.htaccess Web Authentication Howto

This docuemnt describes using a .htaccess files in a web folder to restrict access to a set of users defined in a password file that you create. If you want to use the ISRL LDAP server as the authoratative source for usernames and passwords, please refer to the document Using LDAP for Web Page Authentication

Note: the instructions below assume you will be using the URL https://www-s.isrl.uiuc.edu/~username, where username is replaced with your username. This assures that usernames/passwords are sent encrypted and that others cannot see the private data being protected within the restricted folders.

Setting up the .htaccess file

There are a few pieces of information the Apache web server needs to know in order to handle web authentication. You must turn it on, tell it which password file to check, and what types of users are required.

To enable password protected web folders, edit a file called .htaccess in the top-level directory you wish to protect. As an example, suppose your directory structure looks like this:


/content/web/users/username/public_htmls
 |
 +-------- randomstuff
 |
 +-------- morestuff
 |          |
 |          +-------- UltraSecret
 |
 +-------- protected
            |
            +-------- staff
	    |
	    +-------- everyone

Suppose you want anyone to be able to access public_htmls/randomstuff, want anyone with an ISRL account to access public_htmls/morestuff and public_htmls/protected/everyone, and want only Bob and Jane to access public_htmls/protected/staff. You would need three .htaccess files, one in each of the above directories.

Let's look at the simplest case. You want anyone with an ISRL account to access a directory. In that top-level directory, use the following .htaccess:

AuthType               basic
AuthName               "A name to appear in the passwd box"
AuthUserFile           /content/web/users/username/.htpasswd
require                valid-user

Here's what each of these pieces does.

AuthType

This describes how Apache should ask for authentication. Check the Apache docs for more information.

AuthName

This text will appear in the browser's password dialog box.

AuthUserFile

The location of the password file. NOTE: the server www.isrl does not have access to users home directories, so the .htpassword file must be located in /content/web/users/username. Further, it should NOT be located in the public_htmls directory or anyone could read it.

There are two ways to create your htpasswd file.

Using the htpasswd command on soldev.isrl.uiuc.edu or www3.isrl.uiuc.edu. The first time you create a username, you'll need to use the -c switch to create the file. Subsequently you should not use the -c switch or you will overwrite the original. The syntax (shown without the -c switch) is as follows, after which you will be prompted to enter a password for the newuser:
```
      htpasswd /content/web/users/username/.htpasswd newuser
        
```
Use the web form at http://www.flash.net/cgi-bin/pw.pl to create a username/encrypted password pair that you can cut and paste into your .htpasswd file using your favorite editor. On a Windows workstation in the ISRL this can be done by editing the file W:\username\.htpasswd. On Linux workstations, this can be done by editing the file /content/web/users/username/.htpasswd.

require

This tells the system who can log in. "valid-user" means anyone who authenticates.

The .htaccess file presented will work for both the public_htmls/morestuff and public_htmls/protected/everyone directories. For the last directory, where only Bob and Jane are to have access, only one item needs to be changed. This is the require directive. Change it to give a list of users required:

AuthType               basic
AuthName               "A name to appear in the passwd box"
AuthUserFile           /content/web/users/username/.htpasswd
require                user Bob Jane

isrl-support@isrl.uiuc.edu