
Requiring User Authentication

User authentication controls file access at the user and group level by requiring a username and password before access is granted. The listing below is an example Directory container with these additional levels of access control.

Listing: User Authentication for Web Access

<Directory /home/httpd/internal/accounting>
    AuthName "Accounting"
    AuthType Basic
    # Both files live outside the document tree, so they cannot be fetched over the web
    AuthUserFile /usr/local/etc/http.passwords
    AuthGroupFile /usr/local/etc/http.groups
    # The "group" keyword is required; without it the names are not read as groups
    require group hdqtrs rec bill pay
    order deny,allow
    deny from all
    allow from example.org
</Directory>

The first two directives in this directory container are AuthName and AuthType. AuthName defines the name of the authentication realm, a value that is placed in the WWW-Authenticate header sent to the client. A realm is a group of server resources that share the same authentication. In the example, the directory /home/httpd/internal/accounting is the only item in the Accounting realm, but it would be possible to have other password-protected directories or documents in the Accounting realm. If we did, a user who authenticated for any resource in the Accounting realm would be authenticated for all resources in that realm, because the browser resends the same credentials for every resource in a realm it has already authenticated to.

The AuthType directive specifies the type of password authentication that will be used. This can be either Basic or Digest. When Basic is specified, the browser sends the username and password in the Authorization header encoded with base64, which is an encoding rather than encryption: the password crosses the network in clear text on every request and anyone able to read the traffic can recover it. When Digest is specified, the client proves knowledge of the password with a challenge-response built on Message Digest 5 (MD5), so the password itself is not transmitted. Digest is rarely used, partly because it is not completely implemented in all browsers. But more importantly, it is not used because data that requires strong authentication is better protected by running the whole connection over Secure Sockets Layer (SSL) security (today its successor, TLS), which encrypts the Basic credentials along with everything else and is covered later in this tutorial. Basic authentication over an unencrypted connection should be treated as no protection against an eavesdropper.

In the listing above, access is granted only if the user supplies a valid password and belongs to one of the listed groups. These groups and passwords are not the groups and passwords used by login; they are defined specifically for the web server. The files you create for this purpose are the ones pointed to by the AuthUserFile and AuthGroupFile entries. Keep both files outside the DocumentRoot, as the example does, so that they can never be served as ordinary documents.

Add a password to the web server password file with the htpasswd command that comes with the Apache system. The first time, use the -c option to create the file (for example, htpasswd -c /usr/local/etc/http.passwords amanda); for every later user omit -c, because -c overwrites an existing file. htpasswd stores a hash of the password, never the password itself. Add groups to the group file by editing the file with any text editor. Each entry in the group file starts with the group name followed by a colon and a space-separated list of users that belong to the group; for example, hdqtrs: amanda pat craig kathy. A name listed in a group that has no entry in the password file still cannot log in, because the password check comes first.

The Require directive names who is admitted once the password check has passed; it is what causes the server to demand a web username and password in the first place. In the listing above, require group hdqtrs rec bill pay limits access to users who belong to at least one of the groups hdqtrs, rec, bill, or pay and who enter a valid password. Alternatively, the keyword valid-user could have been used on the Require line instead of the group keyword and the list of groups. If it were, any user with a valid password would be given access, and the group file would be ignored.

The Order, Deny, and Allow directives perform the same function here as they did in the earlier host-based listing. The listing above adds password authentication to host authentication, but host authentication is not a prerequisite for password authentication. If the Order, Deny, and Allow directives were not used, any system on the Internet would be allowed to access the documents provided the user on that system had the correct username and password. With both kinds of control present, the default behavior (Satisfy All) is that a request must pass the host check and the password check; only an explicit Satisfy Any directive would admit a request that passes either one.
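The checks described in the last several paragraphs, as an added example that is not part of the original tutorial or of Apache itself: a small Python model of what the server does for the listing above. The password and group files, the user names and passwords, and the choice of the {SHA} hash scheme (what htpasswd -s produces) are constructed for this example, not taken from the page. The model builds the WWW-Authenticate challenge, decodes the Authorization header to show that Basic carries the password in the clear, parses the two files, evaluates the Require line (group list or valid-user), and applies the host restriction alongside the password check as the default Satisfy All requires.

```python
import base64
import hashlib
import hmac

# Constructed sample files mirroring the listing above; the user names,
# passwords and group members are invented for this example.
def sha_entry(password):
    """Hash as `htpasswd -s` does: "{SHA}" + base64(SHA-1). Chosen because it
    is short to reproduce; `htpasswd -B` (bcrypt) is the stronger choice."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

PASSWORD_FILE = "\n".join([                     # AuthUserFile contents
    "amanda:" + sha_entry("correct-horse"),
    "pat:" + sha_entry("battery-staple"),
    "sara:" + sha_entry("hunter2"),             # valid password, in no group
])
GROUP_FILE = "hdqtrs: amanda pat craig kathy\nbill: pat\n"   # AuthGroupFile contents
ALLOWED_DOMAINS = ("example.org",)              # from "allow from example.org"

def parse_passwords(text):
    """AuthUserFile: one `user:hash` per line."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, hashed = line.strip().partition(":")
            users[name] = hashed
    return users

def parse_groups(text):
    """AuthGroupFile: `group: member member ...` per line."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            group, _, members = line.partition(":")
            groups[group.strip()] = set(members.split())
    return groups

def password_ok(users, name, password):
    """Constant-time check against the stored {SHA} entry (only that scheme is
    handled here; Apache also accepts crypt, apr1 and bcrypt entries)."""
    stored = users.get(name)
    return stored is not None and hmac.compare_digest(stored, sha_entry(password))

def challenge(realm):
    """Header the server sends with its 401 when no credentials arrive."""
    return 'WWW-Authenticate: Basic realm="%s"' % realm

def basic_header(user, password):
    """What the browser sends back: base64 of user:password."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic(authorization):
    """Base64 is an encoding, not encryption: anyone on the path recovers the
    password. Returns (user, password), or None if the header is malformed."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    except ValueError:
        return None
    return user, password

def host_allowed(client_host):
    """order deny,allow / deny from all / allow from example.org: the client
    passes only if its reverse-resolved name (assumed already looked up)
    is example.org or a host under it."""
    host = client_host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def require_allows(require, users, groups, name):
    """Evaluate one Require line: `valid-user` or `group g h ...`."""
    words = require.split()
    if words[0] == "valid-user":
        return name in users
    if words[0] == "group":
        return any(name in groups.get(g, set()) for g in words[1:])
    return False                                # unknown entity: fail closed

def access_granted(client_host, authorization, require, users, groups):
    """Default `Satisfy All`: the host check AND the password check must pass."""
    if not host_allowed(client_host):
        return False
    creds = decode_basic(authorization) if authorization else None
    if creds is None:
        return False
    name, password = creds
    return password_ok(users, name, password) and require_allows(require, users, groups, name)

if __name__ == "__main__":
    users, groups = parse_passwords(PASSWORD_FILE), parse_groups(GROUP_FILE)
    hdr = basic_header("amanda", "correct-horse")
    print(challenge("Accounting"))
    print(decode_basic(hdr))        # ('amanda', 'correct-horse'): readable by any eavesdropper
    print(access_granted("pc1.example.org", hdr, "group hdqtrs rec bill pay", users, groups))  # True
    print(access_granted("pc1.example.com", hdr, "group hdqtrs rec bill pay", users, groups))  # False
```

Two cases in the constructed data are worth tracing by hand. sara has a valid password but is in none of the four groups, so she is refused under the group Require line and admitted under valid-user. craig and kathy are listed in hdqtrs but have no password entry, so they are refused either way; group membership never substitutes for a password. The output of decode_basic is the reason the text sends Basic over SSL/TLS only.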
