After extensive googling, I've found many examples of:
- Parent directory is open to public, but subdirectory and/or specific file(s) require(s) authentication
- Parent directory requires authentication, but subdirectory and/or specific file(s) are open to the public
These two objectives both seem easier and possible to achieve.
However, I can't seem to find a question, or an answer to how to do the following:
- Parent directory authenticates to a group and user password file, while subdirectory authenticates to an independent group and user password file.
Is this possible?
e.g.
given:/wwwroot/dir
/wwwroot/dir/subdir
httpd.conf
:
<Directory "/wwwroot/dir"> Options Indexes SymLinksIfOwnerMatch AuthType Basic AuthName "Restricted Files" AuthBasicProvider file AuthUserFile /passwd/passwd.users AuthGroupFile /passwd/groups Require group some.People</Directory><Directory "/wwwroot/dir/subdir"> Options SymLinksIfOwnerMatch AuthType Basic AuthName "Other Restricted Files" AuthBasicProvider file AuthUserFile /passwd/passwd.other.users AuthGroupFile /passwd/other.groups Require group other.People</Directory>
This doesn't seem to work at all. Users from some.People
still have access to /wwwroot/dir/subdir
, and users from other.People
don't authenticate at all.
I even tried this (which is not really what I want):
httpd.conf
:
<Directory "/wwwroot/dir"> Options Indexes SymLinksIfOwnerMatch AuthType Basic AuthName "Restricted Files" AuthBasicProvider file AuthUserFile /passwd/passwd.users AuthGroupFile /passwd/groups Require group some.People other.People</Directory><Directory "/wwwroot/dir/subdir"> Options SymLinksIfOwnerMatch AuthType Basic AuthName "Restricted Files" AuthBasicProvider file AuthUserFile /passwd/passwd.users AuthGroupFile /passwd/groups Require group other.People</Directory>
This is setup with a shared AuthName
and shared set of group and user password files. Even if this worked as I conceived it, this is not really what I want, since it would mean that other.People
have access to the /wwwroot/dir
parent directory. However, even using this setup, I can't get other.People
to successfully authenticate in /wwwroot/dir/subdir
.
I found a slightly cryptic note in the apache docs that multiple <Directory>
directives that apply to the same directory are evaluated in the order that they appear in the config file, so I also tried swapping the two section above around, but that didn't seem to make any difference. There's another note, seemingly contradictory, that <Directory>
directives are evaluated in order of shortest path to longest, which seems to me to indicate that /wwwroot/dir
will always be processed before /wwwroot/dir/subdir
.