Legacy Web Publishing - Password Protect Web Pages

Below is a brief explanation of how to set up password protection of web pages hosted on our Legacy Web Publishing system.

First, you can only protect directories; you cannot specify individual pages. This is easily worked around by putting the pages you want to protect in their own subdirectory.

These notes only explain how to set up passwords for individual users. You can give each user on a page their own username and password, or you can give the same username and password to everyone who needs access to the pages. The latter is much easier to maintain, and works well for almost all pages that require passwords, such as a course, department, committee, etc.

Getting Started

Create a directory in your web space. Inside of it, create a file called .htaccess (notice that the file name begins with a period). The .htaccess file should contain these lines, modified to match your web site (explanations of each line are just below):

AuthUserFile /path/to/directory/.htpasswd
AuthGroupFile /dev/null
AuthName "My private pages"
AuthType Basic

<Limit GET>
require user janeuser
</Limit>

Location

AuthUserFile is a fully qualified path to your password file for these protected pages. The AuthUserFile will eventually contain the username(s) (that you will define in just a minute; not unix usernames) and password(s). You do not need to create the password file. The notes further down explain how this will be done.

If your pages are served on www, the path will be in /htdocs, similar to this:
/htdocs/Somedir/mydirectory/private/.htpasswd

On all other machines, the path will be in /home, similar to this:
/home/username/public_html/private/.htpasswd

AuthGroupFile is a fully qualified path to your group file, which would contain group names and which users in the password file belong to each group. In this simple case no groups are used, so it is set to /dev/null.

AuthName is the title of the dialog box that asks for a username and password when someone tries to access the pages. If there are spaces in AuthName, it must be in quotes.

The method (i.e., GET) listed in the Limit directive must be in uppercase. The last element of "require user <name>" is the username that you give to people who will access the page; in this example, janeuser.

Next, you'll need to create the password file that you specified in AuthUserFile by running the htpasswd command. The first time you run it, you must use the -c option to create the file. As arguments, you give it the password file name and the new username:

spot> /usr/local/apache/bin/htpasswd -c /path/to/directory/.htpasswd janeuser

DO NOT USE YOUR IDENTIKEY OR UNIX PASSWORD.

Finally, you need to change permissions on the files so that the web server can read them:

spot> chmod 644 .htaccess
spot> chmod 644 .htpasswd
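
The following shell function is an added example, not part of the original instructions. It checks a directory set up with the steps above: that AuthUserFile is a fully qualified path to an existing file, that every "require user" name has an entry in it, and that both files are readable by the web server. The function name check_protected_dir and its output wording are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): checks a directory set up with
# the steps above. Prints each problem found and returns the problem count.
# Usage: check_protected_dir /path/to/directory
check_protected_dir() {
    dir=$1
    ht="$dir/.htaccess"
    problems=0
    if [ ! -f "$ht" ]; then
        echo "PROBLEM: $ht does not exist"
        return 1
    fi
    # AuthUserFile must be a fully qualified path to the password file.
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht")
    case $pwfile in
        /*) ;;
        *)  echo "PROBLEM: AuthUserFile is not a fully qualified path: '$pwfile'"
            problems=$((problems + 1)) ;;
    esac
    if [ ! -f "$pwfile" ]; then
        echo "PROBLEM: password file not found (run htpasswd -c first): $pwfile"
        problems=$((problems + 1))
    fi
    # Every name after "require user" needs a "name:hash" line in the password file.
    users=$(awk 'tolower($1) == "require" && tolower($2) == "user" {
                     for (i = 3; i <= NF; i++) print $i }' "$ht")
    for user in $users; do
        if [ -f "$pwfile" ] &&
           ! awk -F: -v u="$user" '$1 == u { ok = 1 } END { exit !ok }' "$pwfile"; then
            echo "PROBLEM: '$user' is required but has no entry in $pwfile"
            problems=$((problems + 1))
        fi
    done
    # The web server reads both files as "other", hence the chmod 644 step.
    for f in "$ht" "$pwfile"; do
        if [ -f "$f" ] && [ -z "$(find "$f" -perm -004 2>/dev/null)" ]; then
            echo "PROBLEM: $f is not world-readable (chmod 644)"
            problems=$((problems + 1))
        fi
    done
    # Apache applies directives inside <Limit> only to the methods it lists.
    if grep -qi '^[[:space:]]*<Limit[[:space:]]' "$ht"; then
        echo "NOTE: 'require' is inside <Limit>; it covers only the listed methods"
    fi
    return "$problems"
}
```

A return status of 0 means no problems were found. The NOTE line is informational and is not counted as a problem.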

Change the Password

To change the password, run the command without the -c:

spot> /usr/local/apache/bin/htpasswd /path/to/directory/.htpasswd janeuser

Add More Users with Different Passwords

To add more users with different passwords, run the command without the -c and with a new username:

spot> /usr/local/apache/bin/htpasswd /path/to/directory/.htpasswd joeuser

The command will prompt you for a password. Again, notice that the username (janeuser) has nothing to do with unix usernames. These are specific to your web pages and can be anything you like. DO NOT USE YOUR IDENTIKEY OR UNIX PASSWORD.