Disabling basic authentication for only one directory -- possible?
on 02.09.2007 03:29:50 by joshbeall
Hi All,
I have a site that uses basic authentication (set in a .htaccess file
in the root of the site).
There is one folder for which I would like to disable basic
authentication (it will be available to the public).
Is there a way to disable basic authentication in only that one
directory? I tried an .htaccess file with "AuthType None", but that
didn't work.
-Josh
Re: Disabling basic authentication for only one directory -- possible?
on 02.09.2007 09:03:00 by unknown
Post removed (X-No-Archive: yes)
Re: Disabling basic authentication for only one directory -- possible?
on 03.09.2007 13:55:44 by joshbeall
On Sep 2, 3:03 am, Davide Bianchi wrote:
> On 2007-09-02, Joshua Beall wrote:
>
> > I have a site that uses basic authentication (set in a .htaccess file
> > in the root of the site).
> > There is one folder for which I would like to disable basic
> > authentication (it will be available to the public).
>
> The problem is that to get to the 'allowed' directory, you need
> to cross the root directory, so the authentication applies. You either
> move the unprotected directory on a different vhost or rethink the
> authentication on the whole site (not using Apache's authentication but
> handling it on a server-application).
>
> Davide
Actually, it turns out there is a way.
http://www.nabble.com/Disabling-basic-authen-tication-for-only-one-directory----possible--tf4366355.html#a12448146
In short, you can put a .htaccess file with the following:
Allow from all
Satisfy any
-Josh
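
As an added example (not part of the original posts): a small audit helper that walks a document root and lists the directories where an .htaccess file lifts inherited authentication with the "Satisfy any" plus "Allow from all" pair from the post above. The function names, the sample tree and the placeholder password-file path are constructed for illustration.

```python
import os
import re
import tempfile

# Apache directive names are case-insensitive; a line starting with "#" is a comment.
AUTH = re.compile(r"^\s*AuthType\s+(?!None\b)\S+", re.I | re.M)
SATISFY_ANY = re.compile(r"^\s*Satisfy\s+any\s*$", re.I | re.M)
ALLOW_ALL = re.compile(r"^\s*Allow\s+from\s+all\s*$", re.I | re.M)

def find_auth_exceptions(docroot):
    """Return directories (relative to docroot) whose .htaccess opens them to
    everyone with Satisfy any + Allow from all while they sit under a directory
    that turns authentication on. Heuristic: reads .htaccess files only, not the
    main server config, and ignores Order/Deny lines."""
    protected, exceptions = [], []
    for dirpath, dirnames, filenames in os.walk(docroot):  # top-down: parents first
        dirnames.sort()
        if ".htaccess" not in filenames:
            continue
        with open(os.path.join(dirpath, ".htaccess"), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if AUTH.search(text):
            protected.append(dirpath)
        inherited = any(dirpath == p or dirpath.startswith(p + os.sep) for p in protected)
        if inherited and SATISFY_ANY.search(text) and ALLOW_ALL.search(text):
            exceptions.append(os.path.relpath(dirpath, docroot))
    return exceptions

def build_sample_tree(root):
    """Constructed sample site: protected root, one public folder, one decoy."""
    files = {
        ".htaccess": "AuthType Basic\nAuthName \"site\"\n"
                     "AuthUserFile /placeholder/.htpasswd\nRequire valid-user\n",
        "public/.htaccess": "Allow from all\nSatisfy any\n",
        "private/notes/.htaccess": "# Satisfy any\n# Allow from all\n",  # commented out
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_auth_exceptions(root)

if __name__ == "__main__":
    print(demo())
```

On Apache 2.4 these two directives are provided by mod_access_compat; the native form there is "Require all granted", which this scan does not look for.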
Re: Disabling basic authentication for only one directory -- possible?
on 03.09.2007 14:23:06 by shimmyshack
On Sep 3, 12:55 pm, Joshua Beall wrote:
> On Sep 2, 3:03 am, Davide Bianchi wrote:
>
> > On 2007-09-02, Joshua Beall wrote:
>
> > > I have a site that uses basic authentication (set in a .htaccess file
> > > in the root of the site).
> > > There is one folder for which I would like to disable basic
> > > authentication (it will be available to the public).
>
> > The problem is that to get to the 'allowed' directory, you need
> > to cross the root directory, so the authentication applies. You either
> > move the unprotected directory on a different vhost or rethink the
> > authentication on the whole site (not using Apache's authentication but
> > handling it on a server-application).
>
> > Davide
>
> Actually, it turns out there is a way.
>
> http://www.nabble.com/Disabling-basic-authen-tication-for-only-one-di...
>
> In short, you can put a .htaccess file with the following:
>
> Allow from all
> Satisfy any
>
> -Josh
Davide's hint that you should rethink the whole authentication plan is
good; the satisfy any directive is commonly used for this kind of
thing, but to me it doesn't make any sense to set up the webserver like
this.
Have you thought about using virtual hosts so that you can have say
www.example.com
for the public, and
intranet.example.com
for those others
I don't want to throw cold water on your idea, but I didn't suggest
satisfy any because there are better ways to set it up. What happens
for instance if you ever need to allow the public access to a resource
that is currently behind the authentication, you will have to move
things all around or keep creating new ACLs for these new
circumstances, far better to have flexibility and ease of
maintenance by setting things up properly to start with. The best
reason not to rely on basic authentication to keep things safe is
because it isn't terribly secure, for instance there are css scripts
going around at the moment which can brute force basic authenticate
while visiting a remote webpage from inside the LAN.
Re: Disabling basic authentication for only one directory -- possible?
on 05.09.2007 02:58:07 by joshbeall
On Sep 3, 8:23 am, shimmyshack wrote:
> Davide's hint that you should rethink the whole authentication plan is
> good; the satisfy any directive is commonly used for this kind of
> thing, but to me it doesn't make any sense to set up the webserver like
> this.
> Have you thought about using virtual hosts so that you can have say
>
> www.example.com
> for the public, and
> intranet.example.com
> for those others
>
> I don't want to throw cold water on your idea, but I didn't suggest
> satisfy any because there are better ways to set it up. What happens
> for instance if you ever need to allow the public access to a resource
> that is currently behind the authentication, you will have to move
> things all around or keep creating new ACLs for these new
> circumstances, far better to have flexibility and ease of
> maintenance by setting things up properly to start with. The best
> reason not to rely on basic authentication to keep things safe is
> because it isn't terribly secure, for instance there are css scripts
> going around at the moment which can brute force basic authenticate
> while visiting a remote webpage from inside the LAN.
That's all very good for an app of any size and/or value, but this is
a little personal utility of mine that nobody in the world (except for
me) will ever use. I just needed to make one directory in the entire
structure available without basic authentication, so that a tool I've
written (which depends on a networking library without good support
for basic auth) is able to access some files off the site.
Sometimes the easiest solution is the right answer.