School of GeoSciences

Web Access Control

Authentication and Access Control

If you wish to control access to a directory in your web space you can set up a .htaccess file. Detailed documentation is available:

For most people, some simple examples will cover their requirements.

Protecting Web Pages with EASE

It is straightforward to use the University's Cosign-based Single Sign-On Service, EASE. This is appropriate when access to the directory is to be permitted to one or more people who have a relationship with the University: staff, students, visitors, and EASE friends.

EASE protection is available via https only. EASE sets the REMOTE_USER variable.

In the directory you wish to protect, create .htaccess with commands to check for the variable and redirect via https if it is not set, thus:

RewriteEngine On
RewriteCond %{ENV:REMOTE_USER} ^$
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

This now only allows access to somebody with an EASE account - either members of the University or EASE friends (potentially anyone). EASE friend account names always contain an @ symbol, so to further restrict to only members of the University, add the following:

RewriteCond %{ENV:REMOTE_USER} @
RewriteRule ^ - [F]

To restrict access to a list of people (in this example grant1, gograf and crewman), add this instead:

RewriteCond %{ENV:REMOTE_USER} !^(grant1|gograf|crewman)$
RewriteRule ^ - [F]

In both of these examples, the RewriteCond is tested - if it succeeds, the RewriteRule is applied - which says the page is Forbidden.

If you need help with expressing more complicated rules, please contact the IT Team.

In a CGI or PHP script, use these environment variables:

  • REMOTE_USER contains the name of the EASE authenticated user (or is empty if there is none).
  • SCRIPT_URI is set to the requested URI. Replacing http: with https: will create a URI suitable for a "login" link.
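Putting these variables to work, as an added example in Python (not code from this page or from the IT Team): a CGI script that reproduces the policy of the .htaccess rules above in script logic, using REMOTE_USER and SCRIPT_URI exactly as documented. The access list is the page's own example; the hostname and the other usernames are constructed for illustration.

```python
#!/usr/bin/env python3
"""Added example, not part of the original page: a CGI script applying the
same EASE policy as the .htaccess rules, using REMOTE_USER and SCRIPT_URI."""
import os
import re

# Access list taken from the page's third .htaccess example.
ALLOWED_USERS = {"grant1", "gograf", "crewman"}


def login_link(script_uri):
    """Build the 'login' link the page describes: SCRIPT_URI with http:
    replaced by https:, since EASE protection is only available over https."""
    return re.sub(r"^http:", "https:", script_uri, count=1)


def decide(environ, allowed=None, members_only=False):
    """Return (status, detail) for one request, mirroring the RewriteCond logic:
    - empty REMOTE_USER      -> redirect to the https login link
    - '@' in REMOTE_USER     -> an EASE friend; forbidden when members_only
    - user not in 'allowed'  -> forbidden (when an access list is given)
    """
    user = environ.get("REMOTE_USER", "")
    if not user:
        return "302 Found", login_link(environ.get("SCRIPT_URI", ""))
    if members_only and "@" in user:
        return "403 Forbidden", "EASE friend accounts are not permitted here"
    if allowed is not None and user not in allowed:
        return "403 Forbidden", "user is not on the access list"
    return "200 OK", user


def render(status, detail):
    """Turn a decision into a CGI response: headers, blank line, body."""
    if status.startswith("302"):
        return f"Status: {status}\r\nLocation: {detail}\r\n\r\n"
    body = f"Hello {detail}\n" if status.startswith("200") else f"{detail}\n"
    return f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n{body}"


if __name__ == "__main__":
    # Real CGI run: the web server fills os.environ; EASE sets REMOTE_USER.
    status, detail = decide(os.environ, allowed=ALLOWED_USERS, members_only=True)
    print(render(status, detail), end="")
```

When the directory already carries the .htaccess rules, the server rejects unauthorised requests before the script runs; the script-level check is a second layer that also lets you tailor the response (a login link instead of a bare redirect, a clearer 403 message).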

Single User and Password

This is appropriate where a directory contains items that should not be widely published, but you want to give a number of people a common password to let them in.

It is NOT appropriate for setting up a large set of users. The maintenance effort will be too great, and there is a significant security risk if a large number of usernames and passwords are stored in this way. In particular, you should never use this mechanism to store a secure password used on other systems (e.g. EASE).

In the directory you wish to protect, create .htaccess with content similar to:

AuthUserFile /web/UUN/.htpasswd
AuthName "This is secret - enter the password"
AuthType Basic
Require user friend

Generating the Secrets for your .htpasswd file

The generic name for the file containing passwords is .htpasswd. The file can have any other name as long as it is referred to in your .htaccess file. The web server is configured not to publish files with names beginning .ht - so naming it that way is a good idea. As a further security measure do not put the file in your public_html directory - this further reduces the chance of it being accidentally published.

On our Linux systems, the htpasswd command manages .htpasswd files. See man htpasswd for complete instructions on how to use it. Here is an example of using the htpasswd command to create the password file mentioned above (the -s chooses SHA encryption):

htpasswd -s -c /web/UUN/.htpasswd friend

Your .htaccess and .htpasswd files must be world-readable:

chmod a+r /web/UUN/.htpasswd
chmod a+r /web/UUN/public_html/wherever/.htaccess
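As an added example (not code from this page or from the IT Team), here is what the htpasswd -s command above actually stores and how such a file is read back, in Python. An entry is user:{SHA} followed by the base64 of the unsalted SHA-1 of the password, which is why the page warns against reusing a real password here: anyone who can read a world-readable file can test guesses against it offline. Current Apache htpasswd also offers -B for bcrypt, which resists that far better. The usernames and passwords are constructed; the file path is whatever the caller supplies.

```python
"""Added example, not part of the original page: the {SHA} entry format that
`htpasswd -s` writes, a reader for it, and the page's chmod a+r check."""
import base64
import hashlib
import hmac
import os
import stat


def sha_entry(user, password):
    """The line `htpasswd -s` produces: user:{SHA}base64(sha1(password)).
    Unsalted SHA-1 is cheap to guess offline; prefer `htpasswd -B` (bcrypt)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_htpasswd(text):
    """Map user -> stored hash string, ignoring blank and comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_password(text, user, password):
    """True if 'password' matches the {SHA} entry for 'user' in the file text.
    Other hash schemes htpasswd can write ($apr1$, $2y$, crypt) are not handled
    here and are rejected rather than guessed at."""
    stored = parse_htpasswd(text).get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    expected = sha_entry(user, password).partition(":")[2]
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(stored, expected)


def write_htpasswd(path, user, password, world_readable=True):
    """Write a one-user file as `htpasswd -s -c` would, then apply the page's
    `chmod a+r` when world_readable is True (the web server must read it)."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(sha_entry(user, password) + "\n")
    os.chmod(path, 0o644 if world_readable else 0o600)
    return path


def is_world_readable(path):
    """The property `chmod a+r` guarantees: the 'other' read bit is set."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)
```

Keeping the file outside public_html, as the page advises, matters precisely because the hashes are unsalted SHA-1: the world-readable bit the web server needs is the same bit that would let it be served if it ever landed under a published directory.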