function beforeFilter ()
in app_controller.php

Matt Curry said on January 30, 2008

.htaccess doesn't allow Location or Directory sections, so Apache will throw an internal server error.

I was wondering about that. If you follow the link to the thread, the guy who suggested the solution implies it's possible.

Anthony said on January 30, 2008

Just a small caveat to the use of:

htpasswd -c /my/passwd/file bob

Be careful with the -c flag, I use this feature so rarely that I often have to check an online resource (from my server co's site) for accuracy.

The -c flag creates a new password file, so if you're adding an additional user to the file omit the flag, or at least make sure you add all the users you want in the new file.

htpasswd -c /my/passwd/file user user1 user2

My own server does not warn me that the -c flag will obliterate the old version of the file.

Luke said on January 30, 2008

Hi, it works from the .conf file, but there is another option to do with the Auth class and Security in Cake 1.2 (Basic HTTP Authentication).

It uses the beforeFilter as stated above, in your app_controller.

Luke said on February 01, 2008

Hmm. I have been trying to get this to work with a <VirtualHost> set site, by putting the <Location "/admin"> within the <VirtualHost> directive, but it gives me a 401.shtml page on going to any /admin/ pages and this is an HTTP Auth error.

I wonder if it is a permissions error with the way I made the htpasswd file? Does anyone know more about Apache, VirtualHosts and Location?

Paul Decowski said on February 01, 2008

(…) it gives me a 401.shtml page on going to any /admin/ (…)

Make sure the path to the htpasswd file is correct and that it has appropriate access rights.

Kyle Hayes said on February 02, 2008

FYI, you can use this similar action on IIS as well with the ISAPI_Rewrite module installed and dropping it into httpd.ini

Luke said on February 26, 2008

"Make sure the path to the htpasswd file is correct and that it has appropriate access rights."
Paul - thanks for your reply: what access rights would I set for the htpasswd file in a virtualhosts set up though? You mean allow Apache access right - so would the group having read access be correct? I am evidently not very experienced with permissions on unix :(
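
The path and access-rights check suggested in this exchange can be scripted. The following is an added example, not part of the original comments: `check_htpasswd` is a hypothetical helper, and it assumes the common layout where the password file is mode 640 with Apache's group as the file's group, and that the script is run as the account Apache runs under.

```shell
#!/bin/sh
# Added example: sanity-check the file named in AuthUserFile.
# Usage: check_htpasswd /path/to/passwdfile [/path/to/docroot]
# Run it as the account Apache runs under so the read/search tests
# reflect what the server can actually open.
check_htpasswd() {
    file=$1
    docroot=${2:-}
    rc=0

    # A relative AuthUserFile is resolved against ServerRoot, which is
    # an easy way to end up pointing at a file that does not exist.
    case $file in
        /*) ;;
        *) echo "WARN: not an absolute path: $file"; rc=1 ;;
    esac

    if [ ! -f "$file" ]; then
        echo "FAIL: no such regular file: $file"
        return 1
    fi
    [ -r "$file" ] || { echo "FAIL: not readable by $(id -un)"; rc=1; }

    # Every directory above the file needs search (x) permission.
    dir=$(dirname "$file")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        [ -x "$dir" ] || { echo "FAIL: cannot traverse $dir"; rc=1; }
        dir=$(dirname "$dir")
    done

    # Mode string from ls, e.g. -rw-r----- ; characters 8 and 9 are the
    # read and write bits for "other".
    mode=$(ls -ld "$file" | cut -c1-10)
    case $mode in
        ???????r??) echo "FAIL: world-readable ($mode)"; rc=1 ;;
    esac
    case $mode in
        ????????w?) echo "FAIL: world-writable ($mode)"; rc=1 ;;
    esac

    # Password hashes must not be downloadable: keep the file outside
    # the document root.
    if [ -n "$docroot" ]; then
        case $file in
            "${docroot%/}"/*) echo "FAIL: inside document root"; rc=1 ;;
        esac
    fi
    return $rc
}
```

A zero exit status means none of the checks fired; each failed check prints one line naming the problem.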

Stevie said on December 06, 2008

I found an easy way to enable a security check for the whole admin-route solely based on an htaccess-file.

You just have to create a folder named 'admin' (or whatever your admin-route is called) and put a file named .htaccess in there without any location or directory enclosement.

AuthType Basic
AuthName "secured area"
AuthUserFile /path/to/passwdfile
Require valid-user

Since CakePHP always checks for existing files before invoking the url-rewrite, the admin folder will be found and the htaccess will be executed. After being authenticated, CakePHP finds out that the "file" is not present in the folder admin and invokes the url-rewriting as normal.

Did I miss something or does this work for everyone who just wants to enable a very simple security?
