Mosaic 2.0 and NCSA HTTPd allow access restriction based on several criteria:
NCSA HTTPd 1.5 has support for HTTP Basic Authentication (Basic), as well as the proposed Message Digest Authentication (MD5). Most, if not all, current browsers should support HTTP Basic Authentication, but not all browsers support MD5. Some browsers that do include NCSA Mosaic/X 2.7 and Spyglass Mosaic. Keep in mind that Basic sends the username and password base64-encoded (not encrypted) with every request to the protected area, so anyone who can watch the network traffic can read them; MD5 Digest avoids sending the password itself.
Per-directory configuration means that users with write access to part of the filesystem that is being served (the Document Tree) can control access to their files as they wish. They need not have root access on the system or write access to the server's primary configuration files. Also, the per-directory configuration files are read and parsed by the server on each access, allowing run-time re-configuration. The global configuration files are only parsed on start-up or restart, which usually requires root authority. There is a speed penalty associated with using the per-directory configuration files, but that's the trade-off you have to take.
Access control for a given directory is controlled by a specific file in the directory with a filename as specified by the AccessFileName directive. The default filename is .htaccess.
Create a file called .htaccess in directory turkey that looks like this:

    AuthUserFile /otherdir/.htpasswd
    AuthGroupFile /dev/null
    AuthName ByPassword
    AuthType Basic
    <Limit GET>
    require user pumpkin
    </Limit>
Note that the password file will be in another directory (/otherdir). Keep it outside the Document Tree, as here, so that it can never be fetched over HTTP like any other file in a served directory. AuthUserFile must be the full Unix pathname of the password file.
AuthName can be anything you want. The AuthName field gives the Realm name for which the protection is provided. This name is usually shown when a browser prompts for a password, and is also usually used by a browser, together with the URL, to save the password information you enter so that it can authenticate automatically on the next challenge. Note: You should set this to something descriptive, otherwise it will default to ByPassword, which is both non-descriptive and too common (the examples here use ByPassword only for brevity).
AuthType should be set to Basic, since we are using Basic HTTP Authentication. Other possibilities for NCSA HTTPd 1.5 are PEM, PGP, KerberosV4, KerberosV5, or Digest. These other types of authentication will be discussed later.
Only the methods named in the Limit directive are restricted; any other method is served without a challenge. If you only use GET protection for a CGI script, you may find that the REMOTE_USER environment variable is not getting set when a form is submitted with METHOD="POST", simply because the directory isn't protected against POST. List every method the script accepts:

    <LIMIT GET POST PUT>
    require user pumpkin
    </LIMIT>
Create the password file /otherdir/.htpasswd. The easiest way to do this is to use the htpasswd program distributed with NCSA HTTPd. Do this:

    htpasswd -c /otherdir/.htpasswd pumpkin

Type the password -- pie -- twice as instructed. Check the resulting file to get a warm feeling of self-satisfaction; it should look like this:

    pumpkin:y1ia3tjWkhCK2

The second field is a crypt(3)-style hash of the password, not the password itself. The file should be readable by the user the server runs as, and by nobody else.
Add additional users to the directory's .htpasswd file. Use the htpasswd command without the -c flag to add additional users; e.g.:

    htpasswd /otherdir/.htpasswd peanuts
    htpasswd /otherdir/.htpasswd almonds
    htpasswd /otherdir/.htpasswd walnuts
Create the group file. Call it /otherdir/.htgroup and have it look something like this:

    my-users: pumpkin peanuts almonds walnuts
...
where pumpkin, peanuts, almonds, and walnuts are the usernames.
Then modify the .htaccess file in the directory to look like this:

    AuthUserFile /otherdir/.htpasswd
    AuthGroupFile /otherdir/.htgroup
    AuthName ByPassword
    AuthType Basic
    <Limit GET>
    require group my-users
    </Limit>
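The two .htaccess files above (require user, then require group) and the Limit pitfall with POST, worked through as an added Python example. This is not code from this page or from NCSA HTTPd: it parses the Limit block, decodes the Basic Authorization header the way the server would, checks the user against the password and group files, and reports what REMOTE_USER a CGI script would see. Assumptions: the password and group file contents are constructed inline, and the password entries use a PBKDF2 stand-in instead of the crypt(3) hashes htpasswd writes; the user fido (valid password, not in my-users) is included to show the group check; host-based rules are not handled here.

```python
"""Added example: evaluate an NCSA-style .htaccess <Limit> block for a request.

Not NCSA HTTPd code. Password entries are constructed and use a PBKDF2
stand-in (assumption) instead of the crypt(3) hashes htpasswd writes.
"""
import base64
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000


def make_entry(user, password):
    """Build one 'user:salt$hash' line (stand-in for an htpasswd line)."""
    salt = os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), PBKDF2_ROUNDS).hex()
    return f"{user}:{salt}${digest}"


# Constructed stand-ins for /otherdir/.htpasswd and /otherdir/.htgroup.
HTPASSWD = "\n".join([make_entry("pumpkin", "pie"), make_entry("peanuts", "salted"),
                      make_entry("fido", "bones")])  # fido authenticates but is not in my-users
HTGROUP = "my-users: pumpkin peanuts almonds walnuts\n"

GET_ONLY = """AuthUserFile /otherdir/.htpasswd
AuthGroupFile /otherdir/.htgroup
AuthName ByPassword
AuthType Basic
<Limit GET>
require group my-users
</Limit>
"""
ALL_METHODS = GET_ONLY.replace("<Limit GET>", "<Limit GET POST PUT>")


def parse_limit(htaccess):
    """Return (limited methods, [(kind, names), ...]) from the <Limit> block."""
    m = re.search(r"<Limit\s+([^>]+)>(.*?)</Limit>", htaccess, re.S | re.I)
    if not m:
        return set(), []
    methods = {w.upper() for w in m.group(1).split()}
    requires = []
    for line in m.group(2).strip().splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "require":
            requires.append((parts[1].lower(), parts[2:]))
    return methods, requires


def load_passwd(text):
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)


def load_groups(text):
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups


def verify_password(stored, password):
    salt, digest = stored.split("$", 1)
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), PBKDF2_ROUNDS).hex()
    return hmac.compare_digest(calc, digest)


def basic_header(user, password):
    """What a browser sends after the challenge: base64, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """Recover (user, password) from an Authorization header; None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return tuple(raw.split(":", 1)) if ":" in raw else None


def authorize(htaccess, passwd_text, group_text, method, auth_header=None):
    """Return (status, remote_user): 200 if the request proceeds, 401 if it is
    challenged; remote_user is what REMOTE_USER would hold for a CGI script."""
    methods, requires = parse_limit(htaccess)
    if method.upper() not in methods:
        # Not listed in <Limit>: no challenge at all, and REMOTE_USER stays unset.
        return 200, None
    creds = decode_basic(auth_header)
    if creds is None:
        return 401, None
    user, password = creds
    stored = load_passwd(passwd_text).get(user)
    if stored is None or not verify_password(stored, password):
        return 401, None
    groups = load_groups(group_text)
    for kind, names in requires:
        if kind == "valid-user" or (kind == "user" and user in names) \
                or (kind == "group" and any(user in groups.get(g, ()) for g in names)):
            return 200, user
    return 401, None


def demo():
    cred = basic_header("pumpkin", "pie")
    return {
        "get_with_creds": authorize(GET_ONLY, HTPASSWD, HTGROUP, "GET", cred),
        "get_without_creds": authorize(GET_ONLY, HTPASSWD, HTGROUP, "GET"),
        "post_under_limit_get": authorize(GET_ONLY, HTPASSWD, HTGROUP, "POST"),
        "post_under_limit_all": authorize(ALL_METHODS, HTPASSWD, HTGROUP, "POST"),
        "fido_not_in_group": authorize(ALL_METHODS, HTPASSWD, HTGROUP, "GET", basic_header("fido", "bones")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The post_under_limit_get entry is the pitfall from the text: under Limit GET a POST is answered 200 with no REMOTE_USER, while under Limit GET POST PUT the same POST is challenged. decode_basic also makes the Basic caveat concrete: the header is reversible base64, so the password is exposed to anyone who sees the request.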
fido with password bones.
Important Note: There is no correspondence between usernames and passwords on specific Unix systems (e.g. in an /etc/passwd file) and usernames and passwords in the authentication schemes we're discussing for use in the Web. As illustrated in the examples, Web-based authentication uses similar but wholly distinct password files; a user need never have an actual account on a given Unix system in order to be validated for access to files being served from that system and protected with HTTP-based authentication.
rover with password bacon and user jumpy with password kibbles.
ncsa.uiuc.edu.
Note for non-NCSA readers: The .htaccess file used in this case is as follows:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName ExampleAllowFromNCSA
    AuthType Basic
    <Limit GET>
    order deny,allow
    deny from all
    allow from .ncsa.uiuc.edu
    </Limit>
ncsa.uiuc.edu.
Note for NCSA readers: The .htaccess file used in this case is as follows:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName ExampleDenyFromNCSA
    AuthType Basic
    <Limit GET>
    order allow,deny
    allow from all
    deny from .ncsa.uiuc.edu
    </Limit>
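The two host-based .htaccess files above, evaluated by an added Python example that is not code from this page or from NCSA HTTPd. It applies order, allow from and deny from the way the text describes: rules are tried in the stated order, the last matching rule wins, and the default is allow for "order deny,allow" and deny for "order allow,deny". Assumptions on pattern matching: all matches every host, a pattern beginning with a dot matches hosts in that domain, any other pattern must equal the hostname, and numeric address forms are not handled. The hostnames fed to it are constructed.

```python
"""Added example: evaluate NCSA HTTPd order / allow from / deny from rules
for a client hostname. Not server code; matching rules are assumptions
(see lead-in), numeric address forms are not handled.
"""
import re

ALLOW_ONLY_NCSA = """AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName ExampleAllowFromNCSA
AuthType Basic
<Limit GET>
order deny,allow
deny from all
allow from .ncsa.uiuc.edu
</Limit>
"""
DENY_NCSA = """AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName ExampleDenyFromNCSA
AuthType Basic
<Limit GET>
order allow,deny
allow from all
deny from .ncsa.uiuc.edu
</Limit>
"""


def parse_host_rules(htaccess):
    """Return (order, allow patterns, deny patterns) from the <Limit> block."""
    m = re.search(r"<Limit\s+[^>]+>(.*?)</Limit>", htaccess, re.S | re.I)
    order, allow, deny = ("deny", "allow"), [], []
    for line in (m.group(1) if m else "").splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "order":
            order = tuple(p.strip().lower() for p in parts[1].split(","))
        elif key in ("allow", "deny") and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(p.lower() for p in parts[2:])
    return order, allow, deny


def host_matches(pattern, host):
    """The leading dot in '.ncsa.uiuc.edu' is what keeps 'notncsa.uiuc.edu' out."""
    host = host.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern


def host_allowed(htaccess, host):
    """Apply the rule sets in the stated order; the last matching rule wins.
    Default is allow for 'order deny,allow' and deny for 'order allow,deny'."""
    order, allow, deny = parse_host_rules(htaccess)
    state = order[0] == "deny"
    for kind in order:
        patterns = allow if kind == "allow" else deny
        if any(host_matches(p, host) for p in patterns):
            state = kind == "allow"
    return state


def demo():
    # Constructed hostnames.
    return {
        "ncsa host, allow-only-NCSA": host_allowed(ALLOW_ONLY_NCSA, "www.ncsa.uiuc.edu"),
        "outsider, allow-only-NCSA": host_allowed(ALLOW_ONLY_NCSA, "www.example.com"),
        "lookalike, allow-only-NCSA": host_allowed(ALLOW_ONLY_NCSA, "notncsa.uiuc.edu"),
        "ncsa host, deny-NCSA": host_allowed(DENY_NCSA, "www.ncsa.uiuc.edu"),
        "outsider, deny-NCSA": host_allowed(DENY_NCSA, "www.example.com"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The hostname the server compares against comes from a reverse DNS lookup of the client's address, and whoever controls that reverse zone controls the answer; host-based allow and deny lists are therefore a convenience for limiting exposure, not a substitute for authentication on anything sensitive.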