Department of Engineering
Protecting WWW directories with passwords
The password method described below protects directories rather than files
(i.e. you can't use it to protect some files in a directory but not others).
It's not a very safe method, but it's not too hard to set up. See
Protecting Confidential Documents at Your Site for details.
Suppose the information is about a project called "orange", and you
choose "apple" as the username and "banana" as the password.
Suppose also that the full file-name of the directory on the server
is /some/fruits (if you don't know what the eventual location
of this directory will be on the server, you'll need to contact the webmaster
of the site). Then the following should work
- Create a file called .htaccess containing the
following text
AuthUserFile /some/fruits/.htpasswd
AuthGroupFile /dev/null
AuthName orange
AuthType Basic
<Limit GET POST PUT>
require user apple
</Limit>
Install it in the directory you want to protect.
- Find a (Unix) machine that has the htpasswd command installed
(our Linux servers, for example) and run
htpasswd -c .htpasswd apple
and type "banana" each time you're asked for a password.
This will create a file called ".htpasswd" which will also
need installing.
Both .htaccess and .htpasswd need to be readable
by the webserver, in the same way that pages usually are.
- Test it! Trying to access a file in the protected directory should
display a dialog box inviting you to join project orange. Using the
user name "apple" and password "banana" should let you see the file.
Other name/password combinations shouldn't work.
You can have a list of users in the ".htaccess" file.
Having
require user apple kiwi plum
would let 3 users in, all using the same password.
Note that this method should only be used for low-grade security.
If you want to set up several users each with a different password, use
something like
htpasswd -bc .htpasswd user1 password1
htpasswd -b .htpasswd user2 password2
htpasswd -b .htpasswd user3 password3
If you want to write your own login-failure page, add something like this to
your ".htaccess" file
# Use a local path here: with a full URL the server sends a redirect and the browser never receives the 401
ErrorDocument 401 /failure.html
Whether this "ErrorDocument" command works depends on the configuration of the server concerned.
If you're dealing with files on our www-g server you need to
remember to download/upload files. For example, here's what you'd
need to do to add user karl to an existing list of passworded
users:
- Use ssh to get into plane (plane has the newest version of the software you need).
- Use smbclient to connect to update-www, and download a copy of .htpasswd.
- Run
/opt/web-world/bin/htpasswd -m .htpasswd karl
(the -m flag makes it use a more secure encryption than the default).
- Upload the changed .htpasswd file.
See
for more details.
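
An added example, not part of the original page or the department's own tooling: a small Python audit that cross-checks a .htaccess like the one above against its .htpasswd. It reports restrictions wrapped in <Limit> (which cover only the listed methods), a password file kept inside the served directory, required users with no password entry, and entries stored in the older crypt or unsalted SHA-1 formats rather than the one the -m flag writes. The sample files, the placeholder hash strings and the names scheme and audit are assumptions made for illustration.

```python
import posixpath
import re

# Constructed sample input modelled on the page's files; the hash strings are
# placeholders with the right shape, not real hashes.
HTACCESS = """AuthUserFile /some/fruits/.htpasswd
AuthType Basic
<Limit GET POST PUT>
require user apple kiwi karl
</Limit>
"""
HTPASSWD = """apple:Tq3xZb0aL9fYk
kiwi:$apr1$Xy12abCD$0123456789abcdefghijkl
plum:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""
WEAK = {"des-crypt", "sha1-unsalted", "plaintext-or-unknown"}

def scheme(h):
    """Name the htpasswd hash format from its prefix or shape."""
    if h.startswith("$apr1$"):
        return "apr1-md5"              # written by htpasswd -m
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"                # written by htpasswd -B
    if h.startswith("{SHA}"):
        return "sha1-unsalted"         # written by htpasswd -s
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "des-crypt"             # traditional crypt()
    return "plaintext-or-unknown"

def audit(htaccess, htpasswd, served_dir):
    """Cross-check a .htaccess against its .htpasswd (hypothetical helper)."""
    hashes = dict(l.split(":", 1) for l in htpasswd.splitlines() if ":" in l)
    required, limit, userfile = [], [], None
    for line in htaccess.splitlines():
        w = line.split()
        if re.match(r"<Limit\s", line.strip(), re.I):
            limit = line.strip().strip("<>").split()[1:]
        elif [x.lower() for x in w[:2]] == ["require", "user"]:
            required += w[2:]
        elif len(w) > 1 and w[0].lower() == "authuserfile":
            userfile = w[1]
    in_dir = bool(userfile) and posixpath.dirname(userfile) == served_dir.rstrip("/")
    return {
        "limited_to_methods": limit,          # non-empty: only these are covered
        "password_file_in_served_dir": in_dir,
        "no_password_entry": [u for u in required if u not in hashes],
        "unlisted_in_require": [u for u in hashes if u not in required],
        "weak_hash": {u: scheme(h) for u, h in hashes.items() if scheme(h) in WEAK},
    }
```

Run it against downloaded copies of the two files before uploading a changed .htpasswd; any non-empty field is something to fix first.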