Received: (qmail 73487 invoked by uid 65534); 7 Apr 2000 14:32:11 -0000 Message-Id: <20000407143211.73486.qmail@locus.apache.org> Date: 7 Apr 2000 14:32:11 -0000 From: John Houser Reply-To: houserj@vtls.com To: submit@bugz.apache.org Subject: Password authentication fails with mod_auth. X-Send-Pr-Version: 3.110 >Number: 5969 >Category: mod_auth-any >Synopsis: Password authentication fails with mod_auth. >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: mistaken >Submitter-Id: apache >Arrival-Date: Fri Apr 07 07:40:01 PDT 2000 >Closed-Date: Sat Apr 15 18:59:51 PDT 2000 >Last-Modified: Sat Apr 15 18:59:51 PDT 2000 >Originator: houserj@vtls.com >Release: 1.3.6 >Organization: >Environment: HP-UX zeus B.11.00 B 9000/887 1925771271 16-user license >Description: I've set up a restricted directory for some CGI scripts. My intent is to allow GET queries without a password. POST queries should require one. The directory setup is as follows: AllowOverride Any Options ExecCGI Order allow,deny Allow from all The .htaccess file in the restricted directory is as follows: AuthType Basic AuthUserFile /usr/local/apache/conf/.htpasswd AuthName "Class 34 Restricted" Require Valid-user The .htpasswd file exists and contains an entry: class34:VsiUV2LUTsCUQ When I try a GET that works fine. When I try a POST the password entered is never accepted. By the way, I expect to change the 'Allow from all' in the Directory to 'Deny from all' when everything is working, but right now I need to provide access. >How-To-Repeat: The server is behind a firewall. >Fix: None. >Release-Note: >Audit-Trail: From: Marc Slemko To: houserj@vtls.com Cc: Apache bugs database Subject: Re: mod_auth-any/5969: Password authentication fails with mod_auth. Date: Fri, 7 Apr 2000 09:27:26 -0600 (MDT) On 7 Apr 2000, John Houser wrote: > I've set up a restricted directory for some CGI scripts. My intent is to allow GET queries without a password. POST queries should require one. The directory setup is as follows: > > > AllowOverride Any > Options ExecCGI > Order allow,deny > Allow from all > > > The .htaccess file in the restricted directory is as follows: > AuthType Basic > AuthUserFile /usr/local/apache/conf/.htpasswd > AuthName "Class 34 Restricted" > > Require Valid-user Please go back and check the docs again. "Valid-user" is not the same as "valid-user". If you looked in the error log, you would probably find that out. > > > The .htpasswd file exists and contains an entry: > class34:VsiUV2LUTsCUQ > > When I try a GET that works fine. When I try a POST the password entered is never accepted. > > By the way, I expect to change the 'Allow from all' in the Directory to 'Deny from all' when everything is working, but right now I need to provide access. Erm... then no one will be able to access it, unless you have a "satisfy any" somewhere, but there isn't much point to doing that. Look through the docs again; host based access control and username based access control are two different things. > >How-To-Repeat: > The server is behind a firewall. > >Fix: > None. > >Release-Note: > >Audit-Trail: > >Unformatted: > [In order for any reply to be added to the PR database, you need] > [to include in the Cc line and make sure the] > [subject line starts with the report component and number, with ] > [or without any 'Re:' prefixes (such as "general/1098:" or ] > ["Re: general/1098:"). If the subject doesn't match this ] > [pattern, your message will be misfiled and ignored. The ] > ["apbugs" address is not added to the Cc line of messages from ] > [the database automatically because of the potential for mail ] > [loops. If you do not include this Cc, your reply may be ig- ] > [nored unless you are responding to an explicit request from a ] > [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ] > > > State-Changed-From-To: open-closed State-Changed-By: lars State-Changed-When: Sat Apr 15 18:59:51 PDT 2000 State-Changed-Why: An answer has already been sent back to the user. Class-Changed-From-To: sw-bug-mistaken Class-Changed-By: lars Class-Changed-When: Sat Apr 15 18:59:51 PDT 2000 Severity-Changed-From-To: serious-non-critical Severity-Changed-By: lars Severity-Changed-When: Sat Apr 15 18:59:51 PDT 2000 >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]