A Central Authentication Service (CAS) is available in the Personal Homepage server. On these pages, you can learn how to enable access control, and control access through CAS. Domain and Basic Password and Group Protection access control methods are also provided. More information is available on the CAS Home Page.
Enabling Access Control
To restrict access from web browsers, you should set up the following file(s), depending on the type of access control you would like to use:
- .htaccess (required)
This type of file affects the directory it is in and all sub-directories. To protect all your web pages, put a .htaccess in your “public_html” directory. Sub-directories of a directory with a .htaccess file will be under its control unless they have their own .htaccess file.
.htpasswd (optional)
This is necessary if you are using the “Basic” authentication method. Each line of this file contains a username and an encrypted password.
.htgroup (optional)
This file allows you to assign sets of users to named groups.
Controlling Access By CAS
You can restrict access to people with an ITSC Network Account via CAS. There are two phases in granting access. The first phase is authentication where CAS verifies that the user’s credentials are valid. The second phase is authorization where a ldap module (“mod_authnz_ldap”) determines if the authenticated user is allowed access to the resource in question.
The .htaccess
file below allows access to your web pages only to people with a valid ITSC Network Account and password. This .htaccess
file does not require a .htpasswd
file:
AuthType CAS require valid-user
You can restrict your pages to specific people with an ITSC Network Account by adding these accounts after "require user"
.
AuthType CAS require user john peter ben
There are other flexible ways to specify groups of authorized people through "require ldap-filter"
directives.
AuthType CAS require ldap-filter &(departmentnumber=CSE)(ustaffiliations=STUDENT-PG)
The above .htaccess file restricts access to postgraduate students in the Department of Computer Science and Engineering only. The user attributes’ list for constructing a "ldap-filter"
is available here.
Domain
You can allow or deny access according to the name of the machine doing the browsing. This can be done at either the domain or host name level. For example, it could set up as world, HKUST machines only, or only your machine.
Setting up access control by domain
The .htaccess
file shown below allows access from machine within HKUST domain only.
order deny,allow deny from all allow from .ust.hk
Understanding the Syntax
Access directives
The following three access directives are used for domain protection. You will always need order
first, followed by the other two:
-
-
order
order
Specify
allow,deny
for “everyone but those” anddeny,allow
for “only these”. Spaces are not allowed next to the comma. -
-
-
deny from
host host …
Specify either
all
, a domain name, or a host name. -
-
-
allow from
host host …
Specify either
all
, a domain name, or a host name. -
Basic Password and Group Protection
For greater control, you can restrict access to a set of users, each of whom must enter a valid username and password to look at your pages. You create the username and password, and inform your users to grant them access. This username and password pair is completely separate from those used to access ITSC general services or other services.
Setting up access control by user-defined username and password file
The .htaccess
file shown below limits access to the web page to users in the given password file.
AuthUserFile /home/<"username">/public_html/.htpasswd AuthName ByPassword AuthType Basic require user usera userb userc ...
Assuming your account is cc_test and you would like to limit the access to john, peter and ben, your .htaccess
file will looks like:
AuthUserFile /home/cc_test/public_html/.htpasswd AuthName ByPassword AuthType Basic require user john peter ben
The .htpasswd
contains list of users and UNIX encrypted passwords pair in following format:
usera:QDFpR/cbBgJ8Q userb:HQxv/8uQHe.Qk userc:BASZJcujRHRyk ...
We provide a simple web interface here to generate the encrypted passwd with a cleartext one. If you are using UNIX timesharing system, an .htpasswd
file can be created through the htpasswd program. For example:
htpasswd -c .htpasswd usera |
The program will then ask for usera
‘s password and add it to the newly created password file. When you want to add userb
, leave out the “-c” switch:
htpasswd .htpasswd userb |
Group file .htgroup
is a text file with lines that consists of a group name followed by a list of users. For example:
friends: usera userb webmaster: usera userb userc
You can add the directive AuthGroupFile
in .htaccess
as below, to limit access to specific group of users:
AuthUserFile /home/<"username">/public_html/.htpasswd AuthGroupFile /home/<"username">/public_html/.htgroup AuthName ByPassword AuthType Basic require group friends
Understanding the Syntax
Configuration directives
-
-
AuthType
type
Must be
Basic
-
-
-
AuthName
name
The symbolic name of this access file. It apppears when a user is prompted for a password. Specify whatever you think is appropriate.
-
-
-
AuthUserFile
file
Specifies the absolute path of the user’s password file.
-
-
-
AuthGroupFile
file
Specifies the absolute path of the user’s group access file.
-
Access Directives
-
require valid-user
Allow all users in the
AuthUserFile
file access upon providing a valid password.
-
-
require user
user1 user2 …
Specify which users (separated by spaces) in the
AuthUserFile
file are allowed access upon providing a valid password. -
-
require group
group1 group2 …
Specify which groups of users in the AuthGroupFile
file are allowed access upon providing a valid password.