April 13, 2005
Securing web pages for password authentication
I received a question today about securing web pages, so now that I've told you how to use SSI files with your secure page, it makes sense to tell you how to make the secure page. Please note that these instructions are only for accounts on the Aurora (Benbecula) Server. If you are maintaining a site on a different server, you should check with your server administrator.
- Go to http://www.cwru.edu:8000/apas/apas.html
- Log in with your web account name and password. This is the same one you use with Dreamweaver or your FTP program of choice to upload your files to the web server.
- Follow the link for Access Control. You will arrive at a page that allows you to control both who can access your pages and which pages you need to secure.
- Determine who will be allowed access, by defining your users and groups. Use the following links to make this happen.
  - Maintain Users
    - Allows you to create a new user and password. This is especially useful if you need to allow non-Case users to access your site. If you are only allowing Case constituents, you may skip this step. To create users, enter new users in the text box in the form of user:password, listing each user on a new line. If users already exist they will be listed, although their passwords will be shown as '********'. To delete a user, simply delete that user's entry. To modify a user, simply change that user's information. Please note that you will need to maintain your own records of the passwords you assign. If you do not, and your user forgets the password, simply replace the asterisks with a newly assigned password of your choice.
  - Maintain Groups
    - Allows you to create a group of users by listing their user IDs. You may group Case users and your newly created users into the same group. Follow the 'create a new group' link, establish a name (one word) for your group, then type in the user IDs of your group members, one per line, in the text box. You may want to keep a copy of this list in a text file somewhere on your own computer. If you accidentally reset the group, the names will disappear. It will be easier to paste in a copy of your list than to have ITS retrieve a back-up of the file. If you are using a generic group such as all Case students, you may skip this step.
- Determine which file(s) or directories you would like to secure for password-only access. Follow the 'Restrict a File' or 'Restrict a Directory' link to make this happen.
  - Here you'll be given a drop-down menu of all of your directories. Select the appropriate directory, then (if applicable) the appropriate file.
  - You'll now be at a page that includes a text box to input your parameters. The parameters state whether to allow or disallow access to a certain group or individual. To do this, type Allow or Disallow, then Group or User, then the group name or user ID, with one directive per line.
For example, if you wanted to give access to all students and me, you would type:
Allow Group CWRU_STUDENT
Allow User hac4
As I mentioned, you may also have reason to disallow a user or group. For example, if you were throwing a surprise party thanking Jeremy for building the blogging system, you might not want him to be able to access 'partyinvitation.html'. In that case you would type:
Allow Group CWRU_FACSTAFF
Disallow User jms18
You will see that there is a drop down menu that lists the groups. This is for reference only. When you choose something in the list, it is not automatically added to your text box. You will have to type your groups of choice into the box, then press the 'update access directives' button.
What this does is create a .auroraaccess text file (for directories) that is automatically inserted into your chosen directory on the webserver. This lets the server know that only the predefined users or groups are allowed access. If you restrict a file, it creates a file with a name specific to yours, such as 'partyinvitation.html.access'.
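As an added example (not part of the original post and not the Aurora server's own code), this Python script lints a block of directives in the form shown above before you paste it into the text box, then evaluates who would be let in. It assumes that a Disallow line overrides any Allow line, as the party-invitation example implies, and that keywords must be written exactly as shown; the function names and every user ID other than jms18 are constructed for illustration.

```python
# Added example: lint Allow/Disallow directives, then evaluate access.
# ASSUMPTION: Disallow overrides Allow (deny wins); the server's real
# precedence rules are not documented on this page.
VERBS = {"Allow", "Disallow"}
KINDS = {"Group", "User"}


def parse_directives(text):
    """Return (rules, errors); rules is a list of (verb, kind, name)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split()
        if not parts:
            continue  # blank lines are ignored
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected 3 words, got {len(parts)}")
        elif parts[0] not in VERBS:
            errors.append(f"line {lineno}: unknown action {parts[0]!r}")
        elif parts[1] not in KINDS:
            errors.append(f"line {lineno}: unknown subject type {parts[1]!r}")
        else:
            rules.append(tuple(parts))
    return rules, errors


def can_access(rules, user, groups):
    """Deny-overrides check; a user matching no Allow line gets no access."""
    allowed = False
    for verb, kind, name in rules:
        hit = (kind == "User" and name == user) or (
            kind == "Group" and name in groups)
        if hit and verb == "Disallow":
            return False  # one matching Disallow is final, whatever the order
        allowed = allowed or hit
    return allowed


# Constructed sample data: group memberships are invented for illustration.
MEMBERS = {
    "jms18": {"CWRU_FACSTAFF"},
    "abc123": {"CWRU_FACSTAFF"},
    "xyz789": {"CWRU_STUDENT"},
}
PARTY = "Allow Group CWRU_FACSTAFF\nDisallow User jms18\n"

if __name__ == "__main__":
    rules, errors = parse_directives(PARTY)
    print("errors:", errors)
    for user, groups in MEMBERS.items():
        print(user, "->", can_access(rules, user, groups))
```

Running it against the party-invitation directives reports who falls through to no access, which is a quick way to catch a mistyped group name before the restriction goes live.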
Additional documentation is available online at http://www.cwru.edu:8000/help/AuroraAccess.html.