Basic Auth of a Subdirectory

I noted in the documentation that you can turn on Basic Auth from server.json.

However, this seems to be an all or none configuration - either the entire site is using basic auth or none of it is. I would like to set up basic auth for the /lucee directory, but cannot seem to find examples of how to do that.

Can someone point me in the right direction?

@Scott_Stroz Sorry for the delay, this message got overlooked in the holidays.

While Undertow does support basic-auth to be on a per-directory basis, what we’ve exposed in the server.json is an all-or-nothing flag. I had originally wanted to extend that, but it seems no one really ever uses basic auth in CommandBox (or if they do, they never talk about it) so I never put any effort into adding to the feature. This would be a cool thing to be able to do with server rules (Undertow’s predicate language) but they also never exposed basic auth config there either.

So maybe some day I’ll get some time to add this, or someone will sponsor the feature. But for now, it’s not possible with CommandBox directly. You’d need Apache or something similar as a proxy in front and configure it there.

Now, that said-- since it seems you are looking to do this for security, I’ll point out CommandBox already has a bunch of built in stuff for blocking the CF and Lucee admins. In fact, CommandBox is secure-by-default so if you start a server in production profile, it will automatically lock down the admins and it does it in a way that still allows access from localhost (which is admittedly more useful on a Windows host than a Linux one). Since most production CommandBox deploys are managing all their settings with CFConfig, there really is no need to access the administrator anyway. You can still read/write settings from the CFConfig CLI as well if you need. Based on those workflows, putting basic auth in front of the web admin UI isn’t something I’ve ever tried to do since I just block the admin UIs outright on production in most cases.

I was hoping there was a way to lockdown subdirectories because I prefer to use the admin because once the server is set up, the only time I really need it is to troubleshoot (turn off caching, etc.).

I figured if I need to do that, I can simply go in and enable access and restart the server.


I’ve put in this ticket as a reminder since it would be a nice feature.

Perhaps I’ll get a chance to work on it some time or someone else will be able to pick up the mantle. I’ve glanced at what Undertow supports a couple times (including last night) and it’s honestly rather complicated. You can do all manner of crazy custom stuff. It would be a non-trivial task to unravel all the mysteries of the SecurityConstraint and figure how much of it to expose in CommandBox, what that JSON would look like, and how we’d pass the dynamic data to the server when starting.