Apache - Location vs Directory Directives

Question

Im not that familiar with Apache.

• When using <Location>, I am able to redirect users to a sign-on page, forcing them to authenticate and have proper privileges before accessing the URL.
• When using <Directory>, it is supposed to allow me to control access to specified folders and directories, right?

Question:
How does <Directory> behave similarly and differently from <Location>?

• With <Location /web>: www.mysite.com/web and www.mysite.com/web/foo will be controlled.
  
• With <Directory /webforms>: how will www.mysite.com/web look like if some of the scripts are from that folder?
• With <Directory /pictures>: how will www.mysite.com/web look like if some of the picture are from that folder?
• What about a situation where you have both types of directives active and affecting a single page? What kinds of things should I expect or watch out for?

Answer 1

The Apache HTTP server documentation has a section called What to use When which, I think, directly answer your question :

Choosing between filesystem containers and webspace containers is actually quite easy. When applying directives to objects that reside in the filesystem always use <Directory> or <Files>. When applying directives to objects that do not reside in the filesystem (such as a webpage generated from a database), use <Location>.

The important part is the following :

It is important to never use <Location> when trying to restrict access to objects in the filesystem. This is because many different webspace locations (URLs) could map to the same filesystem location, allowing your restrictions to be circumvented.

Read on for more information...