WordType Designs
Driven To Distractions©
The Sound of One Hand Clapping©


Archive Date
[ 10-06-2000 ]
Category
[ Information Technologies ]
sub-Category
[ Microsoft ]

      Limiting Access Via Username And Password

      If you already have an ".htaccess" file, it probably looks something like this:

        <Limit GET POST PUT>
        order allow,deny
        allow from all
        </Limit>

      The terms GET, POST and PUT should be familiar to anyone who reads raw referrer logs, and to anyone who writes HTML forms and CGI. They are the request methods to which the directives between the <Limit> and </Limit> tags apply. The ".htaccess" file above allows the GET, POST and PUT methods from anyone. The method names listed can be one or more of: GET, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK and UNLOCK. Method names are case-sensitive. If GET is listed, HEAD requests are restricted as well. Keep the flip side in mind: directives inside <Limit> apply only to the methods named, so any method you leave out (including one the server has never heard of) is not covered by them at all. To restrict every method except a few, use <LimitExcept>; to restrict all methods, put the directives outside any <Limit> section.

      FYI: If you use Microsoft FrontPage extensions, you'll find that you already have an ".htaccess" file in your public HTML directory. In fact, there are probably a lot more directives in it than you are prepared to read, because the FP extensions add their own directives to the file. The reason I mention this is that when I installed Microsoft FrontPage extensions on my server account, I found that the ".htaccess" was automatically set up so that POST requests were disallowed. I didn't know this was the culprit for my CGI forms suddenly not working until someone pointed it out to me. So now you know, and you won't stay up three days trying to figure out what happened.

      Also, if you guessed that you can limit access by the client's domain or address, you are right. Here is how.

      To deny access from certain domains:

        <Limit GET POST PUT>
        order allow,deny
        allow from all
        deny from annoying1.com
        deny from annoying2.com
        </Limit>

      where annoying1.com and annoying2.com are the domains you want to shut out. You can list as many as you like by adding further deny (or allow) lines. To allow access from only one domain:

        <Limit GET POST PUT>
        order deny,allow
        deny from all
        allow from acceptable.com
        </Limit>

      where acceptable.com is the only domain allowed in. A word of caution on domain names: to match one, the server must look up the client's address in reverse DNS (and confirm the result with a forward lookup) on every request, which is slow and trusts DNS records that the client's own network may control. Matching on IP addresses or networks instead, for example allow from 192.168.1.0/24, avoids both problems.

      There are a few things to note. Every allow and deny line is evaluated on every request; there is no short-circuiting. What matters is which kind wins under the given order: with order allow,deny a matching deny overrides a matching allow, and a client that matches neither line is denied; with order deny,allow a matching allow overrides a matching deny, and a client that matches neither is allowed. So order allow,deny with deny lines but no allow line locks everyone out. Also, the keywords in an order line may only be separated by a comma, with no whitespace, as in: order allow,deny

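      The evaluation rules just described, worked through in code. This is an added example (mine, not the article's and not Apache's source): a small model of how mod_access decides a request under order allow,deny and order deny,allow, run against the article's two rule sets and the "forgot allow from all" trap. Host names, addresses and the function names are constructed for the example; partial dotted addresses such as 10.1 are deliberately not modelled.

```python
import ipaddress


def host_matches(pattern, hostname, ip):
    """Does one `allow from` / `deny from` argument match this client?
    Handles `all`, an IP address or CIDR network, and a domain name matched
    on whole labels (as Apache does): "annoying1.com" matches
    "www.annoying1.com" and "annoying1.com" but not "notannoying1.com".
    Partial dotted IPs such as "10.1" are not handled here (assumption)."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        pass  # not an address or network form, so treat it as a domain name
    if hostname is None:
        # A domain rule needs a (double reverse) DNS lookup; a client whose
        # address resolves to nothing usable simply never matches it.
        return False
    name = hostname.lower().rstrip(".")
    return name == pattern or name.endswith("." + pattern)


def mod_access_decides(order, allows, denies, hostname, ip):
    """Evaluate order/allow/deny the way mod_access does. Every allow and
    every deny argument is tested (no short-circuit); the order decides
    which match wins and what happens to a client matching nothing."""
    allow_hits = [host_matches(p, hostname, ip) for p in allows]
    deny_hits = [host_matches(p, hostname, ip) for p in denies]
    allowed, denied = any(allow_hits), any(deny_hits)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        # A deny match overrides an allow match; no match at all -> denied.
        return allowed and not denied
    if order == "deny,allow":
        # An allow match overrides a deny match; no match at all -> allowed.
        return allowed or not denied
    raise ValueError("unsupported order value: %r" % order)


def page_examples():
    """The article's two rule sets plus the classic trap, evaluated for a few
    constructed clients. Every value should come out True."""
    deny_two = dict(order="allow,deny", allows=["all"], denies=["annoying1.com", "annoying2.com"])
    allow_one = dict(order="deny,allow", allows=["acceptable.com"], denies=["all"])
    trap = dict(order="allow,deny", allows=[], denies=["annoying1.com"])  # no "allow from all"
    return {
        "annoying blocked": not mod_access_decides(hostname="www.annoying1.com", ip="203.0.113.5", **deny_two),
        "stranger passes": mod_access_decides(hostname="host.example.org", ip="203.0.113.6", **deny_two),
        "acceptable passes": mod_access_decides(hostname="mail.acceptable.com", ip="198.51.100.7", **allow_one),
        "lookalike blocked": not mod_access_decides(hostname="notacceptable.com", ip="198.51.100.8", **allow_one),
        "no reverse dns blocked": not mod_access_decides(hostname=None, ip="198.51.100.9", **allow_one),
        "trap locks everyone out": not mod_access_decides(hostname="friend.example", ip="203.0.113.9", **trap),
    }
```

      The "no reverse dns blocked" case is why address-based rules are more predictable than domain-based ones: a client the server cannot name never matches allow from acceptable.com, however legitimate it is.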
      So how do we protect directories using usernames and passwords? In order to do that, we'll need to be introduced to a few more directives. They are: AuthType, AuthName, AuthUserFile, and the "require" keyword.

      AuthType directive
      Syntax: AuthType type
      There are currently two values for type: "Basic" and "Digest."

      Basic: The browser sends the username and password over the network Base64-encoded, not encrypted; anyone watching packets anywhere along the path can read them. This is as safe (or unsafe) as telnet's cleartext login. Unless the site is served over SSL, treat a Basic password as public on every network the request crosses.
      On the server side, a one-way hash of the password (crypt(3) in the classic setup) is stored in a local file (specified by AuthUserFile). The password the user types is hashed the same way and compared with the stored value. Note that classic crypt(3) uses only the first eight characters of the password and a 12-bit salt, so a leaked file is cheap to brute-force; newer htpasswd versions default to an MD5-based scheme and offer bcrypt with the -B switch in Apache 2.4. This is the method I will be using in this article.

      Digest: The browser never sends the password itself. It sends an MD5 hash (MD5, developed by the famous Ron Rivest, is a one-way hash function) computed over the password, the realm, a server-supplied nonce and details of the request. To check it, the server must keep a digest of user:realm:password (this is exactly what htdigest stores, not the password) and redo the calculation. That stored digest cannot be reversed to recover the password, but it is a password-equivalent: anyone who reads the file can log in with it, so the file needs the same protection as a cleartext password. Digest also protects only the credential, not the page content, and MD5 is no longer considered strong, so it is not a substitute for SSL.

      FYI: If you need security on par with e-commerce sites, explore SSL and CGI: Basic authentication is only safe when the whole exchange travels inside an SSL session.
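      What the two schemes actually put on the wire, as an added example (mine, not code from the article or from Apache). The Basic half builds and decodes the Authorization header to show that the "encoding" hides nothing; the Digest half computes HA1 (the value htdigest keeps on the server), the client's RFC 2617 response with qop=auth, and the server's check, which needs only HA1 and never the password. The credentials, nonce and cnonce are the published worked examples from RFC 2617 (Aladdin and Mufasa), reused here as test vectors; the function names are mine.

```python
import base64
import hashlib
import hmac


def basic_authorization(username, password):
    """Build the Authorization header a browser sends for AuthType Basic.
    The pair is only Base64-encoded; nothing here hides it from a sniffer."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def basic_credentials(header):
    """What anyone watching the wire recovers from that header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(user:realm:password). This is the value htdigest stores
    (as user:realm:HA1) and it is all the server needs, so a leaked file
    lets an attacker log in without ever learning the password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 with qop=auth:
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2), where HA2 = MD5(method:uri).
    The password itself never leaves the browser."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(stored_ha1, method, uri, nonce, nc, cnonce, client_response):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


# RFC 2617's own worked example (section 3.5), reused here as test vectors.
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_NONCE, RFC_CNONCE, RFC_NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
RFC_URI = "/dir/index.html"


def rfc_exchange():
    """One Digest round trip: the server stores only HA1, the client answers
    the nonce, the server verifies. A server holding the wrong HA1 rejects."""
    stored = digest_ha1(RFC_USER, RFC_REALM, RFC_PASSWORD)
    response = digest_response(stored, "GET", RFC_URI, RFC_NONCE, RFC_NC, RFC_CNONCE)
    wrong = digest_ha1(RFC_USER, RFC_REALM, "Circle Of Death")  # constructed wrong password
    return {
        "ha1": stored,
        "response": response,
        "accepted": server_accepts(stored, "GET", RFC_URI, RFC_NONCE, RFC_NC, RFC_CNONCE, response),
        "rejected": server_accepts(wrong, "GET", RFC_URI, RFC_NONCE, RFC_NC, RFC_CNONCE, response),
    }
```

      The constant-time comparison on the server side is not in RFC 2617; it is simply what you should do whenever you compare a secret-derived value against attacker-supplied input.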

      AuthName directive
      Syntax: AuthName realm

      This directive sets the name of the authorization realm for a given directory. The browser shows this text in the little login dialog box, so the user can see which site or area is asking. With Digest authentication the realm is also folded into the stored hash, so changing it invalidates every entry in a Digest password file. The realm text cannot contain spaces unless it is enclosed in quotes. For my personal site, my AuthName directive:

      AuthName "Protected Area"

      produces this fine result in MSIE 5.0 (screenshot of the login prompt not reproduced here).

      AuthUserFile directive
      Syntax: AuthUserFile filename

      The filename is the full path to the file holding the usernames and password hashes. Keep it outside the web document tree (the example below lives under /home/myname/etc, not under the public HTML directory) so it can never be downloaded, and make it readable by the web server's user and nobody else.

      For example:

      AuthUserFile /home/myname/etc/passwdfile

      The format of the file is one user per line:

          username:hashed_password

      A sample file might look like this:

          jimpark:y12ik12Wd


      To create a password entry, write a small script that calls crypt(), or use the handy htpasswd program distributed with most servers. If it is not on your system, you can easily find it on the net.

      Using htpasswd is easy. For example, in order to create a password file named /home/myname/etc/passwdfile with "jimpark" as the first user, I would type:

      htpasswd -c /home/myname/etc/passwdfile jimpark

      The program will then ask for the password for jimpark twice. To add further users, run htpasswd without the "-c" switch: "-c" creates a new file and silently overwrites an existing one, wiping every user already in it, so use it only for the very first entry. To delete a user, open the file in your favorite editor and remove that line (newer htpasswd versions also accept -D username). Easy!
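      The htpasswd steps above carried out in code, as an added example (mine, not the article's and not Apache's htpasswd). It needs only the Python standard library, so it writes hashes in the {SHA} format that htpasswd -s produces (unsalted SHA-1, used here only because it is computable without extra libraries; for a real site prefer htpasswd -B, which is bcrypt). It merges a new user into an existing file instead of truncating it the way -c does, writes the file atomically with mode 0600, and checks an offered password in constant time. The user names, passwords and file contents are constructed; the function names are mine.

```python
import base64
import hashlib
import hmac
import os
import tempfile


def sha_entry(password):
    """Hash in htpasswd's {SHA} format (what `htpasswd -s` writes): unsalted
    SHA-1, Base64-encoded. Weak by modern standards; see the lead-in."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text):
    """Parse user:hash lines into a dict; blank and comment lines are ignored."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep:
            raise ValueError("malformed htpasswd line: %r" % line)
        entries[user] = hashed
    return entries


def set_user(entries, user, password):
    """Add or replace one user while keeping everyone else (unlike
    `htpasswd -c`, which starts a fresh file)."""
    if ":" in user or not user:
        raise ValueError("bad username")
    entries[user] = sha_entry(password)
    return entries


def delete_user(entries, user):
    """Remove a user; returns True if it was present."""
    return entries.pop(user, None) is not None


def verify(entries, user, password):
    """Server-side check: hash the offered password the same way and compare
    in constant time. Unknown users and non-{SHA} entries are rejected."""
    stored = entries.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_entry(password))


def write_htpasswd(path, entries):
    """Write atomically with mode 0600: the server's user can read it, nobody
    else can, and a crash mid-write never leaves a truncated file behind."""
    data = "".join("%s:%s\n" % (u, h) for u, h in entries.items())
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def demo():
    """Round trip through a temporary directory; returns values to check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwdfile")
        entries = set_user({}, "jimpark", "correct horse")      # first user
        set_user(entries, "second", "battery staple")           # no -c: jimpark survives
        write_htpasswd(path, entries)
        with open(path) as f:
            reloaded = parse_htpasswd(f.read())
        mode = os.stat(path).st_mode & 0o777
        return {
            "users": sorted(reloaded),
            "mode": mode,
            "ok": verify(reloaded, "jimpark", "correct horse"),
            "bad": verify(reloaded, "jimpark", "wrong"),
            "deleted": delete_user(reloaded, "second") and "second" not in reloaded,
        }
```

      The article's own sample line, jimpark:y12ik12Wd, is a classic crypt(3) entry; this checker deliberately refuses to verify that format rather than guess at it, which is also the right reflex when you find such entries in a live file: rehash them with a stronger scheme.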

      FYI: You can also specify groups using the AuthGroupFile directive. If you require a very large list of users, you could specify a database for storing and retrieving user information using the AuthDBMUserFile directive.

      require directive

      Syntax: require entity-name entity entity...

      This directive selects which users can access a directory.

      entity-name: This can be "user", after which usernames are expected, or "group", after which group names are expected. There is also a third option, "valid-user", which allows every valid user (every user in the AuthUserFile/AuthGroupFile) to access the directory. Naming specific users or groups is the least-privilege choice; valid-user lets in anyone who has an account in the file.
      Now we have all the pieces necessary to create our own ".htaccess" file. After creating the password file with htpasswd or a script of our own, we add the following directives to the ".htaccess" file:

        AuthType Basic
        AuthName "Protected Stuff"
        AuthUserFile /home/mycompany/etc/passwdfile
        <Limit GET POST PUT>
        require valid-user
        </Limit>

      Because the require line sits inside <Limit GET POST PUT>, only GET (and HEAD), POST and PUT requests need a login; a request using any other method reaches the directory unauthenticated. Unless that is really what you want, put require valid-user outside the <Limit> section so the whole directory is protected for every method.

