Authentication and Access Control

Authentication, Authorization and Access Control

See’s Authentication, Authorization and Access Control page (for the 2.0 version):

Creation and location of the password file: the htpasswd utility

Assignment: Use htpasswd to create a password file.

Select a secure location.

Create the first user.

Create a subsequent user.


Configuring the server to request a password and authenticate the user:
Note that you can do this in a .htaccess file OR in a Directory container!

AuthType Basic
AuthName "Restricted_Realm_Name"
AuthUserFile /usr/sbin/apache/passwd/passwords
Require user User_Name

Similarly, requiring group membership:

AuthType Basic
AuthName "Restricted_Realm_Name"
AuthUserFile /usr/sbin/apache/passwd/passwords
AuthGroupFile /usr/sbin/apache/passwd/groups
Require group Group_Name


Allowing Authentication in Directory Containers: Just use the Directives above!

Allowing Authentication in .htaccess files:

AllowOverride AuthConfig


About .htaccess Files

Allow and Deny

Detailed Examples




Limit and LimitExcept

Assignment: Set up a secure directory using an .htaccess file.

First, require a user name and password.

Next, modify the configuration to allow only one host access without a password. Other users must be required to supply a password.

For the next iteration, require both.

Next, allow GET but deny POST.

Finally, eliminate support for .htaccess files, but secure one directory in the web filesystem.
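
One way to work through the steps above, in the Apache 2.0/2.2 syntax this page targets. This is an added example, not part of the original course material. The host 192.0.2.10 and the directory /var/www/html/secure are constructed values, and the Satisfy directive and "Require valid-user" are real Apache directives that the page itself does not mention; the realm name and password file path are the ones used above.

```apache
# Added example, Apache 2.0/2.2 syntax (not from the original page).
# Constructed values: host 192.0.2.10, directory /var/www/html/secure.

# ---- /var/www/html/secure/.htaccess (the first four steps) ----
# The parent <Directory> needs "AllowOverride AuthConfig Limit":
# AuthConfig covers Auth*, Require and Satisfy; Limit covers Order/Allow/Deny.
AuthType Basic
AuthName "Restricted_Realm_Name"
AuthUserFile /usr/sbin/apache/passwd/passwords
Require valid-user

# Host check: only 192.0.2.10 passes.
Order deny,allow
Deny from all
Allow from 192.0.2.10

# Satisfy Any = host check OR password (the one host skips the prompt).
# Satisfy All = host check AND password (the "require both" step).
# Keep All once POST is denied below: under Any, a valid password
# would satisfy the request even though the host check refuses POST.
Satisfy All

# Allow GET, deny POST. <Limit> touches only the methods it names.
<Limit POST>
    Order allow,deny
    Deny from all
</Limit>

# ---- httpd.conf (final step: no .htaccess support) ----
<Directory />
    AllowOverride None
</Directory>

<Directory /var/www/html/secure>
    AuthType Basic
    AuthName "Restricted_Realm_Name"
    AuthUserFile /usr/sbin/apache/passwd/passwords
    Require valid-user
    # <LimitExcept> refuses every method that is not listed, so methods
    # nobody thought of are denied instead of falling through.
    <LimitExcept GET>
        Order allow,deny
        Deny from all
    </LimitExcept>
</Directory>
```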


More Resources

The .htaccess Tutorial

A good article from Using User Authentication