
Controlling Access to Web Pages

The Web, by default, is pretty much wide open. If you put a page on the Web then anyone who can get the URL (Web address) can usually see it. Since this isn't always what you want, Web servers have methods for controlling access to Web content - but you have to know how these protections work.

The Apache Web server - which is in use here in EE as well as on 60%+ of the Websites around the world - has a very simple mechanism to control access. When a request comes in to view a particular Web page, Apache first looks to see if there is a file named .htaccess in that same directory or one of its parent directories. If there isn't, Apache immediately lets the visitor view the requested page. If the .htaccess file exists, Apache processes its contents first to make sure access to the requested page should be allowed.

The .htaccess file

.htaccess files are simple text files, so they can be created or edited with any text editor (e.g. Notepad, Simpletext, Pico). In its simplest form, a .htaccess file might look like this:

     AuthType Basic
     AuthName "Your Account"
     AuthUserFile /home/httpd/files/.htpasswd
     require user joe jane

If someone tried to view a Web page that was in a directory with this .htaccess file, a box would pop up asking them to log in with "Your Account". The information that person typed would be compared to the .htpasswd file listed - if they weren't "joe" or "jane", or if they didn't enter their password correctly, they would not be allowed to view any page in that directory.

Note that this method - called "Basic" authentication - requires that you also create a password file (.htpasswd). You can do this from the command line on the Web server, using the htpasswd command:

     htpasswd -c .htpasswd accountname  (if your password file doesn't exist)
     htpasswd .htpasswd accountname     (add/edit an entry to an existing password file)

In both cases you'll then be prompted to type in the new password. While typing it, your keystrokes will not be echoed to the screen.

It is important to note that the "-c" flag should ONLY be used when creating a new password file. If you use it with an existing file, that file will be deleted and replaced with a new file that only contains the one entry you've just typed in.

"Require Valid-User" vs. "Require User"

If your .htaccess file has the line "require valid-user" in it, then anyone with a valid account that's listed in the specified .htpasswd file will be able to access the directory. Users not listed in the file will not be granted access.

"require user list_of_usernames" is more strict. For access to be granted, a user has to have a valid account and has to be listed in the list of usernames. So if you only want users jane, bob, and tim to have access you'd use the line "require user jane bob tim" in your .htaccess file.
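
The difference between the two forms, as an added example that is not part of the original FAQ: a short Python check that reads an .htaccess file and its .htpasswd file and reports which accounts are actually admitted. The function names, sample accounts and placeholder hashes are constructed for illustration; "require group" is reported as unhandled because group membership is not stored in either file.

```python
import shlex

def parse_htpasswd(text):
    """Return the set of account names in an htpasswd file (name:hash per line)."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            users.add(line.split(":", 1)[0])
    return users

def effective_access(htaccess_text, htpasswd_text):
    """Return (allowed_users, warnings) for Basic auth backed by a password file."""
    accounts = parse_htpasswd(htpasswd_text)
    allowed, warnings, saw_require = set(), [], False
    for raw in htaccess_text.splitlines():
        tokens = shlex.split(raw, comments=True)   # copes with quoted AuthName
        if len(tokens) < 2 or tokens[0].lower() != "require":
            continue
        saw_require = True
        kind, names = tokens[1].lower(), tokens[2:]
        if kind == "valid-user":
            allowed |= accounts                    # every account in the file
            warnings.append("valid-user admits all %d accounts" % len(accounts))
        elif kind == "user":
            for name in names:
                if name in accounts:
                    allowed.add(name)
                else:                              # listed, but can never log in
                    warnings.append("no password entry for '%s'" % name)
        else:
            warnings.append("unhandled require type: " + kind)
    if not saw_require:
        warnings.append("no require line: this file does not restrict access")
    return allowed, warnings

# Constructed sample data; the hashes are placeholders, not real htpasswd output.
SAMPLE_HTPASSWD = "joe:HASH-1\njane:HASH-2\nbob:HASH-3\n"
SAMPLE_STRICT = '''AuthType Basic
AuthName "Your Account"
AuthUserFile /home/httpd/files/.htpasswd
require user joe jane tim
'''
SAMPLE_OPEN = SAMPLE_STRICT.replace("require user joe jane tim", "require valid-user")

if __name__ == "__main__":
    for label, cfg in (("strict", SAMPLE_STRICT), ("open", SAMPLE_OPEN)):
        print(label, effective_access(cfg, SAMPLE_HTPASSWD))
```

With the sample data, the "require user" form admits only joe and jane and flags tim as having no password entry, while "require valid-user" also admits bob, who was never named in the .htaccess file.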

Using EE accounts for control

Often it's easiest to let people use their EE accounts when they log in to view a protected Web page. We've tried to make this easy by allowing you to directly access the EE account database. In this case your .htaccess file needs to look like this:

     AuthType Basic
     AuthName "EE Account Login"
     require valid-user

Another advantage to using EE accounts is you won't need to do any creating or editing of password files - the .htaccess file is all you'll need. Note that "require valid-user" in this case will allow anyone with an EE account to access your files - use "require user username1 username2 ..." for tighter control.

If you wish to limit access to particular groups of individuals within EE, you can easily do that as long as the group of people corresponds to a Unix group. Some common groups are faculty, staff, graduate, and undergrad. If, for example, you wished to only allow faculty and staff to see a particular directory, you could do this with the following .htaccess code:

     AuthType Basic
     AuthName "EE Account Login"
     require group faculty staff

Using UW accounts for control

It is not possible to use UW accounts to limit access on the EE Webserver. If you need to grant access to someone who doesn't have an EE account, you'll need to create your own .htpasswd file and refer to that. If this is for a class, remember that non-EE students are allowed to have EE accounts as long as they are taking at least one EE course - this means you can still use EE accounts for access control, even if some or all of your students are from other departments.
