Old:Basic authentication and redirection

From The Uniform Server Wiki
Jump to navigation Jump to search

MPG UniCenter

Extending Apache’s basic authentication using mod rewrite.

Power of htaccess and mod rewrite - 3.5-Apollo

This write-up looks at extending Apache’s basic authentication allowing users to log-in to individual pages or folders. Each user is allocated a unique name and password, users are validated using Apache’s basic authentication once logged in are redirected using mod rewrite to the appropriate page or folder .

Private page

Apache's basic authentication is not very flexible however you can bend it a little using mod rewrite and create something usful without the need for any scripting such as PHP or Perl.

You must use a secured server so name/password pair and personal data on a page are encrypted. That said you can test on a standard Uniform Server installation.

This solution uses only a .htacces file with mode-rewrite performing the redirection this example demonstrates the concept.

  1. I have created a folder named secure in the root folder www.
    1. Folder secure contains John.html, Dave.html and Mike.html these are the personal data pages.
    2. This folder also contains an index.html page which states something like “you need to login” its a default should the login fail.
  1. My main index page in the root folder www contains the following link:
    <a href="secure/index.html">Secure login</a>
    When clicked takes me to the protected folder.
  2. Open the file .htpasswd located in folder *\Uniform Server\udrive\htpasswd\www delete its content and add name/password pairs e.g
    John:21
    Dave Smith:22
    Mike:23
    

    Use real passwords e.g Mst23Xfrs (21,22,23 makes it easier to test).

    Note: You can use spaces in the name.

  3. Copy .htaccess from the root folder www to folder secure (this saves the pain of creating one) once copied open the file delete its contents and add the following:
    AuthUserFile /htpasswd/www/.htpasswd
    Require valid-user
    
    Options +FollowSymLinks
    #Options +Indexes
    RewriteEngine On
    RewriteBase /
    
    RewriteCond $1 !^John\.html
    RewriteCond %{REMOTE_user} ^John$
    RewriteRule (.*) /secure/John.html [R,L]
    
    RewriteCond $1 !^Dave\.html
    RewriteCond %{REMOTE_user} ^Dave\ Smith$
    RewriteRule (.*) /secure/Dave.html [R,L]
    
    RewriteCond $1 !^Mike\.html
    RewriteCond %{REMOTE_user} ^Mike$
    RewriteRule (.*) /secure/Mike.html [R,L]
    
    • Each page to be protected requires three lines:
    • After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for an individual file, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite.
    • The second line checks user name (all names must be unique, limitation of using this method, a user will have been validated with password however this is not accessible by the rewrite engine hence redirection on name only.) If this is valid the rewrite rule will be executed.
    • Third line accepts any uri and maps it to a single page. [R,L] R informs a browser this is a redirect (updates the address bar to display new page) L last rule no need to process any others.
    • If for whatever reason no match is found it drops out of this and picks up the index page.

    Note 1: The space between Dave Smith needs to be escaped using a backslash “\ “ (without the quotes)

    Note 2: You will need to restart your browser to re-login.

    I stress the need for encryption because when using http, name/password is sent in plain text.

    Top

    Private page

    Apache's basic authentication is not very flexible however you can bend it a little using mod rewrite and create something usful without the need for any scripting such as PHP or Perl.

    You must use a secured server so name/password pair and personal data on a page are encrypted. That said you can test on a standard Uniform Server installation.

    This solution uses only a .htacces file with mode-rewrite performing the redirection this example demonstrates the concept.

    1. I have created a folder named secure in the root folder www.
      1. Folder secure contains John.html, Dave.html and Mike.html these are the personal data pages.
      2. This folder also contains an index.html page which states something like “you need to login” it a default should the login fail.
    1. My main index page in the root folder www contains the following link:
      <a href="secure/index.html">Secure login</a>
      When clicked takes me to the protected folder.
    2. Open the file .htpasswd located in folder *\Uniform Server\udrive\htpasswd\www delete its content and add name/password pairs e.g
      John:21
      Dave Smith:22
      Mike:23
      

      Use real passwords e.g Mst23Xfrs (21,22,23 makes it easier to test).

      Note: You can use spaces in the name.

    3. Copy .htaccess from the root folder www to folder secure (this saves the pain of creating one) once copied open the file delete its contents and add the following:
      AuthName "Please Login or whatever you would like displayed"
      AuthType Basic
      AuthUserFile /htpasswd/www/.htpasswd
      Require valid-user
      
      Options +FollowSymLinks
      RewriteEngine On
      RewriteBase /secure
      
      RewriteCond %{REMOTE_user} ^John$
      RewriteRule (.*) John.html [L]
      
      RewriteCond %{REMOTE_user} ^Dave\ Smith$
      RewriteRule (.*) Dave.html [L]
      
      RewriteCond %{REMOTE_user} ^Mike$
      RewriteRule (.*) Mike.html [L]
      
      • Each page to be protected requires two lines the first checks user name (all names must be unique, limitation of using this method, a user will have been validated with password however this is not accessible by the rewrite engine hence redirection on name only.)
      • The second line redirects to the appropriate page note the (.*) means any page requested by that user will be mapped to the page that follows the (.*) [L] last rule.
      • If for whatever reason no match is found it drops out of this and picks up the index page.

      Note 1: The space between Dave Smith needs to be escaped using a backslash “\ “ (without the quotes)

      Note 2: You will need to restart your browser to re-login.

      Again I stress the need for encryption because when using http, name/password is sent in plain text.


      Top

      Private folder

      This page is a DRAFT hence locked.

      If I have time will be complete by the weekend!!!

      xxxxxxxxxxxxxx


      Top


      Ric