Several methods of authentication are available for protecting web pages:
1) It is now possible to require authentication using a File Services username and password before a person can access a web page.
2) Authentication by name and password.
3) Authentication by source IP address.
The second and third methods are available on the File Services web server and are similar, although not identical, to the corresponding functions provided on the coral (Apache) web server.
It is possible to include both authentication by name and authentication by source IP in the same web page.
Please note: These methods of authentication provide a minimal level of protection for web pages. However, you should not consider it 'security.' Given the very nature of a web server, you should expect that a determined hacker can find a way to view these web pages. Consider authentication as a valuable tool to keep curious eyes from specific web pages. Or you can use it to provide a reasonable level of protection for copyrighted material. However, if you have something that absolutely needs to be secure, it shouldn't be placed on a public web server.
Scripters, please note: These methods of authentication use "scripts." They can be included in any ASP file that also uses scripts, with the following exception. They work fine when VBScript or JScript is the default language. They do not currently work when the including ASP uses PerlScript as the default language.
Authentication By File Services Username and Password
Authentication By Name and Password
Authentication By Source IP Address
A web page can now require authentication. This will require a person to enter their file services username and password before accessing the page. After authentication, the person's username is available, to be used in subsequent processing. Access may also be restricted to a list of specific usernames.
To use the authentication mechanism, you must do the following.
1. The web page that uses authentication must be an Active Server Page -- that is, the name of the page must end with a .asp extension.
2. Choose a directory for all ASP scripts that require authentication. The suggested name is "scripts" although this isn't required.
3. The page using authentication must begin with the following.
<%@ LANGUAGE = VBScript %>
<% Option Explicit %>
<!-- #include virtual="/common/authname.inc" -->
-- continue with the rest of your page --
This must be at the beginning of the page, before anything else.
4. Within your scripts directory (whatever you have called it), create a directory named "authname" (without the quotes). This must be named exactly as identified. This directory is used to temporarily store information as users are authenticated. You must change the permissions of this folder so that the user "WebServe" has Delete permissions in addition to the Read/Execute permissions that are normally placed on a directory within WWW. You must also give the username "WebServe-scripts" Change permissions. With these permissions in place, the full permissions on the authname folder should look like the following:
Administrators: Full Control (All)(All)
CREATOR OWNER: Full Control (All)(All)
<your username>: Change (RWXD),(RWXD)
WebServe: Special Access (RXD),(RXD)
WebServe-scripts: Change (RWXD),(RWXD)
It is important that the permissions for WebServe and WebServe-scripts be set exactly as indicated to allow the authentication process to work properly and to ensure the integrity of the authentication. (For example, if WebServe has Write access to the directory, someone could conceivably bypass the authentication mechanism.)
(Normally, files are created and deleted within the authname directory. The name of the file is the username of the authenticated user. If something unusual happens within the authentication process, it is possible to have files left behind in this directory. Feel free to delete any files in this directory that are more than a day old.)
5. After authentication, the variable "authname" will contain the name of the authenticated user, and can be used in the script as needed.
Restricting Access to a Specific List of Usernames
It's possible to restrict access to a page to a specific list of usernames. To start, set up authname as described above. Then, in the same directory as the script, create a file named authname.txt. This file should include a list of usernames, one per line. People who access this page will be authenticated, and their username must appear in the list of names, or they will be denied access to the page. An authname.txt file should look like the following:
mweaver
jsmith
bjones
Note that if you create an authname.txt file in a directory, it will apply to all scripts in that directory that require authentication. If you need a different list of valid usernames for different scripts, you will have to put them in different directories.
Finally, you might have a series of pages that require authentication. It would be annoying to have to respond to the “Authentication Required” prompt for each page. To get around this, include authname.inc as described above on the first page in the series, and use authname2.inc on subsequent pages. Authname2.inc does the same thing as authname.inc without the prompt.
This method of authentication allows you to specify one or more names, and corresponding passwords, that can be used to access a web page.
<!--#include virtual="/common/authenticate.inc"-->
The line must be typed exactly as it is above, including the (<) and (>) at the beginning and end. (Depending on how your browser is set up, the above statement may appear on two or more lines. It is actually just a single line.) You might find it easiest to just copy and paste from this page. This will add the authentication to your web page. Note that you must do this for EACH page that you want to include user authentication.
There are two ways you can create an htpasswd file.
NAME
htpasswd - Create and update user authentication files
SYNOPSIS
htpasswd [-c] passwdfile username
DESCRIPTION
htpasswd is used to create and update the files that store usernames
and passwords for basic authentication of users.
OPTIONS
-c Create the passwdfile. If passwdfile already exists, it is deleted first.
passwdfile
Name and path of the file to contain the username and password. If -c is
given, this file is created if it does not already exist, or deleted
and recreated if it does exist.
username
The username to create or update in passwdfile. If username does not
exist in this file, an entry is added. If it does exist, the password
is changed.
For example, to create an htpasswd file in your WWW directory, you must first
logon to the Bucknell domain, get a U drive connection to your personal File
Services space, and enter the following command from a Windows 95/NT command
prompt:
\\web3\utils\htpasswd -c u:\public\www\htpasswd myname
You will be prompted for a password to associate with the username "myname"
and then you will be prompted to confirm the password. This will create the
htpasswd file, and add the user "myname" with the specified password.
Subsequently, when anyone attempts to access a page that you have set up for
authentication, they will be prompted for a username and password. They should
enter a username and password that you have added to your htpasswd file.
To add additional usernames to your htpasswd file, you would use the following
command:
\\web\utils\htpasswd u:\public\www\htpasswd anothername
Note the absence of the (-c) parameter. This is only used when initially creating
the htpasswd file.
For information about where to put your htpasswd file, see the section below.
With this method of authentication, you can ensure that the user viewing the web page is coming from a specific IP address, or a range of IP addresses. This is a good tool if, for example, you want to restrict access to a web page to computers at Bucknell only.
<!--#include virtual="/common/htaccess.inc"-->
The htaccess file contains commands to allow or deny access to specific IP addresses, or groups of IP addresses. You can use any text editor to create the htaccess file. There are two basic commands: allow and deny. The syntax of both commands is identical, as follows:
<command>:<ip address>
where <command> is either "allow" or "deny", and <ip address> is all, or part, of an IP address in normal dotted notation. You can have any number of these commands within the htaccess file.
For example, an htaccess file might have the single command:
allow:134.82.50.5
This would restrict access to only the single computer with the specified IP address.
The htaccess file will be processed as follows. First, all allow commands will be processed, then all deny commands will be processed. If, at the end of the process, the source IP address has satisfied one or more allow commands, but has not satisfied any deny commands, then the browser will be permitted to access the web page. If the source IP address does not satisfy any allow command, then access to the page will not be permitted. And if the source IP address satisfies one or more deny commands, access will also not be permitted.
In the allow command, you can also specify "all" to initially allow access to all IP addresses. (The same shortcut is not available for the deny command, since "deny:all" is effectively the initial state before any commands have been processed.)
Note that the order of commands within the htaccess file is irrelevant. All allow commands will be processed, then all deny commands will be processed.
For information about where to put your htaccess file, see the section below.
Some sample htaccess files:
allow:134.82.9.9
where 134.82.9.9 represents the IP address of your computer.
allow:134.82
Note the use of the partial IP address. All Bucknell addresses begin with 134.82.
allow:all
deny:134.82.9.9
where 134.82.9.9 is the computer that you want to keep out. (Why do you want to do this?)
allow:134.82
deny:134.82.88
deny:134.82.89
deny:134.82.90
…
deny:134.82.129
deny:134.82.140
deny:134.82.141
...
deny:134.82.147
This needs to include all the subnets from 88 through 129 and 141 through 147. (This list of ResNet subnets is valid as of May, 2002. If it is important that you exclude any group of subnets from access to your web page, please check with the tech desk to verify a current list of subnets. You may have to check back from time to time to verify that the list hasn't changed.)
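As an added illustration of the processing rules described above (example code written for this page, not the File Services server's own implementation), the following Python evaluates an htaccess file against a source address. It assumes that a partial address matches only on whole-octet boundaries and that a malformed line (such as a deny command missing its colon) fails closed; neither behaviour is stated on this page.

```python
# Added example; not the File Services server's own code. Evaluates an
# htaccess file with the rules this page describes: all allow commands
# first, then all deny commands, with the order of lines irrelevant.

def _octets(addr):
    return [p for p in addr.strip().split(".") if p]

def _matches(pattern, ip):
    """True when pattern is a leading run of whole octets of ip.
    Matching on octet boundaries is an assumption; it keeps 'deny:134.82.9'
    from also catching 134.82.90.x, which a plain string prefix would."""
    pat, addr = _octets(pattern), _octets(ip)
    return 1 <= len(pat) <= len(addr) and addr[:len(pat)] == pat

def parse_htaccess(text):
    """Return (rules, errors). rules are (command, target) pairs; errors
    lists lines that are not 'allow:<addr>' or 'deny:<addr>'."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        cmd, sep, target = line.partition(":")
        cmd, target = cmd.strip().lower(), target.strip().lower()
        if sep and cmd in ("allow", "deny") and target:
            rules.append((cmd, target))
        else:
            errors.append(f"line {lineno}: malformed rule {raw!r}")
    return rules, errors

def is_allowed(text, ip):
    """Decide access for source address ip. A malformed line fails closed
    (assumption: the server's behaviour on bad lines is not documented);
    a deny line missing its colon would otherwise silently widen access."""
    rules, errors = parse_htaccess(text)
    if errors:
        return False
    allows = [t for c, t in rules if c == "allow"]
    denies = [t for c, t in rules if c == "deny"]
    # "all" is only meaningful for allow; deny:all is the default state.
    if not any(t == "all" or _matches(t, ip) for t in allows):
        return False
    return not any(_matches(t, ip) for t in denies)

# Constructed sample files, modelled on the ones shown on this page.
CAMPUS_EXCEPT_RESNET = "allow:134.82\ndeny:134.82.88\ndeny:134.82.89\n"
EVERYONE_BUT_ONE = "deny:134.82.9.9\nallow:all\n"   # deny listed first on purpose
```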
The web server will look for your htpasswd or htaccess file in the same folder as your web document. If no file named htpasswd or htaccess is found in that folder, it will continue to search up the folder hierarchy until it finds the correct file. For example, if your web document is located at:
u:\public\www\mydocs\private\webdoc.asp
The web server would search for your htpasswd file in the following order:
So, if you create an htpasswd file in the folder u:\public\www, you can use it to authenticate users to any web pages in your entire www folder. If you want to use a different set of usernames and passwords to authenticate users of web pages in a particular folder, just create an htpasswd file in that folder, with the desired usernames and passwords. The same applies to the htaccess file.
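The lookup rule above, as an added Python model written for this page (not the server's own code), using the document path from the example. The set of existing files is constructed; the real server reads your U: drive. It also reports files higher in the tree that a document will never consult, since a more permissive htpasswd or htaccess file created in a subfolder overrides a stricter one above it.

```python
# Added example; not the File Services server's own code. Models the rule
# this page describes: the server uses the htpasswd/htaccess file in the
# document's own folder, otherwise the nearest one up the folder hierarchy.
from pathlib import PureWindowsPath

def search_order(doc_path, filename):
    """Candidate file paths, nearest folder first, for a document at doc_path."""
    folder = PureWindowsPath(doc_path).parent
    return [str(PureWindowsPath(p, filename)) for p in (folder, *folder.parents)]

def effective_file(doc_path, filename, existing):
    """The file the server would use for this document, or None if no file
    of that name exists anywhere up the hierarchy. existing is a set of
    known paths (constructed here; compared case-insensitively as on NTFS)."""
    have = {p.lower() for p in existing}
    for candidate in search_order(doc_path, filename):
        if candidate.lower() in have:
            return candidate
    return None

def shadowed_files(doc_path, filename, existing):
    """Files of the same name above the effective one. This document never
    consults them, so a permissive file deeper in the tree silently
    overrides a stricter one above it; these are worth reviewing."""
    chosen = effective_file(doc_path, filename, existing)
    if chosen is None:
        return []
    have = {p.lower() for p in existing}
    order = search_order(doc_path, filename)
    return [c for c in order[order.index(chosen) + 1:] if c.lower() in have]

# Constructed set of files on the U: drive for the demonstration.
FILES = {r"u:\public\www\htpasswd", r"u:\public\www\mydocs\htpasswd",
         r"u:\public\www\htaccess"}
```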