I have an application developed in CakePHP 2 , but I believe that the issue does not have as much involvement with the framework itself, just citing to contextualize.
As this private application, basically a webservice for accessing data with a mobile application, I restricted access using Apache HTTP strong> in the file .htaccess .
There is the physical path for files/photos that I want free access, so I included this exception thus:
AuthType Basic
AuthName "Meu webservice"
AuthUserFile /foo/bar/.htpasswd
Require valid-user
SetEnvIf Request_URI "files/photos/" allow
Order allow,deny
Allow from env=allow
Satisfy any
It works perfectly, restricting all access to webservice except for the given directory. Now I need to restrict a new access but this time it is not a URL pointing to a physical path but rather "virtual", since the framework ( MVC-like ) uses mod_rewrite to do the rewrite of the URLs.
Just adding the line below did not succeed, you are still prompted for a username and password.
SetEnvIf Request_URI "users/confirmation/" allow
I do not know if the problem is because of the use of URL rewriting, but considering that one physical path I succeeded and the other did not, I imagine it makes some sense of my doubt.