I had a need to put password protection on a web site, but allow a certain section to be unprotected. The other way around is easy because permissions are inherited to subdirectories, so a child directory won’t affect a parent.

According to Configuration Sections, merging, Locations containers are processed in order, so the second container can modify behaviour from the first. The other trick ended up being the Satisfy directive, which allows one to say that any one of the specified methods will work. The final config is something like

 

    AuthType Basic

    AuthName "protected"

    AuthUserFile "....."

    require valid-user





    Order Allow,Deny

    Deny from none

    Allow from all

    # This means that either the "require valid-user" from above

    #or the above order (ie everyone) will work.

    # Without it, you get prompted

    Satisfy Any