We have a web application that uses authentication, and we task mod_auth_tkt
with that. Authentication takes place on the proxy, and CGI requests are passed
to a second mod_perl server using mod_rewrite.

We recently ran into the following problem, however. We are putting the auth_tkt
directives inside a FilesMatch block thusly:


For static HTML that is served by the proxy (i.e. that mod_rewrite doesn't pass
onto mod_perl), mod_auth_tkt successfully redirects to the login page as
configured. But requests for .pl files are not blocked in this way --
mod_rewrite sends those to the mod_perl server, where mod_auth_tkt is not running.

Now, if we change things up a little, and use as the container
for the auth_tkt directives, that will successfully catch all requests to .html
and .pl files in that location.

Thus, in the first case, it looks like mod_rewrite is doing its thing before
mod_auth_tkt gets a chance to forward the user to the login page, but in the
second case, mod_auth_tkt gets to look at the request before mod_rewrite does
its thing.

The apache docs indicate that LocationMatch blocks are evaluated before
FilesMatch, so our guess is that perhaps mod_rewrite is doing its thing in between?

Can anyone shed some light on when mod_auth_tkt and mod_rewrite handle the
request? We'd love to be able to use FilesMatch for various reasons, and we
don't want a second mod_auth_tkt running on the mod_perl server.

Michael Peters
Plus Three, LP