View Issue Details

ID: 0035935
Project: mantisbt
Category: api rest
View Status: public
Last Update: 2025-05-09 10:21
Reporter: tk
Assigned To: dregad
Priority: low
Severity: text
Reproducibility: always
Status: assigned
Resolution: open
Product Version: 2.25.8
Summary: 0035935: Comments on 0026365: Missing Authorization header in REST API causing requests to fail
Description

Hi,

rather a comment than an issue; maybe it could be included in the REST API documentation:

After upgrading from mantis-2.25.6 to mantis-2.27.1 I faced problems (HTML Error 500) due to the directive

    CGIPassAuth On

that has been introduced in 2.25.8 (cf. 0026365) in api/rest/.htaccess.

In this ticket there is also the statement 0026365:0068046:
"On some webservers both directives work and one of them is required.
On other webservers, CGIPassAuth is forbidden in .htaccess, and thus only the other directive is allowed and required."

To summarize, we had to allow additional capabilities in the apache vhost configuration that are generally locked down for safety reasons:

    <Directory "[mantis_base]/api/rest/">
    AllowOverride AuthConfig FileInfo
    Options FollowSymLinks
    Require all granted
    </Directory>

Of course, Apache 2.4.13+ is a prerequisite, but I suppose this is a given nowadays.

Tags: No tags attached.

Relationships

related to 0026365 (closed, dregad): Missing Authorization header in REST API causing requests to fail

Activities

dregad (developer), 2025-05-09 03:49, ~0070229

@tk what you are asking is not very clear.

> we had to allow additional capabilities in apache vhost configuration that are locked down due to safety reasons in general

If the use of .htaccess is a problem for you and you do not want to enable it, you simply need to add the necessary directives to your Apache vhost / directory configuration as appropriate; there is no obligation to allow overrides.

If you want the documentation to be updated, then it would be useful to provide us additional context and details, i.e. the actual errors that you got, and what needs to be changed to fix it (the vhost config you posted possibly includes additional directives that are not necessary to address the problem).

Providing the text you would like to see added would be nice too, keeping in mind that it needs to be generic so it remains applicable for other environments.

tk (reporter), 2025-05-09 08:52, ~0070230

@dregad : I hope this makes the point clearer:

  • Prerequisite: mantis before 2.25.8, apache 2.4.13+
  • Problem: After update to mantis 2.25.8 or above, all REST API calls return error 500:

    500 Internal Server Error
    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.

    and the apache error log shows entries:

    ... [mantis_base]/api/rest/.htaccess: CGIPassAuth not allowed here

  • Cause of problem: In mantis-2.25.8 the directive "CGIPassAuth On" has been added in api/rest/.htaccess. Application of this directive will be denied if the required contextual permissions are not granted in the apache vhost configuration.
  • Solution: The complete block of directives must be added to the apache vhost configuration:

    <Directory "[mantis_base]/api/rest/">
    AllowOverride AuthConfig FileInfo
    Options FollowSymLinks
    Require all granted
    </Directory>

  • Notes:
    Options FollowSymLinks is required, otherwise apache throws the error "Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions". The rewrite is another part of [mantis_base]/api/rest/.htaccess.
    Regarding "Require all granted" cf. https://webmasters.stackexchange.com/questions/107049/what-does-require-all-granted-on-directory-root-realy-means-apache-2-4-o or https://htaccessbook.com/access-control-apache-2-4/
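A preflight check for the situation described in the thread, added here as an example (not MantisBT code and not part of the thread): it parses the `<Directory>` block of a vhost and reports, for each .htaccess directive the thread mentions, whether the AllowOverride class and Options it needs are granted (CGIPassAuth needs AuthConfig; RewriteRule needs FileInfo plus FollowSymLinks or SymLinksIfOwnerMatch, per the Apache 2.4 docs). The directory path, the two sample configs and the wording of the reported problems are constructed for the example.

```python
import re

# Override class and Options each .htaccess directive needs (Apache 2.4 docs).
REQUIREMENTS = {
    "CGIPassAuth": {"override": "AuthConfig"},
    "RewriteRule": {"override": "FileInfo",
                    "options": {"FollowSymLinks", "SymLinksIfOwnerMatch"}},
}

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)

# Constructed sample vhost fragments: the locked-down default and the block from the thread.
LOCKED_DOWN = """
<Directory "/var/www/mantis/api/rest/">
    AllowOverride None
    Options None
    Require all granted
</Directory>
"""
OPENED = """
<Directory "/var/www/mantis/api/rest/">
    AllowOverride AuthConfig FileInfo
    Options FollowSymLinks
    Require all granted
</Directory>
"""


def parse_directories(config):
    """Return {path: {"AllowOverride": set, "Options": set}} for each <Directory> block."""
    result = {}
    for path, body in DIRECTORY_RE.findall(config):
        settings = {"AllowOverride": set(), "Options": set()}
        for line in body.splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "AllowOverride":
                settings["AllowOverride"] = set(parts[1:])
            elif len(parts) >= 2 and parts[0] == "Options":
                # "+Opt" enables, "-Opt" disables; keep only the enabled ones.
                settings["Options"] = {o.lstrip("+") for o in parts[1:] if not o.startswith("-")}
        result[path.rstrip("/")] = settings
    return result


def missing_permissions(config, directory, htaccess_directives):
    """List what Apache would refuse for the given .htaccess directives under this vhost."""
    settings = parse_directories(config).get(directory.rstrip("/"))
    if settings is None:
        return [f"no <Directory> block for {directory}"]
    overrides, options, problems = settings["AllowOverride"], settings["Options"], []
    for directive in htaccess_directives:
        need = REQUIREMENTS.get(directive)
        if need is None:
            continue  # directive not covered by this check
        if "All" not in overrides and need["override"] not in overrides:
            problems.append(f"{directive} not allowed here (needs AllowOverride {need['override']})")
        if "options" in need and "All" not in options and not (options & need["options"]):
            problems.append(f"{directive} forbidden: Options FollowSymLinks/SymLinksIfOwnerMatch off")
    return problems
```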
dregad (developer), 2025-05-09 10:21, ~0070232

Thanks for the detailed explanation, now I understand better.