Since Apache is used on more than 50% of the sites on the WWW, we'll start there. Apache allows you to protect a document, an entire directory, or files that match a certain pattern, and allow them to be accessed by a certain user, a group of users, or users from a certain domain or machine.
These settings can be made either in the main server configuration files, or in a .htaccess (pronounced "dot H T Access") file in the direcory to be affected. I will assume that the settings will be made in a .htaccess file, since that is the usual way of doing this.
There are several steps in the process, and you need to do those ones that apply to your situation, and the effect that you are trying to achieve.
First you will need to create a .htpasswd file, containing the names and passwords of the users that will need to have access to the site. On Unix systems, the password is encrypted, and must be created using the htpasswd program. Typing "htpasswd" at the command line will produce the output:
Usage: htpasswd [-c] passwordfile username
The -c flag creates a new file
If you get a "Command not found" error message, contact your sysadmin.
ALWAYS put the password file outside of the document root of your server. I typically put the file in a directory called "passwd" that is on the same directory level as the htdocs directory. This is so that malicious persons cannot download my password files for perusal at their own leisure.
It is conventional to call the file ".htpasswd" Thus, to create a new password file with your username and password in it, type:
htpasswd -c .htpasswd myusername
You will them be queried for a password, and then asked to confirm that password. If you look at the file that was created, it will contain a line that looks something like:
You can add additional names to the file by repeating the command without the -c switch.
On Apache for Win32, the passwords are encrypted using the MD5 algorithm, rather than the Unix crypt algorithm, so the password file will look a little different.
If you wish to add several of the users to a group, create another file called .htgroup, with entries in it like:
group: user1 anotheruser myusername
You next step is to actually protect the directory or file(s) in question.
In the directory to be protected, create a file called .htaccess, and put something in it like:
require group groupname
In this example, the directory requires the user to be a member of the group "groupname". The AuthName is the word that will appear on the authentication dialog. AuthType must be Basic, since no other authentication schemes are supported at this time.
To allow just one username, rather than a whole group, use the following:
require user me
For more information on protecting just one document, or a set of ducuments matching a particular pattern, see the Files and FilesMatch directives on the Apache Core Documentation page.
Table of Contents |
Just so there is no chance of ambiguity, let me say up front that I feel that the way that IIS has chosen to do HTTP authentication is very broken. OK, that's out of the way ...
In order to password protect documents using IIS, you have to actually create accounts on the NT machine. You then assign permissions to the various documents so that those users have permission to read those documents. While this sounds simple enough, keep in mind that this means that user accounts and passwords are being passed across the Internet in plain text. Of course, this is also the case with ordinary Basic Authentication, but with other HTTP servers, intercepting this name/password pair simply means that you can access those web pages, while with IIS it means that you might actually be able to log into the NT machine running the HTTP server.
IIS also has an authentication scheme called "NT Challenge and Response", which uses some variety of encryption with the password. However, this is not supported by the Netscape browser, and is not part of the HTTP standard, so should not be used unless you are sure that all of your client browsers will be IE.
Table of Contents |
The Netscape family of HTTP servers have a GUI for setting permissions on files and directories, and for creating authentication accounts and groups. This can be accessed via the ordinary adminstration interface. Unfortunately, I am no longer running Netscape servers on any of the machines that I have access to, so I am not sure of the tab that you need to go to to make these settings.
The 2.x servers also had some command-line utilities in a directory called "Extras" that allowed you to add/edit/remove login accounts and group. This was very handy, as it allowed you to make these changes via CGI programs as well. Unfortunately, these utilities were no longer available in the 3.x versions.
Also, by way of another disclaimer, I should add that in version 3 of the various servers, Netscape changed the way that it did a lot of things, and that is about the time that I stopped using Netscape, so I am not sure how that is done in the new versions.
Table of Contents |