Authentication and Access Control

Authentication, Authorization and Access Control

See Apache.org’s Authentication, Authorization and Access Control page (for the 2.0 version): http://httpd.apache.org/docs/2.0/howto/auth.html

Creation and location of the password file: the htpasswd utility

Assignment: Use htpasswd to create a password file.

Select a secure location: outside the DocumentRoot (so the server can never serve the file itself), readable by the user httpd runs as and by nobody else.

Create the first user: htpasswd -c <file> <user> creates the file. The -c flag overwrites an existing file, so use it only once.

Create a subsequent user: run htpasswd again without -c (repeating -c would wipe the first user).
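As an added example (not code from the original page or from the Apache project), here is a Python equivalent of the three assignment steps: it writes and updates entries in the $apr1$ MD5 format that htpasswd -m produces, verifies a password against such an entry, and checks that the chosen password file location lies outside the DocumentRoot. The helper names add_user, check_user, outside_docroot and demo are this example's own, and the usernames, passwords and paths inside demo are constructed test data.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# Alphabet used by APR's MD5-crypt variant (same as traditional crypt(3)).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_md5(password, salt=None):
    """Hash `password` the way `htpasswd -m` does: $apr1$<salt>$<22 chars>."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]  # APR uses at most 8 salt characters
    pw, sb = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:  # mix in `alt`, 16 bytes per 16 bytes of password
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(pw)
    while n:  # the crypt(3)-inherited "bits of the password length" step
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # The output bytes are interleaved in this fixed order; that is part of the format.
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in triples)
    return "$apr1$" + salt + "$" + out + _to64(final[11], 2)


def verify_password(entry, password):
    """Check `password` against one $apr1$ entry (constant-time comparison)."""
    if not entry.startswith("$apr1$"):
        return False
    salt = entry[6:].split("$", 1)[0]
    return hmac.compare_digest(apr1_md5(password, salt), entry)


def add_user(path, user, password):
    """Create or update `user` in the file at `path`, like htpasswd.

    Rejects the ':' field separator in usernames and creates the file with
    mode 0640: the web server's group may read it, nobody else may.
    """
    if ":" in user or "\n" in user:
        raise ValueError("invalid username")
    lines = []
    if os.path.exists(path):
        with open(path) as f:
            lines = [l.rstrip("\n") for l in f if l.strip()]
    lines = [l for l in lines if l.split(":", 1)[0] != user]  # replace, never duplicate
    lines.append(f"{user}:{apr1_md5(password)}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")


def check_user(path, user, password):
    """What the server does on each request: look up `user`, verify `password`."""
    with open(path) as f:
        for line in f:
            name, _, entry = line.rstrip("\n").partition(":")
            if name == user:
                return verify_password(entry, password)
    return False


def outside_docroot(password_file, document_root):
    """Secure-location check: the password file must not be under the DocumentRoot."""
    pf, dr = os.path.realpath(password_file), os.path.realpath(document_root)
    return not (pf == dr or pf.startswith(dr + os.sep))


def demo():
    """Run the assignment against a temporary file with constructed users."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwords")
        add_user(path, "alice", "correct horse")     # first user (htpasswd -c)
        add_user(path, "bob", "battery staple")      # subsequent user
        add_user(path, "alice", "new password")      # password change
        with open(path) as f:
            nlines = len(f.read().splitlines())
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return {"alice_new": check_user(path, "alice", "new password"),
                "alice_old": check_user(path, "alice", "correct horse"),
                "bob": check_user(path, "bob", "battery staple"),
                "unknown": check_user(path, "carol", "x"),
                "lines": nlines, "no_world_access": (mode & 0o007) == 0}
```

MD5-crypt was the strongest format the 2.0/2.2-era htpasswd offered (crypt truncates passwords at 8 characters and the SHA1 format is unsalted), but it is fast to brute-force by today's standards; on Apache 2.4 prefer htpasswd -B, which writes bcrypt entries. Whatever the format, the file must stay readable by the httpd user and unreadable to everyone else.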


Configuring the server to request a password and authenticate the user:
Note that you can do this in a .htaccess file OR in a Directory container!

AuthType Basic
AuthName "Restricted_Realm_Name"
AuthUserFile /usr/sbin/apache/passwd/passwords
Require user User_Name

Similarly, requiring group membership:

AuthType Basic
AuthName "Restricted_Realm_Name"
AuthUserFile /usr/sbin/apache/passwd/passwords
AuthGroupFile /usr/sbin/apache/passwd/groups
Require group Group_Name


Allowing Authentication in Directory Containers: Just use the Directives above!

Allowing Authentication in .htaccess files: in the <Directory> container for that path in httpd.conf, permit the authentication directives to be overridden (the Order, Allow and Deny directives used in the assignment below additionally need the Limit override, i.e. AllowOverride AuthConfig Limit):

AllowOverride AuthConfig


About .htaccess Files

Allow and Deny

Detailed Examples

Order

Satisfy

Require

Limit and LimitExcept

Assignment: Set up a secure directory using an .htaccess file.

First, require a user name and password.

Next, modify the configuration so that one host gets access without a password while every other client must supply one (host restriction OR password: Satisfy Any).

For the next iteration, require both: the host restriction AND a password (Satisfy All).

Next, allow GET but deny POST.

Finally, eliminate support for .htaccess files (AllowOverride None), but secure one directory in the web filesystem with a <Directory> container in httpd.conf.
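To make the interaction of Order, Allow, Deny, Satisfy, Require and Limit concrete, here is an added Python evaluator (not code from the original page or from Apache) that parses those directives as they would appear in a .htaccess file and decides whether a given request is served. The constructed STEP1 to STEP4 strings are one possible .htaccess for each of the first four assignment iterations; the fifth iteration uses the same directives, only moved into a <Directory> container, so it is not modelled separately. Client addresses (RFC 5737 documentation ranges) and usernames are constructed; the evaluator assumes the Basic-auth password check has already happened and receives the authenticated username or None. It models the 2.0/2.2 semantics of mod_access and mod_auth only; Apache 2.4 replaced Order/Allow/Deny with Require ip and RequireAny/RequireAll.

```python
import ipaddress
import re


def parse_htaccess(text):
    """Return (methods, is_except, directive, args) per directive; methods is None
    outside <Limit>/<LimitExcept> containers."""
    rules, scope = [], (None, False)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(Limit|LimitExcept)\s+([^>]+)>$", line, re.I)
        if m:
            methods = {x.upper() for x in m.group(2).split()}
            if "GET" in methods:
                methods.add("HEAD")  # Apache: limiting GET also limits HEAD
            scope = (methods, m.group(1).lower() == "limitexcept")
            continue
        if re.match(r"</(Limit|LimitExcept)>$", line, re.I):
            scope = (None, False)
            continue
        parts = line.split(None, 1)
        args = parts[1].split() if len(parts) > 1 else []
        rules.append((scope[0], scope[1], parts[0].lower(), args))
    return rules


def parse_group_file(text):
    """Parse AuthGroupFile lines of the form 'Group_Name: user1 user2'."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep and name.strip():
            groups[name.strip()] = set(members.split())
    return groups


def _host_match(spec, ip):
    """Match 'all', an exact address, a dotted prefix such as '10.1', or CIDR."""
    spec = spec.lower()
    if spec == "all":
        return True
    try:
        if "/" in spec:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False
    return ip == spec or ip.startswith(spec.rstrip(".") + ".")


def evaluate(rules, method, ip, user=None, groups=None):
    """Decide one request: True if it would be served, False for 401/403."""
    groups, method = groups or {}, method.upper()
    order, satisfy, allow, deny, require = "deny,allow", "all", [], [], []
    for methods, is_except, name, args in rules:
        if methods is not None and (method in methods) == is_except:
            continue  # directive is scoped to other HTTP methods
        if name == "order":
            order = args[0].lower()
        elif name == "satisfy":
            satisfy = args[0].lower()
        elif name in ("allow", "deny") and args and args[0].lower() == "from":
            (allow if name == "allow" else deny).extend(args[1:])
        elif name == "require":
            require.append(args)
    a = any(_host_match(s, ip) for s in allow)
    d = any(_host_match(s, ip) for s in deny)
    # Deny,Allow: default allow, an Allow match beats a Deny match.
    # Allow,Deny: default deny, a Deny match beats an Allow match.
    host_ok = (a and not d) if order == "allow,deny" else (a or not d)
    if not require:  # no authentication configured: host rules alone decide
        return host_ok
    auth_ok = user is not None and any(
        r[0] == "valid-user"
        or (r[0] == "user" and user in r[1:])
        or (r[0] == "group" and any(user in groups.get(g, ()) for g in r[1:]))
        for r in require)
    return (host_ok or auth_ok) if satisfy == "any" else (host_ok and auth_ok)


# Constructed .htaccess contents for the assignment's first four iterations.
STEP1 = ('AuthType Basic\nAuthName "Restricted_Realm_Name"\n'
         "AuthUserFile /usr/sbin/apache/passwd/passwords\nRequire valid-user\n")
STEP2 = STEP1 + "Order Deny,Allow\nDeny from all\nAllow from 192.0.2.10\nSatisfy Any\n"
STEP3 = STEP2.replace("Satisfy Any", "Satisfy All")
STEP4 = STEP1 + "<Limit POST>\nOrder Deny,Allow\nDeny from all\n</Limit>\n"


def assignment_results():
    """Evaluate each iteration against constructed requests."""
    trusted, other = "192.0.2.10", "203.0.113.7"  # constructed client addresses
    s1, s2, s3, s4 = (parse_htaccess(s) for s in (STEP1, STEP2, STEP3, STEP4))
    return {"step1_anon": evaluate(s1, "GET", other),
            "step1_user": evaluate(s1, "GET", other, user="alice"),
            "step2_trusted_anon": evaluate(s2, "GET", trusted),
            "step2_other_anon": evaluate(s2, "GET", other),
            "step2_other_user": evaluate(s2, "GET", other, user="alice"),
            "step3_trusted_anon": evaluate(s3, "GET", trusted),
            "step3_other_user": evaluate(s3, "GET", other, user="alice"),
            "step3_trusted_user": evaluate(s3, "GET", trusted, user="alice"),
            "step4_get_user": evaluate(s4, "GET", other, user="alice"),
            "step4_post_user": evaluate(s4, "POST", other, user="alice")}
```

The point worth checking by hand is STEP2 versus STEP3: the only difference is Satisfy, and it flips the trusted host from "no password needed" to "password still required", while STEP4 shows that a Deny inside <Limit POST> blocks POST even for a correctly authenticated user, because with the default Satisfy All both the host check and the password must pass.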


More Resources

The Apache.org .htaccess Tutorial

A good article from ApacheWeek.com: Using User Authentication