Legacy Web Publishing - Password Protect Webpages

Below is a brief explanation of how to set up password protection of webpages hosted on our Legacy Web Publishing system.

First, you can only protect directories; you cannot protect individual pages. This is easily worked around by making subdirectories for the pages you want to protect.

These notes only explain how to set up passwords for individual users. You can give each user on a page their own username and password, or you can give the same username and password to everyone who needs access to the pages. The latter is much easier to maintain, and works well for almost all pages that require passwords, such as a course, department, committee, etc.

Getting Started

Create a directory in your web space. Inside of it, create a file called .htaccess (notice that the file name begins with a period). The .htaccess file should contain these lines, modified to match your website (explanations of each line are just below):

AuthUserFile /path/to/directory/.htpasswd
AuthGroupFile /dev/null
AuthName "My private pages"
AuthType Basic

<Limit GET>
require user janeuser
</Limit>

Location

AuthUserFile is the fully qualified path to the password file for these protected pages. This file will eventually contain the username(s) and password(s). You will define the usernames in just a minute; they are not Unix usernames. You do not need to create the password file yourself. The notes further down explain how it is created.

If your pages are served on www, the path will be in /htdocs, similar to this:
/htdocs/Somedir/mydirectory/private/.htpasswd

On all other machines, the path will be in /home, similar to this:
/home/username/public_html/private/.htpasswd

AuthGroupFile is the fully qualified path to your group file, which would contain group names and list which users from the password file belong to each group. In this simple case no group file is used, so it is set to /dev/null.

AuthName is the title of the dialog box that prompts users for a username and password when they try to access the pages. If there are spaces in AuthName, then it must be in quotes.

The method (i.e., GET) listed in the Limit directive must be in uppercase. The last element of "require user <name>" is the username that you give to people who will access the page (e.g., janeuser).

Next, you'll need to create the password file that you specified in AuthUserFile by running the htpasswd command. The first time you run it, you must use the -c option to create the file. As arguments, give it the password file name and the new username:

spot> /usr/local/apache/bin/htpasswd -c /path/to/directory/.htpasswd janeuser

Do not use your IdentiKey or Unix password.

Finally, you need to change permissions on the files so that the web server can read them:

spot> chmod 644 .htaccess
spot> chmod 644 .htpasswd

Change the Password

To change the password, run the command without the -c:

spot> /usr/local/apache/bin/htpasswd /path/to/directory/.htpasswd janeuser

Add More Users with Different Passwords

To add more users with different passwords, run the command without the -c and with a new username:

spot> /usr/local/apache/bin/htpasswd /path/to/directory/.htpasswd joeuser

The command will prompt you for a password. Again, notice that the username (janeuser) has nothing to do with Unix usernames. These are specific to your webpages and can be anything you like. Do not use your IdentiKey or Unix password.
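
As an added example (not part of the original notes or of the Legacy Web Publishing system), the Python function below checks the text of an .htaccess file and its password file against the rules stated in these notes: a fully qualified AuthUserFile path, a quoted AuthName when it contains spaces, an uppercase Limit method, and a password-file entry for every name in "require user". The function name, the sample file contents and the placeholder hash are constructed for illustration.

```python
import re

def check_htaccess(htaccess_text, htpasswd_text):
    """Return a list of problems, using the rules described in the notes above."""
    problems, directives, required = [], {}, []
    for line in (l.strip() for l in htaccess_text.splitlines()):
        if not line or line.startswith(("#", "</")):
            continue
        limit = re.match(r"<Limit\s+([^>]*)>", line, re.IGNORECASE)
        if limit:
            problems += [f"Limit method {m!r} must be uppercase"
                         for m in limit.group(1).split() if m != m.upper()]
            continue
        name, _, value = line.partition(" ")
        if name.lower() == "require":
            parts = value.split()
            if parts and parts[0].lower() == "user":
                required += parts[1:]
        else:
            directives[name.lower()] = value.strip()
    if not directives.get("authuserfile", "").startswith("/"):
        problems.append("AuthUserFile must be a fully qualified path")
    auth_name = directives.get("authname", "")
    quoted = len(auth_name) > 1 and auth_name[0] == auth_name[-1] == '"'
    if " " in auth_name and not quoted:
        problems.append("AuthName contains spaces and must be in quotes")
    # The password file written by htpasswd holds one "username:hash" entry per line.
    known = {l.split(":", 1)[0] for l in htpasswd_text.splitlines() if ":" in l}
    problems += [f"user {u!r} has no entry in the password file"
                 for u in required if u not in known]
    return problems

# Constructed sample input; the hash is a placeholder, not real htpasswd output.
HTPASSWD = "janeuser:PLACEHOLDER_HASH\n"
GOOD = '''AuthUserFile /home/username/public_html/private/.htpasswd
AuthGroupFile /dev/null
AuthName "My private pages"
AuthType Basic

<Limit GET>
require user janeuser
</Limit>
'''
BAD = (GOOD.replace("/home/", "home/").replace('"My private pages"', "My pages")
       .replace("GET", "get").replace("janeuser", "joeuser"))

if __name__ == "__main__":
    print(check_htaccess(GOOD, HTPASSWD))
    print(check_htaccess(BAD, HTPASSWD))
```

An empty list means the two files agree with each other and with the rules above; the check works on file contents only and does not look at file permissions.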