Lucee final and password protected folders / files


I’ve got an older Lucee install (Lucee final) running on CentOS

Apache is the web server, and I have a few folders protected with .htaccess
files and basic auth.

This works fine for the folders, for example throws
up the basic auth page as expected. Inside this /admin folder are a number
of files, .jpg, .htm, .html, etc. and a few .cfm files.

However, if I close my browser to clear the basic auth, and then hit the file is served without a prompt for a
password. If I hit one of the other files, I’m immediately prompted for a

It seems somewhere in this chain of servers apache/tomcat/lucee something
isn’t respecting the .htaccess when the file to be served contains a .cfm

Does anyone have any ideas how I can make this work as expected? or is
there some other way to correctly password protect folders served by lucee?

Thanks for your time.

My guess is you have a caching issue, not a auth issue. If you hit refresh
on foo.cfm, I’d bet it asks for a password.
Similarly if you check the apache logs, either no request is sent, or it
sends back a 304 instead of a 200. (please verify)

You can eliminate such things in Apache by sending pragma no-cache headers,
or deal with it in coldfusion:

        <cffunction name="expirePage" access="public" output="false"
                <cfif Not StructKeyExists(Request, "PageExpired") or not
                        <cfheader name="Pragma" value="no-cache" />
                        <cfheader name="Cache-Control" value="no-cache,
must-revalidate" />
                        <cfheader name="Last-Modified"
value="#rfc822DateTimeString(now())#" />
                        <cfheader name="Expires" value="Mon, 26 Jul 1997
05:00:00 GMT" />
                        <cfset Request.PageExpired = true />

        <cffunction name="rfc822DateTimeString" access="public"
returntype="string" output="no">
                <cfargument name="dateTime" required="yes" />

                <cfset var gmtTime = '' />
                <cfif not IsNumericDate(arguments.dateTime)>
                        <cfreturn "" />
                <cfset gmtTime = DateConvert("local2utc",
arguments.dateTime) />
                <cfreturn "#DateFormat(gmtTime, 'ddd, dd mmm yyyy')#
#TimeFormat(gmtTime, 'HH:mm:ss')# GMT" />

Of course doing it in coldfusion only protects your cfms. :slight_smile: But that’s
where the data requiring auth is most likely to be anyway.


I only wish it was a cache issue. I tried the pragma no-cache header and
have the same issue.

For testing, I spun up another Lucee server on a test domain and created
one folder, and protected it with a .htaccess file.
if I hit the the file is served up
without needing authentication. (first time I’ve ever hit it - so no cache)
if I hit the I’m prompted to login.

I suspected this has something to do with the proxy setup in apache, where
it sends .cfm to tomcat over port 8888 so I took this one step further, and
moved the authentication into httpd.conf or in my case I have an included
vhosts.conf and discovered that even here, the proxy pass takes priority
over the auth config requests are served without any authentication at all.

So I grabbed the latest modcfml from github, and compiled it into apache,
as the author references this very issue in the source code but no change
that I could see.

So I’m not completely sure where this leaves me, as clearly there must be a
way to protect specific folders… I just can’t seem to find it.

Next I’m going to bring up another virtual machine and do a fresh install
and see if its an out of the box issue, or something in my configuration.

Thanks for taking the time to respond.

I’ve run into the same issue with lucee with ubuntu not been able to solve it, pretty sure it’s the apache config as it does seem to be the proxy taking over when it’s serving cfm files.

I had the same problem. Solved it with the location directive inside a virtual host configuration.

<Location /mytomcatapp>
  AuthType Basic
  AuthName "Wrapper auth"
  AuthBasicProvider file
  AuthUserFile "/path/to/users.htpasswd"
  Require valid-user