# Access Control for Your Web Pages (Raven and basic-auth)

Unless otherwise indicated, all the access control directives described below need to be put in a file called .htaccess (short for hypertext access). When the web server finds a file with this name in a particular directory, it will apply the directives to this directory and all the files and subdirectories contained within it (recursively).

### All Raven Accounts

```
order deny,allow
deny from all
AuthType Ucam-WebAuth
Require valid-user
Satisfy any
```


### A Specific Group of Raven Accounts That You Define

```
order deny,allow
deny from all
AuthType Ucam-WebAuth
AuthGroupFile /home/CRSID/public_html/restricted/.htravengroups
Require group mygroup
Satisfy any
```


The .htravengroups file will be of the form:

```
groupname1: username1 username2 username3 username4 etc
```


### Basic Authentication using a UserID and Password that You Define

This is NOT a very secure way to control access to a directory: the password is sent as clear text, with NO encryption, across the Internet. It is useful for a little bit of protection of relatively unimportant documents, for example if you are working on a paper with collaborators at another University.

The .htaccess file I have used for this example is:

```
AuthType Basic
Require valid-user
```


Just to be sure the password file is not served by the web server, there is a .htaccess file in /home/CRSID/password/ with the following entry:

```
deny from all
```


The password file content is below (please note the password file is not in the www directory tree, as you don't want the web server serving up your password file):

```
bob:mFOXu4tavzogU
```


of the form:

```
${userID}:${encrypted_password}
```


You can generate the password part of this file (after the `${userID}` bit) using this bit of Perl (from the UNIX command line):

```
perl -e 'print(crypt("bob","mF")."\n");'
```

which is of the form:

```
perl -e 'print(crypt("${password}","${SALT}")."\n");'
```

Replace `bob` with a password. If you wish, you can also replace `${SALT}` with two different text characters such as `xX` or `Kw`.

Note that these userIDs and passwords are sent in clear text across HTTP (port 80). So please DO NOT use a userID and password that you would use for your normal UNIX/Windows user accounts.
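A check you can run over a password file of this form, as an added example that is not part of the original page: it flags a file placed inside the web tree, lines that are not `userID:hash`, and entries whose hash has a weak shape, such as the 13-character traditional crypt() output of the Perl one-liner above. The file name `passwords` and the `alice` entry are assumptions made up for the sample; the regular expressions match hash shape only and do not verify passwords.

```python
import re
from pathlib import PurePosixPath

# Hash layouts this example recognises, matched by shape only.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2y\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    # Traditional crypt(), as produced by the page's Perl one-liner:
    # 2 salt characters followed by 11 hash characters.
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$")),
]
WEAK = {"des-crypt", "sha1", "unknown"}


def classify(hash_field):
    """Name the hash scheme of one password field."""
    for name, pattern in SCHEMES:
        if pattern.match(hash_field):
            return name
    return "unknown"


def audit(password_file, web_root, text):
    """Return findings for a password file, given its path and contents."""
    findings = []
    # The page keeps the file outside the www tree so it is never served.
    if PurePosixPath(web_root) in PurePosixPath(password_file).parents:
        findings.append(f"{password_file}: inside web root {web_root}")
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            findings.append(f"line {number}: not userID:hash")
            continue
        scheme = classify(hash_field)
        if scheme in WEAK:
            findings.append(f"line {number}: {user} uses {scheme}")
    return findings


# Constructed sample: the page's entry, a placeholder bcrypt-shaped entry
# (hypothetical user alice), and one malformed line.
SAMPLE = "bob:mFOXu4tavzogU\nalice:$2y$05$" + "A" * 53 + "\nbroken line\n"

if __name__ == "__main__":
    # "passwords" is an assumed file name; the page gives only the directory.
    for finding in audit("/home/CRSID/password/passwords", "/home/CRSID/public_html", SAMPLE):
        print(finding)
```

Traditional crypt() uses only the first eight characters of the password, which is one reason the check lists it as weak.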

### All Raven Accounts can access a specific file

```
<Files fileraven.html>
order deny,allow
deny from all
AuthType Ucam-WebAuth
Require valid-user
Satisfy any
</Files>
```


### All Raven Accounts can access specific files

```
# Dot escaped and pattern anchored so only little.html and mermaid.html match
<FilesMatch "^(little|mermaid)\.html$">
Order allow,deny
Deny from all
AuthType Ucam-WebAuth
Require valid-user
Satisfy any
</FilesMatch>
```


### Logout of Raven

There is a trick to allow people to log out from Raven when they are finished looking at your pages. To make this work, put this HTML into your web page:

```
<a href="https://www.maths.cam.ac.uk/computing/logout">Logout</a> from <a href="http://raven.cam.ac.uk">Raven</a>
```


and put this into a .htaccess file in the same directory:

```
<Files logout>
SetHandler AALogout
Satisfy any
</Files>
```


Note: the `Satisfy any` is there so that you do not have to be logged into Raven to log out. Without it, if your Raven session had timed out while you had a page open, you would need to reauthenticate to Raven in order to log out from it.

### Other access control

The above has covered the use of Raven or local passwords to restrict access. It is also possible to restrict access based on the computer someone is using, for example to allow access only from Cambridge computers.