Support

Admin Tools

#35635 Unauthorized with password protection administrator

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by toonetcreation on Sunday, 15 August 2021 14:54 CDT

Saturday, 14 August 2021 19:26 CDT

toonetcreation

Hi,

I have tried joomla and php files settings here : http://prntscr.com/1ot6u4y

But then, when I try to access admin back-end I get a blank page with Unauthorized message

Do you have an idea why ?

Thanks

L.

Sunday, 15 August 2021 03:42 CDT

nicholas

It means that either an issue in your server or your browser prevent you from using this standard HTTP (web server and browser) feature correctly. Kindly note that this feature is not implemented by Admin Tools itself as explicitly stated in the documentation.

Please read the documentation for more information on how this feature works and what to do to disable it if you do not have access to the backend of your site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 15 August 2021 04:00 CDT

toonetcreation

Ok no problem.

But I did a test with EVERYTHING and works fine with this option...when I try to Access website backend I get the apache auth popup.

So I don't know why works with EVERYTHING option and not with others.

But I Can Ask my hosting provider.

Sunday, 15 August 2021 06:45 CDT

nicholas

When use any other option are you accessing your site's admin as https://www.example.com/administrator, https://www.example.com/administrator/ or https://www.example.com/administrator/index.php? Only the latter should work without an error.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 15 August 2021 08:20 CDT

toonetcreation

I'm using this https://www.example.com/administrator?my_string

Sunday, 15 August 2021 08:38 CDT

toonetcreation

Ok I did some tests :

  • When I select EVERYTHING :

this link works : https://www.example.com/administrator?my_string => I get the apache login popup

this link works : https://www.example.com/administrator/index.php?my_string => I get the apache login popup

  • When I select JOOMLA:

this link does not work : https://www.example.com/administrator?my_string => I get Unauthorized error message

this link works : https://www.example.com/administrator/index.php?my_string => I get the apache login popup

  • When I select  All PHP Files :

this link does not work : https://www.example.com/administrator?my_string => I get Unauthorized error message

this link works : https://www.example.com/administrator/index.php?my_string => I get the apache login popup

Is it the normal process ?

Sunday, 15 August 2021 11:07 CDT

nicholas

Yes, this is normal.

When you visit the /administrator?something URL you are asking Apache to display the contents of the administrator directory. 

When you have selected the Everything option Apache sees that the entire directory is password protected and sends an Authorisation Required response to your browser. Your browser shows you the password prompt. Then it sends the username and password to Apache as an HTTP Basic Authentication header. Apache compares that with your configured username and password. If they checkout, Apache realises it cannot display a directory, duh! So it looks for the directory's default file. One of them is index.php. Therefore Apache tries to load /administrator/index.php?something. Since index.php is Joomla's entry point for the administrator application the rest of the process works as it should with Joomla loading and Admin Tools verifying the secret URL parameter.

When you have selected an option other than Everything and try to access the /administrator directory you get blocked because access control is on all .php files (All PHP Files option) or index.php (Joomla option). Since this was not explicitly requested Apache will tell you that you are not allowed to display the directory itself. In these cases you MUST explicitly specify index.php in the URL to login to your site's administrator backend.

That was why I asked you if you're using index.php when you said that only the Everything option works. The Everything option is directory-level password protection, the other options are file-level password protection. They are treated very differently by Apache. It's the way Apache is supposed to work.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 15 August 2021 14:54 CDT

toonetcreation

ok that's fine I see now, ok for me ;-)

thanks again

L.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!