case western reserve university



April 13, 2005

Securing web pages for password authentication

I received a question today about securing webpages, so now that I've told you how to use ssi files with your secure page, it makes sense to tell you how to make the secure page. Please note that these instructions are only for accounts on the Aurora (Benbecula) Server. If you are maintaining a site on a different server you should check with your server administrator.

Let's Begin
  1. Go to
  2. Login with your web account name and password. This would be the same one you use with Dreamweaver or your ftp program of choice to upload your files to the webserver.
  3. Follow the link for Access Control. You will arrive at a page that allows you to control both who can access your pages and which pages you need to secure.
  4. Determine who will be allowed access, by defining your users and groups. Use the following links to make this happen.
    Maintain Users
    Allows you to create a new user and password. This is especially useful if you need to allow non-case users to access your site. If you are only allowing Case consituents you may skip this step. To create users, enter new users in the text box in the form of user:password, listing each user on a new line. If users already exist they will be listed, although their password will be '********'. To delete a user, simply delete that user's entry. To modify a user, simply change that user's information. Please note that you will need to maintain your own records of the passwords you assign. If you do not, and your user forgets the password, simply replace the asterisks with a newly assigned password of your choice.
    Maintain Groups
    Allows you to create a group of users by listing their user ids. You may group Case users and your newly created users into the same group. Follow the 'create a new group' link, establish a name (one word) for your group, then type in the user ID's of your group members, one per line, in the text box. You may want to keep a copy of this list in a text file somewhere on your own computer. If you accidently reset the group, the names will disappear. It will be easier to paste in a copy of your list than to have ITS retrieve a back-up of the file. If you are using a generic group such as all Case students, you may skip this step.
  5. Determine which file(s) or directories you would like to secure for password only access. Follow the 'Restrict a File' or 'Restrict a Directory' link to make this happen.
  6. Here you'll be given a drop down menu of all of your directories. Select the appropriate directory, then (if applicable) the appropriate file.

  7. You'll now be at a page that includes a text box to input your parameters. The parameters will be whether to allow or disallow access to a certain group or individual. To do this you will type Allow or Disallow, Group or User and the group name or user ID

For example if you wanted to give access to all students and me you would type:

Allow User hac4

As I mentioned, you may also have reason to disallow a user or group. For example, if you were throwing a surprise party thanking Jeremy for building the blogging system, you might not want him to be able to access 'partyinvitation.html'. In that case you would type:

Disallow User jms18

Please Note:
You will see that there is a drop down menu that lists the groups. This is for reference only. When you choose something in the list, it is not automatically added to your text box. You will have to type your groups of choice into the box, then press the 'update access directives' button.

What this does is create a .auroraaccess text file (for directories) that is automatically inserted into your chosen directory on the webserver. This lets the server know that only the predefined users or groups are allowed access. If you restrict a file, it creates a file with a name specific to yours, such as 'partyinvitation.html.access'.

Additional documentation is available online at

Posted by hac4 at 02:59 PM | Comments (0) | TrackBack (0)
Category: Heidi's Entries; Tips & Tricks

April 04, 2005

Using ssi files with secured pages

Many of you are using Server Side Includes files for menus, footers, and other elements of your websites that are used on multiple pages. Learn more about ssi.

SSI files are a great time-saver when it comes to updating your site, but what happens when you want to use them in a secured environment, i.e. with a file or directory that you've secured for viewing only by authenticated users*? If you've tried this, you've noticed that your files don't work properly, your stylesheet doesn't appear, and everything looks horribly wrong. What you need for these to work properly is to secure a copy of your ssi files.

Here's how:

  1. Create a new directory (on the same level as your ssi directory) called ssi-sec

  2. Open your text-editor of choice and create a file named: .auroraaccess

  3. Within that file, type: secure on

  4. Save and exit the file and upload it to your ssi-sec directory. While this file sh and login with your account ID and password. (NOT your Case ID and password) and follow the instructions for restricting a file or directory. Those maintaining websites on other servers, should consult with their server administrator for authentication instructions.

    Posted by hac4 at 10:20 AM | Comments (4) | TrackBack (0)
    Category: Heidi's Entries; Server Side Includes

    March 22, 2005

    Automatic 'Print this page'

    If you want to provide a way for the user to print the current page, include this little javascript snippet.

    Continue reading "Automatic 'Print this page'"

    Posted by kla3 at 11:54 AM | Comments (0) | TrackBack (0)
    Category: Kevin's Stuff; Tips & Tricks

    March 07, 2005

    Javascript - 'Bookmark this page!'

    Use this little javascript in your pages to enable the user to automatically "bookmark" your webpage.

    Continue reading "Javascript - 'Bookmark this page!'"

    Posted by kla3 at 11:52 AM | Comments (3) | TrackBack (0)
    Category: Tips & Tricks

    March 04, 2005

    URL Redirect

    If a page on your site has moved, or your whole site for that matter, you will need to redirect your visitors automatically to a new page. Use this meta refresh to send them to the "new" page...

    Continue reading "URL Redirect"

    Posted by kla3 at 11:48 AM | Comments (0) | TrackBack (0)
    Category: Tips & Tricks

    February 28, 2005

    Introducing the Web Development Blog

    We'll be using this space to post announcements, tips and tricks regarding web development here at Case. We'll also be relying on you for suggestions, so please don't hesitate to write either Kevin or Heidi with your suggestions regarding this blog.

    Tip# 1:
    If you are the maintainer of a website, put your name and/or linked e-mail address in your footermenu, so that people with questions about the site can easily contact you. If you have multiple maintainers and can't fit everyone in your footer, then just make sure those people are listed (and easily identified) in a staff directory or similar contact page on your site.

    Reminder# 1:
    Jeremy asked me to post a list of the web colors. For quick reference they are as follows:

    Cranberry #7c2433
    Forest #3e775d
    Lime #93a530
    Navy #003962
    Olive #6f7730
    Purple #6e5d91
    Rust #a96b00
    Teal #00646e
    Turquoise #037596


    Posted by hac4 at 06:27 PM | Comments (0) | TrackBack (0)
    Category: Announcements; Heidi's Entries; Template Toolkit