Restricting Access to Specific Individuals Worldwide

When to use

Follow these steps when you want a file to be viewed only by specific individuals worldwide. Since they are not members of the BU community, they do not have BU login names and Kerberos passwords. To restrict access in this way, you will have to create usernames and passwords for each user and distribute those usernames and passwords to each individual.

CODE EXAMPLE:

AuthType Basic
AuthUserFile /full-path-to/htpasswd.users
AuthName "Description for Login Box"
require valid-user

Steps

1. Create a subdirectory within your web publishing directory for the documents you want to restrict.

You must do this because you cannot mix restricted documents with unrestricted documents in the same directory. Also, if you want one set of restrictions on some documents and another set of restrictions on other documents, you must create separate subdirectories. Note: If the documents you want to restrict are already segregated into separate subdirectories, you can skip this step.

NOTE: If you are unfamiliar with UNIX file permissions, it is best to use an FTP program for this step.

2. Create an .htaccess file.

With a text editor such as NotePad or SimpleText on your computer, create a new file. Do not use Microsoft Word format (the .doc extension) to create this file. If you use a word processor, such as Word, to create this file, you must save it as Text or Text-only format. If you do not, the file will not operate correctly. Copy the code listed above (under "CODE EXAMPLE") and paste it into the file.

The .htaccess file contains the information about who is allowed into the directory. The access controls specified in a .htaccess file apply to all documents within that directory as well as documents in any subdirectories.

3. Modify the .htaccess file.

Edit the code in your .htaccess file to indicate the location on the server of your restricted directory as well as the description for the login box that users will see when entering their login and password information.

Replace full-path-to with the full directory path to your restricted directory:

For publishers on www.bu.edu:

The full path begins with:
/afs/bu.edu/cwis/web/
and is followed by your specific directory location using this scheme:
first-letter/second-letter/groupname/directoryname/
For example, a restricted directory named seminar within the History department website would use this code:
AuthUserFile /afs/bu.edu/cwis/web/h/i/history/seminar/htpasswd.users

For publishers on people.bu.edu:

The full path begins with:
/web/people/
and is followed by your specific directory location using this scheme:
first-letter/second-letter/username/directoryname/

For example, a restricted directory named kids within the people.bu.edu website of a user named jones would use this code:
AuthUserFile /web/people/j/o/jones/kids/htpasswd.users

Replace "Description for Login Box" with the text you want displayed in the window that pops up when the user is asked to log in. Your title should be surrounded by quotation marks.

For example, if you want the pop-up login window to display the message "Restricted to friends of Nancy Jones. Login required." you would use this code:
AuthName "Restricted to friends of Nancy Jones. Login required."

4. Save the .htaccess file.

After editing your code in a text editor, save the file using this filename:

.htaccess
The name must begin with a . (period) and it must be in all lowercase letters. If you use a word processor such as Word to create this file, you must save it as Text or Text-only. If you do not, the file will not operate correctly.

5. Upload the .htaccess file into your restricted directory.

Using an FTP program, upload the .htaccess file into the directory where you are storing your restricted files.

Once uploaded, you should check the file on the server and make sure the filename is .htaccess -- many text editors will automatically append the .txt file extension to the end of the filename. If your text editor has done this, rename the file simply to .htaccess.

6. Run telnet, log onto the acs3.bu.edu server, authenticate yourself for access to the directory, and change your location to the directory you are restricting.

  1. Run telnet or ssh and log on to acs3.bu.edu. Supply your BU login name and Kerberos password as usual.
  2. At the acs3 prompt, type:
    klog
  3. At the Password prompt, type your Kerberos password.
  4. Change your location to the directory you are restricting.
    For example (using the same example filenames as in step #3 above):

For publishers on www.bu.edu:

cd  /afs/bu.edu/cwis/web/h/i/history/seminar/

For publishers on people.bu.edu:

cd  /web/people/j/o/jones/kids/

7. Create the username(s) and password(s) for the restricted directory.

This is a multi-step process and you must repeat it for each new user and password you want to enter.

Please note that you must have changed your directory to the .htaccess file's location and created a valid .htaccess file (with the correct file name and location) for the next steps. If you have not successfully completed the above steps, then the htpasswd.users file will not be created.

  1. While inside the protected directory in your telnet session, run the program that generates the passwords for your users. Type:
    htpasswd --user username
    Replace username with the name you want to give your user.
    For example, if you are setting a password for Jill Smith, you might select "jsmith" as her username. The command you would type is:
    htpasswd --user jsmith
  2. At the Enter Passwd prompt, type the password you want for that user. The password can be a maximum of 8 characters and is case sensitive. It will be encrypted on the server so you will not be able to view it after you type it in. Don't forget this password. You will have to give the login name and password to each user.
  3. Repeat this step for each user you want to add. If you intend to grant access to a large number of people (over 20), consider creating just one username and password and letting everyone share it.

8. Verify your username(s).

When you are finished, view the htpasswd.users file that the program created. Type:
more htpasswd.users

The file will contain each username and the encrypted password you created in the previous step, each on its own line, separated by a colon. The file will look something like this:

jsmith:w0Gsk3ruz4578
jdoe:82a45kbqek09

Notice the passwords do not appear as standard text. They are encrypted, so it is very important that you made note of the passwords you entered in step 6b above.

9. Run the command(s) that allow the server to access the password list.

The server must be able to read your htpasswd.users file to verify each user. Run the following command(s) from within your restricted directory:

For publishers on www.bu.edu:

Run this ONE command:
chmod  g+r,o=  htpasswd.users

For publishers on people.bu.edu:

Run these TWO commands (in this order):
chgrp2www  htpasswd.users
chmod  g+r,o=  htpasswd.users

10. Distribute the usernames and passwords to your users.

Also send them the URL to your protected documents.
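
Before distributing credentials, the result of steps 2 through 9 can be checked in one pass. The script below is an added example, not part of the original page and not a BU-provided tool; the function names audit_restricted_dir and make_sample are hypothetical, and the sample directory it can build is constructed from the example lines shown above.

```shell
#!/bin/sh
# Added example, not BU tooling. Usage: sh audit.sh /path/to/restricted-dir
# Prints one finding per line; exit status 0 means steps 2-9 check out.
audit_restricted_dir() {
    dir=${1%/}; ht="$dir/.htaccess"; findings=""
    add() { findings="${findings}$1
"; }
    if [ ! -f "$ht" ]; then
        if [ -f "$ht.txt" ]; then add "rename .htaccess.txt to .htaccess (step 5)"
        else add "no .htaccess in $dir"; fi
        printf '%s' "$findings"; return 1
    fi
    # Step 3: all four directives present (directive names are case-insensitive).
    for d in authtype authname authuserfile require; do
        awk -v d="$d" 'tolower($1) == d { ok = 1 } END { exit !ok }' "$ht" ||
            add ".htaccess lacks the $d directive"
    done
    pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht")
    case $pw in /*) ;; *) add "AuthUserFile must be a full path, got '$pw'" ;; esac
    if [ -f "$pw" ]; then
        # Step 9 (chmod g+r,o=): group may read, others get nothing.
        mode=$(ls -ld "$pw" | cut -c1-10)
        case $mode in ????r?????) ;; *) add "group cannot read $pw ($mode)" ;; esac
        case $mode in ???????---) ;; *) add "others can access $pw ($mode)" ;; esac
        # Step 8: each line is username:hash, and no username appears twice.
        n=$(awk -F: 'NF != 2 || $1 == "" || $2 == "" { c++ } END { print c + 0 }' "$pw")
        if [ "$n" -gt 0 ]; then add "$n malformed line(s) in $pw"; fi
        dup=$(cut -d: -f1 "$pw" | sort | uniq -d | tr '\n' ' ')
        if [ -n "$dup" ]; then add "duplicate username(s): $dup"; fi
    else
        add "password file '$pw' not found (step 7)"
    fi
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample: the page's example files in a scratch directory, with
# step 9 skipped so the file is left world-readable.
make_sample() {
    s=$(mktemp -d)
    printf 'AuthType Basic\nAuthUserFile %s/htpasswd.users\n' "$s" > "$s/.htaccess"
    printf 'AuthName "Description for Login Box"\nrequire valid-user\n' >> "$s/.htaccess"
    printf 'jsmith:w0Gsk3ruz4578\njdoe:82a45kbqek09\n' > "$s/htpasswd.users"
    chmod 644 "$s/htpasswd.users"
    printf '%s\n' "$s"
}

if [ "$#" -gt 0 ]; then audit_restricted_dir "$1"; fi
```

Run against the constructed sample, the audit reports that others can access htpasswd.users until the chmod from step 9 is applied.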


Notes

  1. Since the passwords are encrypted, you cannot retrieve them if users forget them. So keep a copy of usernames and passwords for yourself. If a user forgets a password, and you don't know it either, you will have to run the htpasswd program again to create a new password for that user.
  2. To add an additional user later, just run the htpasswd program to create a new username and password for that person.
  3. To remove a user from the list of people authorized to view your files, just delete that user from the htpasswd.users file. Download the .htaccess file to your computer using an FTP program, edit the file with NotePad or SimpleText, then upload the file back into your protected directory.
NIS  |  OIT  |  Boston University  |   February 2, 2007