I have my main web-facing directory, public_html, which has lines in its htaccess for www to non-www redirecting:

RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST}!^example.com [NC]
RewriteRule ^(.*) http://example.com/$1 [R=301,NC,L]

which works fine. I also have a subdirectory which is auth protected as it contains developmental versions of the software, call it /dev. It contains its own .htaccess file containing only the auth lines for this purpose. These, just to be clear, are:

AuthName "Blah blah"
AuthType Basic
AuthUserFile /path/to/htpasswd
require valid-user

Now when I visit http://www.example.com/dev, my browser just displays a 401 Authentication required failure screen (saying "The requested URL /401.shtml was not found on this server.", so in fact it's a 404 following the non-attempt to authenticate) and does not challenge interactively for username /password. It only correctly challenges when using the non-www version, http://example.com/dev, when it works fine. The same afflicts a single password-protected file in the top-level public_html (auth'd in the public_html/.htaccess), which fails to a 401 screen on www.example.com/file but challenges interactively on domain.com/file. I wonder if anyone can diagnose this?

I have tried adding RewriteEngine on and Options <etc> to the /dev/.htaccess to no apparent effect.

[edited by: engine at 12:23 pm (utc) on Jan. 28, 2008]
[edit reason] please use example.com [/edit]