HTTP User Authentication
- When an HTTP server receives a request, it may respond with a 401 message - authorisation required
- The message must include a WWW-Authenticate header field including a challenge
- The client may repeat the request with an Authorization field set
- The server will then check this authorisation against an authorisation file
Browser
- When a browser such as Netscape or IE receives a 401 response, it will typically prompt for a user id and password
- These will then be sent in the Authorization field
- If the denied request already contained an authorisation, then 401 says that the authorisation failed
- No modifications need to be made to the browser
Server
- The server will check the user id and password somehow
- If failed, another 401 will be returned
- If succeeded
  - a static page will just be delivered
  - a CGI script (servlet, etc) will be called with the USER_AGENT environment set, so the script can identify the user
- The server needs to be set up to know
  - which pages to check authorisation for
  - how to check authorisation
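The challenge/response exchange described above, as an added example that is not part of the original slides: a browser-like client builds the Authorization header, and a toy server issues the 401 challenge, decodes the header, checks the credentials and hands the user name to a CGI-style script. The user table, realm and the greeting script are constructed for the demo; CGI (RFC 3875) passes the authenticated name to the script in the REMOTE_USER variable, which is what the server sets here.

```python
import base64
import binascii
import hmac

# Constructed demo credential store (user id -> password); a real server
# would check an htpasswd file instead.
DEMO_USERS = {"jan": "correct horse", "bill": "hunter2"}

REALM = "my restricted area"  # the same string as AuthName in .htaccess


def build_basic_authorization(user, password):
    """What the browser does after prompting: 'user:password' encoded with Base64."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value):
    """Recover (user, password) from an Authorization header, or None if malformed.
    Base64 is an encoding, not encryption: anyone who can read the header can undo it."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def check_credentials(user, password):
    """Constant-time comparison; unknown users compare against '' and fail."""
    expected = DEMO_USERS.get(user, "")
    ok = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    return ok and user in DEMO_USERS


def handle_request(headers, cgi_script):
    """Server side of the exchange. `headers` is a dict of request headers.
    Returns (status, response_headers, body)."""
    auth = headers.get("Authorization")
    creds = parse_basic_authorization(auth) if auth else None
    if creds is None or not check_credentials(*creds):
        # No credentials, or failed ones: challenge (again) with the realm.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Authorization Required"
    user = creds[0]
    # CGI passes the authenticated name in REMOTE_USER (RFC 3875).
    environ = {"REMOTE_USER": user, "AUTH_TYPE": "Basic", "REQUEST_METHOD": "GET"}
    return 200, {"Content-Type": "text/plain"}, cgi_script(environ)


def greeting_script(environ):
    """Hypothetical CGI script: identifies the caller from the environment."""
    return f"Hello, {environ['REMOTE_USER']}"


def run_exchange(user, password):
    """Drive a browser-like client through the full 401 -> retry sequence."""
    status, resp_headers, _ = handle_request({}, greeting_script)
    assert status == 401 and "WWW-Authenticate" in resp_headers
    retry = {"Authorization": build_basic_authorization(user, password)}
    return handle_request(retry, greeting_script)


if __name__ == "__main__":
    print(run_exchange("jan", "correct horse"))  # 200, greeting from the script
    print(run_exchange("jan", "wrong"))          # 401 again: authorisation failed
```

Because the server has to decode the header before it can check anything, the decoding step shows why Basic credentials need a transport such as TLS: the header on the wire is the password itself in a reversible encoding.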
Apache setup
- If a directory contains a .htaccess file, then accesses to it and all subdirectories will require authorisation
- Authorisation is by checking user id and password against a password file
- The usual password file should not be used, for security
- The password file must not be in the document tree, or browsers can access it
- The password file can contain users not on the system, and vice versa
Password file
- A password file is created using htpasswd:
  htpasswd -c /home/jan/web_passwds user1
- Additional users can be added by
  htpasswd /home/jan/web_passwds user2
- For large numbers of users, there are other modules to allow details to be stored in databases
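An added example (not from the slides, and not the htpasswd program itself) of what the two htpasswd commands produce: a file of `user:hash` lines, here in the `{SHA}` format that `htpasswd -s` writes (Base64 of the SHA-1 of the password). The `add_user` function mimics `-c` (create) versus append/replace, and `verify` is the check a server does against that file. The file path is a temporary stand-in for /home/jan/web_passwds.

```python
import base64
import hashlib
import hmac
import os
import tempfile


def sha_entry(user, password):
    """One htpasswd line in the {SHA} format: user, colon, Base64(SHA-1(password)).
    This format is unsalted, so two users with the same password get identical
    entries; bcrypt (htpasswd -B) is the better choice where available."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def add_user(path, user, password, create=False):
    """Mimic `htpasswd [-c] file user`: -c starts a fresh file, otherwise the
    user's line is replaced if present or appended if not."""
    lines = []
    if not create and os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            lines = [ln.rstrip("\n") for ln in fh if ln.strip()]
    lines = [ln for ln in lines if ln.split(":", 1)[0] != user]
    lines.append(sha_entry(user, password))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # readable by the server's account only


def verify(path, user, password):
    """Check a user id and password against the file; unknown users fail."""
    try:
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                name, sep, stored = line.rstrip("\n").partition(":")
                if sep and name == user and stored.startswith("{SHA}"):
                    digest = hashlib.sha1(password.encode("utf-8")).digest()
                    expected = base64.b64decode(stored[len("{SHA}"):])
                    return hmac.compare_digest(expected, digest)
    except FileNotFoundError:
        pass
    return False


def demo():
    """Build a web_passwds file in a temp dir (constructed) and exercise it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "web_passwds")
        add_user(path, "user1", "first", create=True)   # htpasswd -c ... user1
        add_user(path, "user2", "second")               # htpasswd ... user2
        results = (verify(path, "user1", "first"),
                   verify(path, "user2", "wrong"),
                   verify(path, "nobody", "first"))
        add_user(path, "user1", "changed")              # re-run for an existing user
        return results + (verify(path, "user1", "first"),
                          verify(path, "user1", "changed"))


if __name__ == "__main__":
    print(sha_entry("user1", "password"))
    print(demo())  # (True, False, False, False, True)
```

The file is written outside any document tree and with mode 0600, which is the point of the two preceding slides: the server account must be able to read it, but a browser must never be able to fetch it.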
AuthConfig
- The server needs to allow authorisation to be set by .htaccess files
- The AllowOverride parameter needs to be set to AuthConfig in access.conf:
  AllowOverride AuthConfig
- By default, it is set to None, so that .htaccess has no effect
Sample .htaccess (1)
AuthName "my restricted area"
AuthType Basic
AuthUserFile /home/jan/web_passwds
require valid-user
Sample .htaccess (2)
Limit to certain users
AuthName "my restricted area"
AuthType Basic
AuthUserFile /home/jan/web_passwds
require user jan john bill
Sample .htaccess (3)
Limit to domain
AuthName "my restricted area"
AuthType Basic
AuthUserFile /home/jan/web_passwds
<Limit GET>
order deny,allow
deny from all
allow from .canberra.edu.au
</Limit>
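An added example, not part of the slides and not Apache's code, that parses a .htaccess file combining samples (2) and (3) and decides a request the way Apache 1.3 does with the default `Satisfy all`: the host rules inside `<Limit GET>` are applied first (`order deny,allow` means the deny rules are evaluated, then allow rules override them, default allow), then the `require` rule. It assumes the server has `AllowOverride AuthConfig` so the file is honoured, that the host rules sit inside the `<Limit>` block as on the slide, and that the caller has already verified the password, so `user` is the authenticated name or None. The sample text and host names are constructed.

```python
import re

# Constructed .htaccess text: sample (2)'s require line plus sample (3)'s Limit block.
SAMPLE_HTACCESS = """\
AuthName "my restricted area"
AuthType Basic
AuthUserFile /home/jan/web_passwds
require user jan john bill
<Limit GET>
order deny,allow
deny from all
allow from .canberra.edu.au
</Limit>
"""


def parse_htaccess(text):
    """Collect the auth directives, the require rule and the host rules
    in a <Limit> block. Directives not modelled here are ignored."""
    cfg = {"require": None, "limit_methods": None, "order": None, "rules": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Limit\s+(.+)>$", line, re.I)
        if m:
            cfg["limit_methods"] = {x.upper() for x in m.group(1).split()}
            continue
        if line.lower() == "</limit>":
            continue
        word, _, rest = line.partition(" ")
        word = word.lower()
        if word == "require":
            cfg["require"] = rest.split()
        elif word == "order":
            cfg["order"] = tuple(p.strip().lower() for p in rest.split(","))
        elif word in ("allow", "deny"):
            m = re.match(r"from\s+(\S+)", rest, re.I)
            if m:
                cfg["rules"].append((word, m.group(1).lower()))
        elif word in ("authname", "authtype", "authuserfile"):
            cfg[word] = rest.strip().strip('"')
    return cfg


def host_matches(pattern, host):
    """'all' matches everything; a leading dot matches whole trailing labels."""
    host = host.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern or host.endswith("." + pattern)


def host_allowed(cfg, method, host):
    if cfg["limit_methods"] is not None and method.upper() not in cfg["limit_methods"]:
        return True  # rules inside <Limit GET> do not apply to other methods
    order = cfg["order"] or ("deny", "allow")
    # Rules of the first kind are evaluated, then the second kind overrides;
    # the default is allow for deny,allow and deny for allow,deny.
    allowed = order == ("deny", "allow")
    for verb in order:
        for rule_verb, pattern in cfg["rules"]:
            if rule_verb == verb and host_matches(pattern, host):
                allowed = verb == "allow"
    return allowed


def authorise(cfg, method, host, user=None):
    """Return 200, 401 (challenge the browser) or 403 (host forbidden)."""
    if not host_allowed(cfg, method, host):
        return 403
    req = cfg["require"]
    if req is None:
        return 200  # no require directive: nothing to authenticate
    if user is None:
        return 401
    if req[0].lower() == "valid-user":
        return 200
    if req[0].lower() == "user" and user in req[1:]:
        return 200
    return 401  # known password but not a listed user: challenged again


if __name__ == "__main__":
    cfg = parse_htaccess(SAMPLE_HTACCESS)
    print(authorise(cfg, "GET", "pc.canberra.edu.au", "jan"))     # 200
    print(authorise(cfg, "GET", "pc.canberra.edu.au", "mary"))    # 401
    print(authorise(cfg, "GET", "host.example.com", "jan"))       # 403
```

Two things the evaluator makes visible that the slide does not: a `<Limit GET>` block leaves other methods (POST, PUT) unrestricted by the host rules, and sample (3) as written has no `require` line, so on its own it restricts by domain but never asks for a password.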
What authorisation isn't
- It isn't encryption
- Passwords are sent uuencoded
- Documents are sent in clear text
- Similar security to telnet
Jan Newmarch (http://pandonia.canberra.edu.au)
jan@ise.canberra.edu.au
Last modified: Tue Sep 5 13:26:57 EST 2000
Copyright © Jan Newmarch