|Applies To||RSA Product Set: RSA Access Manager Agent for Apache|
RSA Version/Condition: Apache 2.x
|Issue||Configure an Apache web server to allow mixed use of both RSA ClearTrust and Apache/mod_auth security|
Apache pass_realms functionality to mix RSA ClearTrust protection with HTTP Basic authentication does not function
Security Realm definitions in .htaccess files are ignored
A user is not challenged to authenticate when accessing pages intended to be protected by Apache's HTTP Basic authentication; a user is challenged to authenticate when accessing pages protected by RSA ClearTrust. When the ClearTrust Agent is uninstalled, the Apache HTTP Basic protected pages function correctly.
|Cause||Apache reads .htaccess files at the same time as <Directory> blocks in the main configuration file (httpd.conf) and merges them, provided AllowOverride is set for the directory that contains the .htaccess file. ClearTrust's protection is applied in ct-httpd.conf, in a Location block that applies to the entire server. Apache reads Location blocks after Directory blocks, so the Location block takes precedence. Because a .htaccess file is implicitly a Directory block, a Location block cannot be added inside it; that would be syntactically incorrect (like nesting a Location block within a Directory block). See "Merging of .htaccess with the main configuration files": http://httpd.apache.org/docs/2.0/howto/htaccess.html#how|
|Resolution||Define security realms in ct-httpd.conf, after the initial <Location /> block which defines the default RSA ClearTrust realm. Alternatively, modify the default ClearTrust realm to protect only the URLs you intend to be protected by ClearTrust, rather than the entire server. Finally, the ClearTrust realm definition can be completely removed from the main configuration files (httpd.conf and ct-httpd.conf) and the ClearTrust realm defined in each relevant .htaccess file in directories which you require ClearTrust to protect.|
To partially mimic the decentralized functionality of .htaccess without removing the ClearTrust realm from the main Apache configuration, add a series of Include directives at the end of the httpd.conf file so that multiple Location blocks can be defined in other files. This requires modifying httpd.conf, which .htaccess does not, so it is not an ideal workaround.
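The first resolution and the Include alternative, as an added configuration sketch (not taken from the article or from RSA's shipped files). The URL prefix /basic-docs, the realm name, the password-file path and the conf/realms directory are assumptions; the agent's own <Location /> block is left as installed and is not reproduced here.

```apache
# --- ct-httpd.conf ---------------------------------------------------------
# 1. The agent's existing <Location /> block, which defines the default
#    RSA ClearTrust realm for the whole server, stays here unchanged.
#    (Its contents are not shown on the page and are not reproduced.)

# 2. Placed AFTER that block: an HTTP Basic realm for one URL prefix.
#    Location sections are merged in the order they appear, so for
#    /basic-docs these settings replace the server-wide ones.
#    The realm name is not "CT", so with pass_realms set to !CT,* the
#    request is passed on to mod_auth.
<Location /basic-docs>
    AuthType Basic
    AuthName "Basic Docs"
    # Assumed path; keep the password file outside the DocumentRoot.
    AuthUserFile /usr/local/apache2/conf/basic-docs.htpasswd
    Require valid-user
</Location>

# The same four Auth*/Require lines in /basic-docs/.htaccess are merged at
# the Directory stage and then overridden by <Location />, which is why the
# user is never challenged for the Basic realm.

# --- httpd.conf (Include alternative) --------------------------------------
# At the very end of httpd.conf, after ct-httpd.conf has been pulled in,
# load one file per realm. Each file holds a single <Location> block like
# the one above, so realm owners edit their own file instead of httpd.conf.
Include conf/realms/*.conf
```

Run `apachectl configtest` after either change, then request a URL under the Basic prefix and one ClearTrust-protected URL to confirm each issues its own challenge.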
|Workaround||AuthType and AuthName parameters are added to .htaccess to create an Apache HTTP Basic security realm on a page that is not a ClearTrust-defined resource|
cleartrust.agent.apache.pass_realms was set to pass anything not in the RSA ClearTrust realm to the HTTP Basic authentication module in Apache (mod_auth), i.e. the parameter is defined as !CT,*
|Legacy Article ID||a29112|