Apache Basic Authentication

The Apache web server allows for per-directory configuration through the use of .htaccess files. Users can password protect directories using the built-in Basic Authentication mechanism. For more robust authentication schemes, users can consider using either Shibboleth, or the now-deprecated Webauth.

For more detailed information on this subject please see the Apache 2.2 authentication page.

With basic authentication, a web page maintainer can create a username/password combination which is required to access the contents of the given directory. The username and password are chosen by the web page maintainer; they are not related to any other system-wide usernames or passwords used to access other systems. Maintaining and distributing the credentials is the responsibility of the web page maintainer. To enable basic authentication on a web directory, perform the following steps.

  • Create the password file if necessary and add an account

    	# htpasswd -c /path/to/my/web/directory/passwords myuser
    	New password: mypassword
    	Re-type new password: mypassword
    	Adding password for user myuser

    htpasswd will prompt you for the password, and then ask you to confirm it. The passwords file must be readable by the web server and cannot be inside the password-protected directory. Run the htpasswd command without arguments for a short listing of the possible options and arguments.

  • Create and configure the .htaccess file

    You must create an .htaccess file containing keywords that tell the web server to require authentication for access to that directory. This is simply a text file that can be created in any editor capable of creating plain text files. Using the password file in the example above, the simplest .htaccess file would look as follows:

    	AuthType Basic
    	AuthName "Restricted Files"
    	AuthUserFile /path/to/my/web/directory/passwords
    	shibdisable On
    	Require user myuser

    Once these two files are created, the directory containing the .htaccess will require authentication. The htpasswd command can be used to add or modify user/password combinations at a later time.
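
The two steps above can be sanity-checked with a short script. This is an added example, not part of the original page: check_basic_auth is a hypothetical helper name, and the files it runs against at the end are constructed in a temporary directory. It verifies that the AuthUserFile is readable, sits outside the protected directory, and has an entry for every user named on a Require user line.

```shell
#!/bin/sh
# check_basic_auth DIR: hypothetical helper (not an Apache tool) that checks a
# directory set up as described above. Prints findings; returns 0 if none.
check_basic_auth() {
    dir=$1; ht="$dir/.htaccess"; problems=0
    [ -f "$ht" ] || { echo "FAIL: no .htaccess in $dir"; return 1; }

    # Take the path from the first AuthUserFile line (quotes and padding removed).
    pwfile=$(awk 'tolower($1) == "authuserfile" {
        $1 = ""; sub(/^[ \t]+/, ""); gsub(/"/, ""); print; exit }' "$ht")
    case $pwfile in
        /*) ;;
        *)  echo "FAIL: AuthUserFile missing or not an absolute path"; return 1 ;;
    esac
    # Readability is tested as the current user; run this as the web server's
    # account to test what the server itself can read.
    [ -r "$pwfile" ] || { echo "FAIL: cannot read $pwfile"; return 1; }

    # The password file must not be inside the protected directory.
    absdir=$(cd "$dir" && pwd -P)
    pwdir=$(cd "$(dirname "$pwfile")" && pwd -P)
    case "$pwdir/" in
        "$absdir"/*) echo "FAIL: $pwfile is inside $absdir"; problems=1 ;;
    esac

    # Every name on a "Require user" line needs an entry in the password file.
    for u in $(awk 'tolower($1) == "require" && tolower($2) == "user" {
                    for (i = 3; i <= NF; i++) print $i }' "$ht"); do
        awk -F: -v u="$u" '$1 == u { found = 1 } END { exit !found }' "$pwfile" ||
            { echo "FAIL: user $u has no entry in $pwfile"; problems=1; }
    done
    [ "$problems" -eq 0 ] && echo "OK: $dir"
    return "$problems"
}

# Constructed demo layout: password file beside, not inside, the protected directory.
demo=$(mktemp -d)
mkdir "$demo/protected"
printf 'myuser:CONSTRUCTED-PLACEHOLDER-HASH\n' > "$demo/passwords"
printf 'AuthType Basic\nAuthName "Restricted Files"\nAuthUserFile %s\nRequire user myuser\n' \
    "$demo/passwords" > "$demo/protected/.htaccess"
check_basic_auth "$demo/protected"
```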