Otdfbt

Interaction between Leyline of Anticipation and Teferi, Time Raveler

Why cruise at 7000' in an A319?

Cascading Repair Costs following Blown Head Gasket on a 2004 Subaru Outback

Is it illegal to withhold someone's passport and green card in California?

Apply brace expansion in "reverse order"

Why the feminine "la" in "à la Leonardo DiCaprio", though he is a man?

Sci fi short story, robot city that nags people about health

How much will studying magic in an academy cost?

In the Marvel universe, can a human have a baby with any non-human?

STM Microcontroller burns every time

What are the penalties for overstaying in USA?

Swapping rooks in a 4x4 board

How dangerous are set-size assumptions?

Folding basket - is there such a thing?

How do I professionally let my manager know I'll quit over cigarette smoke in the office?

Can humans ever directly see a few photons at a time? Can a human see a single photon?

Archery in modern conflicts

Long term BTC investing

Find the C-factor of a vote

Would it be a copyright violation if I made a character’s full name refer to a song?

What is this tool/thing in an Aztec painting?

Do I have any obligations to my PhD supervisor's requests after I have graduated?

Employer wants to use my work email account after I quit

Why aren't cotton tents more popular?

Disabling (Apache) Basic Authentication for OPTIONS requests

Disable HTTP Authentication for OPTIONS requests in TomcatRespond to HTTP OPTIONS with basic authEnable basic auth sitewide and disabling it for subpages?basic http authenticationApache basic HTTP authentication not workingApache authentication requirement based on locationCan you pass user/pass for HTTP Basic Authentication in URL parameters?Authentication just for HTTPS Requests in ApacheTruncate Basic authentication username and password in Apache proxyDisable HTTP Authentication for OPTIONS requests in TomcatBasic auth Apache with Tomcat

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

2

I have Apache basic authentication enabled on a test server and it works great:

AuthType Basic
AuthName "testing"
AuthUserFile /home/www/.htpasswd
Require user MyUser

deny from all

But it is also trying to authenticate requests sent via the OPTIONS method. Which is a problem because the CORS specification says that you should Exclude user credentials - https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0

How do I disable authentication for requests coming in with the OPTIONS method?

(Similar to this for Tomcat: Disable authentication for OPTIONS requests in Tomcat )

apache-2.4 .htaccess authentication http-basic-authentication

share|improve this question

asked Jun 6 at 17:23

GIS-JonathanGIS-Jonathan

11333 bronze badges

add a comment | 

2

I have Apache basic authentication enabled on a test server and it works great:

AuthType Basic
AuthName "testing"
AuthUserFile /home/www/.htpasswd
Require user MyUser

deny from all

But it is also trying to authenticate requests sent via the OPTIONS method. Which is a problem because the CORS specification says that you should Exclude user credentials - https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0

How do I disable authentication for requests coming in with the OPTIONS method?

(Similar to this for Tomcat: Disable authentication for OPTIONS requests in Tomcat )

apache-2.4 .htaccess authentication http-basic-authentication

share|improve this question

asked Jun 6 at 17:23

GIS-JonathanGIS-Jonathan

11333 bronze badges

add a comment | 

I have Apache basic authentication enabled on a test server and it works great:

AuthType Basic
AuthName "testing"
AuthUserFile /home/www/.htpasswd
Require user MyUser

deny from all

But it is also trying to authenticate requests sent via the OPTIONS method. Which is a problem because the CORS specification says that you should Exclude user credentials - https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0

How do I disable authentication for requests coming in with the OPTIONS method?

(Similar to this for Tomcat: Disable authentication for OPTIONS requests in Tomcat )

apache-2.4 .htaccess authentication http-basic-authentication

share|improve this question

asked Jun 6 at 17:23

GIS-JonathanGIS-Jonathan

11333 bronze badges

AuthType Basic
AuthName "testing"
AuthUserFile /home/www/.htpasswd
Require user MyUser

deny from all

share|improve this question

asked Jun 6 at 17:23

GIS-JonathanGIS-Jonathan

11333 bronze badges

share|improve this question

asked Jun 6 at 17:23

GIS-JonathanGIS-Jonathan

11333 bronze badges

asked Jun 6 at 17:23

GIS-JonathanGIS-Jonathan

11333 bronze badges

asked Jun 6 at 17:23

GIS-JonathanGIS-Jonathan

11333 bronze badges

1 Answer
1

active

oldest

votes

1

You can perhaps use an Apache expression (Apache 2.4+) to only apply the HTTP Basic Auth directives when the request method is not "OPTIONS".

For example:

<If "%REQUEST_METHOD != 'OPTIONS'">
# Authentication directives...
</If>

Reference:

https://httpd.apache.org/docs/2.4/expr.html

deny from all

You shouldn't need to use this (Apache 2.2) directive with your Basic Auth directives.

share|improve this answer

edited Jun 6 at 18:49

answered Jun 6 at 18:33

MrWhiteMrWhite

6,69622 gold badges1414 silver badges2626 bronze badges

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Excellent, worked like a charm. Thanks!
  
  – GIS-Jonathan
  Jun 6 at 19:54
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f970420%2fdisabling-apache-basic-authentication-for-options-requests%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

1

You can perhaps use an Apache expression (Apache 2.4+) to only apply the HTTP Basic Auth directives when the request method is not "OPTIONS".

For example:

<If "%REQUEST_METHOD != 'OPTIONS'">
# Authentication directives...
</If>

Reference:

https://httpd.apache.org/docs/2.4/expr.html

deny from all

You shouldn't need to use this (Apache 2.2) directive with your Basic Auth directives.

share|improve this answer

edited Jun 6 at 18:49

answered Jun 6 at 18:33

MrWhiteMrWhite

6,69622 gold badges1414 silver badges2626 bronze badges

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Excellent, worked like a charm. Thanks!
  
  – GIS-Jonathan
  Jun 6 at 19:54
  

  
  
  
  

add a comment | 

1

You can perhaps use an Apache expression (Apache 2.4+) to only apply the HTTP Basic Auth directives when the request method is not "OPTIONS".

For example:

<If "%REQUEST_METHOD != 'OPTIONS'">
# Authentication directives...
</If>

Reference:

https://httpd.apache.org/docs/2.4/expr.html

deny from all

You shouldn't need to use this (Apache 2.2) directive with your Basic Auth directives.

share|improve this answer

edited Jun 6 at 18:49

answered Jun 6 at 18:33

MrWhiteMrWhite

6,69622 gold badges1414 silver badges2626 bronze badges

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Excellent, worked like a charm. Thanks!
  
  – GIS-Jonathan
  Jun 6 at 19:54
  

  
  
  
  

add a comment | 

You can perhaps use an Apache expression (Apache 2.4+) to only apply the HTTP Basic Auth directives when the request method is not "OPTIONS".

For example:

<If "%REQUEST_METHOD != 'OPTIONS'">
# Authentication directives...
</If>

Reference:

https://httpd.apache.org/docs/2.4/expr.html

deny from all

You shouldn't need to use this (Apache 2.2) directive with your Basic Auth directives.

share|improve this answer

edited Jun 6 at 18:49

answered Jun 6 at 18:33

MrWhiteMrWhite

6,69622 gold badges1414 silver badges2626 bronze badges

<If "%REQUEST_METHOD != 'OPTIONS'">
# Authentication directives...
</If>

share|improve this answer

edited Jun 6 at 18:49

answered Jun 6 at 18:33

MrWhiteMrWhite

6,69622 gold badges1414 silver badges2626 bronze badges

answered Jun 6 at 18:33

MrWhiteMrWhite

6,69622 gold badges1414 silver badges2626 bronze badges

answered Jun 6 at 18:33

MrWhiteMrWhite

6,69622 gold badges1414 silver badges2626 bronze badges