Support

Admin Tools

#29100 401 Unauthorized password-protect administrator

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Thursday, 22 February 2018 02:30 CST

Saturday, 03 February 2018 18:57 CST

user60489
Using the "Secret URL" and the "Password-protect Admin" settings.

I can log in fine, and make changes to some things, however, there are some others that I get "401 - Unauthorized
Your authorization failed. Please try refreshing the page and fill in the correct login details." I cancel what I'm doing, refresh the page and it asks me to log in again.

I have been fooling with the htaccess file, but as far as I can tell, I don't think I've got anything in it to do this. I've tried some backup htaccess files and the standard joomla one, but same result.

Once I disable the backend password-protect, it works.

Here's my current htaccess:

##### RewriteEngine enabled - BEGIN
RewriteEngine On
##### RewriteEngine enabled - END

## Send ETag (selected method: )
##### Rewrite rules to block out some common exploits -- BEGIN
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code\(.*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\[0-9A-Z]{0,2})
RewriteRule .* index.php [F]
##### Rewrite rules to block out some common exploits -- END

##### Advanced server protection rules exceptions -- BEGIN
##### Advanced server protection rules exceptions -- END

##### Advanced server protection -- BEGIN
##### Advanced server protection -- END

##### Joomla! core SEF Section -- BEGIN
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]

RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
##### Joomla! core SEF Section -- END

AddHandler application/x-httpd-php70 .php .php5 .php4 .php3

<IfModule mod_expires.c>
FileETag MTime Size
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType text/html "access plus 600 seconds"
ExpiresByType application/xhtml+xml "access plus 600 seconds"
ExpiresByType text/css "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month "
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
</IfModule>

Saturday, 03 February 2018 19:48 CST

dlb
That's very strange. Usually the .htaccess password protection is on or off, it is never maybe. Let's delete the .htaccess file in the /administrator folder - NOT the root. That will kill the /administrator password protection. If that solves the problem, we can re-create the password from the Admin Tools menu. That function is sensitive to the version of the Apache server. Admin Tools creates different files based on the server version. For this reason, it does not travel well between servers.


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

Saturday, 03 February 2018 22:23 CST

user60489
Thanks for the reply, Dale.

I believe removing the .htaccess manually is the same as disabling the password-protect from within Admin Tools, which removes the .htaccess & .htpasswd - I've done that several times, and verified they were gone, then recreated when I re-enabled it from within Admin Tools.

Monday, 05 February 2018 08:21 CST

dlb
Let's take that password protection off and leave it off. That's a test, not a solution. I want to see if the problem still exists with that feature disabled. Not all servers support that feature.


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

Monday, 05 February 2018 10:57 CST

user60489
Thanks, Dale.

I already turned it off when I originally submitted the ticket – had to make changes to the site. It runs fine with it off. Maybe I didn’t make that clear in the initial ticket – sorry about that.

It has been running fine for the past year with password protection on. The server has not been migrated as far as I know. It throws the 401 error with password protection on. With password protection off, everything works fine.

-J

Tuesday, 06 February 2018 09:50 CST

dlb
I've been staring at this trying to figure out where the "intermittent" comes from. That isn't supposed to happen. Nicholas pointed me in the right direction. When you fill in the User ID and password for the password protection, the browser remembers it and sends it along with each subsequent request. That means you only have to enter the password once, not with every change.

So when you get the 401, the browser has either not sent the user and password, or sent the wrong one. The problem is in the browser, not the server. It could be a bug in the browser or it could also be in a browser plugin that's misbehaving. Please try incognito mode in your browser, which should eliminate the plugin option and if it still gives you 401s, please try an alternate browser.


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

Tuesday, 06 February 2018 17:10 CST

user60489
Thanks, Dale.

It appears it is indeed an issue with Chrome. I tried incognito mode, and still got the 401. With Pale Moon, Firefox, and Chrome Canary, it works fine.

I only get the error when I try to edit a Gantry 5 Particle.

Wednesday, 07 February 2018 08:42 CST

dlb
We don't have any reports of problems with Chrome in general. All I can suggest is to make sure you have the browser updated and look at your plugins. You can disable them and try again to try to narrow it down.


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

Wednesday, 07 February 2018 09:54 CST

dlb
Hold the phone! Someone just posted another ticket with a 401 error using Gantry. (#29129)

This is what Davide replied:
Hello,

given you report, it seems that Gantry is trying to load some media files directly from the admin area of your site, triggering the server protection.

For further info please take a look at our troubleshooter page here: https://www.akeebabackup.com/documentation/troubleshooter/atadminpw.html


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

Wednesday, 14 February 2018 19:26 CST

user60489
Thanks, Davide.

I looked at that and Gantry is not an extension - it is the framework that Joomla runs on.

Asking the Gantry devs to fix their "badly written" code so it plays nice with Akeeba is like asking a car manufacturer to change their car design so a specific radio will fit in the dash.

I understand it may be insecure with what Gantry is doing, however I believe this is on Akeeba to figure out how to make their extension work with the Gantry in Chrome - not the other way around.

Tuesday, 20 February 2018 13:35 CST

user60489
No response? It's been almost a week.

Is Akeeba going to fix this issue so Admin Tools plays nicely with Chrome & Gantry?

Requesting some sort of acknowledgment here.

Wednesday, 21 February 2018 11:02 CST

dlb
My apologies, this ticket got mixed up between Davide and I, it was my error.

No, it is not Akeeba's duty to change our code to mitigate Gantry's error. It isn't that their code conflicts with Admin Tools, it conflicts with Joomla! standard practices. Joomla! doesn't run on Gantry, Gantry runs on Joomla!. The templates are a part of the Joomla! CMS system. If they want to sell extensions for Joomla!, they should conform to published design standards, as we do.


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

Wednesday, 21 February 2018 13:55 CST

user60489
The Gantry particle is NOT loading any media files when it does this. This is a problem with Akeeba, and they need to own it.

Answers like this only turn into finger pointing between groups with the user caught in the middle.

I've been a customer of Akeeba for some time now. And this certainly answers my question of my renewal to Akeeba backup & tools due next week. That answer is no renewal with a response like that.

Goodbye.

Thursday, 22 February 2018 02:30 CST

nicholas
First, please let me quote our documentation.

---
I enabled this feature and now the front-end of my site asks me for a username and password?!

This is not a bug in Admin Tools, but a problem with one of the extensions (components, modules or plugins) you are using.

More specifically, Joomla! extensions are not supposed to load anything from the administrator area of your site in the front-end. However, some badly written extensions try to access static media files (CSS, Javascript, images) from directories inside the administrator directory. On notorious example is the Zoo CCK extension. Since all of the contents of your administrator directory are protected with a username/password, your browser will prompt you for one as soon as it is instructed to download a file from that protected directory or any of its subdirectories.

There are two workarounds:

1. Disable the administrator password protection. This degrades your site's security but is the easiest and most immediate change.

2. Consult the developer of the offending extension and explain to him that loading files from the administrator area of the component in the front-end of the site is insecure and he has to resolve this issue. Hopefully, developers will realize that this practice is unsafe and fix their software.

---

Now, let's get to your unreasonable claim. You say that it's "our problem" and we should "own it". You are wrong. Your problem originates from RocketTheme's Gantry. They are putting public files in the private administrator directory. If you enable password protection to the administrator directory -as you should for defense against brute force and fingerprinting- their template framework breaks. You do NOT need Admin Tools to trigger this incompatibility. You can delete Admin Tools completely, use your hosting control panel's directory password protection on the "administrator" folder and the issue is triggered.

Akeeba Ltd has not written your hosting control panel, is not your host and most definitely does now own RocketTheme. So how exactly are we supposed to own a problem that's completely unrelated to us?!! Are we "responsible" for this problem because our advice brought this third party issue to your attention? I don't think that shooting the messenger helps. You have a security issue here. We uncovered it but it's not ours to fix. It's RocketTheme's. You can either do something about it or you can sweep it under the rug and hope you don't get hacked (you will), but shouting at us is unproductive and, honestly, barking up the wrong tree.

Now to the technical reasons. You have this problem because RocketTheme IS NOT following Joomla's best practices which were first established in the year two thousand and seven (2007) with Joomla 1.5. These past eleven years Joomla, being aware of the security issues arising from loading files from the private administrator backend into your site's public frontend, has provided the "media" directory as a solution. All front-end, web accessible, static media files -which are not image files that originate from or can be replaced by the end user- are meant to be stored in a subdirectory of the media folder named after the extension they belong to. All image files which have originated by and can be replaced by the user are meant to be stored in the images folder, without any requirements for the organization of its subfolders. We, Akeeba Ltd, did not invent this rule. This was decided by the Joomla Core Team who was responsible for making Joomla 1.5 between 2005 and 2007. RocketTheme should know that because their owner was one of the people in that core team (going by the username "rhuk").

In other words, RocketTheme cannot claim ignorance on this matter. Their owner agreed that this is the best practice and put his name on it. Why he's not following the best practice he helped established is another story and one that's not for me to answer. I will only comment that even though I could also hire cheap Vietnamese labor and make millions every year out of my software without caring about the security and performance of my clients' sites I instead chose to keep the company small, hire expensive but really damn good developers and put my clients' sites' security and performance above profit.

In the end of the day it's your site and your choice: do you want to put security first or do you want to let a badly written template framework mandate that your private administrator folder should be publicly accessible by every miscreant just because its developer hasn't bothered to move files in eleven years? I would put security first and shout at the developer who's violating the Joomla best practices he helped established. Moving these files around is a day's work and that's it. I know this because back when Akeeba Backup was called JoomlaPack (Joomla! 1.0 days) I had my static media files in administrator. By the time I released a Joomla! 1.5-only version of my software I had moved everything to the media folder because that was -and still is- the Joomla! best practice for very real and important security reasons.

So, if you want me to own something it's that I will always put your site's security above anything else, especially third party software which doesn't follow Joomla's best practices (they are called "best practices" because they matter to the security of your site!). This is what you are paying me for and this is what I will deliver. Asking me to do anything else is unacceptable. I will never add a button which does nothing or, worse, has a default backdoor. An illusion of security is worse than no security at all.

Now please go ask RocketTheme why the heck they don't follow the Joomla best practice their owner helped establish 11 years ago.

This ticket will now be closed. We won't accept any further tickets from you about this issue. You are very well aware why it happens and what you need to do to either REALLY solve it or conveniently sweep it under the rug and hope you don't get hacked.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!