Introduction
This document describes the procedure used to restrict access to Web pages
on the two main Binghamton University Web servers, Bingweb and Bingwww. Username/Password
restriction is limited to University faculty and staff only!
Binghamton University has two main web servers: 1) Bingwww, the departmental/office web server, and 2) Bingweb, the instructional/personal web server. By default, web pages on Bingwww and Bingweb are visible to the world. If you want to control access to your web pages, you can do so by using Basic HTTP Authorization. Access to your Web pages can be restricted by host (for instance, the Binghamton University campus), by a username and password, or by a combination of both.
How secure is it?
Username/Password-based authorization presents the user with a dialogue
box in which the correct username and password must be entered before the
Web page is displayed. With this authorization scheme, passwords are passed
over the network in uuencoded format. This means the passwords are neither
encrypted nor sent as plain text: anyone who happens to be snooping network
traffic will not see the password in the clear, but can easily decode it
from the right network packet. It is about as secure (or insecure) as using
telnet to log in to a remote system.
Caution:
Any user who is logged on to the Bingwww or Bingweb (Bingsuns) system can
easily bypass the access restrictions of Web pages controlled by Basic HTTP
Authorization by reading your Web pages directly through the local filesystem.
This is because in a large multi-user environment with a shared web server
(such as Bingwww and Bingweb), your pages must be readable by all local users
in order for the Web server to be able to serve them. Because of the security
limitations discussed here, a good rule of thumb is: if you absolutely,
positively do not want the wrong people viewing certain information, then you
probably shouldn't put it on a Bingwww or Bingweb Web page.
The Process:
Restricting access to your Web pages requires the placement of a special file,
named .htaccess, in any directory in which you want this restriction
to take place. All pages which reside within a directory that contains a .htaccess
file will have their access limited according to the contents of the file.
Subdirectories inherit their access control rules from the parent directory.
If you only want to place access limitations on a single Web page, that page
still must reside in a separate directory. Any other files that happen to
reside in the same directory or its subdirectories will have their access
similarly restricted.
Username/Password Restriction
If you want to restrict your Web pages through a username and password,
a password file also needs to be created. This is in addition to the placement
of the .htaccess file as described in the previous paragraph. Unlike the .htaccess
file, the password file does not have to reside within your Web space so there
is no additional action necessary on your part; however, it must reside on
the same Web server. For this reason, if you are implementing username/password
restriction you can only use this procedure if your Web pages reside on Bingwww
or Bingweb.
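As an added illustration (not taken from this document or from the access restriction form it describes), here is what a .htaccess file of the kind described in the two sections above looks like in the Apache syntax of the period, combining a host restriction with a username/password restriction. The address range and the password-file path are placeholders; on Bingwww and Bingweb the real password file is supplied by the web administrator.

```apache
# Added example .htaccess file. It governs every page in the directory
# it is placed in, and in all subdirectories below it.

# --- Username/password restriction ---
AuthType Basic
AuthName "Restricted Pages"
# Placeholder path: the password file lives outside the Web space but
# on the same Web server, and is created by the web administrator.
AuthUserFile /placeholder/path/to/.htpasswd
# Any account listed in the password file may log in.
# To admit only specific accounts instead, use:  require user alice bob
require valid-user

# --- Host restriction ---
# Default-deny, then allow the campus network.
# 10.0.0.0/8 is a placeholder for the real campus address range.
order deny,allow
deny from all
allow from 10.0.0.0/8

# --- How the two restrictions combine ---
# Satisfy Any: a visitor coming from the allowed network gets in without
#              a password; everyone else must supply a valid login.
# Satisfy All: a visitor must BOTH come from the allowed network AND log in.
Satisfy Any
```

The password file itself holds one `username:hashed-password` line per account and is normally generated with Apache's `htpasswd` utility. Apache 2.4 and later replace the `order`/`deny`/`allow`/`Satisfy` directives with `Require` (for example `Require ip 10.0.0.0/8` and `Require valid-user` inside `<RequireAny>`), so check which Apache version the server runs.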
The Form:
If you complete and submit the access restriction
form, enough information will be gathered to create a .htaccess file for you.
You will then be presented with instructions on how to proceed with the installation
of the file. If you are requesting username/password restriction, the password
file will be created for you by the web administrator and you will receive
confirmation via email that this has been done (usually within 2-3 days).
Where do your web pages reside? This form will only allow you to limit access to web pages which reside on either Bingweb (the instructional/personal web server) or Bingwww (the departmental/office web server).