In order to protect a directory on an Apache HTTPD web server with a password, this configuration was added to an .htaccess file in the respective directory:



AuthType Basic
AuthName "Protected Directory"
AuthUserFile /var/www/dir/ .htpasswd
Require valid-user

Furthermore, a file /var/www/dir/ .htpasswd was created with the following content:

usera:S3cr3t

Given that all these files were correctly processed by the web server processes, which of the following statements is true about requests to the directory?

A. The user usera can access the site using the password S3cr3t
B. Accessing the directory as usera raises HTTP error code 442 (User Not Existent)
C. Requests are answered with HTTP error code 500 (Internal Server Error)
D. The browser prompts the visitor for a username and password but logins for usera do not seem to work
E. The web server delivers the content of the directory without requesting authentication

題解

「.htpasswd」檔案中的密碼欄位,如果使用「htpasswd」指令來產生的話,雖然預設並不會以明碼儲存,但是可以透過提供「-p」參數來使用明碼。

「htpasswd」指令預設會使用MD5進行雜湊(「-m」參數),「.htpasswd」檔案看起來會像這樣:

usera:$apr1$FMvyPFsQ$CQNQc/lfAiHNaOIjA6a.K/

如果要更安全的話,通常會使用bcrypt來進行雜湊(「-B」參數),「.htpasswd」檔案看起來會像這樣:

usera:$2y$05$7svvma1IcvF1PMBI4HW2EOcFH9Vguhh73S4xEMGhhv5Xn7fUFM1DK

從題目提供的「.htpasswd」檔案,可以看出它是使用明碼來儲存密碼。

而「Require」設定為「valid-user」的話,任何存在於「.htpasswd」檔案中的使用者才可以透過提供正確的密碼來存取檔案資源。如果使用者密碼驗證失敗的話,會回傳HTTP的401狀態(Authorization Required)。

因此選項「A」是正確答案。