ECN No Name Newsletter: May, 1995

The ECN No Name Newsletter is no longer being published. This is an archived issue.


WWW Access Control And User Authentication

NO NAME NEWSLETTER-- May 1995

Cathy Curry


You can control access to your web documents using Domain Access Control, User Authentication or a combination of both. Domain Access Control is based on the acceptance or rejection of a connection based on the client's Internet address or host or domain name. User Authentication is based on the entry of a username and password.

Both of these methods use a file named .htaccess to control access to the restricted directory. You can have both Domain Access Control and User Authentication defined in the same .htaccess file.

The .htaccess File

The .htaccess file must be created in the directory you want to restrict/protect. This can be either your departmental home page (/var/www/htdocs), your personal home page (~/public-web) or a subdirectory of either. Using the .htaccess file, you can restrict access to directories, not files. If you want to restrict access to just one file, you should put the file in a directory by itself.

Components Of The .htaccess File

Within the .htaccess file, a <Limit> section controls access to the directory. Directives defining access controls appear both outside and inside the Limit section.

DOMAIN LEVEL ACCESS CONTROL

The following directives will be used within the "Limit" sections:
order
defines the order in which deny and allow directives are evaluated within a Limit section.
allow
defines which hosts can access the directory.
deny
defines which hosts are denied access to the directory.

The server ALWAYS processes ALL of the lines. You control whether it does allow before deny, or deny before allow. The results are not always the same:

<Limit GET>
  order deny,allow
  allow from all
  deny from all
</Limit>

  1. Process deny first - everyone is out
  2. Process allow next - everyone is back in

<Limit GET>
  order allow,deny
  allow from all
  deny from all
</Limit>

  1. Process allow first - everyone is in
  2. Process deny next - everyone is out

To restrict access to ~/public-web:

Example 1: To exclude one group:

order allow,deny
allow from all
deny from group (domain name) 

  1. cd ~/public-web
  2. Create a file named .htaccess. In this file type in the following:
    <Limit GET>
      order  allow,deny
      allow  from all
      deny   from ecn.purdue.edu
    </Limit>
    

  3. Save the file and exit the editor.

Result: EVERYONE except ECN hosts is allowed into ~/public-web.

Example 2: To allow one group:

order deny,allow
deny from all
allow from group (domain name) 

  1. cd ~/public-web
  2. Create a file named .htaccess. In this file type in the following:
    <Limit GET>
      order  deny,allow
      deny   from all
      allow  from ecn.purdue.edu
    </Limit>
    

  3. Save the file and exit the editor.

Result: only ECN hosts are allowed into ~/public-web.

To specify multiple organizations (e.g., the ecn domain, the cs domain and a non-profit organization), separate them with whitespace, not commas:

allow from ecn.purdue.edu cs.purdue.edu non.profit.org
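To make the two orderings concrete, here is an added example (not part of the original newsletter) that models how an NCSA httpd <Limit> section evaluates its order/allow/deny lines and runs the article's two examples against constructed client hostnames:

```python
# Added example (not from the original newsletter): a model of how an NCSA httpd
# <Limit> section decides access from its order/allow/deny lines, so the two
# orderings can be compared side by side. Client hostnames are constructed.

def host_matches(pattern, host):
    """'all' matches everything; a domain matches the host and its subdomains;
    a dotted numeric prefix such as 128.46 matches addresses starting with it."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "all":
        return True
    if pattern.replace(".", "").isdigit():
        return host == pattern or host.startswith(pattern + ".")
    return host == pattern or host.endswith("." + pattern)

def parse_limit(text):
    """Return (order, allow_list, deny_list) from the lines of a <Limit> section.
    NCSA syntax is 'allow from ...'; a missing 'from' is tolerated here."""
    order, allow, deny = ("deny", "allow"), [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):          # skip blanks and the <Limit> tags
            continue
        keyword, _, rest = line.lower().partition(" ")
        if keyword == "order":
            order = tuple(p.strip() for p in rest.split(","))
        elif keyword in ("allow", "deny"):
            hosts = rest.split()
            if hosts and hosts[0] == "from":
                hosts = hosts[1:]
            (allow if keyword == "allow" else deny).extend(hosts)
    return order, allow, deny

def is_allowed(text, client_host):
    """Every list is processed; the order decides which one gets the last word.
    With deny,allow the default is open, with allow,deny it is closed."""
    order, allow, deny = parse_limit(text)
    allowed = order[0] == "deny"
    for step in order:
        patterns = allow if step == "allow" else deny
        if any(host_matches(p, client_host) for p in patterns):
            allowed = step == "allow"
    return allowed

EXCLUDE_ECN = "<Limit GET>\norder allow,deny\nallow from all\ndeny from ecn.purdue.edu\n</Limit>"
ONLY_ECN = "<Limit GET>\norder deny,allow\ndeny from all\nallow from ecn.purdue.edu\n</Limit>"

if __name__ == "__main__":
    for host in ("pc1.ecn.purdue.edu", "box.cs.purdue.edu"):     # constructed hosts
        print(host, "exclude-ecn:", is_allowed(EXCLUDE_ECN, host),
              "only-ecn:", is_allowed(ONLY_ECN, host))
```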

USER AUTHENTICATION

Files used for User Authentication:

File          Description                             Naming
.htaccess     the file to control access              .htaccess
.htpasswd     the hypertext password file             any name
.htgroup      the file which defines                  any name
                  the users in a specific group

The .htaccess file will be comprised of the following directives:

<Limit GET>
require
</Limit>

The require directive tells httpd to prompt for a username and password, and it is only allowed within the Limit section.

User Authentication does not read the system's /etc/passwd file. Web-based authentication uses similar but distinct password files; a user does not need to have an actual account on the given Unix system for access to these protected files.

When user authentication is in place, the user is given two prompts (username and password) to which he must respond correctly before access is allowed. Once the user is authenticated, he can navigate from page to page without repeated authentication prompts.

The following four Auth directives go outside the Limit sectioning directive. All four directives must be defined for user authentication to work properly.

AuthUserFile
Contains the absolute pathname to the hypertext password file (.htpasswd).
AuthGroupFile
Contains the absolute pathname to the group file (.htgroup). For a single username/password, set this line to "/dev/null".
AuthName
Specifies the prompt to be given to the user. Helps the user know which username and password is required. Can be anything you want (e.g., By Secret Password Only!, By Password, etc.).
AuthType
Must always be "Basic"

Single Username/Password

For our example, we will authenticate ~/public-web, so only user "jruser" with password "gopurdue" can access this.

  1. Create a directory to store the password file. This directory CANNOT be in the directory which you are planning to authenticate:
           cd ~
           mkdir auth
    

    In the HOME directory, a directory named auth will contain the password file.

  2. Go into the directory where you want user authentication:
            cd ~/public-web
    
  3. Using your editor, create a file called .htaccess that looks like this:
    AuthUserFile      /home/harbor/a/your-login/auth/.htpasswd
    AuthGroupFile     /dev/null
    AuthName          ByPassword
    AuthType          Basic
    

    <Limit GET>
         require user jruser
    </Limit>
    

  4. Save the file and exit the editor.

  5. Create a hypertext password file for the username specified in your .htaccess configuration file. The easiest way to do this is to use the htpasswd program. At your window prompt, in any directory, type:

    /usr/local/etc/httpd/support/htpasswd -c ~/auth/.htpasswd jruser

    The htpasswd program is stored in /usr/local/etc/httpd/support/. You must use the -c flag when you FIRST create a password file. ~/auth/.htpasswd is the location of your personal password file. In your .htaccess file, "jruser" is the username you specified.

  6. Type the password gopurdue twice as instructed.

  7. To check your file, look at ~/auth/.htpasswd. Remember, this is a "dot" file, type

    ls -al

    in your auth directory to list it.

  8. Try to access your ~/public-web/ directory. Mosaic should demand a username and password and will not give you access to the file unless you enter "jruser" and "gopurdue."

Multiple Usernames/Passwords

If you want to give access to a directory to more than one username/password pair, follow the steps as for a single username/password except you add additional users to the directory's .htpasswd file and you create a group file (.htgroup). To add more authenticated users to your ~/public-web directory:
  1. Create the password file, as in step #1 in the single username/password instructions.

  2. Now you need to create a group file. Go into your password file directory: cd ~/auth

  3. You already have a file .htpasswd. Using your editor, create a file called .htgroup and insert a line like this:

    my-users: jruser lois ned lila

  4. Save the file and exit the editor.

  5. Go to the directory you are protecting, the directory which contains the .htaccess file:

    cd ~/public-web

  6. Edit the .htaccess file to look like this:
    AuthUserFile    /home/harbor/a/your-login/auth/.htpasswd
    AuthGroupFile   /home/harbor/a/your-login/auth/.htgroup
    AuthName        ByPassword
    AuthType        Basic
    

    <Limit GET>
         require group my-users
    </Limit>
    

  7. Then run the htpasswd program without the -c flag to add the users specified in your .htaccess file:
    /usr/local/etc/httpd/support/htpasswd ~/auth/.htpasswd lois
    /usr/local/etc/httpd/support/htpasswd ~/auth/.htpasswd ned
    /usr/local/etc/httpd/support/htpasswd ~/auth/.htpasswd lila
    

Now the users in group my-users ("jruser", "lois", "ned" and "lila") can use their username and password to gain access to ~/public-web.

To change a password for an existing username, type:

/usr/local/etc/httpd/support/htpasswd  ~/otherdir/.htpasswd username
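Because all four Auth directives, the require line, .htpasswd and .htgroup have to agree before anyone gets in, here is an added example (not from the original newsletter) that checks a user-authentication setup for the mismatches described above, such as "require group" combined with an AuthGroupFile of /dev/null, or a group member with no .htpasswd entry. The file contents it runs on are constructed, and the password hash is a placeholder:

```python
# Added example (not from the original newsletter): a consistency check for an
# NCSA httpd user-authentication setup, run over the .htaccess, .htpasswd and
# .htgroup contents. Sample file contents below are constructed.
REQUIRED = ("AuthUserFile", "AuthGroupFile", "AuthName", "AuthType")

def parse_htaccess(text):
    """Map lower-cased directive names to values; 'require' becomes (kind, names)."""
    directives, require = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("<"):      # skip blanks and <Limit> tags
            continue
        if words[0].lower() == "require" and len(words) > 2:
            require = (words[1].lower(), words[2:])
        else:
            directives[words[0].lower()] = " ".join(words[1:])
    return directives, require

def parse_colon_file(text):
    """'user:hash' (.htpasswd) or 'group: u1 u2' (.htgroup) -> {name: rest}."""
    return {name.strip(): rest.strip() for name, sep, rest in
            (line.partition(":") for line in text.splitlines()) if sep}

def check_auth(htaccess, htpasswd, htgroup):
    """Return a list of problems; an empty list means the three files agree."""
    directives, require = parse_htaccess(htaccess)
    problems = [f"missing directive {d}" for d in REQUIRED if d.lower() not in directives]
    if require is None:
        return problems + ["no 'require' line inside the <Limit> section"]
    kind, names = require
    users = parse_colon_file(htpasswd)
    if kind == "group":
        if directives.get("authgroupfile") == "/dev/null":
            problems.append("require group used but AuthGroupFile is /dev/null")
        groups = parse_colon_file(htgroup)
        problems += [f"group {g} not defined in AuthGroupFile" for g in names if g not in groups]
        names = [u for g in names for u in groups.get(g, "").split()]   # expand to members
    problems += [f"user {u} has no entry in AuthUserFile" for u in names if u not in users]
    return problems

# Constructed sample: the single-user .htaccess with 'require group' in place of 'require user'.
HTACCESS = ("AuthUserFile  /home/harbor/a/your-login/auth/.htpasswd\n"
            "AuthGroupFile /dev/null\nAuthName ByPassword\nAuthType Basic\n"
            "<Limit GET>\n    require group my-users\n</Limit>\n")
HTPASSWD = "jruser:PLACEHOLDERHASH\n"   # placeholder, not a real crypt() hash
HTGROUP = ""                            # what reading /dev/null yields

if __name__ == "__main__":
    print(check_auth(HTACCESS, HTPASSWD, HTGROUP))
```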

Additional Information

The Mosaic User Authentication Tutorial is available at
http://wintermute.ncsa.uiuc.edu:8080/auth-tutorial/tutorial


webmaster@ecn.purdue.edu
Last modified: Friday, 12-Sep-97 23:13:42 EST
