WWW Access Control

You can implement access control on all or part of your Web site so that:

users must provide a username and password (Basic Authentication);
users' computers must be within a particular domain

Basic Authentication: Warning

Basic Authentication alone does not provide the security and privacy to adequately protect truly confidential or personal information.

Basic Authentication is analogous to simply "closing a door" to parts of your Web site. It will prevent the casual or polite users from "opening the door", but will not prevent someone mildly determined to walking in.

Two issues that contribute to the lack of security and privacy are:

the content is transmitted over the network in plaintext
the usernames and passwords (submitted with each HTTP request) is transmitted over the network in plaintext

HTTP: Authenticate

fas% telnet 140.247.30.64 80
Trying 140.247.30.64...
Connected to 140.247.30.64.
Escape character is '^]'.
HEAD /~cscie12/assignments/ HTTP/1.1
Host: www.courses.fas.harvard.edu

HTTP/1.1 401 Authorization Required
Date: Mon, 22 Nov 1999 17:42:29 GMT
Server: Apache/1.3.6 (Unix) mod_perl/1.21 secured_by_Raven/1.4.1
WWW-Authenticate: Basic realm="CSCIE12 Assignment Submission"

HTTP: Authentication/Authorization

The username:password is sent MIME BASE 64 encoded (not encrypted).

fas% telnet 140.247.30.64 80
Trying 140.247.30.64...
Connected to 140.247.30.64.
Escape character is '^]'.
HEAD /~cscie12/assignments/ HTTP/1.1
Host: www.courses.fas.harvard.edu
Authorization: BASIC Z3Vlc3Q6a25vY2trbm9jaw== 

HTTP/1.1 200 OK
Date: Mon, 22 Nov 1999 17:46:42 GMT
Server: Apache/1.3.6 (Unix) mod_perl/1.21 secured_by_Raven/1.4.1
Author: David P. Heitmeyer
Content-Type: text/html

Access Control Documentation

Apache

Apache FAQ has a section on user authentication.
Using User Authentication from Apache Week
Relevant Apache Module and Directive Documentation
- mod_access module
- mod_auth module
- require directive
- satisfy directive

Implementing Access Control

To implement access control, you must create a file name '.htaccess' that contains with the proper configuration instructions. You may also need to create a ".htpasswd" file using the utility "htpasswd" and a ".htgroup" file.

htpasswd program
.htaccess file
htpasswd file
htgroup file

.htaccess

.htaccess
This file contains the instructions the WWW Server needs in order to implement access control. The directives contained within this file will apply to all the files and subdirectories at or below the level of the .htaccess file.

For example, /home/j/h/jharvard/public_html/private/.htaccess will apply to all files contained within the ~jharvard/public_html/private directory (and its subdirectories), but would not be applied to the file ~jharvard/public_html/index.html.

This file needs to be readable by the Web Server.

htpasswd file

.htpasswd
This file contains usernames and encrypted passwords (username:enc_passwd). It is created and managed with the utility, "htpasswd", which can be run from the command line on fas.harvard.edu and ice.fas.harvard.edu.

This file should not lie within your public_html. It should reside at the root level of your home directory (for example, /home/j/h/jharvard/.htpasswd

This file needs to be readable by the Web Server.

fas% which htpasswd
/usr/local/bin/htpasswd

fas% htpasswd
Usage: htpasswd [-c] passwordfile username
The -c flag creates a new file.

Sample content:

fas% more ~cscie12/.htpasswd.demo
guest:79WeSn3vYGsKQ
guest2:wGcgIYLtHNIpM
guest3:j9VzpSX/C8Kr2
guest4:CjHmW1PWNFwXM

htgroup file

.htgroup
This file contains group definitions (group_name:member1 member2 ...).

This file should not lie within your public_html. It should reside at the root level of your home directory (for example, /home/j/h/jharvard/.htgroup

This file needs to be readable by the Web Server.

Access Control Examples

For the examples given, the user "cscie12" is used. You should substitute your username and home directory appropriately.

The following .htpasswd.demo and .htgroup.demo files are used:

/home/c/s/cscie12/.htpasswd.demo
The .htpasswd.demo was generated by using the utility "htpasswd"

ice% htpasswd
Usage: htpasswd [-c] passwordfile username 
The -c flag creates a new file. 

ice% htpasswd -c /home/c/s/cscie12/.htpasswd.demo guest
Adding password for guest 
New password: *****
Re-type password: *****

Password for "guest" (and all other entries) is "guest". Entries for guest2, guest3, and guest4 are created without the "-c" flag, since the .htpasswd.demo file already exists.

Contents of file:

guest:79WeSn3vYGsKQ
guest2:PR4APgA.4CKO.
guest3:5DbCMPbSDstj2
guest4:htPnr8jT4bI5E

.htgroup.demo
Contents of file:

VIP: guest guest4

Access Control Example 1

Any valid user in .htpasswd.demo is allowed access

The"AuthName" is the description that is displayed by the browser in the Basic Authentication dialog box.

Contents of sample .htaccess file:

AuthName "Basic Authentication Tutorial 1"
AuthType Basic
AuthUserFile /home/c/s/cscie12/.htpasswd.demo
require valid-user

Demonstration of Example 1
You may login as any of the following users (username:password):
guest:guest
guest2:guest
guest3:guest
guest4:guest

Access Control Example 2

Only certain users in .htpasswd.demo are allowed access

Contents of sample .htaccess file:

AuthName "Basic Authentication Tutorial 2"
AuthType Basic
AuthUserFile /home/c/s/cscie12/.htpasswd.demo
require user guest2 guest3

Demonstration of Example 2
Only guest2 and guest3 are authorized:
guest2:guest
guest3:guest

Unauthorized:
guest:guest
guest4:guest

Access Control Example 3

Only members of a particular group are allowed access

Contents of .htaccess file:

AuthName "Basic Authentication Tutorial 3"
AuthType Basic
AuthUserFile /home/c/s/cscie12/.htpasswd.demo
AuthGroupFile /home/c/s/cscie12/.htgroup.demo
require group VIP

Contents of .htgroup.demo file:

VIP: guest guest4

Demonstration of Example 3
Only members of the group "VIP" (as defined by /home/c/s/cscie12/.htgroup.demo) are authorized (guest and guest4):
guest:guest
guest4:guest

Unauthorized:
guest2:guest
guest3:guest

Access Control Example 4

Only certain computers are allowed access

Contents of sample .htaccess file:

order deny,allow
deny from all
allow from 140.247
allow from 128.103
allow .harvard.edu

Demonstration of Example 4
Computers that are on the Harvard network (computers with hostnames ending in .harvard.edu or with IP addreses beginning with 128.103 or 140.247) will have access, others will be denied.

Access Control Example 5

Only certain computers are denied access

Contents of sample .htaccess file:

order allow,deny
allow from all
deny from .fas.harvard.edu

Demonstration of Example 5
Connections from within the domain 'fas.harvard.edu' will be denied.

Access Control Example 6

Certain computers are allowed in; others must provide a username and password

Contents of sample .htaccess file:

order deny,allow
deny from all
allow from .yale.edu

AuthType Basic
AuthUserFile /home/c/s/cscie12/.htpasswd.demo
AuthName "Basic Authentication Tutorial 6"
require valid-user

satisfy any

Demonstration of Example 6
Connection from within ".yale.edu" will be allowed; others must provide a valid username and password.

Access Control Example 7

Only certain computers are allowed in and users must provide a valid username and password.

Contents of sample .htaccess file:

order deny,allow
deny from all
allow from .harvard.edu

AuthType Basic
AuthUserFile /home/c/s/cscie12/.htpasswd.demo
AuthName "Basic Authentication Tutorial 7"
require valid-user

satisfy all

Demonstration of Example 7
Only connections from within ".harvard.edu" will be allowed and users must provide a valid username and password (satisfy all).