Apache Web Server Authentication (using htaccess)

Web Server Authentication

The ECN web server comes with a dynamic authentication mechanism using Purdue's central identification, authentication and authorization service, I2A2. Setting restrictions on web page service is as simple as placing restriction commands into the access control file. This document describes the commands available in the access control file.

I2A2 Access Control

A web directory may contain an access control file, called .htaccess that describes access permissions to this directory, plus every directory beneath it. The access permissions in the file can be one or more of the following types:

  • require i2a2-user: require a specific I2A2 user,
  • require i2a2-char: require an I2A2 characteristic,
  • require any-user: require any authenticated user,
  • require unix-group: require a match in the UNIX group file.

require i2a2-user

The require i2a2-user command grants access to anyone named in the user list. The command takes one or more users per line. A user may be listed by login name, by fully qualified name, or by Purdue ID number (PUID).

Examples:

require i2a2-user cs
require i2a2-user kozl moyman nelson
require i2a2-user 0610858296

These lines indicate that authentication is required, and that the users with login names cs, kozl, moyman, or nelson are authorized to use the web directory, as is the user with the Purdue ID number 0610858296.

Note:

When using a PUID, the format must be one to ten digits, without the dash (-) character. Be careful: a mistyped PUID is looked up as a login name instead, will most likely match nobody, and silently leaves the intended user locked out.

require i2a2-char

The require i2a2-char command grants access to anyone who holds a listed I2A2 characteristic. The command takes one or more characteristics per line. Each can be listed as a characteristic number or as an expression of characteristic numbers combined with & (and), | (or) and ~ (not).

The list of I2A2 characteristics is available on the I2A2 Characteristics page.

Examples:

require i2a2-char 0
require i2a2-char 13101 3615|4197
require i2a2-char 0&~1

These lines indicate that authentication is required, and that users holding one of the listed characteristics are authorized to use the web directory. The user may be an "Employee" (0), or an "EmployeeGroup: Admin/Professional (A)" (13101) employee, or hold characteristic 3615 or 4197 (an Engineering Computer Network employee). The last line shows a characteristic expression: "0&~1" corresponds to "Employee and not Student".

Note:

Spaces separate fields, so a space inside an expression splits it into separate characteristics. A line of:

require i2a2-char 0 & ~1

will not do what you might expect. It is read as three alternatives, "0", "&" and "~1": any Employee (0) is admitted, students included, and "&" is looked up as a characteristic that does not exist. The mistake makes the rule more permissive than intended, not less.

require any-user

The require any-user command grants access to anyone who is able to authenticate to I2A2. This makes it simple to verify that the user is part of the university in some way, rather than leaving the web page open to anonymous access.

Example:

require any-user

Note:

Remember that any single requirement that passes is enough to allow access. Placing require any-user in your access control file therefore makes every other requirement in the file redundant: anyone who can authenticate gets in, whatever the other lines say.

require unix-group

The require unix-group command grants access to anyone who is able to authenticate to I2A2 and belongs to any of the named unix group(s).

Example:

require unix-group aaestaff aaefaculty

Note:

Unix groups are defined in the /etc/group file. Access is allowed if any of the named unix groups lists the authenticated user's login name.
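The four I2A2 requirement types above, the "any passing requirement is enough" rule, and the stray-space pitfall in characteristic expressions can all be checked offline with the following model. This is an added example written for this page, not ECN's authentication module: I2A2 and /etc/group lookups are replaced by an in-memory Principal, the operator precedence inside an expression (~ binds tightest, then &, then |) is an assumption the page does not state, and the "fully qualified name" form of a user is not modelled. The principals and .htaccess bodies in the demonstration are constructed.

```python
"""Model of how the `require` lines described in this document are applied.

Added example for this page, not ECN's own code. I2A2 and /etc/group
lookups are replaced by an in-memory Principal so the code runs offline.
Assumptions not stated on the page: inside a characteristic expression
`~` binds tightest, then `&`, then `|`; fully qualified names are not
modelled (login names and PUIDs only).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """An authenticated I2A2 user as the web server would see them."""
    login: str
    puid: str            # one to ten digits, no dash
    chars: frozenset     # I2A2 characteristic numbers the user holds
    groups: frozenset    # unix groups (from /etc/group) that list the login


def eval_char_expr(expr, chars):
    """Evaluate one space-free characteristic expression such as '0&~1'.

    Returns True/False for a well-formed expression and None for a token
    that is not one (e.g. the lone '&' produced by writing '0 & ~1'),
    which the real server would look up as a characteristic and never match.
    """
    pos = 0

    def parse_or():            # or := and ('|' and)*
        nonlocal pos
        value = parse_and()
        while pos < len(expr) and expr[pos] == "|":
            pos += 1
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():           # and := not ('&' not)*
        nonlocal pos
        value = parse_not()
        while pos < len(expr) and expr[pos] == "&":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():           # not := '~' not | NUMBER
        nonlocal pos
        if pos < len(expr) and expr[pos] == "~":
            pos += 1
            return not parse_not()
        m = re.match(r"\d+", expr[pos:])
        if m is None:
            raise ValueError(expr)
        pos += m.end()
        return int(m.group()) in chars

    try:
        result = parse_or()
    except ValueError:
        return None
    return result if pos == len(expr) else None


def evaluate(htaccess, user):
    """Apply every `require` line of an .htaccess body to `user`.

    Returns (granted, warnings). Any single require line that is satisfied
    grants access, which is why `require any-user` makes every other
    require line in the file redundant.
    """
    granted, warnings, kinds = False, [], []
    for raw in htaccess.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].lower() != "require":
            continue                     # blank lines, comments, other directives
        kind, args = fields[1], fields[2:]
        kinds.append(kind)
        if kind == "any-user":
            granted = True               # authentication alone is enough
        elif kind == "i2a2-user":
            # a digits-only token is a PUID; the server falls back to a login lookup
            granted = granted or any(tok in (user.puid, user.login) for tok in args)
        elif kind == "i2a2-char":
            for tok in args:
                result = eval_char_expr(tok, user.chars)
                if result is None:
                    warnings.append(f"{raw.strip()!r}: {tok!r} is not a characteristic expression (stray space?)")
                granted = granted or bool(result)
        elif kind == "unix-group":
            granted = granted or any(g in user.groups for g in args)
        elif kind != "user":             # `require user` is password-file auth, not modelled here
            warnings.append(f"{raw.strip()!r}: unknown require type {kind!r}")
    if "any-user" in kinds and len(kinds) > 1:
        warnings.append("require any-user makes the other require lines redundant")
    return granted, warnings


if __name__ == "__main__":
    # Constructed principals: an employee who is also a student, and one who is not.
    student_employee = Principal("asmith", "0012345678", frozenset({0, 1}), frozenset())
    employee = Principal("jdoe", "0610858296", frozenset({0, 3615}), frozenset({"aaestaff"}))
    for body in ("require i2a2-char 0&~1", "require i2a2-char 0 & ~1"):
        print(repr(body), "student/employee ->", evaluate(body, student_employee))
    print("unix-group ->", evaluate("require unix-group aaestaff aaefaculty", employee))
```

Running it shows the intended line denying the student-employee while the spaced version admits them with a warning about the stray "&"; running the same evaluator over a real .htaccess before deploying it is a cheap way to catch both that pitfall and an any-user line that quietly overrides the rest of the file.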

Password File Access Control

The same .htaccess file can instead require a username and password that you manage yourself in a password file, without involving I2A2. The access permission type for this is:

require user

The require user command grants access to anyone who knows a username and password pair that you define. Before this command can be used you must create a second control file (called .htpasswd) that holds the usernames and their password hashes.

To create an .htpasswd file, use the following command from an ECN UNIX shell:

$ /usr/local/bin/htpasswd -c [web_directory]/.htpasswd [username]

For example, to create a user called guest for the ECN entity:

$ /usr/local/bin/htpasswd -c .htpasswd guest

The system prompts for a password for the new user. Note that -c creates a new file: running htpasswd -c a second time to add another user replaces the file and drops the users already in it, so omit -c when adding to an existing file. Once the user exists, that username and password can be required by adding the following lines to your .htaccess file. The path given in AuthUserFile must be readable by the web server; it does not have to be inside the web directory, and keeping it outside the served tree means the file's contents never depend on the server refusing to serve .ht* files.

AuthBasicProvider file
AuthUserFile [web_directory]/.htpasswd
require user [username]

Example:

AuthBasicProvider file
AuthUserFile /web/entities/cheezburgr/.htpasswd
require user guest
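The password-file procedure above can be exercised end to end without a web server. The following is an added example for this page, not ECN's or Apache's code: it writes .htpasswd entries in the {SHA} format (what htpasswd -s emits, chosen only because it is reproducible with the standard library), reproduces the difference between htpasswd -c and a plain add, verifies a login with a constant-time comparison, and lints an .htaccess body against the file so that a require user line naming an account with no entry is caught before it silently denies everyone. The usernames, passwords and .htaccess body in scenario() are constructed; verify() rejects entries in any other hash format rather than pretending to support them.

```python
"""Helpers for the .htpasswd file consumed by `require user`.

Added example for this page, not ECN's or Apache's code. Entries are
written in the {SHA} format (base64 of an unsalted SHA-1), which is what
`htpasswd -s` produces; it is used here because it needs only the
standard library, not because it is the strongest choice. All inputs in
scenario() are constructed for the example.
"""
import base64
import hashlib
import hmac
import os
import tempfile


def sha_entry(username, password):
    """One htpasswd line in {SHA} form: base64(SHA-1(password)), unsalted."""
    if ":" in username or any(c.isspace() for c in username):
        raise ValueError("username may not contain ':' or whitespace")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def load(path):
    """Parse an .htpasswd file into {username: stored_hash}."""
    users = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                user, _, stored = line.partition(":")
                users[user] = stored
    return users


def htpasswd(path, username, password, create=False):
    """Mimic `htpasswd [-c] path username`.

    create=True is `-c`: the file is written from scratch and any users it
    already held are discarded. Without it, an existing entry for username
    is replaced and every other user is kept.
    """
    users = {} if create or not os.path.exists(path) else load(path)
    users[username] = sha_entry(username, password).split(":", 1)[1]
    with open(path, "w", encoding="utf-8") as fh:
        for user, stored in users.items():
            fh.write(f"{user}:{stored}\n")


def verify(path, username, password):
    """Check a login against a {SHA} entry the way the file provider would."""
    stored = load(path).get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False    # unknown user, or a hash format this example does not implement
    expected = sha_entry(username, password).split(":", 1)[1]
    return hmac.compare_digest(stored, expected)


def lint(htaccess, path):
    """Flag `require user` names that have no entry in the password file."""
    users = load(path)
    problems = []
    for line in htaccess.splitlines():
        fields = line.split()
        if fields[:2] == ["require", "user"]:
            problems += [f"require user {u}: no entry in {os.path.basename(path)}"
                         for u in fields[2:] if u not in users]
    return problems


def scenario():
    """Create, add, verify, then repeat -c to show the pitfall; returns the observations."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, ".htpasswd")
        htpasswd(path, "guest", "password", create=True)      # htpasswd -c .htpasswd guest
        with open(path, encoding="utf-8") as fh:
            entry = fh.read().strip()
        out = {
            "entry": entry,
            "guest_ok": verify(path, "guest", "password"),
            "guest_wrong": verify(path, "guest", "Password"),
            "unknown_user": verify(path, "nobody", "password"),
        }
        htpasswd(path, "alice", "s3cret")                     # plain add keeps guest
        out["after_add"] = sorted(load(path))
        htpasswd(path, "bob", "hunter2", create=True)         # -c again: guest and alice are gone
        out["after_recreate"] = sorted(load(path))
        out["lint"] = lint("AuthBasicProvider file\nrequire user guest bob", path)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The {SHA} format is unsalted and fast to brute-force; for a file that protects anything of value, prefer bcrypt (htpasswd -B on Apache 2.4's htpasswd) where the installed htpasswd supports it, and in any case keep the file out of the served tree and readable only by the web server and its owner.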

Note:

Purdue's Policy on Authentication and Authorization states that, "Purdue University will assign a Purdue University Identifier (PUID) and User Credentials for Identification and Authentication purposes to each individual that has a business, research, or educational need to access University IT Resources." In almost all cases a Purdue username and password should be requested through the appropriate channels for each person needing access to your data.

Last modified: 2015/02/24 09:19:31.081771 US/Eastern by curtis.f.smith.1
Created: 2007/02/26 08:27:48.467000 US/Eastern by brian.r.brinegar.1.
