SOLVED - Tomcat bypasses Basic auth. (also, Enable basic auth in Lucee)

I’ve never seen this happen. In the words of Lewis Black, “I am confused.”

Apache.conf file for virtual host:

# Note: a <Directory> section only matches requests that Apache maps to the
# filesystem. Requests handed to Tomcat/Lucee over AJP (the *.cfm files) are
# never mapped to a file under /websites/, so this auth is skipped for them.
<Directory "/websites/">
		AllowOverride None
		AuthType Basic
		AuthName "plutoLivesHere"
		AuthUserFile /etc/apache2/passwords/webauth
		Require user plutoAdmin
</Directory>

So, when I point my browser to

Apache asks for my credentials.

BUT… when I open a fresh browser window (quit Firefox, clear all history, etc. and re-launch Firefox), and point to

No auth required.

I can do this on any protected directory. Just accessing the directory itself requires credentials. Any CFM file will process and load without credentials. And that’s after multiple attempts to fix this, tinker with /conf/server.xml, clear out passwords in browser, clear history, cache, etc.

All web CFM files are www-data:www-data

What the?

After a long night and morning… the problem is “User-error!” Or, more appropriately, admin error.

The TL;DR solution was to use the “Location” directive properly.

I also decided to use the “Define” directive and move some common directories to a separate include conf file.

How to use the Define directive:
Define a variable called ‘listofusers’ listing the users who can access certain directories (see
It takes the form parameter-name parameter-value, e.g.:
	Define myVar foobar
	Define myVar "foobar foobar1 foobar2"

Here is a virtual host conf file that works as intended (I have tested it) with CFM/AJP, and in this example, I am also redirecting any non SSL requests to SSL.

SSLStrictSNIVHostCheck on
<VirtualHost *:443>
	DocumentRoot /websites/this-site/
	DirectoryIndex index.cfm index.html
	RewriteEngine On
	RewriteOptions Inherit
	RewriteCond %{HTTP_HOST} !^www\.
	# (the redirect target URL is missing from the post as copied)
	RewriteRule ^(.*)$ [R=301,L]
	SSLEngine on
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateFile /etc/letsencrypt/live/
	SSLCertificateKeyFile /etc/letsencrypt/live/
	SSLCertificateChainFile /etc/letsencrypt/live/
	# Various common virtual host includes used in this CFM site
	Include /etc/apache2/my-apache-cf-ajp.conf
	Include /etc/apache2/my-apache-cf-secure-lucee.conf
	# Secured directories list of users and include conf
	Define listofusers "adminuser1 adminuser2 simpleuser1"
	Include /etc/apache2/my-apache-secure-directories.conf
	<Directory "/websites/this-site/">
		AllowOverride None
	</Directory>
	CustomLog /websites/this-site/ vhost_combined
	ErrorLog /websites/this-site/
	# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
	LogLevel error
</VirtualHost>

And the critical include conf where the variable “listofusers” is passed in:

Contents of "Include /etc/apache2/my-apache-secure-directories.conf"

# Any subdirectories named admin which derrick works with
# <Location> matches the URL path, so it also covers *.cfm requests that are
# proxied to Tomcat/Lucee, unlike a <Directory> section.
<Location /admin>
	AuthType Basic
	AuthName "AdminAarea"
	AuthUserFile /etc/apache2/passwords/webauth
	Require user ${listofusers}
</Location>
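The fix above hinges on the difference between `<Directory>` (matches filesystem paths Apache serves itself) and `<Location>` (matches URL paths, so it also covers requests handed to Tomcat over AJP). The following is an added example, not code from the post or from the Apache or Lucee projects: a small Python linter that parses a vhost config, detects whether requests are proxied to a backend (`ProxyPass`, `ProxyPassMatch`, `JkMount`, or a `proxy:` `SetHandler`), flags Basic-auth blocks that sit in a `<Directory>` section, and also reports `${var}` references with no matching `Define` in the same text. The two sample configs, the `ajp://localhost:8009` backend and the user names are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example (not from the post): a static check for the misconfiguration
# described above. <Directory> sections match paths Apache maps to the
# filesystem; requests proxied to Tomcat/Lucee (ProxyPass*, JkMount, or a
# "proxy:" SetHandler) never map to a file, so auth placed there is skipped.

@dataclass
class Section:
    kind: str                      # "Directory", "Location", "VirtualHost", ...
    arg: str                       # "/websites/", "/admin", "*:443", ...
    directives: List[Tuple[str, str]] = field(default_factory=list)
    children: List["Section"] = field(default_factory=list)

OPEN = re.compile(r'^<(\w+)\s*(.*?)>$')
CLOSE = re.compile(r'^</(\w+)>$')
VAR = re.compile(r'\$\{(\w+)\}')
PROXY_DIRECTIVES = {"proxypass", "proxypassmatch", "jkmount"}

def parse(conf_text: str) -> Section:
    """Minimal parser for the <Section>/directive structure of an Apache config."""
    root = Section("server config", "")
    stack = [root]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            sec = Section(m.group(1), m.group(2).strip('"'))
            stack[-1].children.append(sec)
            stack.append(sec)
            continue
        m = CLOSE.match(line)
        if m:
            if len(stack) == 1 or stack[-1].kind.lower() != m.group(1).lower():
                raise ValueError(f"unexpected </{m.group(1)}>")
            stack.pop()
            continue
        name, _, value = line.partition(" ")
        stack[-1].directives.append((name.lower(), value.strip()))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1].kind}> section")
    return root

def walk(sec: Section):
    """Depth-first iteration over a section and everything nested in it."""
    yield sec
    for child in sec.children:
        yield from walk(child)

def label(sec: Section) -> str:
    return f"<{sec.kind} {sec.arg}>" if sec.arg else sec.kind

def proxies_to_backend(root: Section) -> bool:
    """True if any directive hands requests to a backend such as Tomcat over AJP."""
    for sec in walk(root):
        for name, value in sec.directives:
            if name in PROXY_DIRECTIVES:
                return True
            if name == "sethandler" and value.strip('"').lower().startswith("proxy:"):
                return True
    return False

def audit_auth_scope(conf_text: str) -> List[Tuple[str, str]]:
    """Return (level, message) findings about where Basic auth is attached."""
    root = parse(conf_text)
    proxied = proxies_to_backend(root)
    # Only Defines present in this text count; server-level Defines live elsewhere.
    defined = {v.split()[0] for s in walk(root) for n, v in s.directives
               if n == "define" and v}
    findings = []
    for sec in walk(root):
        if any(n == "authtype" for n, _ in sec.directives):
            if sec.kind.lower() == "directory" and proxied:
                findings.append(("WARN", f"{label(sec)}: auth covers only files Apache serves "
                                 "from disk; proxied requests (e.g. *.cfm) bypass it. "
                                 "Attach it to a <Location> URL path instead."))
            elif sec.kind.lower() in ("location", "locationmatch"):
                findings.append(("OK", f"{label(sec)}: auth applies to the URL path, "
                                 "including requests proxied to the backend"))
        for name, value in sec.directives:
            for var in VAR.findall(value):
                if var not in defined:
                    findings.append(("WARN", f"{label(sec)}: {name} uses ${{{var}}} "
                                     "but no Define for it appears in this config"))
    return findings

# Constructed sample configs (not the post's real vhost): the weak form beside the fix.
BROKEN_CONF = r"""
<VirtualHost *:443>
    DocumentRoot /websites/this-site/
    ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://localhost:8009/$1$2
    <Directory "/websites/this-site/admin">
        AuthType Basic
        AuthName "AdminArea"
        AuthUserFile /etc/apache2/passwords/webauth
        Require user plutoAdmin
    </Directory>
</VirtualHost>
"""

FIXED_CONF = r"""
<VirtualHost *:443>
    DocumentRoot /websites/this-site/
    ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://localhost:8009/$1$2
    Define listofusers "adminuser1 adminuser2"
    <Location /admin>
        AuthType Basic
        AuthName "AdminArea"
        AuthUserFile /etc/apache2/passwords/webauth
        Require user ${listofusers}
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for title, conf in (("Directory-based auth", BROKEN_CONF), ("Location-based auth", FIXED_CONF)):
        print(f"== {title}")
        for level, msg in audit_auth_scope(conf):
            print(f"  [{level}] {msg}")
```

Run against a real vhost file with `audit_auth_scope(open(path).read())`; the parser is deliberately minimal (no `Include` following, no `IfModule` evaluation), so treat a WARN as a prompt to look at the section, and confirm the fix the way the post did: request both the protected directory and a `.cfm` under it without credentials and expect `401` for both.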