SOLVED - Tomcat bypasses Basic auth. (also, Enable basic auth in Lucee)

I’ve never seen this happen. In the words of Lewis Black, “I am confused.”

Apache conf file for the virtual host:

<Directory "/websites/this.domain.com/web/pluto">
	AllowOverride None
	AuthType Basic
	AuthName "plutoLivesHere"
	AuthUserFile /etc/apache2/passwords/webauth
	Require user plutoAdmin
</Directory>

So, when I point my browser to

https://this.domain.com/pluto

Apache asks for my credentials.

BUT… when I open a fresh browser window (quit Firefox, clear all history, etc. and re-launch Firefox), and point to

https://this.domain.com/pluto/index.cfm

No auth required.

I can do this on any protected directory. Just accessing the directory itself requires credentials. Any CFM file will process and load without credentials. And that’s after multiple attempts to fix this, tinker with /conf/server.xml, clear out passwords in browser, clear history, cache, etc.

All web CFM files are www-data:www-data

What the?

After a long night and morning… the problem is “User-error!” Or, more appropriately, admin error.

The TL;DR solution was to use the “Location” directive properly.

I also decided to use the “Define” directive and move some common directories to a separate include conf file.

How to use the Define directive:
Define a variable called ‘listofusers’ that holds the list of users who can access certain directories (see core - Apache HTTP Server Version 2.4). The variable is then referenced elsewhere in the configuration as ${listofusers}.
It takes the form: Define parameter-name parameter-value
ex: Define myVar foobar
ex: Define myVar "foobar foobar1 foobar2"

Here is a virtual host conf file that works as intended (I have tested it) with CFM/AJP, and in this example, I am also redirecting any non-SSL requests to SSL.

SSLStrictSNIVHostCheck on
<VirtualHost *:443>

	ServerAdmin adin@www.this-site.org

	ServerName www.this-site.org

	ServerAlias this-site.org w.this-site.org ww.this-site.org wwww.this-site.org

	DocumentRoot /websites/this-site/www.this-site.org/web

	DirectoryIndex index.cfm index.html

	RewriteEngine On
	RewriteOptions Inherit
	RewriteCond %{HTTP_HOST} !^www\.
	RewriteRule ^(.*)$ https://www.this-site.org/ [R=301,L]

	SSLEngine on
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateFile /etc/letsencrypt/live/www.this-site.org/cert.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/www.this-site.org/privkey.pem
	SSLCertificateChainFile /etc/letsencrypt/live/www.this-site.org/chain.pem

	# Various common virtual host includes used in this CFM site
	Include /etc/apache2/my-apache-cf-ajp.conf
	Include /etc/apache2/my-apache-cf-secure-lucee.conf

	# Secured directories: list of users and include conf
	Define listofusers "adminuser1 adminuser2 simpleuser1"
	Include /etc/apache2/my-apache-secure-directories.conf

	<Directory "/websites/this-site/www.this-site.org/web">
		AllowOverride None
	</Directory>

	CustomLog /websites/this-site/www.this-site.org/log/www.this-site.org.ssl.access.log vhost_combined
	ErrorLog /websites/this-site/www.this-site.org/log/www.this-site.org.ssl.error.log
	# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
	LogLevel error

</VirtualHost>

And the critical include conf file where the variable “listofusers” is consumed:

Contents of /etc/apache2/my-apache-secure-directories.conf

# Protects the /admin URL path (and everything beneath it) which derrick works with.
# Matched on the request URI, so requests proxied to Lucee over AJP are covered too.
<Location /admin>
	SSLRequireSSL
	AuthType Basic
	AuthName "AdminAarea"
	AuthUserFile /etc/apache2/passwords/webauth
	Require user ${listofusers}
</Location>
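Why the original <Directory> block never challenged index.cfm: .cfm requests are handed to Lucee over AJP by the connector include, and Apache does not map a proxied request to a filesystem path, so <Directory> sections (and the AuthType inside them) are skipped for those requests, while <Location> matches on the request URI and covers both /pluto and /pluto/index.cfm. The audit script below is an added example, not code from the post or from Lucee; it flags Basic auth placed in <Directory> while .cfm is proxied over AJP, and the ProxyPassMatch line in its constructed samples is an assumed stand-in for the unshown /etc/apache2/my-apache-cf-ajp.conf.

```python
"""Added audit (not from the post or Lucee): flag Basic auth placed in <Directory>
blocks while .cfm requests are proxied to Tomcat/Lucee over AJP, which they never cover."""
import re

# <Directory "/path"> ... </Directory>, path quoted or bare
DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.I | re.S)
# A line handing requests to AJP: mod_proxy ajp://, RewriteRule [P], or mod_jk JkMount
AJP_RE = re.compile(r'^\s*(?:JkMount\b|(?:ProxyPass(?:Match)?|RewriteRule)\b.*\bajp://)', re.I | re.M)
# Directives that put a block under authentication
AUTH_RE = re.compile(r'^\s*(?:AuthType\b|Require\s+(?:user|valid-user|group)\b)', re.I | re.M)

def strip_comments(conf):
    """Drop '#' comment lines so commented-out directives are not counted."""
    return "\n".join(line for line in conf.splitlines() if not line.lstrip().startswith("#"))

def auth_directories(conf):
    """Filesystem paths of <Directory> blocks that carry authentication."""
    return [path for path, body in DIRECTORY_RE.findall(strip_comments(conf))
            if AUTH_RE.search(body)]

def audit(conf):
    """One finding per auth-bearing <Directory> when .cfm is proxied over AJP."""
    if not AJP_RE.search(strip_comments(conf)):
        return []
    return [f"{p}: AuthType/Require in <Directory> is skipped for proxied .cfm "
            "requests; move it to a <Location> on the URL path" for p in auth_directories(conf)]

# Constructed sample: the post's original <Directory> block plus an assumed
# Lucee-style connector line standing in for /etc/apache2/my-apache-cf-ajp.conf.
BROKEN_CONF = r"""
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://localhost:8009/$1$2
<Directory "/websites/this.domain.com/web/pluto">
    AuthType Basic
    AuthName "plutoLivesHere"
    AuthUserFile /etc/apache2/passwords/webauth
    Require user plutoAdmin
</Directory>
"""
# Constructed sample of the fix: auth keyed on the URL path, so /pluto and
# /pluto/index.cfm are both challenged.
FIXED_CONF = r"""
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://localhost:8009/$1$2
Define listofusers "adminuser1 adminuser2"
<Location /pluto>
    AuthType Basic
    AuthName "plutoLivesHere"
    AuthUserFile /etc/apache2/passwords/webauth
    Require user ${listofusers}
</Location>
"""
```

Feed audit() the Include-expanded configuration (apachectl -t -D DUMP_INCLUDES lists the files to concatenate), since here the AJP connector line lives in a separate include from the vhost.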