Authentication: Introduction: Difference between revisions
(New page: {{Uc nav Authentication}} '''Authentication Introduction''' I thought it worthwhile taking a detailed look at Apache’s basic authentication. Uniform Server already has the basic authen...) |
m (→Summary) |
||
Line 138: | Line 138: | ||
{| | {| | ||
| [[Image:uc_small_logo.gif]] || [[User: | | [[Image:uc_small_logo.gif]] || [[User:Ric|Ric]] | ||
|} | |} | ||
[[Category: Uniform Server 4.0-Mona]] | [[Category: Uniform Server 4.0-Mona]] | ||
[[Category: UniCenter]] | [[Category: UniCenter]] |
Revision as of 15:57, 23 April 2009
Authentication: Introduction | Preparation | Directories | Secure Directories | Groups | Single Files | Secure Single Files |
Basic Authentication |
Authentication Introduction
I thought it worthwhile taking a detailed look at Apache’s basic authentication. Uniform Server already has the basic authentication structure is in place if you run “Apanel” under configurations there are two links for “private server configuration” and “private secure server configuration” the links allow you to set a new user name and password for both server configurations.
Each root folder (ssl and www) contains a file named “.htaccess”, you enable private server access by un-commenting four lines in these files. For convenience this tutorial starts with the private server configuration and shows how to modify this architecture to target specific folders and files. Concludes by showing how to secure these using SSL to encrypt names, passwords and content.
Authentication directives
This tutorial will cover the following authentication directives and provide practical examples of their use. You can run each example on any Uniform Server however this tutorial was written specifically for the Mona series.
Directives
AuthName "restricted content" | AuthName text displayed to a user. This is also referred to as the realm its important because the name references a collection of resources. A user after entering a valid name and password has access to any other resources with an identical realm name (no need to re-enter name and password). You can use this to create areas, which share the same username and password. |
AuthType Basic | AuthType informs Apache what protocol to use for authentication. Uniform Server uses Basic you can use the alternative Digest note I do not cover this. |
AuthUserFile /htpasswd/www/.htpasswd | AuthUserFile informs Apache where to find the htpasswd file this contains name/password pairs. |
AuthGroupFile /htpasswd/www/.htgroup | AuthGroupFile, informs Apache where to find the .htgroup file this contains a list of groups and associated users. |
Require valid-user | Require parameter valid-user informs Apache to validate against any user listed in the password file. |
Require user {sub-list} | Require parameter user {sub-list} informs Apache to validate against only certain users listed in the password file. Can be used with Require group |
Require group name | If the user {sub-list} becomes large or you are using several .htaccess files with the same list of names its desirable to put the sub-list into the groups files. This allows you to use the require line to restrict users to one or more particular groups. You can still target individual users using Require user. |
Although there are relatively few directives they are very flexible allowing you to produce complex access control structures. Basic authentication is easy to use however it suffers from being totally insecure names; passwords and content are sent in plain text over the Internet. That said once secured with SSL it becomes viable.
Remainder of this page looks at the current implementation on Uniform Server Top
Private Server
Private is referring to restricted access, to view any pages a user must enter a name and password, to implement this it must be enabled in file UniServer\udrive\www\.htaccess
Locate these lines:
#AuthName "Uniform Server - Server Access" #AuthType Basic #AuthUserFile /htpasswd/www/.htpasswd #Require valid-user
Uncomment (remove the hash #) as shown
AuthName "Uniform Server - Server Access" AuthType Basic AuthUserFile /htpasswd/www/.htpasswd Require valid-user
Save the file, run servers and enter http://loalhost into a browser. You are challenged to enter a name and password these are both root.
Password file
The password file (.htpasswd) must be located outside of the server root folder (www) this prevents access from the Internet.
Uniform Server locates it one level above root. The directive AuthUserFile informs Apache where to find the file, the path /htpasswd/www/.htpasswd is a system (disk) path and not a URL path.
The file may contain any number of name password pairs. If you wish to follow the examples edit this file UniServer\udrive\htpasswd\www\.htpasswd and add the name password pairs as shown:
root:root John:john123 Dave Smith:dave123 Mike:mike123 Jane:jane123 Dawn:dawn123 Ruth Smith:ruth123
Note 1: No carriage return at the end of the last line.
Note 2: Names can have spaces however never use spaces in passwords. Save the file.
Note 3: Delete the first entry root:root (everyone knows this)
Test
Test each name/password pair (enter http://loalhost into browser)
Note: Before each test you must restart your browser (breaks link to server) otherwise you will not be re-challenged for a name and password.
Require valid-user and Require user
Require valid-user
The directive “Require valid-user” instructs Apache to allow anyone named in the password file to have access to the server on supplying their password.
You confirmed this in the above test.
Require user
Using the directive “Require user” we can individually name users in the password file. All others in that file will be denied access. (This example is not really practical it introduces the concept for later use)
Edit UniServer\udrive\www\.htaccess change the authentication block to look like this:
AuthName "Uniform Server - Server Access" AuthType Basic AuthUserFile /htpasswd/www/.htpasswd Require user John "Dave Smith"
Note: Names with spaces must be enclosed in quotes as shown.
Test each name/password pair remember to re-start browser for each test. Only John and Dave Smith are given access while all others are denied.
SSL Private secure server
The above can be applied to a private secure server configuration.
- The root folder UniServer\udrive\ssl contains an identical .htaccess file this you can modify as above.
- It also has a corresponding password file UniServer\udrive\htpasswd\ssl\.htpasswd where you can add name/password pairs.
- To perform tests make sure you have first generated a server certificate. Type the following into your browser https://localhost
Note: There is no real reason to have separate password files, just makes it a little easier to distinguish between the two parts of the server secure and non-secure.
Summary
It’s very rare you would want to be so draconian and restrict access to the entire server. The above would achieve that if you really wanted to however it’s really indented to introduce the concept of a password file and require a user from that file.
You are more likely want to restrict access to specific directories (folders) and or files covered on this page
If you wish to follow the examples setup a folder structure and .htaccess files as describe on the next page.
Ric |