The Web, by default, is pretty much wide open. If you put a page on the Web then anyone who can get the URL (Web address) can usually see it. Since this isn’t always what you want, Web servers have methods for controlling access to Web content – but you have to know how these protections work.

The Apache Web server – which is in use here in ECE as well as on 60%+ of the Websites around the world – has a very simple mechanism to control access. When a request comes in to view a particular Web page, Apache first looks to see if there is a file named .htaccess in that same directory or one of its parent directories. If there isn’t, Apache immediately lets the visitor view the requested page. If the .htaccess file exists, Apache processes its contents first to make sure access to the requested page should be allowed.

Restricting your pages so only ECE people can access them

Often you might want to limit access so only ECE-affiliated individuals have access to your page. In this case you don’t need to create an .htpasswd file at all – just put the following lines into your .htaccess file:

	<Files *>
		AuthType Basic
		AuthName "your UW account name and password"
		Require valid-user
		Satisfy all
	</Files>

If you wish to limit access to particular groups of individuals within ECE, you can easily do that as long as the group of people corresponds to a Unix group. Some common groups are faculty, staff, graduate, and undergrad. If, for example, you wished to only allow faculty and staff to see a particular directory, you could do this with the following .htaccess code:

	<Files *>
		AuthType Basic
		AuthName "your UW account name and password"
		Require group faculty staff
		Satisfy all
	</Files>

Or, to restrict the pages to a specific list of users, include those users’ account names like so:

	<Files *>
		AuthType Basic
		AuthName "your UW account name and password"
		Require user joe mary sue allison
		Satisfy all
	</Files>

Note: An ECE account corresponding to the UW account (NetID) must exist in order for a person to log in to password-protected pages on the ECE web server. People not affiliated with ECE will not be able to log in, even if they have a NetID.

Note: If you only want to protect a particular file or web page, replace the asterisk on the “Files” entry with the name of the file to be protected (Example: <Files topsecret.html>).

Creating your own login info

As an alternative approach, you can create special login information. Anyone with these login credentials will be able to access the page, but other people will not. This may be useful if you want to allow people from outside UW to access your web page, for instance.

To do this, you first need to create a password file (typically named .htpasswd). This is accomplished from the command line on the web server, using the htpasswd command. Let’s say you wanted to create a login name “sealab2021” – this is how you’d do it (alter the first command so that you change to your actual directory, not the fictitious one shown):

	$ cd /var/www/html/research/mylab/
	$ htpasswd -c .htpasswd sealab2021

You’d then be prompted to type in the new password for the username sealab2021.

Note: When using the htpasswd command, the “-c” switch should ONLY be used when creating a new password file, because it overwrites any existing file of that name and removes the logins already in it. If you’re adding additional login information to an existing file, leave that switch out.

In this instance, your .htaccess file would need to look like this:

	<Files *>
		AuthType Basic
		AuthName "Your Account"
		AuthUserFile /var/www/html/research/mylab/.htpasswd
		Require valid-user
		Satisfy all
	</Files>

Note: the “AuthName” line can be changed, if you want the pop-up prompt to use different wording.
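
A check you could run over the two files described above, as an added example that is not part of the original page: it confirms that every name on a "Require user" line exists in the password file and flags entries stored in the formats the Apache htpasswd documentation calls insecure (unsalted SHA-1, DES crypt, plaintext). The sample file contents, the usernames guest, intern and legacy, and the function names are constructed for illustration.

```python
import re

# Constructed sample: the .htaccess from this page with a user list instead of valid-user.
HTACCESS = """\
<Files *>
    AuthType Basic
    AuthName "Your Account"
    AuthUserFile /var/www/html/research/mylab/.htpasswd
    Require user sealab2021 guest intern
    Satisfy all
</Files>
"""
# Constructed .htpasswd; the hash bodies are placeholders, not real hashes.
HTPASSWD = """\
sealab2021:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDE
guest:{SHA}PLACEHOLDERPLACEHOLDERPLA=
legacy:abPLACEHOLDER
"""
PREFIXES = (("$2y$", "bcrypt"), ("$apr1$", "apr1-md5"), ("{SHA}", "sha1-unsalted"))

def hash_scheme(value):
    """Classify an htpasswd hash by its prefix; 13 characters with no prefix is DES crypt."""
    for prefix, name in PREFIXES:
        if value.startswith(prefix):
            return name
    return "crypt-des" if len(value) == 13 else "plaintext-or-unknown"

def parse_htpasswd(text):
    """Return {username: scheme} for every 'user:hash' line."""
    users = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and not name.startswith("#"):
            users[name] = hash_scheme(value)
    return users

def audit(htaccess, htpasswd):
    """List 'Require user' names missing from the file, then weak hash schemes."""
    users, findings = parse_htpasswd(htpasswd), []
    for m in re.finditer(r"^\s*Require\s+user\s+(.+)$", htaccess, re.M | re.I):
        for name in m.group(1).split():
            if name not in users:
                findings.append(f"{name}: not in password file")
    for name, scheme in users.items():
        if scheme not in ("bcrypt", "apr1-md5"):
            findings.append(f"{name}: weak hash scheme {scheme}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(HTACCESS, HTPASSWD)))
```

To audit real files, pass their contents to audit() in place of the constructed samples; entries reported as weak can be re-created with htpasswd -B, which stores a bcrypt hash.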