htaccess hierarchical user control

         

minarets

1:55 am on May 25, 2005 (gmt 0)


I'm trying to set up an authenticated system using .htaccess by which users have access to their own individual folders via the web, but not to other folders outside of their own. Specifically, here's the structure I'd like to accomplish:

dir <-- administrator access only
¦
----subdir1 <-- viewable by admin and user1 only
¦
----subdir2 <-- viewable by admin and user2 only
¦
----subdir3 <-- viewable by admin and user3 only

Each of the subdirs may have subdirs of their own, which should be freely viewable by that user once they have authenticated in their main subdir.

I've been looking at "location" and "location-match" but am unsure how to proceed with setting up something like this. I'm a novice when it comes to configuring htaccess and was hoping someone could provide some pointers or at least push me in the right direction. Any help would be appreciated.

-min

jdMorgan

2:09 am on May 25, 2005 (gmt 0)


min,

Welcome to WebmasterWorld!

Have you reviewed the Apache Authentication, Authorization, and Access Control [httpd.apache.org] guide?

You can put the directives into any scoped container you like, so control is available by <Directory> structure or by URL-<Location> structure, as well as others.

Jim
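
The layout from the first post, written out as an added example that is not part of the original thread: one .htaccess per level, assuming Apache 2.2-style Basic authentication with AllowOverride AuthConfig enabled. The AuthUserFile path and the realm name are placeholders; admin and user1 to user3 are the names used in the question.

```apache
# Added example; the AuthUserFile path and realm name are placeholders.

# ---- dir/.htaccess : administrator access only ----
AuthType Basic
AuthName "Restricted area"
# Keep the password file outside the web root so it can never be served.
AuthUserFile /home/example/private/.htpasswd
Require user admin

# ---- dir/subdir1/.htaccess : admin and user1 only ----
# AuthType, AuthName and AuthUserFile are inherited from dir/.htaccess.
# This Require replaces the parent's list, and every directory below
# subdir1/ inherits it, so user1 authenticates once for the whole subtree.
Require user admin user1

# ---- dir/subdir2/.htaccess : admin and user2 only ----
Require user admin user2

# ---- dir/subdir3/.htaccess : admin and user3 only ----
Require user admin user3

# Basic authentication sends the password base64-encoded, not encrypted,
# so the protected host should only be reachable over HTTPS.
```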

minarets

1:19 am on Jun 5, 2005 (gmt 0)


Ok, I've finally had some time to sit down and work on this, and I have the authentication working for multiple levels via users and groups files...

My next question is in regards to custom error documents.. I have built custom error pages for the rest of my site, which utilize the site's general color scheme, text size, etc... The folder for which I built .htaccess authentication is a subdomain of the main site. (Within my webhost's cpanel it is regarded as a completely separate area, and does not pick up the error pages from the main site.) So, my question is... if I place custom error documents in the directory protected via .htaccess, and a user enters the wrong credentials, or cancels out of the login screen, how do I get custom error pages to show up, if the directory itself is password protected and they cancelled out of the login? In other words, if they don't have permission to view the directory because they cancelled out, they won't have permission to see the error page load... right? Is there a way to make specific files NOT controlled by the authentication I placed in the .htaccess, or do I have to rely on the default standard apache error page for the authenticated directory?

-min

minarets

1:33 am on Jun 5, 2005 (gmt 0)


Here's what I'm currently getting when I cancel out of the login:
_____
Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Additionally, a 401 Authorization Required error was encountered while trying to use an ErrorDocument to handle the request.
_____

The last part suggests that the error documents themselves can't be accessed because the user doesn't have access to the folder...

-min

jdMorgan

1:59 am on Jun 5, 2005 (gmt 0)


Can you put the ErrorDocument above the protected folder in a "public" folder?

There may be a workaround using SetEnvIf REQUEST_URI, Satisfy any, and Allow from, but it's ugly.

Jim
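
The workaround named above (SetEnvIf on Request_URI, Satisfy any, Allow from), written out as an added example that is not from the original posts. The /errors/ path, the realm name, the AuthUserFile path and the public_error_doc variable are assumptions chosen for illustration.

```apache
# Added example: .htaccess at the top of the protected subdomain.
# Paths, realm name and the variable name are placeholders.

AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/example/private/.htpasswd
Require valid-user

# Must be a local URL-path so the 401 status still reaches the browser.
ErrorDocument 401 /errors/401.html

# Flag requests for the error pages. The pattern is anchored with ^ so
# that only URLs starting with /errors/ are exempted, not any URL that
# merely contains that string.
SetEnvIf Request_URI "^/errors/" public_error_doc

# Host-based check: refuse everyone except flagged requests.
Order deny,allow
Deny from all
Allow from env=public_error_doc

# Grant access when EITHER the host-based check OR authentication passes:
# /errors/* is served without a login, everything else still needs one.
Satisfy any

# Apache 2.4 without mod_access_compat: drop the Order/Deny/Allow/Satisfy
# lines and put "Require all granted" in /errors/.htaccess instead.
```

Stylesheets and images used by the error page must also live under the exempted path, and the ErrorDocument 401 target has to stay a local URL-path: with a full http:// URL the server sends a redirect instead of the 401 and the browser never prompts for credentials.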

minarets

2:26 am on Jun 5, 2005 (gmt 0)


I thought about that, but the whole idea here was to have the entire subdomain require authentication...

Also, wouldn't that require a page, in that directory, with a link to each of the subdirectories which would then require separate authentication? I don't want to do that, because I don't want user1 to even know user2 exists...

If they could somehow login and be automatically redirected to the appropriate directory based on their credentials, that would work, but I'm not sure if that's workable with .htaccess or if I'd need a more heavy-duty authentication system.

A side question... the AuthName "Whatever" line in the top-level .htaccess seems to override the AuthName statement in the subdirectories... For example, if dir1 has AuthName "Whatever" and dir1/subdir has AuthName "Something", I only see "Whatever", even when logging into the subdir... Any way to override that? I thought .htaccess overrides anything in a higher directory...

-min

minarets

3:18 am on Jun 5, 2005 (gmt 0)


Hmm... on thinking about it more, I think moving everything down one directory might work... Since each user will receive a direct link to their space anyway, I won't really need any kind of login page... I can probably get away with putting a 0-second meta refresh in the top level directory, pointing to the primary domain... so here's what I have now:

subdomain <- error pages and meta-refresh out to main site
subdomain/subdir1 <- accessible by admin user
subdomain/subdir1/subdir2, 3, etc <- access by users

Not quite as elegant as I had hoped, but it works and gives me time to do more research.

Still don't know why the AuthName overrides AuthName in subdirectories though... It's not critical, but would be nice to add a personalized touch.

-min