Setting up password protection on a web directory


1a) For user based authentication, create a file /fs/www/path/to/webdir/.htaccess containing the following:
AuthUserFile /fs/www/path/to/webdir/.htpasswd
AuthGroupFile /dev/null
AuthName "Some Name"
AuthType basic
<Limit GET POST>
require user testuser
</Limit>

1b) For host based authentication create a file /fs/www/path/to/webdir/.htaccess containing the following...

AuthUserFile /fs/www/path/to/webdir/.htpasswd
AuthGroupFile /dev/null
AuthName "Some Name"
AuthType basic
<Limit GET POST>
order allow,deny
allow from .cs.umd.edu
</Limit>

1c) For both user and host based authentication create a file /fs/www/path/to/webdir/.htaccess containing the following...

AuthUserFile /fs/www/path/to/webdir/.htpasswd
AuthGroupFile /dev/null
AuthName "Some Name"
AuthType basic
<Limit GET POST>
order allow,deny
allow from .cs.umd.edu
require user testuser
satisfy any
</Limit>

The allow from .cs.umd.edu line is for host based authentication. The satisfy any line tells the server to OR the host and password checks, so passing either one grants access. Using satisfy all instead would AND the two authentication methods, requiring both to succeed before access is granted.

The require user directive specifies that the user testuser must successfully authenticate to be granted access.
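
The following is an added example, not part of the original page and not Apache's own code: a simplified Python model of how the 1c) file decides a GET or POST request under satisfy any versus satisfy all. The function names (parse, host_allowed, decide) are hypothetical, and the model assumes only the directives shown on this page are present.

```python
# Added example: simplified model of the 1c) access decision (GET/POST only).
HTACCESS_1C = """\
AuthUserFile /fs/www/path/to/webdir/.htpasswd
AuthGroupFile /dev/null
AuthName "Some Name"
AuthType basic
<Limit GET POST>
order allow,deny
allow from .cs.umd.edu
require user testuser
satisfy any
</Limit>
"""

def parse(text):
    """Collect the allow/require/satisfy directives from .htaccess text."""
    rules = {"allow": [], "users": [], "satisfy": "all"}  # Satisfy defaults to All
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0].startswith(("#", "<")):
            continue
        key, arg = words[0].lower(), words[1].lower()
        if key == "allow" and arg == "from":
            rules["allow"] += [w.lower() for w in words[2:]]
        elif key == "require" and arg == "user":
            rules["users"] += words[2:]
        elif key == "satisfy":
            rules["satisfy"] = arg
    return rules

def host_allowed(host, patterns):
    """Suffix match on whole name components, e.g. .cs.umd.edu."""
    host = host.lower()
    for p in patterns:
        if host == p:
            return True
        if host.endswith(p) and (p.startswith(".") or host[-len(p) - 1] == "."):
            return True
    return False

def decide(rules, host, auth_user):
    """auth_user: name that passed the password check, or None."""
    host_ok = not rules["allow"] or host_allowed(host, rules["allow"])
    if not rules["users"]:          # 1b) host check alone decides
        return host_ok
    user_ok = auth_user in rules["users"]
    if rules["satisfy"] == "any":
        return host_ok or user_ok   # either check is enough
    return host_ok and user_ok      # both checks must pass
```

With satisfy any, a client inside .cs.umd.edu is never asked for a password; switch to satisfy all if every visitor must authenticate as well.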

Note, .htaccess files affect the directory which contains them and all subdirectories. This is usually desired behavior, but be aware of it. If you want different behavior somewhere lower in the directory tree, you will need to create another .htaccess to override the one above it.

Note that everyone should have read access to these files (.htaccess and .htpasswd).

2) Create the passwd file by running

htpasswd -c /fs/www/path/to/webdir/.htpasswd <username>

...for each user to whom you want to grant access, and provide a password when prompted. The -c option creates the file, overwriting any existing one, so use it only for the first user and omit it when adding further users. The path to this file must match the path to the file you specified in the AuthUserFile directive in the .htaccess file. Note that there is no connection between the htpasswd file and the other department authentication systems. You may use any username or password you like. You can add multiple users to the require user line as necessary to allow multiple users access. See Apache's web site for more information on the directives.

Keep in mind that this restricts web-based access only. If someone has a CS account they can cd to the directory and look around. If you have something that needs to be protected from normal users as well, send mail to staff@cs.umd.edu and we will try to work something out for your needs.


Last Updated: Aug 2006