Got Protection?!!
Do you want to restrict access to information posted on your personal web pages?
It's easy!* Here's how to do it...
Tutorial on Restricting Access to Web Pages
You can post web pages in your public_html directory that require password
authorization for access.
For instance, you can post problem sets and answers which
will be accessible only to members of a particular class.
Or a map to your favorite fishing hole...
Security Level: Mild
This mechanism should prove handy for casual use.
However, it ranks very low on the security scale,
and should not be used for highly confidential material.
Passwords and the "protected" web pages alike are transmitted unencrypted
and can easily be eavesdropped.
Don't use passwords that even resemble passwords to
important accounts!
Furthermore, be aware that anyone logged into a host in the P&A network
can access files in your home directories, including your web directories.
You can generally use chmod to restrict access to directories and files,
but if you restrict access to web pages, the web server will also be blocked.
The up side is that your protected pages are unlikely to appear in a Google
search...
Simple scheme, one user per directory
Although you cannot configure access authorization for individual files,
you can restrict access to entire directories.
You must decide which different people and/or groups
of people will need access to different resources.
Each grouping will need its own restricted-access directory.
For example, you can give all the students in your Tachyon Physics 414 class
a single login name and password which will grant them access to class web
pages.
Here we'll set up a directory for this group,
and a different directory for the students of Cosmography 101.
Finally, a Reference directory will be accessible to both classes.
I. Create directories for each access grouping
$ cd ~/public_html
$ mkdir t414 c101 ref
II. Create the password file
All of the passwords will be kept in a single file.
This file should not be in the public_html hierarchy;
let's create an "auth" directory in your home directory.
The htpasswd utility creates and manages a password file.
You must enter the first user and password when you
use the -c option to create the file.
Here we're creating a user named tach414:
$ mkdir ~/auth # The tilde (~) stands for your home directory
$ htpasswd -c ~/auth/basic.pw tach414
You will be prompted twice for the password. You will give this login name and
this password to all of the students of Tachyon Physics 414. For the sake
of this test, use "Z38r4" as the password.
When you repeat these steps for another class [user],
you'll want to use the same password file.
To enter additional users without erasing the previous users, or to change
a password, leave out the "-c":
$ htpasswd ~/auth/basic.pw cosmo101
For the sake of this test, use "5pH3r3" as the password.
III. Create a .htaccess file in each controlled directory
With your favorite text editor, create a file named t414/.htaccess containing
the following lines:
AuthName "Access to Tachyon Physics 414"
AuthType Basic
AuthUserFile /Users/yourhomedirectory/auth/basic.pw
Require user tach414
Then create the c101/.htaccess and ref/.htaccess similarly,
with the appropriate changes.
To make the Reference directory accessible to the students of all of the
classes, all of the "users" can be listed on the Require line:
Require user tach414 cosmo101
...or access can be granted to any validated user:
Require valid-user
IV. Create Links
Now all that's left is to put an index.html and/or other web pages and documents
in that directory,
then create the normal hyperlinks to them from an openly accessible page...
For instance:
| Class | Room | Time | Privileged Pages |
| Tachyon Physics 414 | Th043 | TTH:4pm-2pm | Classwork |
| Cosmographics 101 | Th295 | MWF:7pm-9pm | Classwork |
| All Classes | | | Reference |
Go ahead, try these links!
Remember that in the examples above,
user tach414's password is Z38r4,
and cosmo101's password is 5pH3r3.
After you create pages in your protected directories,
and an unprotected page with links to them,
you should be able to run the same test
accessing your own protected directories.
V. One last item of caution:
Be sure to create an "index.html" file in each directory you create,
or else any user who gains web access to that directory will be able to
read the names of all of the files there. This may not be a problem
for you, but if you "park" files there that you don't [yet] want read
even by the password privileged users, they could be found and read anyway.
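The checks implied by steps II, III and V can be scripted. The following is an added example, not part of the original tutorial: audit_dir is a hypothetical helper, and it assumes each line of the password file has the form name:hash, as htpasswd writes it.

```shell
#!/bin/sh
# Added example (not from the original page): audit one protected directory.
# audit_dir is a hypothetical helper; it prints one WARN line per finding.
audit_dir() {
    dir=$1; webroot=$2; findings=0
    warn() { echo "WARN: $dir: $1"; findings=$((findings + 1)); }

    if [ ! -f "$dir/.htaccess" ]; then
        warn "no .htaccess, directory is not password protected"
        return 0
    fi

    # Step II: the password file must exist and live outside public_html.
    pwfile=$(awk '$1 == "AuthUserFile" { gsub(/"/, "", $2); print $2; exit }' "$dir/.htaccess")
    case $pwfile in
        "")           warn "no AuthUserFile directive" ;;
        "$webroot"/*) warn "password file $pwfile is inside the web tree" ;;
    esac
    if [ -n "$pwfile" ] && [ ! -f "$pwfile" ]; then
        warn "password file $pwfile does not exist"
    fi

    # Step III: each user on a "Require user" line needs a "name:hash" entry.
    users=$(awk '$1 == "Require" && $2 == "user" { for (i = 3; i <= NF; i++) print $i }' "$dir/.htaccess")
    for u in $users; do
        if [ -f "$pwfile" ] && ! grep -q "^$u:" "$pwfile"; then
            warn "user $u is required but has no entry in $pwfile"
        fi
    done
    if ! grep -q '^[[:space:]]*Require[[:space:]]' "$dir/.htaccess"; then
        warn "no Require directive, access is not restricted"
    fi

    # Step V: without index.html the server may list the directory's files.
    if [ ! -f "$dir/index.html" ]; then
        warn "no index.html, file names may be listed"
    fi

    if [ "$findings" -eq 0 ]; then echo "OK: $dir"; fi
    return 0
}

# Usage: sh audit.sh ~/public_html/t414 ~/public_html
if [ "$#" -eq 2 ]; then audit_dir "$1" "$2"; fi
```

Run it once per protected directory (t414, c101, ref) after any change to a .htaccess file or to the password file.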
More Sophistication
If you're feeling ambitious, you can give each student a user name and password.
You can also assign individual users to groups
and authorize access to your directories according to the groups.
Read the Apache Web Server documentation on
Authentication, Authorization and Access Control
for the full story.
* This mechanism only works if it's enabled in the web server.
If the page you're configuring isn't at www.physics.sfsu.edu, then
the server may not be configured to support dynamic authorization.
In addition, not all [older] browsers carry support for this feature.