Old:Basic authentication and redirection: Difference between revisions

From The Uniform Server Wiki
m (Protected "Basic authentication and redirection" [edit=sysop:move=sysop])

Previous revision, section '''Private Server''' (replaced in the current revision, shown below, by the section '''Private page'''):

== Private Server ==
Uniform Server already has this authentication mechanism in place.

Name/password pairs are stored in the file '''.htpasswd''' located in folder '''<nowiki>*</nowiki>\Uniform Server\udrive\htpasswd\www'''. It contains the default pair '''root:root''' (order name:password).

To enable Uniform Server as a private server, open the file '''.htaccess''' contained in folder '''www''' and uncomment the following four lines as shown:

<pre>
AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user
</pre>

Run the servers and type '''<nowiki>http://localhost</nowiki>''' into your browser address bar. You will be challenged for a user name and password; to gain access enter '''root''' and '''root'''.

The '''.htaccess''' file protects the folder it is contained in and all sub-folders, hence if you try to directly access a page anywhere on the server you will be challenged. The browser stores the validated credentials, meaning you are required to authenticate only once and will not be challenged again for that realm.

'''''Note 1'':''' When testing this can be a problem because you need to reset the stored validation; the only way I know of doing this is to restart the browser. This breaks the server link, removing any stored information. Another minor irritation is stored pages in the browser cache; clear this to avoid misleading results.

Generally you would like to have an Internet presence, hence you do not want to protect the entire server, only a small area. On the main index page you would provide a login link to this protected area. It is possible to restrict users to a single page or restrict them to a private folder; I cover these two options below.

'''''Note 2'':''' Before continuing restore the above four lines back to their defaults as shown below:
<pre>
#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user
</pre>

'''''[[#top | Top]]'''''

Revision as of 20:39, 18 July 2008

MPG UniCenter

Extending Apache’s basic authentication using mod rewrite.

Power of htaccess and mod rewrite - 3.5-Apollo

This write-up looks at extending Apache's basic authentication to allow users to log in to individual pages or folders. Each user is allocated a unique name and password. Users are validated using Apache's basic authentication and, once logged in, are redirected using mod_rewrite to the appropriate page or folder.

Private page (external redirect)

Apache's basic authentication is not very flexible; however, you can bend it a little using mod_rewrite and create something useful without the need for any scripting such as PHP or Perl.

You must use a secure (HTTPS) server so that the name/password pair and the personal data on each page are encrypted in transit. That said, you can test on a standard Uniform Server installation.

This solution uses only a .htaccess file, with mod_rewrite performing the redirection; the example demonstrates the concept.

  1. I have created a folder named secure in the root folder www.
    1. Folder secure contains John.html, Dave.html and Mike.html; these are the personal data pages.
    2. This folder also contains an index.html page which states something like "you need to login"; it is the default page served should the login fail.
  2. My main index page in the root folder www contains the following link:
    <a href="secure/index.html">Secure login</a>
    When clicked it takes me to the protected folder.
  3. Open the file .htpasswd located in folder *\Uniform Server\udrive\htpasswd\www, delete its content and add name/password pairs, e.g.
    John:21
    Dave Smith:22
    Mike:23

    Use real passwords, e.g. Mst23Xfrs (21, 22, 23 makes it easier to test). Plain-text entries like these are only accepted by Apache on Windows; on other platforms, and for anything beyond a test, generate the entries with Apache's htpasswd utility so that the file holds password hashes rather than the passwords themselves.

    Note: You can use spaces in the name.

  4. Copy .htaccess from the root folder www to folder secure (this saves the pain of creating one). Once copied, open the file, delete its contents and add the following:
    # Basic authentication for everything in this folder and below
    AuthName "Uniform Server - Server Access"
    AuthType Basic
    AuthUserFile /htpasswd/www/.htpasswd
    Require valid-user

    Options +FollowSymLinks
    #Options +Indexes
    RewriteEngine On
    RewriteBase /

    # One stanza per user. The first condition is the loop guard: once the
    # browser has been redirected to the user's page, $1 (the path matched by
    # the rule) is already that page, so no further redirect is issued.
    # The second condition matches the authenticated user name. REMOTE_USER is
    # populated here because per-directory rewriting runs after authentication;
    # it carries the name only, never the password.
    RewriteCond $1 !^John\.html
    RewriteCond %{REMOTE_USER} ^John$
    RewriteRule (.*) /secure/John.html [R,L]

    # A space in a user name must be escaped in the pattern
    RewriteCond $1 !^Dave\.html
    RewriteCond %{REMOTE_USER} ^Dave\ Smith$
    RewriteRule (.*) /secure/Dave.html [R,L]

    RewriteCond $1 !^Mike\.html
    RewriteCond %{REMOTE_USER} ^Mike$
    RewriteRule (.*) /secure/Mike.html [R,L]
    
    • Each page to be protected requires three lines:
    • After a rewrite the new URL is requested again and passed back through the rewrite engine. To prevent an infinite loop the first line checks whether the requested file is already the user's own page; if it is, the redirect has already happened and the stanza is skipped.
    • The second line checks the user name. All names must be unique; this is a limitation of the method, since the user will have been validated with a password but the password is not accessible to the rewrite engine, hence redirection is on name only. If the name matches, the rewrite rule is executed.
    • The third line accepts any URI and maps it to a single page. [R,L]: R tells the browser this is a redirect (the address bar updates to show the new page); L means this is the last rule, so no others are processed.
    • If for whatever reason no match is found it drops out of the rules and the index page is served.

    Note 1: The space in Dave Smith needs to be escaped in the pattern using a backslash, "\ " (without the quotes). The variable name is REMOTE_USER; use that documented spelling.

    Note 2: The browser caches Basic authentication credentials, so you will need to restart your browser to log in again as a different user.

    I stress the need for encryption because when using http the name/password pair is sent in plain text (Base64-encoded, which is not encryption) and can be read by anyone on the network path.


Private page (internal rewrite variant)

This variant uses the same folder layout, login link and .htpasswd file as steps 1 to 3 above. Only the .htaccess file placed in folder secure differs: instead of an external redirect, the requested page is rewritten internally, so the address bar does not change.

    4. Copy .htaccess from the root folder www to folder secure (this saves the pain of creating one). Once copied, open the file, delete its contents and add the following:
      AuthName "Please Login or whatever you would like displayed"
      AuthType Basic
      AuthUserFile /htpasswd/www/.htpasswd
      Require valid-user

      Options +FollowSymLinks
      RewriteEngine On
      # Relative substitutions below are resolved against this folder
      RewriteBase /secure

      # One stanza per user: match the authenticated name, then serve that
      # user's page whatever was requested. There is no R flag, so this is an
      # internal rewrite; the browser is not told and the address bar is unchanged.
      RewriteCond %{REMOTE_USER} ^John$
      RewriteRule (.*) John.html [L]

      RewriteCond %{REMOTE_USER} ^Dave\ Smith$
      RewriteRule (.*) Dave.html [L]

      RewriteCond %{REMOTE_USER} ^Mike$
      RewriteRule (.*) Mike.html [L]
      
      • Each page to be protected requires two lines. The first checks the user name (all names must be unique; this is a limitation of the method, since the user will have been validated with a password but the password is not accessible to the rewrite engine, hence redirection is on name only).
      • The second line rewrites to the appropriate page. Note that the (.*) means any page requested by that user will be mapped to the page that follows it; [L] marks this as the last rule.
      • If for whatever reason no match is found it drops out of the rules and the index page is served.

      Notes 1 and 2 from the previous section apply here as well: the space in Dave Smith must be escaped as "\ " and you will need to restart your browser to log in again as a different user.

      Again I stress the need for encryption because when using http the name/password pair is sent in plain text.
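The following is an added example, not code from the Uniform Server wiki or its author. It generates, for both the external-redirect and the internal-rewrite sections above, the per-user mod_rewrite stanzas the write-up shows by hand, and it writes the .htpasswd entries as hashes instead of plain text. It goes a little beyond the page: every regex-special character in a user name is escaped (the page only handles the space in "Dave Smith"). The Apache directive syntax is the page's own; the user list, passwords, function names and the `{SHA}` hash scheme (what `htpasswd -s` produces; unsalted, so prefer `htpasswd -B` on Apache 2.4 for real deployments) are this example's assumptions.

```python
"""Generate .htpasswd entries and per-user .htaccess stanzas.

Added example (not part of the wiki page). Assumes Apache's {SHA}
htpasswd format and the rewrite forms shown in the write-up.
"""
import base64
import hashlib
import hmac
import re

# Constructed sample data: the users and pages from the write-up,
# with made-up passwords.
USERS = {
    "John": ("Mst23Xfrs", "John.html"),
    "Dave Smith": ("s3cond-Pa55", "Dave.html"),
    "Mike": ("thirdPa55word", "Mike.html"),
}


def sha_entry(user: str, password: str) -> str:
    """One .htpasswd line in the {SHA} format produced by `htpasswd -s`."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def check_password(htpasswd_text: str, user: str, password: str) -> bool:
    """Verify a name/password pair against {SHA} entries, constant-time."""
    for line in htpasswd_text.splitlines():
        name, sep, stored = line.partition(":")
        if not sep or name != user or not stored.startswith("{SHA}"):
            continue
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        expected = base64.b64encode(digest).decode("ascii")
        return hmac.compare_digest(stored[len("{SHA}"):], expected)
    return False


def pcre_escape(name: str) -> str:
    """Backslash-escape every character that is not a word character.

    PCRE treats a backslash before any non-alphanumeric as that literal,
    so this covers the space in "Dave Smith" as well as '.', '+', '$' etc.
    """
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", name)


def rewrite_stanza(user: str, page: str, folder: str = "/secure",
                   external: bool = True) -> str:
    """The per-user mod_rewrite lines for one protected page.

    external=True  -> [R,L] redirect with the loop guard (first section).
    external=False -> internal rewrite relative to RewriteBase (second section).
    """
    if external:
        return "\n".join([
            # loop guard: once on the user's page, issue no further redirect
            f"RewriteCond $1 !^{pcre_escape(page)}",
            f"RewriteCond %{{REMOTE_USER}} ^{pcre_escape(user)}$",
            f"RewriteRule (.*) {folder}/{page} [R,L]",
        ])
    return "\n".join([
        f"RewriteCond %{{REMOTE_USER}} ^{pcre_escape(user)}$",
        f"RewriteRule (.*) {page} [L]",
    ])


def htaccess(users, folder="/secure", external=True,
             realm="Uniform Server - Server Access",
             userfile="/htpasswd/www/.htpasswd") -> str:
    """Complete .htaccess for the folder: auth block plus one stanza per user."""
    head = [
        f'AuthName "{realm}"',
        "AuthType Basic",
        f"AuthUserFile {userfile}",
        "Require valid-user",
        "",
        "Options +FollowSymLinks",
        "RewriteEngine On",
        f"RewriteBase {'/' if external else folder}",
        "",
    ]
    body = [rewrite_stanza(u, p, folder, external) + "\n"
            for u, (_, p) in users.items()]
    return "\n".join(head + body)


def htpasswd(users) -> str:
    """The whole .htpasswd file, one hashed entry per user."""
    return "\n".join(sha_entry(u, pw) for u, (pw, _) in users.items()) + "\n"


if __name__ == "__main__":
    print(htpasswd(USERS))
    print(htaccess(USERS, external=True))
    print(htaccess(USERS, external=False))
```

Drop the two generated texts into `.htpasswd` and `secure/.htaccess` respectively; the rewrite stanzas are byte-for-byte the forms shown above, and the password file no longer contains the passwords themselves.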



      Private folder

      This page is a DRAFT hence locked.

      If I have time it will be complete by the weekend!!!

      xxxxxxxxxxxxxx




      Ric