User Authentication Manager:
Password Protecting Web Folders
You can control access to a particular directory on your web server using
a concept commonly termed "user authentication". "Basic" user authentication
allows you to restrict access to users who can provide a valid username/password
pair. The User Authentication Manager provides you with a web-based interface
to set up password-protected directories and provides your clients with
a web-based interface so that they can change their passwords.
Before you install and use the User Authentication Manager on your Virtual
Server, you should make yourself familiar with the definitions and directives
that are associated with user authentication. An excellent online resource
is available at the NCSA
User Authentication Tutorial.
To install the User Authentication Manager on your Virtual Server you need
to Telnet or SSH
to your Virtual Server and do the following:
To prevent anyone from accessing your User Authentication Manager, while still
allowing yourself access with administrative privileges, you need to add
a directive to your web server's configuration file. Specifically, you need
to append the following lines to your web server config file (~/www/conf/httpd.conf).
AuthName "User Authentication Manager"
<Limit GET POST>
require user admin
</Limit>
This directive limits access to the User Authentication Manager
(which is installed in your ~/www/cgi-bin/library/htaccess
directory), allowing only those clients that authenticate using the user
name "admin". The encrypted password for the user "admin" is stored in the
file (this password file was installed as part of the archive you untarred
during installation). The admin password is initially set to "5e5ame". You
are strongly encouraged to change this password, which can be done by connecting
to your Virtual Server via Telnet
or SSH and performing the following steps:
% cd (change to your home directory)
% htpasswd ~/www/httpd/htpasswd/admin.passwd admin
You will then be prompted for a new password and asked to retype your new
After you make changes to the access.conf
file, you will need to restart your Apache server so that the changes
are recognized. You can do this by connecting to your Virtual Server
and executing the command restart_apache.
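The check below is an added example, not part of the original page or of the User Authentication Manager: a small Python audit of the directive described above, to run against your config before restarting Apache. It reports any of AuthType, AuthName, AuthUserFile or require missing from the manager's <Directory> block, and notes when require sits inside <Limit>, since Apache then applies it only to the listed methods. The sample config, its absolute paths and the function name audit_directory are assumptions.

```python
import re

# Constructed sample modelled on the page's fragment. The absolute paths and
# the AuthType/AuthUserFile lines are assumptions, not taken from the page.
SAMPLE_CONF = """\
<Directory /usr/home/yourloginname/www/cgi-bin/library/htaccess>
AuthType Basic
AuthName "User Authentication Manager"
AuthUserFile /usr/home/yourloginname/www/httpd/htpasswd/admin.passwd
<Limit GET POST>
require user admin
</Limit>
</Directory>
"""

REQUIRED = ("authtype", "authname", "authuserfile", "require")

def audit_directory(conf_text, dir_suffix):
    """List problems in the <Directory> block whose path ends with dir_suffix."""
    findings, seen, in_block, found_block = [], set(), False, False
    limit_methods = None  # methods of the enclosing <Limit>, if any
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            in_block = opened.group(1).rstrip("/").endswith(dir_suffix.rstrip("/"))
            found_block = found_block or in_block
        elif re.match(r"</Directory>", line, re.I):
            in_block = False
        elif not in_block:
            continue
        elif re.match(r"<Limit\s", line, re.I):
            limit_methods = line.strip("<>").split()[1:]
        elif re.match(r"</Limit>", line, re.I):
            limit_methods = None
        else:
            name = line.split(None, 1)[0].lower()
            seen.add(name)
            if name == "require" and limit_methods is not None:
                findings.append("require is limited to " + " ".join(limit_methods)
                                + "; other HTTP methods are not restricted")
    if not found_block:
        return ["no <Directory> block for " + dir_suffix]
    return findings + ["missing " + d for d in REQUIRED if d not in seen]

if __name__ == "__main__":
    print(audit_directory(SAMPLE_CONF, "/www/cgi-bin/library/htaccess"))
```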
If you want to allow users to change passwords remotely (described below)
you will also need to be sure that the option ExecCGI
is added to the htdocs Directory
definition. The htdocs Directory
definition is found in your ~/www/conf
directory under the name access.conf
(or httpd.conf, the same
file you modified above). In this file, locate the htdocs Directory
definition. It should look something like:
Modify the Options to include
ExecCGI (as shown below).
# This may also be "None", "All", or any combination
# "Includes", or "FollowSymLinks"
Options Indexes FollowSymLinks Includes
Options Indexes FollowSymLinks Includes ExecCGI
NOTE: After you
make changes to the access.conf file, you will need to restart
your Apache server so that the changes are recognized. You can do
this by connecting to your Virtual Server and executing the command
Accessing the User
You can access the User Authentication Manager on your Virtual Server by
typing the following URL into the web browser of your choice:
You will be prompted for a user name and password before you can use the
User Authentication Manager. Use "admin" as the user name and the password
you selected during the configuration step above. After you have authenticated,
you will be prompted for either 1) a directory that is currently password
protected, or 2) a directory which you would like to password protect. Enter
the directory with respect to your home directory. For example, use "/www/htdocs/some/directory/"
instead of "/usr/home/yourloginname/www/htdocs/some/directory/".
The User Authentication Manager assumes that you have some basic knowledge
about .htaccess files. Should you find that you need more information
about specific features of the User Authentication Manager, you should refer
to the following URLs:
- If the directory previously was configured for authentication, the
User Authentication Manager will display the contents of the .htaccess
file in this directory in a web-based form. You can then add new users
or groups, remove current users or groups, change the password of current
users, or change the composition of current groups. You will also see
that the <Limit> definition(s)
are displayed in a web-based form.
- If the directory you selected was not previously password protected,
the User Authentication Manager will create a default .htaccess
file in that directory and then display it in a web-based form. You
can then add new users and new groups as you desire.
Allowing Users to
Change Passwords Remotely
Before a user can be provided with the capability of changing his or her
password using the User Authentication Manager, you must first use the User Authentication
Manager to view or create a password protected directory. This is outlined
in the "Accessing your User Authentication Manager" step above.
When you use the User Authentication Manager to view or create the .htaccess
in a directory, a few changes are made to the file and directory contents.
One such change includes making a "shortcut" to the User Authentication
Manager in that directory. This "shortcut" is not too different from one
you would find on a Windows 95 or Macintosh desktop and does not impact
your disk usage in any significant way.
After you have accessed the directory using the User Authentication Manager,
you can now allow any user to change his or her password via a web-based
form. The user need simply access the User Authentication Manager "shortcut"
that is copied into the directory. For example, you might add something
like this to the web content in the protected directory:
When your users access the User Authentication Manager in the directory,
the Manager will display a form which allows the user to change their password.
More Information on Alternative Methods
If the User Authentication Manager does not work for you, you may try the
Authentication, Authorization, and Access Control, which has
simple command line instructions for creating password protected directories.