How to Password-Protect a Web Subdirectory

In this example, you'll learn how to password-protect a directory in your personal Web space for three names (Peggy, Danette, and Bill) who will all have the password secrets (use capitalization where indicated). To see this example, see http://www.personal.psu.edu/mcr/party/.

To make this work, you will create three small text files that will go into a directory in your personal www directory.

Step 1: Create the directory you wish to password-protect.

Use your favorite secure file transfer method to connect to the personal server (sftp.personal.psu.edu) and create a directory called "party" in your www directory. The files you create will go inside the "party" directory. (Information on secure file transfer methods are available on-line)

Step 2: Create your .htaccess file.

• Create a file containing the following text in your favorite text editor. (Note that the example uses the user ID "mcr" - where you see m/c/mcr/ you must substitute your own user ID.) Save this file as .htaccess .

AuthUserFile /.../dce.psu.edu/fs/users/m/c/mcr/www/party/.htpasswd

AuthGroupFile /.../dce.psu.edu/fs/users/m/c/mcr/www/party/.htgroup

AuthName "private directory"

AuthType Basic

Require group allowed

NOTE: The <Require> line is added to make sure that all methods (GET, POST, etc.) are restricted. More information about the <Require> directive can be found at http://httpd.apache.org/docs/mod/core.html#require on the Web.

A note about text editors in Windows: This procedure requires that you create files with just an extension, and no file name (that is, with nothing before the dot). This causes some problems with some text editors. When saving or opening one of these ".ht___" files, your editing program might show you a warning message saying that this file form is not recognized. This only means that that the program does not know the extension. This should not matter, however, as long as the file is named properly.

For simplicity, we recommend that Notepad be used on Windows, with the following added step: Notepad will silently add the extension ".txt" to these files, such that a file you save as ".htaccess" will be saved as ".htaccess.txt" and in Windows XP, this extension will not show up when you look at the file in certain views. Therefore, type quotes around the filename when you type it in. This will tell Notepad to name it exactly as you entered and add nothing.


In the case of departments the AuthUserFile and AuthGroupFile variables would be as shown below:


AuthUserFile /.../dce.psu.edu/fs/services/www/dept/dept_name/party/.htpasswd

AuthGroupFile /.../dce.psu.edu/fs/services/www/dept/dept_name/party/.htgroup

where dept_name corresponds to the department name, e.g. in the case of the department formerly known as the Center for Academic Computing, it would be "cac".

In the case of Courses the AuthUserFile and AuthGroupFile variables would be as shown below:


AuthUserFile /.../dce.psu.edu/fs/services/www/courses/course/coursenumber_instructor's_userid/.htpasswd

AuthGroupFile /.../dce.psu.edu/fs/services/www/courses/course/coursenumber_instructor's_userid/.htgroup

Refer to questions 8 and 9 in the COLASODA FAQ for more information on the directory naming conventions.

 

• Now upload this file to the "party" directory that you created inside your "www" directory. Use the "ASCII" (for PC's) or "Text" (for MACs) mode for uploading the file to the personal server.

Step 3: Create your .htpasswd file.

• Go to the Encrypted Password Generator Page and follow the directions to get the password information for creating your .htpasswd file. (Make up a user name, and choose a password.) Note: user names and passwords are case-sensitive, so, they will have to be typed the same way each time. After you fill out the form, it will display a string of thirteen characters.
• Copy this into a file using your favorite text editor and save the file as .htpasswd. You could make a different password for each person, but for this example only one password is used for all three. Your file will have the following form:

  Peggy:ScPZpSSk3v.YQ
  
  Danette:ScPZpSSk3v.YQ
  
  Bill:ScPZpSSk3v.YQ

• Now upload this file to the "party" directory that you created inside your "www" directory. Again, use the "ASCII" (for PC's) or "Text" (for MACs) mode for file transfer.

Step 4: Create your .htgroup file.

• Again use your favorite text editor to make a file containing the list of privileged users that you choose for creating the .htpasswd file. It should have the following form. Note that in our case Peggy, Danette, and Bill are the privileged users for the "party" directory. Again, note that these user names are case-sensitive. The name of the group is "allowed" in this example, and needs to be the same in this file and in the Require line in your .htaccess file.

allowed: Peggy Danette Bill

• Save this file as .htgroup.
• Now upload this file to the "party" directory that you created inside your "www" directory. Once again, use the "ASCII" (for PC's) or "Text" (for MACs) mode for file transfer.

Step 5: Modify the Access Control List (ACL) for the "party" directory.

• While the above steps protect the pages from web access, the files are themselves still visible to anyone who has access to PASS. To have the files secure in the real sense, you also need to change the ACLs for the "party" directory.


Visit the site https://www.work.psu.edu to do this. This link opens in another browser window, so that you can have both the instructions (this page) and the "www.work.psu.edu" site in the two browser windows at the same time .

For directories in Personal space

Use the "ACL Explorer" link on https://www.work.psu.edu to set the ACLs for the "party" directory.  Authenticate with your Penn State Access Account  userid and password.

Click the "Control" buttonnext to "Your Web director:"or specify the  directory in the field provided. Click the Show Files arrow then click your directory "party".

For this directory, choose group from the pull-down menu.  In the field provided, type www.personal.psu.edu.  Check the 'r' and 'x' ACLs for this directory.  Click the 'Modify Access" button at the top left of the screen. Every file in the "party" directory should be set to have read access for the group www.personal.psu.edu, so assign 'r' to the group www.personal.psu.edu for each file (as you did for the "party" directory).

Warning: a user other than the webserver and the owner of the web space might be able to access the files, using means such as FTP, a UNIX account, or PASS to see your files and download them . To prevent this, you will also need to disallow access for each "group_obj," "other_obj," and "any_other". For these ACL types make sure all of the 'rwxcid' boxes are un-checked.

Click "Modify Access" button at the top of the screen for each file. Now the "party" directory (and all the files in it) are readable only by you and the personal web server and your files are secure in the true sense.

For directories in Departmental/COLA space

Use the "ACL explorer" link on https://www.work.psu.edu to set the ACLs for the "party" directory.Authenticate with your Penn State Access Account  userid and password. In the "Change directory" list that is displayed in the left portion of that page, select the "party" directory or enter that directory in the "Jump to" directory text box. Make sure you use the complete path while entering it in the text box, e.g. "/.../dce.psu.edu/fs/services/www/dept/dept_name/party/" in our case.

For this directory, choose group from the pull-down menu.  In the field provided, type www.courses.psu.edu.  Check the 'r' and 'x' ACLs for this directory.  Click the 'Modify Access" button at the top left of the screen. Every file in the "party" directory should be set to have read access for the group www.courses.psu.edu, so assign 'r' to the group www.courses.psu.edu for each file (as you did for the "party" directory).

For directories in departmental space, you will need to enter group "www.psu.edu" and check 'r'. Then click the "Modify Access" button.

Warning: a user other than the webserver and the owner of the web space might be able to access the files through other means such as FTP, a UNIX account, or PASS to see your files. To prevent this, you will also need to disallow access for each "group_obj," "other_obj," and "any_other". For these ACL types make sure all of the 'rwxcid' boxes are un-checked.

Click "Modify Access" button at the top of the screen for each file. Now the "party" directory (and all the files in it) are readable only by you and the personal web server and your files are secure in the true sense.

Testing and Troubleshooting

Remember, the Personal Web server is case-sensitive. If you have trouble, check to make sure you're using the correct case.

Make sure you name the three files correctly. They must be named as follows or it won't work.

.htaccess

.htpasswd

.htgroup

If you get a Internal Server Error" message, chances are you did not upload the files using the "ASCII" (for PC's) or "Text" (for MACs) mode. Again upload the files, this time using the right mode as specified in the previous line.

Frequently asked questions and answers pertaining to CAC Web service are available at the following URL: http://www.personal.psu.edu/faq/cacweb.html