You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/12/09 19:28:45 UTC

DO NOT REPLY [Bug 25367] New: - SECURITY requests for jsp pages bypass apache AuthUserFile directive

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25367>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25367

SECURITY requests for jsp pages bypass apache AuthUserFile directive

           Summary: SECURITY requests for jsp pages bypass apache
                    AuthUserFile directive
           Product: Tomcat 4
           Version: 4.1.18
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Connector:JK/AJP (deprecated)
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: jks@iname.com


I have this in my apache config:
<Directory "/local/webapps/wa">
 AuthType Basic
 AuthName "wa"
 AuthUserFile /usr/local/apache2/passwd/wa
 require user admins
</Directory>

This will block requests for html files, even /server-status, but not jsps.  I'm
using jk connector 1.2.5

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org