UNIVERSITY of VIRGINIA
Computer Science

Password Protection

Basic password protection of web directories is easy to set up. It is not extremely secure, however, since anyone with direct filesystem access (i.e., telnet or ftp) will still be able to get to the files. To restrict access to a directory you must create two files: .htaccess and .htpasswd. The .htaccess file should look something like this:

AuthUserFile /home/pev5b/achtung/.htpasswd
AuthGroupFile /dev/null
AuthName AuchtungBaby
AuthType Basic
<Limit GET>
require user youtoo
</Limit>

The AuthUserFile directive tells the web server where the .htpasswd file, which contains the valid name-password combinations, is located; this is usually the directory that you want to protect. The AuthGroupFile is unimportant, so it is directed to our favorite bit bin, /dev/null. The AuthName is merely the "name" of the set of files being accessed. The "require user" element must be set to the username that is allowed to access the files in question. The next step is to set up the .htpasswd file.

Another way to protect a directory is by the client's domain name. An example of this would be to allow access from any machine in the virginia.edu domain, but disallow all others. This can be done by simply replacing the <Limit GET> section with:

<Limit GET>
order deny,allow
deny from all
allow from virginia.edu
allow from 128.143
</Limit>

One drawback of this is that valid users trying to access the page from a non-UVA network or dialup will be unable to reach it.

To create the .htpasswd file, execute the following command (htpasswd is in /usr/cs/bin):

htpasswd -c /the/path/to/your/directory/.htpasswd username

/the/path/to/your/directory should be the directory you want to password protect, and username should be the username you want to allow to access the files. Both .htpasswd and .htaccess must be world-readable in order to work. This can be done by executing the following command in the directory to be protected:

chmod 644 .htpasswd .htaccess
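
An added check, not part of the original page: Apache applies directives placed inside <Limit GET> only to GET and HEAD requests, so the require/allow/deny lines in the .htaccess examples above place no restriction on other methods. The Python script below flags such blocks; its function and variable names are hypothetical, and the method list is a subset chosen for this example.

```python
import re

# Subset of the method names <Limit> accepts, chosen for this example.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH"}
ACCESS_DIRECTIVES = {"require", "allow", "deny", "order"}

def audit_htaccess(text):
    """Report each <Limit> block that scopes access control to some methods only."""
    findings, limited, start, inside = [], None, 0, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opening = re.match(r"<Limit\s+([^>]+)>$", line, re.I)
        if opening:
            limited = {m.upper() for m in opening.group(1).split()}
            if "GET" in limited:
                limited.add("HEAD")  # Apache applies a GET limit to HEAD as well
            start, inside = lineno, []
        elif line.lower() == "</limit>":
            if limited is not None and inside:
                findings.append({"line": start, "directives": inside,
                                 "unrestricted": sorted(METHODS - limited)})
            limited = None
        elif limited is not None and line.split()[0].lower() in ACCESS_DIRECTIVES:
            inside.append(line)
    return findings

# The page's first .htaccess, verbatim.
PAGE_HTACCESS = """\
AuthUserFile /home/pev5b/achtung/.htpasswd
AuthGroupFile /dev/null
AuthName AuchtungBaby
AuthType Basic
<Limit GET>
require user youtoo
</Limit>
"""

# Constructed variant: same directives without the <Limit> wrapper, so the
# requirement applies to every request method.
UNSCOPED_HTACCESS = PAGE_HTACCESS.replace("<Limit GET>\n", "").replace("</Limit>\n", "")

if __name__ == "__main__":
    for name, conf in (("page", PAGE_HTACCESS), ("unscoped", UNSCOPED_HTACCESS)):
        for f in audit_htaccess(conf):
            print(f"{name}: line {f['line']}: {f['directives']} not enforced for {f['unrestricted']}")
        if not audit_htaccess(conf):
            print(f"{name}: no method-scoped access control found")
```

Dropping the <Limit GET> and </Limit> lines, as in the constructed variant, makes the same directives apply to all methods.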

For more information on user authentication see this ApacheWeek article or the Apache mod_auth documentation.



UVa CS Department of Computer Science
School of Engineering, University of Virginia
151 Engineer's Way, P.O. Box 400740
Charlottesville, Virginia 22904-4740

(434) 982-2200  Fax: (434) 982-2214
Web Comments: webteam@cs.virginia.edu
Admissions Inquiries: inquiry@cs.virginia.edu
© Created by the CS Web Team