Lucee 4.5.5.006 final and password protected folders / files


corp...@gmail.com

Feb 24, 2017, 4:07:21 AM
to Lucee
Hello,

I've got an older Lucee install (Lucee 4.5.5.006 final) running on CentOS 6.8.

Apache is the web server, and I have a few folders protected with .htaccess files and basic auth.

This works fine for the folders, for example www.example.net/admin/ throws up the basic auth page as expected.  Inside this /admin folder are a number of files, .jpg, .htm, .html, etc. and a few .cfm files.

However, if I close my browser to clear the basic auth, and then hit www.example.net/admin/foo.cfm the file is served without a prompt for a password.  If I hit one of the other files, I'm immediately prompted for a password.

It seems somewhere in this chain of servers (Apache/Tomcat/Lucee) something isn't respecting the .htaccess when the file to be served has a .cfm extension.

Does anyone have any ideas how I can make this work as expected? Or is there some other way to correctly password protect folders served by Lucee?


Thanks for your time.

Joseph Gooch

Feb 24, 2017, 4:13:37 PM
to lu...@googlegroups.com
My guess is you have a caching issue, not an auth issue. If you hit refresh on foo.cfm, I'd bet it asks for a password.
Similarly, if you check the Apache logs, either no request is sent, or it sends back a 304 instead of a 200. (Please verify.)

You can eliminate such things in Apache by sending pragma no-cache headers, or deal with it in ColdFusion:

        <!--- Send no-cache headers once per request (guarded by Request.PageExpired). --->
        <cffunction name="expirePage" access="public" output="false" returntype="void">
                <cfif Not StructKeyExists(Request, "PageExpired") or not Request.PageExpired>
                        <cfheader name="Pragma" value="no-cache" />
                        <cfheader name="Cache-Control" value="no-cache, must-revalidate" />
                        <cfheader name="Last-Modified" value="#rfc822DateTimeString(now())#" />
                        <cfheader name="Expires" value="Mon, 26 Jul 1997 05:00:00 GMT" />
                        <cfset Request.PageExpired = true />
                </cfif>
        </cffunction>


        <!--- Format a date/time as an RFC 822 GMT string; returns "" for non-date input. --->
        <cffunction name="rfc822DateTimeString" access="public" returntype="string" output="no">
                <cfargument name="dateTime" required="yes" />

                <cfset var gmtTime = '' />
                <cfif not IsNumericDate(arguments.dateTime)>
                        <cfreturn "" />
                </cfif>
                <cfset gmtTime = DateConvert("local2utc", arguments.dateTime) />
                <cfreturn "#DateFormat(gmtTime, 'ddd, dd mmm yyyy')# #TimeFormat(gmtTime, 'HH:mm:ss')# GMT" />
        </cffunction>

Of course, doing it in ColdFusion only protects your cfms. :)  But that's where the data requiring auth is most likely to be anyway.

-G



corp...@gmail.com

Feb 25, 2017, 5:47:59 PM
to Lucee
I only wish it was a cache issue.  I tried the pragma no-cache header and have the same issue.

For testing, I spun up another Lucee server on a test domain and created one folder, and protected it with a .htaccess file.
If I hit www.example.net/protected/index.cfm, the file is served up without needing authentication. (First time I've ever hit it, so no cache.)
If I hit www.example.net/protected/, I'm prompted to log in.

I suspected this has something to do with the proxy setup in Apache, where it sends .cfm to Tomcat over port 8888, so I took this one step further and moved the authentication into httpd.conf (or, in my case, an included vhosts.conf) and discovered that even here the proxy pass takes priority over the auth config; requests are served without any authentication at all.

So I grabbed the latest modcfml from GitHub and compiled it into Apache, as the author references this very issue in the source code, but no change that I could see.

So I'm not completely sure where this leaves me, as clearly there must be a way to protect specific folders... I just can't seem to find it.

Next I'm going to bring up another virtual machine and do a fresh install and see if it's an out-of-the-box issue, or something in my configuration.

Thanks for taking the time to respond.
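
The behaviour described in this post, as an added configuration example that is not part of the original thread: authentication attached to a filesystem path (`.htaccess` or `<Directory>`) is skipped for proxied `.cfm` requests, while authentication attached to the URL path with `<Location>` is applied to them. The document root, password file path and the exact form of the proxy rule are assumptions; only port 8888 comes from the post.

```apache
# --- Bypassed for .cfm: auth tied to the filesystem path -------------------
# <Directory> sections and .htaccess files are applied while Apache maps a
# request to a file on disk. A request matched by ProxyPassMatch is handed to
# mod_proxy instead of being mapped to disk, so this block is never consulted
# for /admin/foo.cfm, although it still protects /admin/ and static files.
<Directory "/var/www/html/admin">              # assumed document root
    AuthType Basic
    AuthName "Admin"
    AuthUserFile "/etc/httpd/conf/admin.htpasswd"   # placeholder path
    Require valid-user
</Directory>

# Proxy rule that forwards CFML requests to Tomcat (assumed form).
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ http://127.0.0.1:8888/$1$2

# --- Enforced for .cfm: auth tied to the URL path --------------------------
# <Location> is matched against the request URL rather than a file path, so
# it is merged for proxied requests too. Place it in the same virtual host
# as the proxy rule. It covers /admin, /admin/ and everything below it.
<Location "/admin">
    AuthType Basic
    AuthName "Admin"
    AuthUserFile "/etc/httpd/conf/admin.htpasswd"   # placeholder path
    Require valid-user
</Location>
```

After reloading Apache, an unauthenticated request for both `/admin/` and `/admin/foo.cfm` should return 401. The Tomcat connector on port 8888 should listen only on the loopback interface, since any client that can reach it directly never passes through Apache's authentication.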

mee nothus

Mar 21, 2017, 8:44:48 PM
to Lucee
I've run into the same issue with Lucee 4.5.5.006 with Ubuntu and have not been able to solve it. Pretty sure it's the Apache config, as it does seem to be the proxy taking over when it's serving cfm files.

Geoff Bowers

Mar 22, 2017, 8:01:13 PM
to Lucee


On Wednesday, 22 March 2017 11:44:48 UTC+11, mee nothus wrote:
I've run into the same issue with Lucee 4.5.5.006 with Ubuntu and have not been able to solve it. Pretty sure it's the Apache config, as it does seem to be the proxy taking over when it's serving cfm files.

The mailing list is being retired.  You can rejoin this conversation here:
