2

I am having trouble trying to get the Apache mod auth_form to work.

I have a sub-domain that I wish to protect and use for various administrative features on my website.

When I submit the auth form I get:

Method Not Allowed

The requested method GET is not allowed for the URL /admin/index.html.

I have followed, to the best of my ability, the instructions in the docs here:

http://httpd.apache.org/docs/current/mod/mod_auth_form.html

and here:

http://httpd.apache.org/docs/current/mod/mod_session.html

I am also using Apache 2.4.9, with all required modules for this to work loaded.

So I have set up the sub-domain as follows:

/index.html (Public root / auth form)
/admin/index.html (The contents of the folder I wish to protect)

/index.html contains the following:

<form method="POST" action="/admin">
    User: <input type="text" name="httpd_username" value="" />
    Pass: <input type="password" name="httpd_password" value="" />
    <input type="submit" name="login" value="Login" />
</form>

For the Vhost block that controls the sub-domain, I have added the following (noting that I am enabling GET and POST for this domain as the default sees these disabled):

<VirtualHost *:80>
    ServerAdmin webmaster@mydomain.com
    ServerName mydomain.com
    ServerAlias admin.mydomain.com

    DocumentRoot /var/www/mydomain.com/admin/

    <Directory /var/www/mydomain.com/admin/>
        <LimitExcept GET POST>
             Require all denied
        </LimitExcept>
        Options -ExecCGI -FollowSymLinks -Includes -Indexes -MultiViews
        Require all granted
    </Directory>

    <Location /admin>
        SetHandler form-login-handler
        AuthFormLoginRequiredLocation http://admin.mydomain.com/index.html
        AuthFormLoginSuccessLocation http://admin.mydomain.com/admin/index.html
        AuthFormProvider file
        AuthUserFile /var/www/mydomain.com/admin_inc/.htpasswd
        AuthType form
        AuthName realm
        Session On
        SessionCookieName session path=/private;domain=admin.mydomain.com;httponly;secure;
        SessionCryptoPassphrase secret
    </Location>

</VirtualHost>

In the Apache error log I get the following:

[Mon May 19 10:26:38.xxxxxx 2014] [auth_form:error] [pid xxxxx] [client xxxxxx:xxxxx] AH01811: the form-login-handler only supports the POST method for /admin/index.html, referer: http://admin.mydomain.com/

If anyone could explain to me what I have done wrong here in order to create this error, it would be greatly appreciated, thank you!

2 Answers

4

I finally got this working, and I had stepped on this question while trying to find solutions to my problems.

You are getting this error because your call is intercepted by the form-login-handler, which only supports POST.

The trick is that the SetHandler directive should only be active for the URL that will be used as the action of the authentication form. All other protected resources should use the same configuration, but without this handler.

Here's a working configuration:

<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    ServerName example.com
    ServerAlias www.example.com

    DocumentRoot /var/www/example.com/

    <Location /admin>
        # Protect all resources under /admin with form auth. Note that the login form is NOT under /admin: not sure this is required, but this is how I got it working
        AuthFormLoginRequiredLocation http://www.example.com/index.html
        AuthFormLoginSuccessLocation http://www.example.com/admin/index.html
        AuthFormProvider file
        AuthUserFile /var/www/example.com/.htpasswd
        AuthType form
        AuthName realm
        Session On
        SessionCookieName session path=/private;domain=www.example.com;httponly;secure;
        SessionCryptoPassphrase secret
    </Location>
    <Location /admin/dologin>
        # Since this location is a sub-path of the previous one, it inherits all parameters above
        # It will be the only URL to be able to process form logins, and the only one to require POST
        SetHandler form-login-handler
    </Location>

</VirtualHost>

Of course you need to set your action attribute in the form to the login handler URL:

<form method="POST" action="/admin/dologin">
    User: <input type="text" name="httpd_username" value="" />
    Pass: <input type="password" name="httpd_password" value="" />
    <input type="submit" name="login" value="Login" />
</form>

Hope this helps someone (even though this thread is 4 years old! :) )

lbndev
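An added example, not part of the answer above or of Apache itself: a small Python check for the scoping problem the answer describes. It flags any AuthFormLoginSuccessLocation or AuthFormLoginRequiredLocation target that falls under a Location carrying form-login-handler. The function names are made up for this example, the two sample configs are trimmed copies of the ones on this page, and only plain `<Location path>` blocks are handled.

```python
import re
from urllib.parse import urlparse

# Trimmed copies of the two configs on this page (question, then answer).
QUESTION_CONF = """
<Location /admin>
    SetHandler form-login-handler
    AuthFormLoginRequiredLocation http://admin.mydomain.com/index.html
    AuthFormLoginSuccessLocation http://admin.mydomain.com/admin/index.html
    AuthType form
</Location>
"""
ANSWER_CONF = """
<Location /admin>
    AuthFormLoginRequiredLocation http://www.example.com/index.html
    AuthFormLoginSuccessLocation http://www.example.com/admin/index.html
    AuthType form
</Location>
<Location /admin/dologin>
    SetHandler form-login-handler
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+?)>(.*?)</Location>", re.S | re.I)
HANDLER_RE = re.compile(r"^\s*SetHandler\s+form-login-handler\b", re.M | re.I)
TARGET_RE = re.compile(r"^\s*(AuthFormLogin(?:Success|Required)Location)\s+(\S+)", re.M | re.I)

def covers(location, path):
    """<Location /x> applies to /x, /x/ and /x/..., but not to /xother."""
    loc = location.rstrip("/")
    return path == loc or path.startswith(loc + "/")

def handler_conflicts(conf):
    """List (handler location, directive, path) for each redirect target that
    lands on the POST-only form-login-handler and would fail with AH01811."""
    handlers = [loc.strip('"') for loc, body in LOCATION_RE.findall(conf)
                if HANDLER_RE.search(body)]
    found = []
    for directive, url in TARGET_RE.findall(conf):
        path = urlparse(url.strip('"')).path
        found += [(h, directive, path) for h in handlers if covers(h, path)]
    return found

if __name__ == "__main__":
    for name, conf in (("question", QUESTION_CONF), ("answer", ANSWER_CONF)):
        print(name, handler_conflicts(conf) or "no conflict")
```

The check does not look at cookie attributes: the path= and secure values given to SessionCookieName also have to match the protected URL and the scheme in use, or the browser will not return the session cookie.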
1

You are somehow sending the login credentials with some method that is not POST¹. Maybe double-check your login form?

¹http://code.ohloh.net/file?fid=Pwx9mfavxhieWn8XSiBldWz63zI&cid=h1J7pf7LYjw&s=&fp=305270&mp&projSelected=true#L1127

Simon