How To Configure Apache Web Login Authentication and Authorization
by Applied Informatics
Authentication is any process by which you verify whether someone is who they claim to be. Apache authentication can be configured to require web site visitors to log in with a user id and password. This is different from adding a login form to a web page and writing your own authentication code: here the web server itself performs the check before any page is served.
Login protection is applied to the web pages stored in a directory. The login dialog box which requests the user id and password is displayed by the web browser at Apache's request. Apache allows the configuration to be entered in its configuration files (the main configuration file /etc/httpd/conf/httpd.conf, a supplementary configuration file such as /etc/httpd/conf.d/component.conf, or a .htaccess file which resides within the directory to be password protected).
Authentication: Prove it is you. Authenticate the login by requiring a password only the user would know.
Authorization: Only certain users or members of a privileged group are allowed.
Directory protection using .htaccess and .htpasswd
Edit the server configuration file (httpd.conf) to allow a directory structure on the server to be password protected. In practice this means changing the default AllowOverride statement for that directory, which otherwise ignores per-directory files.
Create and add two files: .htaccess, which holds the authentication directives, and .htpasswd, which holds the user names and their password hashes.
When trying to access a file in a protected directory, the user will be presented with a window (dialog box) requesting a username and password. This protection applies to all sub-directories. Other .htaccess files in sub-directories may add further access rules.
On Apache 2.2 and later the directives used below come from mod_auth_basic (AuthType Basic, AuthBasicProvider), mod_authn_file (AuthUserFile), mod_authz_user (Require user) and mod_authz_groupfile (AuthGroupFile, Require group). On Apache 1.3 and 2.0 the same functions were provided by mod_auth, with host-based access rules in mod_access.
Apache configuration file:
You will need to have a server configuration that permits putting authentication directives in per-directory (.htaccess) files. This is done with the AllowOverride directive, which specifies which directives, if any, may be put in per-directory configuration files.
Since we’re talking here about authentication, you will need an AllowOverride directive like the following:
AllowOverride AuthConfig
How does it work?
Apache configuration file: locate (or add) the <Directory> block for the directory to protect and set either
AllowOverride All
OR
AllowOverride AuthConfig
AllowOverride AuthConfig is the safer choice: it permits only the authentication and authorization directives in .htaccess files, whereas All also lets those files override options, handlers and every other directive class, which is more than login protection needs.
Next, you need to create a password file. This file should be placed somewhere not accessible from the web, so that it cannot be downloaded. For example, if your documents are served out of /usr/local/apache/htdocs, you might want to put the password file(s) in /usr/local/apache/passwd. The default httpd.conf also refuses to serve files whose names begin with .ht, but keeping the file out of the document tree altogether does not depend on that rule staying in place.
To create the file, use the htpasswd utility that comes with Apache. This will be located in the bin directory of wherever you installed Apache. If you have installed Apache from a third-party package, it may be in your execution path.
To create the file, you have to type:
htpasswd -c /usr/local/apache/passwd/passwords Admin
This will ask you for the password, and then ask you to type it again to confirm it:
# htpasswd -c /usr/local/apache/passwd/passwords Admin
New password:
Re-type new password:
Adding password for user Admin
The password is not echoed as you type it. By default htpasswd stores a salted, iterated MD5 hash ($apr1$); on Apache 2.4 add the -B option to store a bcrypt hash instead, which is the stronger choice for a file that may one day be stolen.
Next, you'll need to configure the server to request a password and tell the server which users are allowed access. You can do this either by editing the httpd.conf file or by using an .htaccess file. For example, if you wish to protect the directory /usr/local/apache/htdocs/secret, you can use the following directives, either placed in the file /usr/local/apache/htdocs/secret/.htaccess, or placed in httpd.conf inside a <Directory "/usr/local/apache/htdocs/secret"> section.
AuthType Basic
AuthName "Restricted Files"
AuthUserFile "/usr/local/apache/passwd/passwords"
Require user Admin
The AuthType directive selects the method that is used to authenticate the user. With Basic, the browser sends the user id and password base64-encoded (not encrypted) with every request to the protected area, so the directory should only be served over HTTPS. The AuthName directive sets the realm to be used in the authentication. The realm serves two major functions: first, the client often presents this information to the user as part of the password dialog box; second, it is used by the client to determine which stored credentials to send for a given authenticated area. The AuthUserFile directive sets the path to the password file that we just created with htpasswd.
Finally, the Require directive provides the authorization part of the process by naming the user who is allowed to access this region of the server.
Adding More Than One User
If you want to allow more than one person access, you'll need to create a group file that associates group names with a list of users in that group. The format of this file is simple, and you can create it with your favorite editor. The contents of the file will look like this:
GroupName: Admin user2 user3 user4
This is a list of members of the group in a long line separated by spaces.
To add a user to your already existing password file, type:
htpasswd /usr/local/apache/passwd/passwords user2
You'll get the same prompts as before, but the new entry will be appended to the existing file rather than creating a new file. It is the -c option that makes htpasswd create a new password file; running it with -c against an existing file silently overwrites that file and drops every user already in it, so leave -c off when adding users.
Now, you need to modify your .htaccess file or block to look like the following:
AuthType Basic
AuthName "By Invitation Only"
# Optional line:
AuthBasicProvider file
AuthUserFile "/usr/local/apache/passwd/passwords"
AuthGroupFile "/usr/local/apache/passwd/groups"
Require group GroupName
We are done! Anyone who is listed in the group GroupName, and has an entry in the password file, will be allowed access to the protected directory if they type the correct password. A user who appears in only one of the two files is refused.
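Because access depends on the group file and the password file agreeing, it is worth checking the two before relying on Require group. The script below is an added example and is not part of the article or of Apache: it builds a constructed password file and group file in the formats shown above, then reports group members with no password entry, users whose stored hash was written with a weak htpasswd option, and whether the password file sits under the DocumentRoot. The hash strings are placeholders shaped like real htpasswd output ($2y$ from -B, $apr1$ from the default, {SHA} from -s, a 13-character crypt value from -d, plaintext from -p) and do not correspond to any real password. It needs only sh, awk, sed, tr and mktemp.

```sh
#!/bin/sh
# Added example (not from the article): audit an htpasswd file and group
# file before enabling "Require group". All data below is constructed.
set -eu

WORK=$(mktemp -d)
PASSWD_FILE="$WORK/passwords"
GROUP_FILE="$WORK/groups"
DOCROOT="/usr/local/apache/htdocs"        # the article's document root

# Constructed password file, one "user:hash" per line. Placeholder hashes
# in the shapes htpasswd writes: -B (bcrypt, $2y$), default/-m (MD5,
# $apr1$), -s ({SHA}), -p (plaintext) and -d (crypt, 13 characters).
cat > "$PASSWD_FILE" <<'EOF'
Admin:$2y$05$Q9zx1c3fT7bV2nL8mK4sJeW0pR6uY1aD5hG3oI7kE9tC2vB8nM4xS
user2:$apr1$Zx7hH9Qf$k3mT1vQyWb8sLr0pDn4eJ1
user3:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
user4:plaintext-password
user6:abJnggxhB/yWI
EOF

# Constructed group file in the "GroupName: member member ..." format.
# user5 is deliberately missing from the password file above.
cat > "$GROUP_FILE" <<'EOF'
GroupName: Admin user2 user3 user4 user5
EOF

# Print the members of one group, one per line.
group_members() {   # $1 = group file, $2 = group name
    awk -F: -v g="$2" '$1 == g { print $2 }' "$1" | tr -s ' ' '\n' | sed '/^$/d'
}

# Exit 0 if the password file has a line for this user, 1 otherwise.
has_user() {        # $1 = passwd file, $2 = user
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Group members with no password entry. Require group admits only users
# present in both files, so these members will be refused.
missing_users() {   # $1 = passwd file, $2 = group file, $3 = group name
    group_members "$2" "$3" | while IFS= read -r u; do
        has_user "$1" "$u" || printf '%s\n' "$u"
    done
}

# Classify the stored hash for a user. bcrypt is what -B writes; $apr1$ is
# salted, iterated MD5 (the default); {SHA} is unsalted SHA-1; crypt(3)
# uses only the first eight password characters; plaintext is as typed.
hash_kind() {       # $1 = passwd file, $2 = user
    h=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    case "$h" in
        '')        echo missing ;;
        '$2y$'*)   echo bcrypt ;;
        '$apr1$'*) echo md5 ;;
        '{SHA}'*)  echo sha1 ;;
        *)         if [ "${#h}" -eq 13 ]; then echo crypt; else echo plain; fi ;;
    esac
}

# Users whose entries should be regenerated with "htpasswd -B".
weak_users() {      # $1 = passwd file
    awk -F: 'NF >= 2 && $1 !~ /^#/ { print $1 }' "$1" | while IFS= read -r u; do
        case "$(hash_kind "$1" "$u")" in
            sha1|crypt|plain) printf '%s\n' "$u" ;;
        esac
    done
}

# The article keeps the password file outside the document tree so it can
# never be served; prints yes if the given path sits under the DocumentRoot.
under_docroot() {   # $1 = path, $2 = DocumentRoot
    case "$1" in
        "$2"/*) echo yes ;;
        *)      echo no ;;
    esac
}

echo "group members without a password entry:"
missing_users "$PASSWD_FILE" "$GROUP_FILE" GroupName
echo "users whose hash should be regenerated with htpasswd -B:"
weak_users "$PASSWD_FILE"
echo "password file under DocumentRoot: $(under_docroot "$PASSWD_FILE" "$DOCROOT")"
```

Point PASSWD_FILE, GROUP_FILE and DOCROOT at a real server's paths to run the same checks there; the functions only read the files, so the script is safe to run against a live configuration.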