You can use .htaccess files in combination with the server’s standard access control. The standard access controls are always applied before any .htaccess access control, regardless of the ordering of PathCheck directives. Do not require user authentication with both standard and .htaccess access control when user-group authentication is "Basic”. Use SSL client authentication via the standard server access control, and also require HTTP ”Basic’ authentication via an .htaccess file.
If you enable .htaccess files, the server checks for .htaccess files before serving resources. The server looks for .htaccess files in the same directory as the resource and in that directory's parent directories, up to and including the document root. For example, if the Primary Document Directory is set to /oracle/server/docs and a client requests /oracle/server/docs/reports/index.html, the server will check for .htaccess files at /oracle/server/docs/reports/.htaccess and /oracle/server/docs/.htaccess.
Note that the Server's Additional Document Directories and CGI Directory functionality enables an administrator to define alternate document roots. The existence of alternate document roots affects .htaccess file processing. For example, consider a server with the Primary Document Directory set to /oracle/server/docs and a CGI program at /oracle/server/docs/cgi-bin/program.cgi. If you enable CGI as a File Type, the server will evaluate the contents of both /oracle/server/docs/.htaccess and /oracle/server/docs/cgi-bin/.htaccess when a client issues a request for the CGI program. However, if you instead configure a CGI Directory at /oracle/server/docs/cgi-bin, the server will inspect /oracle/server/docs/cgi-bin/.htaccess but not /oracle/server/docs/.htaccess. This occurs because specifying /oracle/server/docs/cgi-bin as a CGI Directory marks it as an alternate document root.