Edmund A. Hajim School of Engineering and Applied Sciences

Simple Access Control for Web Pages

So you want to limit access to some of your web pages? It is really quite simple. Here's how...

The mechanics of restricting access are fairly simple. It is not practical to restrict access based on the presence of an existing HSEAS account, but access can be granted based on a specific piece of information, e.g., knowledge supplied to those taking a course. That knowledge would be a login name and password associated with the web pages. The "login" name would not be a real account name, nor would the password be one used for any real account; they are merely access identifiers and authenticators for the web page area holding those materials.

The way this works is that the "restricted" materials are placed in a separate directory in the web page area for the course. The directory also has two special files, '.htaccess' and '.htpasswd', that control access to those materials.

Let's use an example of a course, BME260, which resides on Enterprise in the directory /var/www/html/bme/courses/BME260. We create a subdirectory named "Restricted" (/var/www/html/bme/courses/BME260/Restricted) and will place our "restricted" materials and our access control files in that directory. That directory should not be world writable, and generally not even group writable. Check with the CNG staff via email to problem if you think the directory needs to be group writable.

The general form of the '.htaccess' file looks something like this:

AuthUserFile /{path_to_htpasswd}/.htpasswd
AuthGroupFile /dev/null
AuthName {Label_for_this_access_group}
AuthType Basic
<Limit GET>
    require user {pseudo_user_name}
</Limit>

You would have to replace the values of 'AuthUserFile' and 'AuthName', and the name of the required user, with values appropriate for your materials.

Continuing with our example of BME260:

AuthUserFile /var/www/html/bme/courses/BME260/Restricted/.htpasswd
AuthGroupFile /dev/null
AuthName BME_260_Class
AuthType Basic
<Limit GET>
    require user fall2000
</Limit>

Make sure the file has the correct permissions:

chmod 0644 .htaccess

Then you would create a file .htpasswd in that directory using the 'htpasswd' utility, e.g.,

cd /usr/bme/www/courses/BME260/Restricted
htpasswd -c .htpasswd fall2000
chmod 0644 .htpasswd

Htpasswd will prompt you for a password for the pseudo-user 'fall2000', and then will ask you to repeat it, to ensure you entered what you thought you entered (since you won't see text while you're entering the password).

In class, you can let students know what the pseudo-user name is, and what the password is for that access. You should admonish them to not share the password with anyone.

Once a browser session has authenticated, the access remains active for as long as that browser stays open; so if you access these pages from a "public" area machine (e.g., a Mac/PC in the library), and you do not close the browser, then the next person to sit down at that browser session will be able to access the materials too (without needing to know the password).

WARNING: Anyone on any HSEAS UNIX system (in any of the HSEAS departments) will be able to view, copy, etc., any and all of these materials, because the files must be readable by the web server to be available over the web. The web server does not run with administrative privileges (i.e., 'root' access) as that is too dangerous.

This means that if you are relying on htaccess to protect (e.g.) course materials such as quiz answers, you have to remember that htaccess only protects the materials from being viewed via web browsers. Anyone logged in on an HSEAS host can still see the materials. If you tighten file permissions, then the web server won't be able to see the files, and then they are not available on the web at all.

We can do the following though... the web server runs as a special user named 'nbapach', and has no special privileges. If we change the 'Restricted' directory's group membership to a group that 'nbapach' also belongs to ('nbapach' belongs to the group 'nbapach'), and change the permissions on the directory to 'drwxr-s---', then only you (as owner of the directory) and members of the group 'nbapach' (i.e., 'nbapach' itself) would be able to access the materials contained within that directory. Note: You will need CNG systems staff assistance if you need to do this, as you cannot belong to 'nbapach', and thus cannot change the group membership of your restricted directory (or directories) to that group without assistance.
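Whether a restricted directory is actually locked down from other local UNIX users, as the 'drwxr-s---' plus group 'nbapach' arrangement above intends, is something you can check yourself even though only CNG staff can set the group. The following is an added example (not from the original page): a small POSIX shell function that reads the directory's mode and group from 'ls -ld' and reports what is still open to other logins. The function name, the message wording and the expected-group argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a restricted web
# directory for the protection the page describes (group = web server's
# group, mode drwxr-s---). Names and messages here are this example's own.

# restricted_dir_audit DIR EXPECTED_GROUP
#   Prints one line per problem found and returns 0 only if DIR has no
#   "other" permissions, group bits r-s (read, traverse, setgid so new files
#   inherit the group) and its group is EXPECTED_GROUP.
restricted_dir_audit() {
    dir=$1
    want_group=$2
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }

    # 'ls -ld' prints: mode links owner group ... ; keep only the ten mode
    # characters, since some systems append '+' or '.' for ACLs or labels.
    set -- $(ls -ld "$dir")
    mode=$(printf '%s' "$1" | cut -c1-10)
    group=$4
    status=0

    # bits 8-10 are what every other local login gets
    case $(printf '%s' "$mode" | cut -c8-10) in
        ---) ;;
        *)  echo "$dir: other-accessible ($mode); any local login can get at it"
            status=1 ;;
    esac

    # bits 5-7 are the group's rights; 's' means setgid is set
    gbits=$(printf '%s' "$mode" | cut -c5-7)
    case $gbits in
        r-s) ;;
        *)  echo "$dir: group bits are '$gbits', want 'r-s'"
            status=1 ;;
    esac

    if [ "$group" != "$want_group" ]; then
        echo "$dir: group is '$group', want '$want_group' (the web server's group)"
        status=1
    fi
    return $status
}

# Usage for the page's BME260 directory, where 'nbapach' is the web server's
# group on that system:
#   restricted_dir_audit /var/www/html/bme/courses/BME260/Restricted nbapach
```

A zero exit status means the web server (via its group) and the owner are the only parties with access; any other result lists exactly which bit or group still lets other HSEAS logins read the materials.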

For a slightly fancier example, for an ECE class this time, we can add restrictions so that only certain host names or IP numbers can get access:

AuthUserFile /var/www/html/ece/courses/ECE410/ClassOnly/.htpasswd
AuthGroupFile /dev/null
AuthName ece410_members
AuthType Basic
<Limit GET>
    order deny,allow
    deny from all
    allow from 128.151.162. 128.151.160. 128.151.164. .seas.rochester.edu .ee.rochester.edu .ece.rochester.edu
    require user fall2003
</Limit>
<Limit PUT POST>
    deny from all
</Limit>

This strongly inhibits access. It ensures that no POST or PUT operation will work at all, and in this example, restricts access to hosts in ECE and the central HSEAS hosts. That is useful for department-only material, test pages, etc. Be aware that this restriction would mean that you could not view the web pages from home, from within the UR libraries, etc.
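The steps above (create the directory, write '.htaccess', run 'htpasswd', set the permissions) and the host-restricted ECE410 variant are both mechanical enough to script. The following is an added example, not code from the original page or from CNG: a POSIX shell script with two functions of this example's own naming. 'restricted_area_create' writes a complete '.htaccess' (both <Limit> blocks closed) for the server-side path you give it, optionally with the allow-from host list and the PUT/POST refusal; 'restricted_area_set_password' adds or replaces a pseudo-user entry using 'htpasswd' when it is installed and otherwise 'openssl passwd -apr1', which produces the same $apr1$ format 'htpasswd' writes by default. That both tools exist, and the sample password, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build a password-protected
# directory as the page describes. Function names are this example's own;
# it assumes 'htpasswd' or 'openssl' is available for hashing passwords.

# restricted_area_create REAL_DIR AUTH_NAME PSEUDO_USER [ALLOW_FROM ...]
#   REAL_DIR    the directory as the web server sees it (/var/www/html/...);
#               this is also what AuthUserFile must contain
#   AUTH_NAME   the label the browser shows in its login prompt
#   PSEUDO_USER the login name handed out in class (not a real account)
#   ALLOW_FROM  optional IP prefixes / domain suffixes; when given, GET is
#               limited to those hosts and PUT/POST are refused outright
restricted_area_create() {
    dir=$1; label=$2; user=$3
    shift 3
    mkdir -p "$dir" || return 1
    chmod 0755 "$dir"                      # owner writes; nobody else does
    {
        printf 'AuthUserFile %s/.htpasswd\n' "$dir"
        printf 'AuthGroupFile /dev/null\n'
        printf 'AuthName %s\n' "$label"
        printf 'AuthType Basic\n'
        printf '<Limit GET>\n'
        if [ $# -gt 0 ]; then
            printf '    order deny,allow\n'
            printf '    deny from all\n'
            printf '    allow from %s\n' "$*"
        fi
        printf '    require user %s\n' "$user"
        printf '</Limit>\n'
        if [ $# -gt 0 ]; then
            printf '<Limit PUT POST>\n'
            printf '    deny from all\n'
            printf '</Limit>\n'
        fi
    } > "$dir/.htaccess"
    chmod 0644 "$dir/.htaccess"             # server must be able to read it
}

# restricted_area_set_password REAL_DIR PSEUDO_USER PASSWORD
#   Creates REAL_DIR/.htpasswd if needed, then adds or replaces the entry
#   for PSEUDO_USER. The password is hashed, never stored in clear.
restricted_area_set_password() {
    dir=$1; user=$2; pass=$3
    file=$dir/.htpasswd
    if command -v htpasswd >/dev/null 2>&1; then
        # -c creates the file; -b takes the password from the command line
        if [ -f "$file" ]; then
            htpasswd -b "$file" "$user" "$pass" || return 1
        else
            htpasswd -cb "$file" "$user" "$pass" || return 1
        fi
    elif command -v openssl >/dev/null 2>&1; then
        # same $apr1$ (Apache MD5) format htpasswd writes by default
        hash=$(openssl passwd -apr1 "$pass") || return 1
        {
            # keep every other user's line, drop any old line for this user
            [ -f "$file" ] && grep -v "^$user:" "$file" || true
            printf '%s:%s\n' "$user" "$hash"
        } > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        echo "need htpasswd or openssl to hash the password" >&2
        return 1
    fi
    chmod 0644 "$file"                      # server must be able to read it
}

# Usage mirroring the page's two examples (password is a constructed value):
#   restricted_area_create /var/www/html/bme/courses/BME260/Restricted BME_260_Class fall2000
#   restricted_area_set_password /var/www/html/bme/courses/BME260/Restricted fall2000 'EXAMPLE-PASSWORD'
#   restricted_area_create /var/www/html/ece/courses/ECE410/ClassOnly ece410_members fall2003 \
#       128.151.162. 128.151.160. 128.151.164. .seas.rochester.edu .ee.rochester.edu .ece.rochester.edu
```

Give 'restricted_area_create' the real /var/www/html path rather than the /usr/dept/www alias, because the AuthUserFile line it writes is read by the server, not by you. The ECE-style host list is passed as separate arguments and joined onto one 'allow from' line, and since a <Limit GET> block only governs GET (and HEAD), the script always pairs it with the page's <Limit PUT POST> refusal whenever a host list is given.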

Note that in these examples, the apparent location is /usr/bme/www/courses/BME260/Restricted, but the real location (needed to point to the .htpasswd file) is /var/www/html/bme/courses/BME260/Restricted, as this is what the server sees on its local disk structure.

To make your life a little easier, we've made the departmental web page areas appear as /usr/dept/www (e.g., /usr/ece/www, /usr/me/www and so on) on all HSEAS UNIX hosts accessible by that department (e.g., /usr/ece/www is not available on ME UNIX hosts). But the server has the areas available under their real names (i.e., /var/www/html/dept).

Please be aware that while usually quite effective, these simple measures are not foolproof. I would not trust these to protect materials that need to be kept completely confidential (e.g., medical records, grade lists with Social Security numbers).

As always, contact problem if you have a question or problem. For critical or urgent problems, please contact any CNG systems staff member by direct mail or phone.

Last modified: Monday, 27-Feb-2012 11:27:35 EST