Got it. I'm trying to allow a desktop app that can't do authentication through to a specific file, which has no need of being secure - the password is simply so that customers don't purchase from the test site accidentally.

this is in my .htaccess in /test/

# All anyone access to dir for XML file
# No security needed on this - publicly available on live site
# Authentication handled by script.
SetEnvIf Request_URI "/path/to/dir/for/files/needed/.*" app_access

Order Deny,Allow

AuthType Basic
AuthName "Sandbox Site"
AuthUserFile "/path/to/.htpasswds/public_html/test"
require valid-user

#Allow valid-user
Deny from all
Allow from env=app_access
Satisfy any

modified from the two possiilities here: [css-tricks.com...]

An alternative is to add a .htaccess file to the subdirectory path in which the unprotected file resides, and override the auth requirements there -- either for the specific file, or for the entire subdirectory-path.

This is what is meant when .htaccess is referred to as a "per-directory configuration file."

Jim
[edit]Speling korrekshun[/edit]

[edited by: jdMorgan at 5:09 pm (utc) on Jan 14, 2011]

confession time - I didn't know how to disable auth on a child directory.

Would I just put a

Allow From All
Satisfy Any

in my .htaccess in the child directory?

Looks like my original response must have been knocked out during the restore [webmasterworld.com] on Jan 7, 2011. I said ...

Looks right to me :)
[httpd.apache.org...]

"Satisfy Any" and perhaps "Allow from all"

Jim

Thanks all