Mosaic User Access Control Tutorial

Windows Version

This tutorial was originally written by Marc Andreessen, formerly of NCSA, and is based heavily on work done by Ari Luotonen at CERN and Rob McCool at NCSA. In particular, Ari wrote the client-side code currently in Mosaic 2.0 (X), and Rob wrote the server code for NCSA httpd (Unix). It has been edited for the Windows httpd by:

Robert B. Denny

<rdenny@netcom.com>

Introduction

This tutorial surveys the current methods in NCSA Mosaic for Windows 2.0 and Windows httpd for restricting access to documents. The tutorial also walks through setup and use of these methods.

The "basic" access/authentication feature allows access restriction based on several criteria:

Username/password-level access authorization.
Rejection or acceptance of connections based on Internet address of client.
A combination of the above two methods.

There are two levels at which access control can work: per-server and per-directory. This tutorial primarily covers per-directory access control. See Access Configuration for more information on setting up server-wide access control.

Per-directory access control means that users with write access to part of the filesystem that is being served can control access to their files as they wish. They need not have root access on the system or write access to the server's primary config files.

Access control for a given directory is controlled by a file (normally) named #haccess.ctl that resides in that directory. The server reads this file on each access to a document in that directory (or documents in subdirectories).

Prepared Examples

Following are several examples of the range of access authorization capabilities available. The examples require the server, of course, so your server must be on-line with the example components configured. They are pre-configured as part of the Windows httpd installation kit.

Simple protection by password.

This document is accessible only to user fido with password bones.

There is no correspondence between usernames and passwords on specific server systems (e.g. in a Windows sharing password file, or the NT security system) and usernames and passwords in the access control schemes we're discussing for use in the Web. As illustrated in the examples, Web-based access control uses wholly distinct password files; a user need never have an actual account on a given server system in order to be validated for access to files being served from that system and protected with HTTP-based access control.

The #haccess.ctl file used in this case is as follows:

AuthUserFile c:/httpd/conf/authusr.pwd
AuthGroupFile c:/httpd/conf/empty.pwd
AuthName Example
AuthType Basic

<Limit GET>
require user fido
</Limit>

Windows Mosaic (2.0a4) remembers the username and password you last entered and uses it in subsequent requests. Since the next example requires a different username and password, it will fail when you first try it. You will see the "Authorization Failed" alert. Answer "Yes" to try again, and then you'll get a chance to enter a new username and password.

Protection by password; multiple users allowed.

This document is accessible to user rover with password bacon and user jumpy with password kibbles.

The #haccess.ctl file used in this case is as follows:

AuthUserFile c:/httpd/conf/authusr.pwd
AuthGroupFile c:/httpd/conf/empty.pwd
AuthName Example
AuthType Basic

<Limit GET>
require user rover
require user jumpy
</Limit>

Protection by network domain.

This document is only accessible to clients running on machines inside domain ncsa.uiuc.edu.

The #haccess.ctl file used in this case is as follows:

AuthUserFile c:/httpd/conf/empty.pwd
AuthGroupFile c:/httpd/conf/empty.pwd
AuthName Example
AuthType Basic

<Limit GET>
order deny,allow
deny from all
allow from .ncsa.uiuc.edu
</Limit>

Protection by network domain -- exclusion.

This document is accessible to clients running on machines anywhere but inside domain ncsa.uiuc.edu.

The #haccess.ctl file used in this case is as follows:

AuthUserFile c:/httpd/conf/empty.pwd
AuthGroupFile c:/httpd/conf/empty.pwd
AuthName Example
AuthType Basic

<Limit GET>
order allow,deny
allow from all
deny from .ncsa.uiuc.edu
</Limit>

By-Password Access Control: Step By Step

So let's suppose you want to restrict files in a directory called turkey to username pumpkin and password pie. Here's what to do:

Create a file called #haccess.ctl in directory turkey that looks like this:
```
AuthUserFile c:/httpd/conf/authusr.pwd
AuthGroupFile c:/httpd/conf/empty.pwd
AuthName ByPassword
AuthType Basic

<Limit GET>
require user pumpkin
</Limit>
```
The user and group password files may be located in any directory. The Windows version of httpd requires a valid filespec for both the user and group password files. The distribution kit contains a file called empty.pwd which can be used as a placeholder when password files aren't needed.
AuthName can be anything you want. AuthType should always currently be Basic.
Create the password file c:/httpd/conf/authusr.pwd.
Use the htpasswd program distributed with NCSA httpd as follows:
```
htpasswd -c c:\httpd\conf\authusr.pwd pumpkin
```
Type the password -- pie -- twice as instructed. Check the resulting file to get a warm feeling of self-satisfaction; it should look like this:
```
pumpkin:y1ia3tjWkhCK2
```

That's all. Now try to access a file in directory turkey. The browser should ask for a username and password, and not give you access to the file if you don't enter pumpkin and pie. If you are using a browser that doesn't handle access control, you will not be able to access the document at all.

How Secure Is It?

The password is passed over the network not encrypted but not as plain text -- it is "uuencoded". Anyone watching packet traffic on the network will not see the password in the clear, but the password will be easily decoded by anyone who happens to catch the right network packet.

So basically this method of access control is roughly as safe as FTP and telnet-style username and password security -- if you trust your machine to be on the Internet, open to attempts to telnet in by anyone who wants to try, then you have no reason not to trust this method also.

Multiple Usernames/Passwords

If you want to give access to a directory to more than one username/password pair, follow the same steps as for a single username/password with the following additions:

Add additional users to the directory's #haccess.ctl file.

Use the htpasswd command without the -c flag to additional users; e.g.:

htpasswd c:\httpd\conf\authusr.pwd peanuts
htpasswd c:\httpd\conf\authusr.pwd almonds
htpasswd c:\httpd\conf\authusr.pwd walnuts

Create a group file.
Call it c:\httpd\conf\authgrp.pwd and have it look something like this:
```
my-users: pumpkin peanuts almonds walnuts
```
where pumpkin, peanuts, almonds, and walnuts are the usernames.
Then modify the #haccess.ctl file in the directory to look like this:
```
AuthUserFile c:/httpd/conf/authusr.pwd
AuthGroupFile c:/httpd/conf/authgrp.pwd
AuthName ByPassword
AuthType Basic

<Limit GET>
require group my-users
</Limit>
```
Note that AuthGroupFile now points to your group file and that group my-users (rather than individual user pumpkin) is now required for access.

That's it. Now any user in group my-users can use his/her individual username and password to gain access to directory turkey.

For More Information

CERN has extensive documentation on HTTP-based access control.

Return to the Overview

Robert B. Denny <rdenny@netcom.com>