Presentation on theme: "Protecting Documents on the Web Friday Tech Briefing Timely Info for Power Users and Stanford's Technology Support Community Mark Branom ITSS Technology."— Presentation transcript:
Protecting Documents on the Web Friday Tech Briefing Timely Info for Power Users and Stanford's Technology Support Community Mark Branom ITSS Technology Training Services
Topics Restricting Access Restricting Access By Domain –Domain Examples –Demo: Restricting Access by Domain Restricting Access Using SUNet IDs (Stanford University’s WebAuth) –WebAuth Examples –Demo: Restricting Access Using WebAuth Restricting Access Using The Basic http Password Protection Protocol –Step A: Create A.htpasswd Database File –Step B: Create A.htaccess File –Key Points About The.htaccess File –Demo: Restricting Access Using Passwords Resources
Restricting Access Directories/folders are protected, not specific files. Place files you wish to be restricted into the protected directories. A text file,.htaccess, is placed into the protected directory. This instructs the server to restrict the files located in that directory.
Restricting Access By Domain You can prevent access to your web site based on the domain of the machine which is doing the browsing. For example, you can prevent non-Stanford computers from accessing your web site. Or you want to only allow certain computers to access your web site. Remember, however, that restricting access by domain will not prevent non- Stanford PEOPLE from accessing your directory, it will only prevent non-Stanford MACHINES from accessing the directory. Legitimate Stanford users could be prevented from accessing the directory (for example, if they are on vacation and are using an internet café or are at home and are using a non-Stanford ISP). –order allow,deny (“everyone but these computers are to be allowed”) –order deny,allow (“only these computers are to be allowed”) –deny from all (“nobody has access”) –deny from domain (“everyone has access except for computers from domain”) –deny from hostname (“everyone has access except for this specific computer”) –allow from all (“everyone has access”) –allow from domain (“allow access to computers from domain”) –allow from hostname (“allow access to this specific computer”)
Domain Examples Prevent non-Stanford computers from accessing a directory: order deny,allow deny from all allow from stanford.edu Only allow the computer with the IP address 126.96.36.199 access to the directory: order deny,allow deny from all allow from 188.8.131.52 Allow all computers except those from Berkeley to access the directory: order allow,deny allow from all deny from berkeley.edu
Restricting Access Using SUNet IDs (Stanford University’s WebAuth) You can limit access to directories based on Stanford SUNet IDs. To do this, place a.htaccess text file in the directory you wish to restrict access with the following: To allow access to anyone with a SUNet ID: AuthType StanfordAuth require valid-user To allow access only to certain SUNet Ids (in this case, jdoe and jsmith): AuthType StanfordAuth require user jdoe jsmith To allow access only to groups defined in the Workgroup Manager: AuthType StanfordAuth require group groupname To allow access only to certain Stanford affiliations (faculty, staff, student, stanford, academic, administrative) AuthType StanfordAuth require group stanford:affiliation
WebAuth Examples AuthType StanfordAuth require valid-user AuthType StanfordAuth require user jdoe AuthType StanfordAuth require group stanford:faculty AuthType StanfordAuth require group ~markb:friends For information about creating groups, visit the Workgroup Manager at http://workgroup.stanford.edu.
Demo: Restricting Access Using WebAuth.htaccess:
Restricting Access Using The Basic http Password Protection Protocol Step A: Create a.htpasswd database for the usernames and passwords Step B: Create the.htaccess file
Step A: Create A.htpasswd Database File 1)Telnet to your account 2)Change the directory to the directory you wish to protect 3)Issue "htpasswd -c.htpasswd user1" Enter the password Enter the password a second time 4)If you wish to add more users/passwords, issue "htpasswd.htpasswd user2"
Step B: Create A.htaccess File Using a text editor, create a file called ".htaccess" AuthUserFile /path/to/restricted/folder/.htpasswd AuthName “Realm Name” AuthType Basic require valid-user
Key Points About The.htaccess File The argument to AuthUserFile must be the full path of the database used to authenticate remote users. If you don't know the full path, you can use the unix pwd command to find out. The argument to AuthName must be just one word -- if you want more than one word, you must enclose them in quotes: AuthName MyRestrictedPages orAuthName “My Restricted Page” but notAuthName My Restricted Page Case counts - Limit must be Limit; GET must be in all uppercase; AuthName is all one word. Make sure you leave a blank line at the end.
Demo: Restricting Access Using Passwords.htpasswd:.htaccess:
Resources User Access Restriction Overview: http://www.stanford.edu/leland/user-auth.html Leland User Access Restriction tutorial: http://www.stanford.edu/leland/userauth-tutorial.html Stanford University Web Authentication: http://www.stanford.edu/services/webauth/ Workgroup Manager: http://workgroup.stanford.edu