMAIL PROTECTED] 2004-09-09 17:24 -------

I posted this one in the Apache 2.0 bug database. I think I found the problem but no solution to it. I agree, this is a security issue.

_______

There seems to be a difference between Apache 1.3 and 2.0: they don't handle htaccess files the same way.

Let's say I have a site, protected with an authentication module (e.g. mod_auth_pgsql). The site is open to everyone, but some directories are dynamically group protected. In this case, we have a httpd.conf with:

    <Directory "/var/www/html/mysite">
        AuthName "My Realm"
        AuthType basic
        Auth_PG_host myhost.mydomain.org
        Auth_PG_port 5432
        Auth_PG_database users
        Auth_PG_encrypted off
        Auth_PG_user admin
        Auth_PG_pwd admin
        Auth_PG_pwd_table users
        Auth_PG_uid_field iduser
        Auth_PG_pwd_field passwd
        Auth_PG_grp_table group
        Auth_PG_grp_user_field iduser
        Auth_PG_grp_group_field group
        AllowOverride All
    </Directory>

and a .htaccess file in /var/www/html/mysite/secretdir that requires a particular group:

    Require group secret

This works perfectly in both versions (1.3 and 2.0) with both mod_auth_pgsql adapted modules. All files within secretdir are protected.

The problem appears when you're asking Apache to serve JSP files, which are handled by Tomcat through a mod_jk or mod_jk2 connector (same behavior, I tried it):
- in Apache 1.3, the jsp files are protected like htm files: the .htaccess directives are taken into account BEFORE tomcat handles jsp files
- in Apache 2.0, the jsp is handled by tomcat WITHOUT looking at .htaccess (they are visible by everyone and I can't getRemoteUser - returns null)

I tried to change the "modules loading order" without success. I have the same difference with mod_jk and mod_jk2, and with several Basic Authentication Modules.

Apache 2.0 works if the REQUIRE directive is set in httpd.conf, but this is not dynamic and therefore doesn't fit my needs. I wonder if there is a magic trick to force Apache 2.0 to handle mod_jk like Apache 1.3 does.

Configuration: (Apache 2.0.49 / Apache 1.3.27 + mod_jk / mod jk2 and tomcat 4.1.29)

Thanks for reading
Alexis
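The symptom Alexis describes (JSP files under a group-protected directory served to everyone, with no remote user) shows up directly in the Apache access log: a 200 response for a path under the protected directory whose authuser field is "-". The script below is an added example, not part of the bug report or of any Apache or Tomcat code; it parses constructed sample log lines in Apache's common log format and flags exactly those entries, so an administrator can confirm from logs whether the .htaccess Require is being bypassed for JSP requests. The log lines, hosts, user names and the "/secretdir/" prefix are all constructed for the example.

```python
import re

# Constructed sample access log (Apache common log format); not taken from the report.
# Line 3 is the bypass case: a .jsp under /secretdir/ returned 200 with no authenticated user.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Sep/2004:17:20:01 +0200] "GET /secretdir/index.html HTTP/1.1" 401 381
10.0.0.5 - alexis [09/Sep/2004:17:20:04 +0200] "GET /secretdir/index.html HTTP/1.1" 200 1523
10.0.0.7 - - [09/Sep/2004:17:21:10 +0200] "GET /secretdir/report.jsp HTTP/1.1" 200 2048
10.0.0.7 - - [09/Sep/2004:17:21:12 +0200] "GET /public/home.jsp HTTP/1.1" 200 900
10.0.0.9 - bob [09/Sep/2004:17:22:00 +0200] "GET /secretdir/list.jsp HTTP/1.1" 200 700
"""

# host ident authuser [time] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Parse common-log-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def find_unauthenticated_hits(entries, protected_prefixes):
    """Return entries that were served (200) from a protected prefix without an authuser.

    A correctly enforced Require directive yields a 401 for such requests, or a 200
    carrying the authenticated user name; a 200 with user "-" means the auth module
    never ran for that request (the behaviour reported for JSPs on Apache 2.0).
    """
    findings = []
    for e in entries:
        path = e["path"].split("?", 1)[0]  # ignore the query string when matching
        if not any(path.startswith(p) for p in protected_prefixes):
            continue
        if e["status"] == 200 and e["user"] == "-":
            findings.append(e)
    return findings


if __name__ == "__main__":
    hits = find_unauthenticated_hits(parse_log(SAMPLE_LOG), ["/secretdir/"])
    for h in hits:
        print(f'{h["time"]} {h["host"]} served {h["path"]} without authentication')
```

Point the script at the real access log (with `%u` present in the LogFormat) and the prefixes of every directory protected via .htaccess; any hit confirms the bypass and is the place to add a Require in httpd.conf, which the report notes Apache 2.0 does honour for JSP requests.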