
Password Secured Web Pages


To make a password secured web page, you must put two files in the directory you want to secure: .htaccess & .htpasswd.

The information that goes in .htpasswd consists of user/password combinations. To write this file, you need to use a special program called htpasswd and add each authorized user one at a time.

In our example, we want to password restrict the user adent's ~adent/public_html/restricted directory. So...

  1. Log in to the login server kepler.berkeley.edu, then run:
    % /usr/bin/htpasswd -c ~adent/public_html/restricted/.htpasswd adent  <enter>
    

    You are then prompted to enter a password for the user. (Note that this password is unrelated to the UNIX system password.) You also need to change the permissions on this file; see step 3.

  2. To add another user to your .htpasswd file, type the same command without -c. e.g.:
    % /usr/bin/htpasswd ~adent/public_html/restricted/.htpasswd rory <enter>
    
  3. Make the .htpasswd file readable:
    chmod a+r ~adent/public_html/restricted/.htpasswd

  4. What's left is to tell the webserver about your password file and how to limit access to this directory. That's where the .htaccess file comes in.

    An example .htaccess file is a text file that looks like this:

    AuthUserFile /home1/adent/public_html/restricted/.htpasswd
    AuthName "ME-class protection example"
    AuthType Basic
    <Limit GET>
    require user adent
    order deny,allow
    deny from all
    allow from .berkeley.edu
    </Limit>
    

    You'll want to leave it as it stands for the most part. The parts you want to change are the first line (a pointer to the .htpasswd file you created earlier), AuthName (a header that shows up while authenticating the user), and the require user line (put the login name there).

    Note that the three lines (order... through allow...) prevent any computer from outside of U.C. Berkeley from accessing the directory. If you have students viewing this from another campus or llbl.gov, you'll want to get rid of these lines. Also note that the CS dept's transcend research project has been allowing outside sites to proxy into Berkeley, defeating the "allow from .berkeley.edu" line.

  5. You'll also have to change the permissions on the .htaccess file:
    chmod a+r .htaccess

  6. You can get more details about the <Limit> clause by visiting: http://httpd.apache.org/docs/mod/core.html#limit
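
An added example, not part of the original help page: a shell function that checks a directory set up by the steps above. It confirms that AuthUserFile names an existing file readable by the server and writable only by its owner, and it reports the methods listed in a <Limit> block, because Apache applies the enclosed directives to those methods only. The function name, finding labels and demo files are made up for this example.

```shell
#!/bin/sh
# Added example: audit_protected_dir DIR prints one finding per line and
# returns 0 when there are none. Names and labels here are hypothetical.
audit_protected_dir() {
    acc="$1/.htaccess"
    findings=0
    note() { echo "$*"; findings=$((findings + 1)); }

    [ -r "$acc" ] || { echo "HTACCESS_UNREADABLE $acc"; return 1; }

    # The AuthUserFile path must name the file that htpasswd actually wrote.
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$acc")
    if [ -z "$pw" ]; then
        note "NO_AUTHUSERFILE"
    elif [ ! -f "$pw" ]; then
        note "PASSWORD_FILE_MISSING $pw"
    else
        perms=$(ls -ld "$pw" | cut -c1-10)
        # chmod a+r from the steps above: the web server must be able to read it.
        case $perms in ???????r??) ;; *) note "NOT_WORLD_READABLE $perms" ;; esac
        # Only the owner should be able to rewrite the user list.
        case $perms in ?????w????|????????w?) note "WRITABLE_BY_OTHERS $perms" ;; esac
    fi

    # Without a require line the password file is never consulted.
    grep -qiE '^[[:space:]]*require[[:space:]]' "$acc" || note "NO_REQUIRE"

    # Directives inside <Limit ...> apply only to the methods it lists.
    methods=$(sed -n 's/^[[:space:]]*<[Ll][Ii][Mm][Ii][Tt][[:space:]][[:space:]]*\([^>]*\)>.*/\1/p' "$acc")
    [ -z "$methods" ] || note "LIMIT_COVERS_ONLY $methods"

    [ "$findings" -eq 0 ]
}

# Constructed demo: a copy of the page's example in a scratch directory.
demo=$(mktemp -d)
printf 'adent:constructed-placeholder\n' > "$demo/.htpasswd"
chmod 644 "$demo/.htpasswd"
cat > "$demo/.htaccess" <<EOF
AuthUserFile $demo/.htpasswd
AuthName "ME-class protection example"
AuthType Basic
<Limit GET>
require user adent
</Limit>
EOF
audit_protected_dir "$demo" || true   # prints: LIMIT_COVERS_ONLY GET
rm -rf "$demo"
```

A LIMIT_COVERS_ONLY finding means requests using methods other than those listed are not subject to the require and allow/deny lines inside the block.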

 


Comments to consult@newton.berkeley.edu
© 1998-2009 UC Regents