Setting up Access Control for Web pages

Note: Starting June 16, 2003, the Apache web server replaced the iPlanet web server, so the procedure for setting up access control for web pages differs at step 6 below. Please read http://www.itservices.hku.hk/faq/www/htaccess.htm for details.
We are pleased to announce that the Netscape Enterprise Server software supporting the www.hku.hk and web.hku.hk servers has recently been upgraded from version 1.0 to version 2.01. The www.hku.hk server is for use by departments and student organisations of the University, whereas the web.hku.hk server supports our users' personal web pages. The upgrade has been transparent to users. In addition to improved performance, it provides web page access control features. A common way of controlling access to web pages is by means of username and password.
If a user browses a web page which is set up with access control by means of username, a login window will come up and the user will be asked to type in his access-control username and password. Only authorized users can gain access to such restricted pages.
Procedure for setting up web page access control by creating a list of usernames and passwords for the authorized users:
For www.hku.hk, the home directory should be /web/docs/dept_account,
where dept_account is the departmental webmaster's account name.
For web.hku.hk, the home directory is represented as ~username,
where username is the user's account name, and the web pages are
under the directory ~username/public_html which is called
"document root" of the username's web pages.
htpasswd -c passwordFile username
where username is the name of a user account which will have the right to gain access to the restricted web pages.
Example:
htpasswd -c courseUsers ottoluk
Here the passwordFile is named as courseUsers.
You will then be asked to enter a password for the user ottoluk
twice. (You should, of course, inform the user of this username
and password for him to gain access to the restricted web pages.)
chmod 644 passwordFile
Example:
chmod 644 courseUsers
Example:
vi courseUsers
shows the following lines:
ottoluk:38hi3sylap
billgate:v8302icd92
where ottoluk and billgate are two authorized users'
names (their corresponding passwords are encrypted). You can delete either
one or both of the lines to remove the user(s) from the authorized user
list (i.e. the password file).
Create a file called .nsconfig in the directory whose files and sub-directories are to be accessible only by the authorized users specified in the password file discussed above.
Example 1
Suppose the full path name of the passwordFile is /a3/otto/courseUsers and the full path name of the directory of the web page files which require access control is /a3/otto/dir1/.
The file /a3/otto/dir1/.nsconfig should be created and it should
contain:
<Files *>
RequireAuth userfile=/a3/otto/courseUsers realm=HKU userpat=*
</Files>
Make sure that the full path of the passwordFile is specified in the .nsconfig file.
Please note that the keywords RequireAuth, userfile, realm and userpat and their assigned values must be on the same line. userpat specifies a username pattern, and * is a wildcard character which means all users in the password file.
Also, change the permission of the file .nsconfig so that it can be read by others using the following command:
chmod 644 .nsconfig
When a user views a web page file under the directory /a3/otto/dir1/, the WWW server will authenticate the user's access to the web page by means of his username and password in the password file /a3/otto/courseUsers.
Example 2
The file /a3/otto/dir2/.nsconfig contains
<Files *>
RequireAuth userfile=/a3/otto/courseUsers realm=HKU userlist=afan,bcheng userpat=h96*
</Files>
Please note that the keywords RequireAuth, realm, userfile, userpat and also their assigned values must be on the same line. userlist specifies a list of authorized users, userpat specifies the pattern of authorized usernames, and "h96*" means all usernames starting with "h96".
In this case, not all users in the password file can gain access to the web pages under the directory /a3/otto/dir2/. Instead, the authorized users include only "afan", "bcheng", and usernames starting with "h96".
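The rules stated above (RequireAuth and its keywords on one line, a full path for userfile, and a password file readable by others) can be checked before relying on the protection. The shell function below is an added example and not part of the original article; the name check_nsconfig is hypothetical, and it checks only the rules given on this page.

```shell
# check_nsconfig FILE: lint a .nsconfig against the rules stated in this article.
# Prints one line per problem and returns the number of problems found.
check_nsconfig() {
    cfg=$1; problems=0
    fail() { echo "$cfg: $1"; problems=$((problems + 1)); }

    [ -r "$cfg" ] || { fail "cannot read file"; return "$problems"; }

    # Every rule applies to the RequireAuth line itself.
    auth=$(grep '^[[:space:]]*RequireAuth' "$cfg")
    [ -n "$auth" ] || { fail "no RequireAuth line"; return "$problems"; }

    # userfile=, realm= and userpat=/userlist= must share that line.
    for key in userfile realm; do
        case $auth in
            *"$key="*) ;;
            *) fail "$key= is not on the RequireAuth line" ;;
        esac
    done
    case $auth in
        *userpat=*|*userlist=*) ;;
        *) fail "neither userpat= nor userlist= is on the RequireAuth line" ;;
    esac

    # A keyword that starts its own line means the directive was wrapped.
    if grep -Eq '^[[:space:]]*(userfile|realm|userpat|userlist)=' "$cfg"; then
        fail "keyword found on a separate line; join it to RequireAuth"
    fi

    # userfile must be a full path to a password file that others can read.
    pw=$(printf '%s\n' "$auth" | sed -n 's/.*userfile=\([^[:space:]]*\).*/\1/p')
    case $pw in
        /*) ;;
        *) fail "userfile '$pw' is not a full path" ;;
    esac
    if [ -f "$pw" ]; then
        perm=$(ls -l "$pw" | cut -c8)   # 'r' when others may read (chmod 644)
        [ "$perm" = r ] || fail "password file is not readable by others"
    else
        fail "password file '$pw' does not exist"
    fi
    return "$problems"
}

# When saved as a script: sh thisfile /a3/otto/dir1/.nsconfig
[ $# -eq 0 ] || check_nsconfig "$1"
```

A return value of 0 means the file satisfies every rule checked; a wrapped directive is reported because the keywords must be on the same line as RequireAuth.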
For more information, please contact the undersigned.
Newton Lui
Tel: 2857 8633
Email: lty@cc.hku.hk