
Protecting a sub-level directory

(Without multiple prompts)


OrangeBall21

4:24 pm on May 4, 2022 (gmt 0)



Appreciate the help as I've been struggling to wrap my head around this issue:

We have the following site structure:

Root
- Dev
- Folder A
- Folder 1A
- Folder B
- Folder C

Our goal is to have each folder inside 'dev' set up with its own individual password, while having a global password on 'dev' that allows access to all folders.

In this example we have one single .htpasswd set up with two users: User Global and User John. User Global should have access to everything, and User John should only be allowed to access Folder A and its sub-contents.

In our Dev folder we have the following .htaccess:

AuthType Basic
AuthName "Dev Password"
AuthUserFile /dev/.htpasswd

SetEnvIf Request_URI "^/folder-a(/.*)?$" allow
SetEnvIf Request_URI "^/folder-a/folder-1a(/.*)?$" allow

<RequireAny>
Require env allow
Require user global
</RequireAny>

In our Folder A, we have the following .htaccess:

AuthType Basic
AuthName "Folder A Password"
AuthUserFile /dev/.htpasswd
Require user global john

This works as expected for User Global, allowing access to everything and only prompts for authorization one time.

However for User John, when visiting Folder A it will prompt for authorization and then re-prompt when trying to access any sub-folders of Folder A.

Normally we could deal with just having to authorize twice, but this becomes a bigger issue when the sub-folder is a website and it sends a new prompt for every file/asset on pageload. I've tried allowing the folder directly in the .htaccess of Dev to make sure it wasn't overriding anything, but the problem still persists. Any ideas?

lucy24

5:25 pm on May 4, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



<tangent>
SetEnvIf Request_URI "^/folder-a(/.*)?$" allow
SetEnvIf Request_URI "^/folder-a/folder-1a(/.*)?$" allow

The first line includes the second line. (Also, anything involving .*$ is superfluous, unless you have additional folders named, say, folder-abc or /folder-1abc/ that you need to exclude.)
</tangent>

re-prompt when trying to access any sub-folders of Folder A
Is there more than one? Why, in that case, does the earlier rule specifically name /folder-1a/ ?

phranque or someone like him will come along and answer your actual question. But crystal ball says it's going to be one of those D’oh! slapping-self-upside-the-head explanations.

OrangeBall21

6:17 pm on May 4, 2022 (gmt 0)



Good catch, but I honestly did those recursively on purpose after initial tries without them didn't work either. It was just a feeble attempt at preserving some sanity with this haha. For clarity, even without either of those lines there is still a second prompt for User John when accessing any sub-folder of Folder A. I specifically excluded /folder-1a/ again to ensure there was no way the Dev .htaccess was being applied to that sub-folder, and yet somehow it is. There will be multiple sub-folders of A, but for the example I just listed one.

To give a little context on the use case of this set-up: We are a development agency and allow clients to preview the progress of their builds. So we want the Global user to be used by our team to access any folder with a single prompt, and then provide clients with their company's unique auth for their corresponding directory, but not give them access to other companies' directories or the root dev folder.

Fingers crossed it's as simple as the crystal ball is predicting!

lucy24

6:34 pm on May 4, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



to ensure there was no way the Dev .htaccess was being applied to that sub-folder
htaccess or htpasswd? mod_setenvif is inherited, so once an environmental variable has been set, it stays set all the way down the line unless you expressly un-set it.

OrangeBall21

7:34 pm on May 4, 2022 (gmt 0)



My mistake on the wording, I believe I meant htpasswd or more specifically the authorization requirements of the .htaccess in dev. I didn't know that about mod_setenvif, but I think in this case it shouldn't make a difference as the env is only used in that .htaccess.

phranque

12:06 am on May 5, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



welcome to WebmasterWorld [webmasterworld.com], OrangeBall21!

i would check for clues in any AllowOverride directives in <Directory> sections of your server config file(s).

i would also look for clues in the web server access and error log files - there should be a 401 response logged for each password prompt seen in the browser.

perhaps the request at the point the server is processing the authorization looks different from the request sent by the user agent.
i also wonder if there's something going on with symbolic links...
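One way to do the log check phranque describes, as an added example and not code from this thread: it parses combined-format access log lines (the sample lines below are constructed, not real traffic) and, for each directory, separates 401s where the browser sent no credentials at all from 401s where credentials were sent and rejected. That split tells you whether an extra prompt comes from the browser not re-sending credentials for that path or from the server's Require rules rejecting the user.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not real data).
SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2022:16:20:01 +0000] "GET /dev/folder-a/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.5 - john [04/May/2022:16:20:04 +0000] "GET /dev/folder-a/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [04/May/2022:16:20:05 +0000] "GET /dev/folder-a/folder-1a/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.5 - john [04/May/2022:16:20:06 +0000] "GET /dev/folder-a/folder-1a/style.css HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.5 - john [04/May/2022:16:20:09 +0000] "GET /dev/folder-a/folder-1a/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - global [04/May/2022:16:21:00 +0000] "GET /dev/folder-b/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# host, ident, user, [time], "request", status ... (remainder ignored)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def directory_of(path):
    # Drop any query string and the last path segment (file or empty after "/").
    path = path.split("?", 1)[0]
    return path.rsplit("/", 1)[0] + "/"

def summarize_401s(log_text):
    """Per directory: 401s with no Authorization header ('-' in %u, i.e. the
    browser did not send credentials) vs 401s where %u names the user whose
    credentials were sent but rejected by the server's Require rules."""
    report = defaultdict(lambda: {"no_creds": 0, "rejected": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        entry = report[directory_of(rec["path"])]
        if rec["user"] == "-":
            entry["no_creds"] += 1
        else:
            entry["rejected"][rec["user"]] += 1
    return {d: {"no_creds": v["no_creds"], "rejected": dict(v["rejected"])}
            for d, v in report.items()}

if __name__ == "__main__":
    for d, v in sorted(summarize_401s(SAMPLE_LOG).items()):
        print(f"{d}: {v['no_creds']} prompt(s) without credentials, rejected={v['rejected']}")
```

Run it against the real access log instead of SAMPLE_LOG; a directory that shows only "no credentials" 401s for a user who already authenticated higher up points at the browser's credential scope (realm/path), while "rejected" entries point at the merged Require configuration for that directory.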

lucy24

3:41 pm on May 5, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



After sleeping on it, I'm wondering if it is even possible to do it by the current methods. Going back to:
this becomes a bigger issue when the sub-folder is a website and it sends a new prompt for every file/asset on pageload

As far as the server is concerned, every request exists in perfect isolation. Servers don’t recognize the concept of “It’s OK, you let me in three milliseconds ago so I’m obviously approved for this subsequent request.” (Hence cookies, but I don’t suppose that’s a security-compatible option.) One approach would be to put supporting files in a different directory that doesn’t require authorization. Another would be to replace the authorization process with something that looks specifically at IP, the way you’d do if you want to authorize yourself in a development phase. This may or may not be completely impracticable: Is User John at a desk in a particular office, or is he connecting remotely from potentially anywhere on the planet?