>Number: 3697
>Category: mod_auth-any
>Synopsis: authentication ignored on servlets directory only
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sat Jan 16 18:30:01 PST 1999
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.3.4
>Environment:
uname=>SunOS einstein.base2inc.com 5.7 Generic sun4u sparc SUNW,Ultra-1
gcc 2.8.1
java 1.1.7
apache-jserv 1.0b2 (static)
mod_jserv.c source copied into apache source tree in src/modules/jserv
and compiled in this manner:

    ./configure --with-layout=GNU --activate-module=src/modules/jserv/mod_jserv.o
    make

then httpd copied into /usr/local/apache/sbin
also configured with --enable-module=rewrite exhibited same systems both ways
also exhibits the same symptoms with apache version 1.3.1
>Description:
No matter what I do, the authentication is somehow bypassed on the servlets
directory only. Everything works fine on any htdocs directory as well as the
cgi-bin directory.

Servlets are located in /usr/local/apache/share/servlets

access.conf contains the following:

    <Directory /usr/local/apache/share/cgi-bin>
    Options None
    AllowOverride AuthConfig
    </Directory>

    <Directory /usr/local/apache/share/servlets>
    Options None
    AllowOverride AuthConfig
    </Directory>

Then the same .htaccess file is placed in both the cgi-bin as well as the
servlets directory that looks like:

    AuthUserFile /usr/local/apache/security/kit/users
    AuthGroupFile /usr/local/apache/security/kit/groups
    AuthName "Digital Workflow Toolkit"
    AuthType Basic
    require user fmorton

Again, this setup works fine with cgi and all htdocs directory, but not with
servlets for some reason. Accessing servlets does not even ask for a
user/password and happily runs the servlet. The servlet used is the
Hello.class file distributed with apache-jserv that is basically a
"hello world" servlet. Couldn't be any simpler.
>How-To-Repeat:
I can repeat it endlessly in the configuration above, but have not tried in
another environment. I suspect this is not so much a software bug but some
particular installation requirement with apache-jserv combined with the
authentication module. I have tried all other avenues I know of to get this
resolved without success.
>Fix:
>Audit-Trail:
>Unformatted:
