University of Kentucky, Lexington
Restricting Access to Web Pages

These notes are for the old CERN server now being replaced. See the new instructions for information reflecting the new server.

It is possible to restrict access to your Web pages. The most straightforward methods restrict access to an entire subdirectory and the pages it contains by client address or by password. Either method requires some setup by us before they can be used, so contact us at webmaster@www.uky.edu in advance. We will need to know the subdirectory you will be protecting. Generally you will set up a special protected subdirectory or subdirectories within one of your existing assigned Web directories.

These access restrictions do not provide foolproof security. They can be circumvented by a determined intruder.

Restricting Access By Client Address

This is useful, for example, for limiting access to a group of pages to only University of Kentucky users. First contact us as described previously. You will then create a file called .htaccess within your directory to be protected. It will contain lines like this:

   AuthType   Basic
   ServerId   WWW
   GetMask    @128.163.*.*

The GetMask line describes the client addresses that can access the pages. In this example only clients at the University of Kentucky's Lexington campus would be allowed. This would exclude most users from the Community Colleges and customers of the MCI UK Online service. The Lexington-area MCI UK Online customers could be added by changing the GetMask to:
   GetMask    @128.163.*.*,@*.uky.campus.mci.net

The Community Colleges and other organizations connected with the University would require adding additional addresses to the list.

Anyone with a userid on a University system with a Web browser (sac.uky.edu or ukcc.uky.edu, for example) could log on to that system from anywhere on the Internet and would appear to the Web server as a Lexington campus user. This would give them access to your protected pages in this example.

Restricting Access By Password

This method requires that users enter a userid and password that you have defined before accessing your protected pages. First contact us as described previously. You will then create a file called .htaccess within your directory to be protected. It will contain lines like this:

   AuthType       Basic
   ServerId       WWW
   PasswordFile   /usr/local/www/htdocs/.../password.web
   GetMask        user1, user2, ...

The PasswordFile line contains the full path to the file password.web within your protected directory. The GetMask line contains a list of userids that will be allowed to access the pages in your protected subdirectory. You will define these userids yourself - they have no connection with the system userids on the Web server or any other system.

Next you must build your password file which will define the userids and their associated passwords. First telnet to www.uky.edu and change directories to your protected subdirectory:

   cd /usr/local/www/htdocs/...

Next use the htadm command to create the password file and define the userids:

   ~www/bin/htadm -create password.web
   ~www/bin/htadm -adduser password.web user1 pass1
   ~www/bin/htadm -adduser password.web user2 pass2
   ...

Note that userids and passwords are restricted to eight characters and some browsers cannot correctly handle special characters in either. After each adduser operation you will be prompted to enter the full name to be associated with the userid. The htadm command also has a -passwd option for changing the password of an existing user and a -deluser option for deleting a userid.

For some applications it may be possible to reduce the amount of work involved by giving the same userid and password to groups, like all of the students in a particular class. If this level of control is appropriate it significantly reduces the number of userids you will need to define.

After you have created your userids and passwords you must distribute them to the individuals who will use them, using a method as secure as is appropriate for your application. Remember that these userids and passwords have no connection or relationship with the userids and passwords on the Web server system or any other system. They are solely for controlling access to your pages. There is no mechanism for the users to change their own passwords.

The first time a browser attempts to access one of your protected pages the user will be prompted for a userid and password. If a userid listed in your .htaccess file and defined in your password.web file is entered with the correct password, access to the pages in the protected directory is granted.

Once a valid userid and password have been entered through a Web browser, that browser remains authorized for access even if the user walks away from the machine running it. This is a security exposure that would allow anyone who subsequently uses the browser to access your pages. Generally if the user quits from the browser the authorization will be cancelled. You may want to recommend this on your pages.
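As an added illustration (not part of the original page and not the CERN server's own code), the following Python model shows how the GetMask directive in the two .htaccess examples above, by client address and by userid, decides whether a request is allowed; the two sample files are constructed copies of the page's examples, and the component-wise wildcard matching for addresses is an assumption about the server's matching rules.

```python
import fnmatch
from typing import Dict, Optional

# Constructed .htaccess samples in the form shown on this page (not real site files).
HTACCESS_ADDRESS = """\
AuthType   Basic
ServerId   WWW
GetMask    @128.163.*.*,@*.uky.campus.mci.net
"""
HTACCESS_PASSWORD = """\
AuthType       Basic
ServerId       WWW
PasswordFile   /usr/local/www/htdocs/.../password.web
GetMask        user1, user2
"""

def parse_htaccess(text: str) -> Dict[str, str]:
    """Read 'Directive value' lines into a dict; blank and '#' lines are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def address_matches(pattern: str, addr: str) -> bool:
    """Assumed rule: '*' stands for one whole dotted component, so 128.163.*.*
    needs exactly four octets and never matches 128.16.x.x or a five-part string."""
    p, a = pattern.split("."), addr.split(".")
    return len(p) == len(a) and all(x == "*" or x == y for x, y in zip(p, a))

def allowed(conf: Dict[str, str], client_addr: str,
            client_host: Optional[str] = None, user: Optional[str] = None) -> bool:
    """Model of a GetMask decision: '@pattern' entries are compared with the
    client's IP address (component-wise) or hostname (shell-style wildcard);
    bare entries are userids that must already have authenticated against
    PasswordFile. Any one matching entry grants access."""
    for entry in (e.strip() for e in conf.get("GetMask", "").split(",")):
        if not entry:
            continue
        if entry.startswith("@"):
            pat = entry[1:]
            if address_matches(pat, client_addr):
                return True
            if client_host and fnmatch.fnmatchcase(client_host.lower(), pat.lower()):
                return True
        elif user is not None and entry == user:
            return True
    return False
```

Note that the address rule sees only the connecting host: a request from a campus machine is allowed whatever network the person logged in to that machine from, which is the exposure described under client-address restriction above.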

Last updated 17 January 1997.