DO NOT REPLY [Bug 25055] - bypass of apache authentication

2004-12-22 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://issues.apache.org/bugzilla/show_bug.cgi?id=25055.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=25055


[EMAIL PROTECTED] changed:

           What      |Removed                 |Added
   Component         |Connector:Coyote JK 2   |Connector:JK/AJP (deprecated)




-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



DO NOT REPLY [Bug 25055] - bypass of apache authentication

2004-12-22 Thread bugzilla


[EMAIL PROTECTED] changed:

           What      |Removed   |Added
    Severity         |normal    |enhancement
      Status         |NEW       |RESOLVED
  Resolution         |          |WONTFIX




--- Additional Comments From [EMAIL PROTECTED]  2004-12-22 23:09 ---
Quoting Bill Barker:

> Enhancement request at best (and not one that I like).  Security should be
> done by Tomcat in this case.  mod_jk/Apache2 bypasses directory_walk, so
> '.htaccess' is never looked at.

On this basis I am marking this as WONTFIX.




DO NOT REPLY [Bug 25055] - bypass of apache authentication

2004-12-22 Thread bugzilla





--- Additional Comments From [EMAIL PROTECTED]  2004-12-22 23:56 ---
I don't consider this an enhancement, I consider this a bug.




DO NOT REPLY [Bug 25055] - bypass of apache authentication

2004-09-20 Thread bugzilla

bypass of apache authentication





--- Additional Comments From [EMAIL PROTECTED]  2004-09-20 18:56 ---
Since the problem seems to lie inside Apache hooks, I spent some time exploring
the hooks configuration in the Apache 2 mod_jk2/mod_jk modules.

This is the piece of code involved:

static void jk2_register_hooks(apr_pool_t * p)
{
    ap_hook_handler(jk2_handler, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_post_config(jk2_post_config, NULL, NULL, APR_HOOK_MIDDLE);

    /* Force the mpm to run before us and set the scoreboard image */
    ap_hook_child_init(jk2_child_init, NULL, NULL, APR_HOOK_LAST);

    ap_hook_translate_name(jk2_translate, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_map_to_storage(jk2_map_to_storage, NULL, NULL, APR_HOOK_MIDDLE);
}

I see nothing about authentication in this. Furthermore, I don't see where
.htaccess handling takes place inside Apache 2 request processing. If anyone has
any idea on how to configure mod_jk for Apache 2, please let us know.




DO NOT REPLY [Bug 25055] - bypass of apache authentication

2004-09-16 Thread bugzilla

bypass of apache authentication





--- Additional Comments From [EMAIL PROTECTED]  2004-09-16 13:26 ---
See the comment From [EMAIL PROTECTED] in bug 
http://issues.apache.org/bugzilla/show_bug.cgi?id=29834

htaccess file handling did not change, but the connector module hooks

So, the problem seems to be closed on the Apache side. 

Module hooks are a major issue in Apache 2, particularly when we talk about
priorities between modules. In our problem, mod_jk bypasses the .htaccess
authentication in Apache 2. This could be an interesting line of investigation.

I tried again to change the LoadModule order without success. 

Has anyone got an idea?




DO NOT REPLY [Bug 25055] - bypass of apache authentication

2004-09-10 Thread bugzilla

bypass of apache authentication





--- Additional Comments From [EMAIL PROTECTED]  2004-09-10 13:52 ---
The link to the same bug submitted in Apache 2 bugzilla. 

http://issues.apache.org/bugzilla/show_bug.cgi?id=29834

It can be reassigned, but I think the problem might lie
- either in the mod_jk/mod_jk2 implementation for Apache 2
- or in the Apache 2 API?

So, it can be useful to leave it in both databases as long as we don't know
which one is concerned...




DO NOT REPLY [Bug 25055] - bypass of apache authentication

2004-09-09 Thread bugzilla

bypass of apache authentication





--- Additional Comments From [EMAIL PROTECTED]  2004-09-09 17:10 ---
I posted this one in Apache 2.0 bug database.
I think I found the problem but no solution to it.
I agree, this is a security issue.

___

There seems to be a difference between Apache 1.3 and 2.0: they don't handle
.htaccess files the same way.

Let's say I have a site, protected with an authentication module (e.g.
mod_auth_pgsql).
The site is open to everyone, but some directories are dynamically group protected.

In this case, we have a httpd.conf with:

    <Directory /var/www/html/mysite>
        AuthName "My Realm"
        AuthType basic
        Auth_PG_host myhost.mydomain.org
        Auth_PG_port 5432
        Auth_PG_database users
        Auth_PG_encrypted off
        Auth_PG_user admin
        Auth_PG_pwd admin
        Auth_PG_pwd_table users
        Auth_PG_uid_field iduser
        Auth_PG_pwd_field passwd
        Auth_PG_grp_table group
        Auth_PG_grp_user_field iduser
        Auth_PG_grp_group_field group
        AllowOverride All
    </Directory>

and a .htaccess file in /var/www/html/mysite/secretdir that requires a
particular group

    Require group secret

This works perfectly in both versions (1.3 and 2.0) with both mod_auth_pgsql
adapted modules. All files within secretdir are protected.

The problem appears when you ask Apache to serve JSP files, which are handled
by Tomcat through a mod_jk or mod_jk2 connector (same behavior, I tried it):

- in Apache 1.3, the jsp files are protected like htm files: the .htaccess
directives are taken into account BEFORE tomcat handles jsp files
- in Apache 2.0, the jsp is handled by tomcat WITHOUT looking at .htaccess (they
are visible to everyone and I can't getRemoteUser - returns null)

I tried to change the modules loading order without success.
I have the same difference with mod_jk and mod_jk2, and with several
Basic Authentication Modules.

Apache 2.0 works if the REQUIRE directive is set in httpd.conf, but this is not
dynamic and therefore doesn't fit my needs.

I wonder if there is a magic trick to force Apache 2.0 to handle mod_jk like
Apache 1.3 does.

Configuration : (Apache 2.0.49 / Apache 1.3.27 + mod_jk / mod jk2 and tomcat 4.1.29)

Thanks for reading

Alexis
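As an added illustration (not part of this bug thread, and not mod_jk or Apache code), the following Python script audits an Apache 2 + mod_jk configuration for exactly the pattern Alexis describes: a Require that exists only in a .htaccess file under a directory whose JSP requests are JkMount-ed to Tomcat. Because mod_jk's map_to_storage hook skips directory_walk for mounted URIs, such a Require is never evaluated. Assumptions made here: the httpd.conf and .htaccess samples are constructed, not taken from the report; a Require inside a <Location> block in httpd.conf is treated as effective, following the reporter's observation that Require in httpd.conf works (location_walk does not depend on the map_to_storage hook); a Require inside a <Directory> block is deliberately not treated as effective, since <Directory> sections are merged by directory_walk; JkMount coverage is approximated by the literal prefix before the first `*` (mod_jk's `*` matches across `/`); and the directive parsing is simplified (one directive per line, no Include files).

```python
"""Find JkMount-ed URL trees whose only Require lives in .htaccess (the
configuration that Apache 2 + mod_jk silently bypasses, see bug 25055)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Regexes for the few httpd.conf directives the audit needs (assumption: one
# directive per line, no Include files, <Location> blocks not nested).
_DOCROOT = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)', re.I | re.M)
_JKMOUNT = re.compile(r'^\s*JkMount\s+(\S+)\s+\S+', re.I | re.M)
_LOCATION = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.I | re.S)
_REQUIRE = re.compile(r'^\s*Require\s+\S', re.I | re.M)


@dataclass(frozen=True)
class Finding:
    jkmount: str        # JkMount pattern that sends the requests to Tomcat
    htaccess_dir: str   # URL prefix whose only Require lives in .htaccess


def parse_jkmounts(httpd_conf: str) -> list[str]:
    """JkMount URL patterns (first argument of each JkMount line)."""
    return _JKMOUNT.findall(httpd_conf)


def parse_protected_locations(httpd_conf: str) -> list[str]:
    """URL prefixes whose <Location> block in httpd.conf carries a Require.
    <Directory> blocks are intentionally ignored: they are merged by
    directory_walk, which mod_jk skips for mounted URIs."""
    return [path for path, body in _LOCATION.findall(httpd_conf)
            if _REQUIRE.search(body)]


def htaccess_url_dirs(document_root: str, htaccess_files: dict[str, str]) -> list[str]:
    """URL prefixes (with trailing '/') of directories whose .htaccess has a Require."""
    root = document_root.rstrip('/')
    out = []
    for path, body in htaccess_files.items():
        if not _REQUIRE.search(body):
            continue
        directory = path.rsplit('/', 1)[0]          # drop the ".htaccess" name
        if directory.startswith(root):
            url = directory[len(root):] or '/'
            out.append(url if url.endswith('/') else url + '/')
    return out


def covers(pattern: str, url_dir: str) -> bool:
    """True if a JkMount pattern can match requests under url_dir.  The literal
    prefix before the first '*' decides (assumption: mod_jk's '*' matches '/')."""
    literal = pattern.split('*', 1)[0]
    return url_dir.startswith(literal) or literal.startswith(url_dir)


def under_protected_location(url_dir: str, locations: list[str]) -> bool:
    return any(url_dir.startswith(loc.rstrip('/') + '/') for loc in locations)


def audit(httpd_conf: str, htaccess_files: dict[str, str]) -> list[Finding]:
    """Report JkMount patterns that reach directories whose Require exists only
    in .htaccess, with no <Location> Require in httpd.conf covering them."""
    m = _DOCROOT.search(httpd_conf)
    document_root = m.group(1) if m else '/var/www/html'
    mounts = parse_jkmounts(httpd_conf)
    safe_locations = parse_protected_locations(httpd_conf)
    findings = []
    for url_dir in htaccess_url_dirs(document_root, htaccess_files):
        if under_protected_location(url_dir, safe_locations):
            continue
        findings.extend(Finding(mount, url_dir) for mount in mounts
                        if covers(mount, url_dir))
    return findings


# Constructed sample mirroring the report: /mysite keeps its auth settings in a
# <Directory> block and its group Require only in secretdir/.htaccess, while
# /intranet carries its Require in a <Location> block in httpd.conf.
SAMPLE_HTTPD_CONF = """
DocumentRoot /var/www/html
JkMount /mysite/*.jsp ajp13
JkMount /mysite/servlet/* ajp13
JkMount /intranet/*.jsp ajp13

<Directory /var/www/html/mysite>
    AuthType Basic
    AuthName "My Realm"
    AllowOverride All
</Directory>

<Location /intranet>
    AuthType Basic
    AuthName "Intranet"
    Require valid-user
</Location>
"""

SAMPLE_HTACCESS = {  # constructed: path of each .htaccess -> its content
    "/var/www/html/mysite/secretdir/.htaccess": "Require group secret\n",
    "/var/www/html/intranet/reports/.htaccess": "Require group finance\n",
    "/var/www/html/mysite/public/.htaccess": "Options -Indexes\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_HTTPD_CONF, SAMPLE_HTACCESS):
        print(f"JkMount {f.jkmount} reaches {f.htaccess_dir}, whose Require is "
              f".htaccess-only and is not applied to Tomcat-handled requests")
```

Run against the sample, the audit flags /mysite/secretdir/ (reached by JkMount /mysite/*.jsp) and stays silent on /intranet/reports/, whose <Location /intranet> Require in httpd.conf still applies. The two remedies the thread itself names are to move the Require into httpd.conf, or, as Bill Barker suggests, to enforce the constraint in Tomcat rather than in Apache.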




DO NOT REPLY [Bug 25055] - bypass of apache authentication

2004-09-09 Thread bugzilla

bypass of apache authentication

[EMAIL PROTECTED] changed:

           What      |Removed   |Added
          CC         |          |[EMAIL PROTECTED]



--- Additional Comments From [EMAIL PROTECTED]  2004-09-09 18:36 ---
*** Bug 25367 has been marked as a duplicate of this bug. ***




DO NOT REPLY [Bug 25055] - bypass of apache authentication

2004-09-09 Thread bugzilla

bypass of apache authentication





--- Additional Comments From [EMAIL PROTECTED]  2004-09-09 21:19 ---
Can we have a link to the apache bug?  And shouldn't the status of this bug be
changed to ASSIGNED already?




DO NOT REPLY [Bug 25055] - bypass of apache authentication

2004-02-02 Thread bugzilla
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25055

bypass of apache authentication

[EMAIL PROTECTED] changed:

           What      |Removed                                   |Added
     Summary         |getRemoteUser() returns null - bypass of  |bypass of apache authentication
                     |apache authentication                     |



--- Additional Comments From [EMAIL PROTECTED]  2004-02-02 13:10 ---
I had 3 private emails the past week about this issue from people who have the
same problem. I referred them to my comment from 2003-12-02 07:43.

As this is a security issue, I think this bug is important enough to justify a
comment in the release notes of mod_jk... 

I'm also changing the summary to reflect the real problem in this bug report and
not the initial problem I had encountered.
