Simple Password Protection for WWW Directories

Note: This assumes you know the basics of Project Vincent, including how to use an editor to create web pages, how to change into the right directories, etc. If you don't know that stuff already, then go learn it and come back to this page later. This is a very to-the-point, step-by-step process for doing simple password protection; the intent of this page is not to teach you how to use unix or create web pages.

Steps to implement simple password protection in a WWW subdir:

  1. Create the desired subdir (if it doesn't yet exist) and cd into it.

  2. Change privs in the dir to give read/list privs to the user www. Note that this user is Project Vincent-specific; this is implemented differently in other systems, especially non-/afs systems. The command for this is
    fs sa . www rl
    (within the protected directory). Use
    fs la
    to make sure you and www (and, optionally, system admins) are the only ones with privs in that directory. If there are others (there will probably be a system:anyuser), type (for the system:anyuser example)
    fs sa . system:anyuser none
    to remove those privs.

  3. Edit a new file called .htaccess -- The layout should be something like this:

    AuthType Basic
    AuthName CHOOSE-A-NAME
    AuthUserFile /afs/iastate.edu/SOMETHING/.htpasswd
    AuthGroupFile /afs/iastate.edu/SOMETHING/.htgroup

    <Limit GET POST>
    require group CHOOSE-A-GROUP-NAME
    require user BOB
    require user ME
    </Limit>

    For CHOOSE-A-NAME, do that. For SOMETHING, put in the appropriate directory structure, up to the current directory. (If you don't know that directory, use
    pwd
    to find it.) GET and POST are just in caps; leave them. For CHOOSE-A-GROUP-NAME, do that, too, if you want a group name. (I actually haven't played with groups much, so you might have to toy with this and figure it out yourself. Other documentation is available if you do a search elsewhere on the web, but keep in mind Project Vincent is set up somewhat differently for the privs I've already mentioned. This part would be the same, tho.) Also put in names for any users you want. These can be upper, lower, or mixed case, and they have nothing to do with Project Vincent usernames unless you make them that way.

  4. Edit a file called .htgroup if you choose to play with groups. The layout for that is something like the following; just replace the all-caps stuff with the appropriate groups and users that you are making up.

    GROUP1: USER1 USER2 USER3
    GROUP2: USER3 USER4

  5. add www

  6. Create passwords for each of the users you made up. I'm not sure about groups, but I don't think you create passwords for them. I think being a part of a group still requires your username and password, but it could conceivably make it easier to give a group access and then just update the group list in the .htgroup file rather than messing with individual users all the time in the .htaccess file. To create a password for a user, use
    htpasswd -c .htpasswd JOEUSER
    for the first one (the -c creates a new file), and drop the -c (just use
    htpasswd .htpasswd BOBUSER
    ) for additional users. When you type that, it will prompt you for a password and a second time for verification (won't echo on the screen). Note that it only uuencodes the password in .htpasswd, which is one of the reasons this isn't the ultimate security.

  7. Test it. Try logging in with correct and incorrect passwords. If something doesn't work, double-check your work.
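
Before the test in step 7, it helps to confirm that every user .htaccess admits, directly or through a group, actually has an entry in the file AuthUserFile points to. The script below is an added example, not part of the original page. It assumes .htpasswd holds one NAME:hash line per user and that the AuthUserFile and AuthGroupFile paths contain no spaces; the function names are made up for this example.

```sh
# Added example (not from the original page): report users that .htaccess
# admits, directly or through a group, but that have no .htpasswd entry.

# Print the arguments of a directive, e.g. "require user" -> BOB, ME.
directive_args() {  # $1=file  $2=first word  $3=second word (may be empty)
    awk -v a="$2" -v b="$3" '
        tolower($1) == a && (b == "" || tolower($2) == b) {
            for (i = (b == "" ? 2 : 3); i <= NF; i++) print $i
        }' "$1"
}

# Usage: check_htaccess /path/to/.htaccess   (exit status 1 on any problem)
check_htaccess() {
    ht=$1; bad=0
    pwfile=$(directive_args "$ht" authuserfile "" | head -n 1)
    grfile=$(directive_args "$ht" authgroupfile "" | head -n 1)
    [ -r "$pwfile" ] || { echo "unreadable AuthUserFile: $pwfile"; return 1; }
    users=$(directive_args "$ht" require user)
    for g in $(directive_args "$ht" require group); do
        # .htgroup lines look like "GROUP1: USER1 USER2"
        members=""
        [ -r "$grfile" ] && members=$(awk -v g="$g:" \
            '$1 == g { for (i = 2; i <= NF; i++) print $i }' "$grfile")
        [ -n "$members" ] || { echo "group $g: missing or empty"; bad=1; }
        users="$users $members"
    done
    for u in $(printf '%s\n' $users | sort -u); do
        # .htpasswd lines look like "USER:hash"; compare the name exactly
        awk -F: -v u="$u" '$1 == u { f = 1 } END { exit !f }' "$pwfile" ||
            { echo "user $u: no password entry"; bad=1; }
    done
    return $bad
}

# Constructed sample files; the names and hash strings are placeholders.
d=$(mktemp -d)
printf '%s\n' 'AuthType Basic' 'AuthName Demo' \
    "AuthUserFile $d/.htpasswd" "AuthGroupFile $d/.htgroup" \
    '<Limit GET POST>' 'require group GROUP1' 'require user BOB' \
    '</Limit>' > "$d/.htaccess"
echo 'GROUP1: USER1 USER2' > "$d/.htgroup"
printf '%s\n' 'BOB:PLACEHOLDER' 'USER1:PLACEHOLDER' > "$d/.htpasswd"
check_htaccess "$d/.htaccess" || echo "fix the lines above before step 7"
rm -rf "$d"
```

A user reported here would be rejected at login even with the right password, because the server has no entry to compare against.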

This document is available at http://dsblack.public.iastate.edu/help/passwords.html.