Public Web Resources
Password Protection of www.uiowa.edu Web Pages
Important Notice
It is very important to remember that this process only prevents the web
server from serving documents and files that you've protected. It does not
prevent people with shell login access to www.uiowa.edu from going and looking
at the files from a telnet login.
Faculty members. If you are storing copyrighted materials on this
server for a course, please password-protect the appropriate directories.
This document describes how to restrict access to content within your
account by username and password. This is done by using .htaccess controls
and securing web documents on a per folder basis. The web page owner controls
access to others by using the .htaccess control procedures described in
this document.
.htaccess controls require that you create two files and
FTP them to your web server.
- The .htaccess file contains the control commands. You put the
.htaccess file in the folder you want to protect.
- The .htpasswd file contains the usernames (ID's) and the encrypted
passwords for those users you wish to allow access to your protected
web folders. Never put the .htpasswd file in a web-accessible tree
(i.e. don't place it in the /web/ folder or any folders below).
Requirements
- You must have an account on www.uiowa.edu
- Use the .htaccess
Password Generator tool to create encrypted passwords to be used
in the .htpasswd file.
- Create the .htaccess and .htpasswd files using an ordinary text editor
like Windows Notepad or Simple Text for the Mac. Note these files must
not contain extensions (e.g. .txt, .doc, etc.)
- FTP the two files (.htaccess, .htpasswd) to your account on the web
server (www.uiowa.edu).
- The .htaccess file needs to be placed within the folder
that is being protected
- The .htpasswd files need to be in a folder that is
not visible to anyone but you as the owner - we recommend placing
them within your root folder, not within the production folder or
any folders below it.
- Note: Because www.uiowa.edu is a Unix server, it is case sensitive
so it is recommended to use all lower case for all filenames, usernames
and passwords.
- Note: Throughout this document you are instructed to enter
specific information unique to your setup. If the text in this document
is displayed in italic print (or italic bold print), it is referencing
unique variable information. Do not type it exactly as it appears;
instead, substitute your specific information for the variables.
Steps to Protect a Web Folder
Creating the .htaccess file
- Open a blank page in a simple text editor such as MS Windows' Notepad
or the Mac's Simple Text. The .htaccess file must be a text file (not
a formatted document such as MS Word, WordPad, etc.)
- Type in (or copy and paste) the following information, substituting
your specific information for the bold italic variables (i.e. /xxxxxxxx
should be your account name).
AuthType Basic
AuthUserFile /local/www/home/xxxxxxxx/.htpasswd
AuthGroupFile /dev/null
AuthName "Site Login" or Login
require user username
The statements in the above .htaccess file are described below, including
the appropriate syntax (e.g. spacing, etc.)
AuthType Basic
    Defines the level or type of security that is being used. There
    should be a space before the word Basic.
AuthUserFile /local/www/home/xxxxxxxx/.htpasswd
    Indicates where to find the .htpasswd file. We recommend placing it
    in your home/root folder, but if you prefer to place it elsewhere,
    type in your preferred location here. Be sure to use the .htpasswd
    name exactly (with the (.) period leader) in all lower case. There
    should be a space after the word AuthUserFile.
AuthGroupFile /dev/null
    This statement is a variable used for creating group ID's and
    passwords. It is not used for creating the single username and
    password detailed here, so copy the statement exactly as written.
    There should be a space after the word AuthGroupFile.
AuthName "Site Login" or Login
    This statement ("Site Login" or Login) will be the title of the
    password box that will display to prompt your users for their login
    ID and password. If you want to use spaces within the name (e.g.
    "Site Login") you must enclose the name within quotes (i.e.
    "Site Login") or you will receive a server error. If you use a
    single word name (e.g. Login) do not enclose the name in quotes.
    There should be a space after the word AuthName.
require user username
    Username is the name of the ID that is specified in the .htpasswd
    file (see below). There should be a space after the word require
    and after the word user.
- Save this file with the name of .htaccess - when saving the file just
type .htaccess for the filename with no extension.
NOTE: Many text editors will automatically assign an extension,
often .txt. Because of this you may need to rename the file after you
have transferred it to the server.
- FTP the .htaccess file from your computer to the folder (directory)
within your account that you wish to protect.
NOTE: Remember to verify the file name is .htaccess without
an extension. If it has an extension, rename it with your FTP tool,
for example WS_FTP has a Rename button on the Remote Site half of the
window. This button will allow you to rename the selected file.
Creating the .htpasswd File
The password within the .htpasswd file is encrypted. Because of
this there is an extra step that must be done when creating the .htpasswd
file. This extra step is generating the encrypted password.
Encrypting a password is done easily by using the .htpasswd Password Generator
utility. The steps below walk you through the process of creating the
.htpasswd file by using the password generator tool.
- Open a blank page in a simple text editor such as MS Windows' Notepad
or the Mac's Simple Text. The .htpasswd file must be a text file (not
a formatted document such as MS Word, WordPad, etc.)
- Using your web browser, go to this URL and follow the instructions on
the screen -- http://cs.its.uiowa.edu/wts/htpasswd.shtml
- If you followed the instructions on the above URL (Password Generator
page), you should have copied the username:password that was generated
to the .htpasswd file (which at the time was just a blank page in your
text editor).
- Save the text file you just created. Be sure to name it .htpasswd.
Don't worry about the gibberish-looking text; that's okay, it's the
encryption that was done with the password generator tool.
NOTE: When saving the file just type .htpasswd for the filename
with no extension. Many text editors will automatically assign an extension,
often .txt. Because of this you may need to rename the file after you
have transferred it to the server.
- FTP the .htpasswd file from your computer to your account. Be sure
to put this file in a folder that is not accessible to others -- it is
recommended to place the .htpasswd file in your home folder or root
directory. If you prefer, you can place the file (.htpasswd) in a
folder other than your home folder; however, if you do this, be sure
that path is referenced correctly in the AuthUserFile statement of the
.htaccess file.
NOTE: Remember to verify the file name is .htpasswd
without an extension. If it has an extension, rename it with your
FTP tool, for example, WS_FTP has a Rename button on the Remote Site
half of the window. This button will allow you to rename the selected
file.
Testing your Security
Now that you have created your ID and password and secured your
folder(s), you should test the setup to be sure it works before you
start distributing the ID to others. This is done by simply using your
browser, going to your URL, and using your new IDs and passwords to see
if you get proper access.
- Launch your browser. It may be beneficial to test both Netscape and
Internet Explorer (IE).
- Type in the following address for your URL: www.uiowa.edu/~account
- If the .htaccess file is placed in your web folder and is correctly
configured, you should be presented with a login dialog box similar to
figure 3.
Figure 3: The login dialog box that is presented to your users when
they try to access your web folder(s).
- Enter the username (ID) you specified in your .htaccess file into the
Username: field.
- Enter the corresponding password you created with the password
generator tool into the Password: field.
- Click the OK button.
- If the login box did not display, be sure all instances of browser(s)
are closed.
- If the login box did not display and/or you received a server error,
check your .htaccess and .htpasswd files to be sure the correct
information and syntax were used.
Most often, errors occur because of improper syntax, such as spacing,
typos, or the use of illegal characters. However, if after checking
your files against this document and using basic alphanumeric characters
you are still encountering problems, please call the ITS HelpDesk
at 384-Help (4357).
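An added example (not part of the original page and not an ITS tool): a small Python check for the mistakes this document warns about, namely a file saved with an extension, an AuthName with spaces but no quotes, an AuthUserFile path inside the web-accessible tree, and a require user name that is missing from .htpasswd. The function names, the sample file contents and the /web/ path in the bad sample are constructed for illustration.

```python
# Added example: lints .htaccess/.htpasswd text against the rules on this page.
WEB_TREE = "/web/"   # per the page: .htpasswd must not live in /web/ or below

def parse_htaccess(text):
    """Map each directive name (lower-cased) to its raw argument string."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            directives[name.lower()] = args.strip()
    return directives

def htpasswd_users(text):
    """User names taken from 'username:hash' lines."""
    return {l.split(":", 1)[0] for l in text.splitlines() if ":" in l}

def lint(htaccess_text, htpasswd_text, filename=".htaccess"):
    problems = []
    if filename != ".htaccess":
        problems.append(f"rename {filename!r} to '.htaccess' (no extension)")
    d = parse_htaccess(htaccess_text)
    for name in ("authtype", "authuserfile", "authname", "require"):
        if not d.get(name):
            problems.append(f"missing directive or argument: {name}")
    realm = d.get("authname", "")
    quoted = len(realm) >= 2 and realm[0] == realm[-1] == '"'
    if " " in realm and not quoted:
        problems.append("AuthName contains spaces but is not in quotes")
    path = d.get("authuserfile", "")
    if path and not path.endswith("/.htpasswd"):
        problems.append("AuthUserFile should point at a file named .htpasswd")
    if WEB_TREE in path:
        problems.append("AuthUserFile is inside the web-accessible tree")
    kind, _, names = d.get("require", "").partition(" ")
    if kind.lower() == "user":
        for user in names.split():
            if user not in htpasswd_users(htpasswd_text):
                problems.append(f"user {user!r} not found in .htpasswd")
    return problems

# Constructed sample files (the hash is a placeholder, not a real one).
GOOD = ('AuthType Basic\nAuthUserFile /local/www/home/xxxxxxxx/.htpasswd\n'
        'AuthGroupFile /dev/null\nAuthName "Site Login"\nrequire user student1\n')
BAD = ('AuthType Basic\nAuthUserFile /local/www/home/xxxxxxxx/web/.htpasswd\n'
       'AuthName Site Login\nrequire user student2\n')
PASSWD = "student1:PLACEHOLDER_HASH\n"

if __name__ == "__main__":
    print(lint(GOOD, PASSWD))
    for p in lint(BAD, PASSWD, filename=".htaccess.txt"):
        print("-", p)
```

Run it on copies of your own two files before uploading; an empty list means none of the mistakes above were found.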