Apache Guide: Apache Authentication, Part 1

Authentication is any process by which you verify that someone is who they claim they are. Authorization is any process by which someone is allowed to be where they want to go, or to have information that they want to have.

In this article, Rich Bowen introduces some basic methods of authenticating users under Apache.

If you have information on your Web site that is sensitive or intended for only a small group of people, the techniques in this article will help you make sure that the people that see those pages are the people that you wanted to see them.

This is the first in a two-part series. In this article, I'm going to cover the standard way of protecting parts of your Web site that most of you are going to use. In the next part I'll talk about using databases, rather than text files, to contain your user and group information. Somewhere in here I'll talk about using things other than usernames and passwords to protect your web site from "intruders"--such as the IP address of the visitor.

The Prerequisites

Everything from here on assumes that your web server permits .htaccess files. This is something that your server administrator (assuming that's not you) should easily be able to tell you and set up for you. The relevant directive is the AllowOverride directive.

And you'll need to know a little bit about the directory structure of your server, in order to know where some files are kept. This should not be terribly difficult, and I'll try to make this clear when we come to that point.

Beginning with the Basics

Here are the basics of password protecting a directory on your server.

You'll need to create a password file. This file should be placed somewhere outside of your document directory. This is so that folks cannot download the password file. For example, if your documents are served out of /usr/local/apache/htdocs you might want to put the password file(s) in /usr/local/apache/passwd.

To create the file, use the htpasswd utility that came with Apache. This is located in the bin directory of wherever you installed Apache. To create the file, type:

        htpasswd -c /usr/local/apache/passwd/passwords rbowen

htpasswd will ask you for the password and then ask you to type it again to confirm it:

        # htpasswd -c /usr/local/apache/passwd/passwords rbowen
        New password: mypassword
        Re-type new password: mypassword
        Adding password for user rbowen

If htpasswd is not in your path, of course you'll have to type the full path to the file to get it to run. On my server, it's located at /usr/local/apache/bin/htpasswd

Next, you'll need to create a file in the directory you want to protect. This file is usually called .htaccess, although on Windows it's called htaccess (without the leading period). .htaccess needs to contain the following lines:

        AuthType Basic
        AuthName "By Invitation Only"
        AuthUserFile /usr/local/apache/passwd/passwords
        AuthGroupFile /dev/null
        require user rbowen

The next time that you load a file from that directory, you should see the familiar username/password dialog box pop up. If you don't, chances are pretty good that you are not permitted to use .htaccess files in the directory in question.
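The two things that most often go wrong with the steps above are a password file that ends up inside the document tree (where a browser can simply download it) and a `require user` line naming someone who is not in the file. The following POSIX shell script, added here as an example and not part of the original article, checks both. It assumes the .htaccess uses `AuthUserFile` and `require user NAME`, that the password file is in htpasswd's `user:hash` line format, and it never calls htpasswd itself, so it runs anywhere; the directory layout and password entry it builds for the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check an .htaccess
# Basic-auth setup. Assumes AuthUserFile + "require user NAME" and an
# htpasswd-format (user:hash) password file. Demo paths are constructed.

# Return 0 if path $2 lies inside DocumentRoot $1 (so the web server could
# serve it to a browser), 1 otherwise.
path_under_docroot() {
    docroot=${1%/}
    case "$2" in
        "$docroot"/*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print the argument(s) of directive $2 from .htaccess file $1 (first match;
# directive names are compared case-insensitively, as Apache does).
htaccess_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 if user $2 has an entry in htpasswd-format file $1.
user_in_passwd() {
    grep -q "^$2:" "$1"
}

# Check one protected directory: returns 0 only when the password file is
# outside DocumentRoot, exists, and contains the required user.
check_htaccess() {
    docroot=$1
    htaccess=$2
    userfile=$(htaccess_value "$htaccess" AuthUserFile)
    if [ -z "$userfile" ]; then
        echo "FAIL: no AuthUserFile in $htaccess"; return 1
    fi
    if path_under_docroot "$docroot" "$userfile"; then
        echo "FAIL: $userfile is under DocumentRoot and could be downloaded"; return 1
    fi
    if [ ! -f "$userfile" ]; then
        echo "FAIL: $userfile does not exist"; return 1
    fi
    user=$(htaccess_value "$htaccess" Require | awk '$1 == "user" { print $2 }')
    if [ -z "$user" ]; then
        echo "FAIL: no 'require user NAME' line in $htaccess"; return 1
    fi
    if ! user_in_passwd "$userfile" "$user"; then
        echo "FAIL: user $user is not in $userfile"; return 1
    fi
    echo "OK: $htaccess uses $userfile, user $user"
    return 0
}

# Demo on a constructed layout in a temp dir mirroring the article's
# /usr/local/apache/{htdocs,passwd} split. Returns 0 when the good layout
# passes and the bad one (password file copied into htdocs) is rejected.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/htdocs/private" "$tmp/passwd"
    # Constructed entry; the hash is a placeholder, not a real htpasswd hash.
    printf 'rbowen:$apr1$PLACEHOLDER$constructedhash\n' > "$tmp/passwd/passwords"
    cat > "$tmp/htdocs/private/.htaccess" <<EOF
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile $tmp/passwd/passwords
AuthGroupFile /dev/null
require user rbowen
EOF
    check_htaccess "$tmp/htdocs" "$tmp/htdocs/private/.htaccess"; good=$?
    # Same setup, but with the password file living inside the document tree.
    cp "$tmp/passwd/passwords" "$tmp/htdocs/passwords"
    sed "s|$tmp/passwd/passwords|$tmp/htdocs/passwords|" \
        "$tmp/htdocs/private/.htaccess" > "$tmp/htdocs/private/.htaccess.bad"
    check_htaccess "$tmp/htdocs" "$tmp/htdocs/private/.htaccess.bad"; bad=$?
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

demo
```

Run it against a real server with `check_htaccess /usr/local/apache/htdocs /usr/local/apache/htdocs/private/.htaccess`; the DocumentRoot check is the one worth keeping in a deployment script, since a password file under htdocs is a download away from an offline guessing attack.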

Letting More Than One Person In

This article was originally published on Jul 24, 2000