EECS Technical Database

User Tools

Site Tools

You are here: Technical Database » Web Publishing including Protected Areas » Password Protecting Web Areas » Authentication By User-Defined Usernames and Passwords or Groups
Trace:
web:password-protected:authbyuserdefined:start

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
web:password-protected:authbyuserdefined:start [2017/01/30 12:59] jasweb:password-protected:authbyuserdefined:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-======Authentication By User-Defined Usernames and Passwords or Groups  ====== 
- 
-If you wish to authenticate users by user-defined usernames and passwords or groups: 
- 
-Create a password file that will contain the usernames and passwords for the protected area using the htpasswd(1) command. If the file does not exist, you can use the "-c" option to create it. For example: 
- 
-  % htpasswd -c /eecs/home/example/private/webpasswd joe 
- 
-This would prompt you to create a web password for user "joe" and create a new password file. If you have already created the password file, do not use the "-c" option, as this will overwrite the existing file. Instead just use: 
- 
-  % htpasswd 
- 
-The password file should not be located in a directory that is served by the webserver. However, it must be a file that the webserver has permission to access. 
- 
-Ensure that the web server can read the password file. For example: 
- 
-  % chmod o+x /eecs/home/example 
-  % chmod o+x /eecs/home/example/private 
-  % chmod o+r /eecs/home/example/private/webpasswd 
- 
-CAUTION: Other users on the system will also be able to read the password file. The passwords are encrypted, but this does not mean they are safe. 
- 
-If you would like to authenticate based on user-defined groups, you must create a group file (eg. /eecs/home/example/private/webgroups) that assigns users from the above step to groups. The file will look like this: 
- 
-  students: joe sally 
-  faculty: bob ruth 
-  everyone: joe sally bob ruth 
- 
-Here, users joe and sally are in the students group, users bob and ruth are in the faculty group, and everyone is in the everyone group. 
- 
-If you created a groups file, ensure that the web server can read the file: 
- 
-  % chmod o+x /eecs/home/example 
-  % chmod o+x /eecs/home/example/private 
-  % chmod o+r /eecs/home/example/private/webgroups 
- 
-CAUTION: Other users on the system will also be able to read the groups file. 
- 
-In the directory you wish to protect, create a .htaccess file with the following contents: 
- 
-  AuthType Basic 
-  AuthName "Name of Web Area You Are Protecting" 
-  AuthUserFile /eecs/home/example/private/webpasswd 
- 
-If you wish to restrict access to any user-defined account, add: 
- 
-  Require valid-user 
- 
-If instead, you wish to restrict access to specific user-defined accounts, add for each user: 
- 
-  Require user <userid> 
- 
-If you wish to restrict access to user-defined groups, add: 
- 
-  AuthGroupFile /eecs/home/example/private/webgroups 
- 
-For each group that you wish to allow, add: 
- 
-  Require group <group> 
- 
-If you wish to restrict access to both user-defined usernames and groups, you must add: 
- 
-  AuthzGroupFileAuthoritative off 
- 
-You can use as many "Require user" or "Require group" lines as needed. You can also add additional users or groups to one Require line, separating them by spaces. 
- 
-If you use both "Require user" and "Require group", group will be checked first and then user. If the users group is in the allowed group list, and not in the allowed user list, the user will get access. Likewise, if the user is not in the allowed group list, but is in the allowed user list, they will also get access. 
- 
-Check file permissions on your .htaccess file and directory permissions on all directories leading up to your .htaccess file. 
- 
-At a minimum, your .htaccess file must be readable by the web server, which runs as user "www": 
- 
-  % chmod o+r .htaccess 
- 
-CAUTION: This will enable other users on the system to also read your .htaccess file. file. 
- 
-You will also need to ensure that all directories up to your .htaccess file are accessible by the web server. For example, if your .htaccess file is /eecs/home/example/www/.htaccess: 
- 
-  % chmod o+x /eecs/home/example 
-  % chmod o+x /eecs/home/example/www 
-     
-(optional) You may wish to restrict access to your page to encrypted http (https) only. This will ensure that all usernames and passwords sent to your site over the web will be encrypted. In order to do this, add the following line to the top of your .htaccess file: 
- 
-  SSLRequireSSL 
- 
-Now, if an http user tries to access your site, they will get a "Forbidden" message. 
- 
-If, instead, you would like to automatically redirect any http accesses to your page to https, add the following to your .htaccess file instead of the SSLRequireSSL line above: 
- 
-  RewriteEngine On 
-  RewriteCond %{SERVER_PORT} !^443$ 
-  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] 
- 
-Notes: 
- 
-  * A utility, mkhtaccess is available for helping your build your .htaccess file (steps 1 and 2 above). See the mkhtaccess page for details. 
- 
-  * Full details on Apache authentication can be found in the Apache authentication documentation. 
- 
-  * Please refrain from using your system password in a user-defined password file. The files must be readable by everyone on the system in order to be available to the web server. 
  
web/password-protected/authbyuserdefined/start.1485799179.txt.gz · Last modified: 2017/01/30 12:59 by jas
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki