tags:

views:

96

answers:

2
+1  Q: 

.htaccess mod-rewrite conflicting with subfolder auth

I have a site which redirects all requests for files/folders which don't exist to an index file using .htaccess: 

RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d 
RewriteRule ^.*$ - [NC,L]
RewriteRule !admin/* index.php [NC,L]

There is a folder "admin/" which has the following in .htaccess for auth: 

AuthType Basic
AuthName "admin"
AuthUserFile "/path/to/passwd"
require valid-user

Adding the auth .htaccess file in "admin/" causes the request to be trapped by mod-rewrite instead of providing the authentication response. I've tried a few different things trying to work around this (including this: http://stackoverflow.com/questions/1641666/htaccess-rewrite-and-auth-conflict), but couldn't get any purchase.

Thanks.

EDIT: If I'm already authenticated, the rewrite rule works allowing me to access the "admin/" folder. So it seems that it's the authentication challenge that's doing something wonky.

A: 

when you say you tried the solution from the other post, what did your code look like?

Something like this:

RewriteCond %{REQUEST_URI} !/admin/

I don't see why that wouldn't work.

Matthew J Morrison  2010-06-29 20:26:32
I tried exactly that prior to posting this question, and it didn't work. That's when I figured that was more going on than I knew. RewriteCond %{REQUEST_FILENAME} -s [OR] RewriteCond %{REQUEST_FILENAME} -l [OR] RewriteCond %{REQUEST_FILENAME} -d RewriteCond %{REQUEST_URI} !admin/ RewriteRule ^.*$ - [NC,L] RewriteRule ^.*$ index.php [NC,L]
ironkeith  2010-06-29 20:48:41
A: 

Let me suggest a simplified form for the rewriting rules:

RewriteCond %{REQUEST_FILENAME} !-s
RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteRule !^admin/ index.php [NC,L]

This incorporates Matthew's suggestion of checking the path against /admin/ (in .htaccess files you omit the leading slash).

You might also need to use a

RewriteBase /

before the first RewriteCond line.

David Zaslavsky  2010-06-29 20:37:55
I gave that a try, but unfortunately it didn't work (unless I removed the .htaccess file from the admin folder). Also, removing "RewriteRule ^.*$ - [NC,L]" breaks the rewrite.
ironkeith  2010-06-29 20:52:04
How did it break?
David Zaslavsky  2010-06-29 20:53:35
It no longer redirected requests to the index.php file. They all just 404'd.
ironkeith  2010-06-29 21:48:22
Maybe something is wrong with the pattern `!^admin/`. You could try changing it to `.*` (i.e. match everything) just as a test to see what happens.
David Zaslavsky  2010-06-30 03:52:13
Naw, the rule works perfectly, just not when there's a .htaccess auth file in the "admin/" folder. It's really got me baffled.
ironkeith  2010-06-30 15:12:07
Hm, well, I'm out of ideas :( sorry...
David Zaslavsky  2010-06-30 16:52:10

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication