Access Control for Your Web Pages (Raven and basic-auth)
- All Raven Accounts
- A Specific Group of Raven Accounts That You Define
- Basic Authentication using a UserID and Password that You Define
- All Raven Accounts can access a specific file
- All Raven Accounts can access specific files
- Logout of Raven
- Other access control
- Useful links
Unless otherwise indicated, all the access control directives described below go in a file called .htaccess (short for hypertext access). When the web server finds a file with this name in a directory, it applies the directives to that directory and, recursively, to every file and subdirectory within it.
The Order, Allow, Deny and Satisfy directives used below are the Apache 2.2 style of host access control; on Apache 2.4 they only work if mod_access_compat is loaded.
All Raven Accounts
    order deny,allow
    deny from all
    AuthType Ucam-WebAuth
    Require valid-user
    Satisfy any
The deny from all refuses every client on host grounds, and Satisfy any lets a request through if it passes either the host check or the authentication check, so a Raven login is the only way in. Leave out Satisfy any (Apache's default is Satisfy all) and nobody can reach the directory at all.
A Specific Group of Raven Accounts That You Define
    order deny,allow
    deny from all
    AuthType Ucam-WebAuth
    AuthGroupFile /home/CRSID/public_html/restricted/.htravengroups
    Require group mygroup
    Satisfy any
The .htravengroups file lists one group per line: the group name, a colon, then the space-separated Raven user IDs of its members. A user may appear in more than one group:
    groupname1: username1 username2 username3 username4
    groupname2: username5 username2 username3
Keep the .ht prefix on the group file name. The stock Apache configuration refuses to serve files whose names begin with .ht, which is what stops the server handing out your membership list even though it sits inside public_html.
Basic Authentication using a UserID and Password that You Define
This is NOT a very secure way to control access to a directory. The user ID and password travel with every request, base64-encoded but NOT encrypted, so anyone who can watch the traffic between the browser and the server can read them. It gives a little protection for relatively unimportant documents, for example a draft paper you are writing with collaborators at another university.
The .htaccess file I have used for this example is:
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile /home/CRSID/password/password.file
    Require valid-user
Just to be sure the password file is not served by the web-server there is a .htaccess file in /home/CRSID/password/ with the following entry:
deny from all
The password file content is below (please note the password file is not in the www directory tree as you don't want the web server serving up your password file):
    bob:mFOXu4tavzogU
Each line is of the form:
    ${userID}:${encrypted_password}
You can generate the password part of each line (after the colon) with this bit of Perl from the UNIX command line:
    perl -e 'print(crypt("bob","mF")."\n");'
which is of the form:
    perl -e 'print(crypt("${password}","${SALT}")."\n");'
Replace bob with the password you want and, if you wish, replace the salt mF with two other characters such as xX or Kw. Note that the traditional crypt() used here looks only at the first eight characters of the password, so anything longer adds no strength. The htpasswd utility shipped with Apache writes entries in the same file format.
Note that these userIDs and passwords are sent in clear text across HTTP (port 80). So please DO NOT use a userID and password that you would use for your normal UNIX/Windows user accounts.
All Raven Accounts can access a specific file
    <Files fileraven.html>
    order deny,allow
    deny from all
    AuthType Ucam-WebAuth
    Require valid-user
    Satisfy any
    </Files>
All Raven Accounts can access specific files
    <FilesMatch "^(little|mermaid)\.html$">
    Order allow,deny
    Deny from all
    AuthType Ucam-WebAuth
    Require valid-user
    Satisfy any
    </FilesMatch>
The FilesMatch argument is a regular expression, so escape the dot and anchor the pattern: an unanchored (little|mermaid).html also matches names such as mylittlexhtml.
Logout of Raven
There is a trick to let people log out of Raven when they have finished looking at your pages. Put this HTML into your web page:
    <a href="https://www.maths.cam.ac.uk/computing/logout">Logout</a> from <a href="http://raven.cam.ac.uk">Raven</a>
and put this into a .htaccess file in the same directory:
    <Files logout>
    SetHandler AALogout
    Satisfy any
    </Files>
Note: Satisfy any is there so that you do not have to be logged in to Raven to reach the logout URL. Without it, if your Raven session had timed out while you had a page open, you would have to reauthenticate to Raven just in order to log out.
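Every snippet above depends on how Order/Deny, Satisfy and Require combine, and the classic mistake is to omit Satisfy any (Apache's default is Satisfy all), which together with deny from all locks everyone out. The following Python script is an added example, not part of the original page and not Apache's code: a simplified model of those Apache 2.2 rules (host rules limited to all and IPv4 addresses or CIDR blocks; Require limited to valid-user, user and group), run over the configurations from this page. The group file contents, the user names alice/bob/carol and the IP addresses are constructed for the example, and 192.0.2.0/24 is a documentation range standing in for "Cambridge computers".

```python
"""Simplified model of the Apache 2.2-style access rules used in the .htaccess
snippets on this page (Order/Allow/Deny, Satisfy, Require). Added example for
reasoning about configurations, not Apache's own code: host rules cover only
'all' and IPv4 addresses/CIDR blocks; Require covers valid-user, user, group."""
import ipaddress


def parse_groups(text):
    """Parse a .htravengroups-style file: 'group: user1 user2 ...' per line."""
    groups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups[name.strip()] = set(members.split())
    return groups


def _rule_matches(rule, client_ip):
    """'all' matches every client; anything else is an address or CIDR block."""
    if rule.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)


def host_allowed(order, allow_rules, deny_rules, client_ip):
    """Host check.
    Order deny,allow (Apache's default): Allow wins over Deny, and a client
    matching neither is allowed.
    Order allow,deny: Deny wins over Allow, and a client matching neither is
    denied, even when there are no Allow/Deny lines at all."""
    allowed = any(_rule_matches(r, client_ip) for r in allow_rules)
    denied = any(_rule_matches(r, client_ip) for r in deny_rules)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unknown Order: %r" % order)


def user_authorized(require, user, groups):
    """Require valid-user / Require user a b / Require group g h."""
    if user is None:          # no authenticated user at all
        return False
    kind, _, arg = require.partition(" ")
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in arg.split()
    if kind == "group":
        return any(user in groups.get(g, set()) for g in arg.split())
    raise ValueError("unknown Require: %r" % require)


def access_decision(conf, client_ip, user=None, groups=None):
    """conf: dict with optional keys order, allow, deny, require, satisfy.
    No 'require' means no authentication is configured, so only the host
    check applies. No 'satisfy' means Apache's default, Satisfy all."""
    host_ok = host_allowed(conf.get("order", "deny,allow"), conf.get("allow", []),
                           conf.get("deny", []), client_ip)
    require = conf.get("require")
    if require is None:
        return host_ok
    user_ok = user_authorized(require, user, groups or {})
    if conf.get("satisfy", "all") == "any":
        return host_ok or user_ok
    return host_ok and user_ok


# The page's snippets, expressed as dicts.
RAVEN_ALL = {"order": "deny,allow", "deny": ["all"],
             "require": "valid-user", "satisfy": "any"}
# Same, with Satisfy any forgotten: Satisfy all plus deny from all admits nobody.
RAVEN_ALL_NO_SATISFY = {"order": "deny,allow", "deny": ["all"], "require": "valid-user"}
RAVEN_GROUP = {"order": "deny,allow", "deny": ["all"],
               "require": "group mygroup", "satisfy": "any"}
# The logout block: no Deny, so the host check passes and Satisfy any admits
# even a client with no Raven session.
LOGOUT = {"require": "valid-user", "satisfy": "any"}
# Host-only restriction to one network (constructed range, no authentication).
NETWORK_ONLY = {"order": "deny,allow", "deny": ["all"], "allow": ["192.0.2.0/24"]}

# Constructed group file with made-up user IDs.
GROUPS = parse_groups("mygroup: alice bob\nothers: carol\n")


def demo(client_ip="203.0.113.5"):
    """Decisions for the configurations above, keyed for inspection."""
    return {
        "raven_all/anonymous": access_decision(RAVEN_ALL, client_ip),
        "raven_all/alice": access_decision(RAVEN_ALL, client_ip, user="alice"),
        "no_satisfy/alice": access_decision(RAVEN_ALL_NO_SATISFY, client_ip, user="alice"),
        "group/bob": access_decision(RAVEN_GROUP, client_ip, user="bob", groups=GROUPS),
        "group/carol": access_decision(RAVEN_GROUP, client_ip, user="carol", groups=GROUPS),
        "logout/anonymous": access_decision(LOGOUT, client_ip),
        "network/inside": access_decision(NETWORK_ONLY, "192.0.2.17"),
        "network/outside": access_decision(NETWORK_ONLY, client_ip),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s %s" % (name, "allowed" if ok else "denied"))
```

Run it and compare the rows: no_satisfy/alice is the lockout caused by omitting Satisfy any, group/carol shows Require group rejecting a valid Raven user who is not in the group, and logout/anonymous shows why Satisfy any lets someone with an expired session reach the logout handler.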
Other access control
The above has covered the use of Raven or local passwords to restrict access. It is also possible to restrict access based on the computer someone is using, for example to allow access only from Cambridge computers.
- Apache's tutorial on authentication and authorization explains how to do this - scroll down to "Beyond just authorization"