RE: Question about Basic Authentication

Thank you, David

I did come across another thread with an example that places the password
file under the 'conf' sub-directory alongside the http.conf file; so your
suggestion is a good one.

I also noticed in the same thread that the password file is actually called
"svn-password.pass" as opposed to "passwd" which may account for the
problems I've had with authentication.

On Windows, one must run the htpasswd.exe file from the DOS command line.

Thanks,
Dave

-----Original Message-----
From: David Chapman [mailto:dcchapman_at_acm.org]
Sent: Thursday, September 06, 2012 2:39 PM
To: Anastasio, David M CTR USAF AFMC AFLCMC/HNID
Cc: users_at_subversion.apache.org
Subject: Re: Question about Basic Authentication

On 9/6/2012 11:08 AM, Anastasio, David M CTR USAF AFMC AFLCMC/HNID wrote:
> Yes, I think that is exactly the problem here.
> I will try to create the password file with htpasswd.
> Does Apache suggest where the password file should reside?
> Is it restricted to a certain location? I couldn't find this in the
> documentation.
> Thank you.
> Dave
>
There is no standard password file location, as AuthUserFile is specified
directly in the <Location> block in your httpd.conf. Under Linux I put the
password file in /etc with the rest of the system password files.

The essential requirement is that the file *not* be visible from outside the
server, i.e. don't put it into your repository directory or another
directory under your DocumentRoot. Unfortunately, I have seen this happen -
"hey, what's in http://server.name/passwd.txt"? It wasn't a Subversion
repository that time (and worse yet, the passwords were plaintext), but
password file location is a trap for the unwary.

I've never set up Apache under Windows, so I can't suggest a "good"
location. Maybe the directory in which httpd.conf is stored?

-- 
     David Chapman      dcchapman_at_acm.org
     Chapman Consulting -- San Jose, CA
     Software Development Done Right.
     www.chapman-consulting-sj.com