Authentication & .htaccess

Slides:



Advertisements
Similar presentations
Enabling Secure Internet Access with ISA Server
Advertisements

A digression The next feature of programming HTTP clients that we will consider is user authentication Before considering that, however, we will digress.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Hypertext Transfer Protocol Kyle Roth Mark Hoover.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Hypertext Transport Protocol CS Dick Steflik.
 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
Web Client/Server Communication A290/A590, Fall /09/2014.
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
Session 11: Security with ASP.NET
An introduction to Apache. Different Types of Web Servers Apache is the default web server for may Unix servers. IIS is Microsoft’s default web server.
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
Copyright 2000 eMation SECURITY - Controlling Data Access with
Developing a Web Site. Web Site Navigational Structures A storyboard is a diagram of a Web site’s structure, showing all the pages in the site and indicating.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
Apache and... Virtual Hosts ---- aliases mod_rewrite ---- htaccess AFNOG 11 Kigali, Rwanda May 2010 Dorcas Muthoni Courtesy: Hervey Allen.
.Net and Web Services Security CS795. Web Services A web application Does not have a user interface (as a traditional web application); instead, it exposes.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
Web Site Access Control with Apache Fort Collins, CO Copyright © XTR Systems, LLC Web Site Access Control Using the Apache Web Server Instructor: Joseph.
1 Welcome to CSC 301 Web Programming Charles Frank.
Application Layer Khondaker Abdullah-Al-Mamun Lecturer, CSE Instructor, CNAP AUST.
Module 11: Securing a Microsoft ASP.NET Web Application.
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
1 Apache and... Virtual Hosts ---- aliases mod_rewrite ---- htaccess AFNOG X Cairo, Egypt May 2009 Hervey Allen.
.htaccess Apache server directives BTM 395: Internet Programming.
Murach's HTML5 and CSS3, C1© 2012, Mike Murach & Associates, Inc. Slide 1.
Implementing and Using the SIRWEB Interface Setup of the CGI script and web procfile Connecting to your database using HTML Retrieving data using the CGI.
1 Chapter Overview Creating Web Sites and FTP Sites Creating Virtual Directories Managing Site Security Troubleshooting IIS.
Authentication Names and Passwords Names and Passwords Also can use Groups Also can use Groups Webmaster can “require” authentication Webmaster can “require”
More than one site? Use multiple configuration files Use multiple configuration files  httpd –d {path}  Assumes “conf/httpd.conf” Logging transactions.
Configuring and Deploying Web Applications Lesson 7.
ITM © Port,Kazman 1 ITM 352 Cookies. ITM © Port,Kazman 2 Problem… r How do you identify a particular user when they visit your site (or any.
COEN 350: Network Security E-Commerce Issues. Table of Content HTTP Authentication Cookies.
Web Server Design Week 10 Old Dominion University Department of Computer Science CS 495/595 Spring 2010 Martin Klein 3/17/10.
1 UNIT 13 The World Wide Web. Introduction 2 Agenda The World Wide Web Search Engines Video Streaming 3.
1 UNIT 13 The World Wide Web. Introduction 2 The World Wide Web: ▫ Commonly referred to as WWW or the Web. ▫ Is a service on the Internet. It consists.
1 E-Site - FTP Services Setup / install guide. 2 About FTP services can run on any desired port(s) Runs as a windows service Works for all sites installed.
What’s Really Happening
Authentication & Authorisation Is the user allowed to access the site?
Cookies Tutorial Cavisson Systems Inc..
Tonga Institute of Higher Education IT 141: Information Systems
Apache and... Virtual Hosts ---- aliases mod_rewrite ---- htaccess
COMP2322 Lab 2 HTTP Steven Lee Feb. 8, 2017.
Chapter 8 Building the Transaction Database
Enhanced Web Site Design Stanford University Continuing Studies CS 22
Hypertext Transport Protocol
Networks Problem Set 1 Due Oct 3 Bonus Date Oct 2
Web Server Design Week 11 Old Dominion University
HTTP Protocol.
Tutorial (4): HTTP Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
MIT GSL 2018 week 1 | day 4 Introduction to Web Development II.
Multifactor Authentication & First Time Login
Tonga Institute of Higher Education IT 141: Information Systems
IS 4506 Server Configuration (HTTP Server)
Configuring Internet-related services
PHP and Forms.
CS323 Android Topics Network Basics for an Android App
Tonga Institute of Higher Education IT 141: Information Systems
HyperText Transfer Protocol
Web Server Design Week 10 Old Dominion University
Web Server Design Week 11 Old Dominion University
Requests and Server Response Codes
Web Server Design Week 11 Old Dominion University
Chapter 7 Network Applications
Information Retrieval and Web Design
Web Servers (IIS and Apache)
CS/COE 1520 Jarrett Billingsley
* Web Servers/Clients * The HTTP Protocol
Presentation transcript:

Authentication & .htaccess Basic Web authentication and using Apache’s .htaccess files

HTTP Servers Web pages are hosting by HTTP servers Web servers send and receive data using the Hypertext Transfer Protocol (HTTP) Servers can send & receive data on virtually any protocol, but HTTP is the standard for web pages

Apache Apache uses configuration files called .htaccess files These are Hypertext Access files (htaccess) These files always start with a dot .htaccess Note that the . makes them invisible.

Server Configurations Every Apache server has a master server configuration file Apache allows you to make folder (directory) specific configuration files that override the master defaults These files allow you to customize your hosting for tasks like authentication, error handling (like 404 pages), redirects, etc.

Server Configurations Ideally, you use the master configuration of the server. If for some reason you don’t have permissions to it (like in the case of Banjo), then you can use .htaccess files. Other servers may not have these specific configurations. Many instead just use code! 

Server Configurations Server-side code is the most powerful and flexible, but that means that it must be programmed. Configuration files are much faster, but they are not as flexible or powerful. .htaccess files can become very difficult to use as the complexity of the site increases. For simple tasks, they are very quick to make.

.htaccess .htaccess files take commands called directives Each directive allows you to specify certain behaviors This means that the server has to constantly open and read the .htaccess files, which can be bad for performance.

.htaccess .htaccess files are very fast to setup and use for small tasks You can only have one .htaccess file per folder. Each .htaccess file will affect the folder it is in and the sub- folders under it.

.htaccess Each sub-folder could again have its own .htaccess file, but it would hurt performance. Every .htaccess file slows down the server .htaccess files are case-sensitive

DirectoryIndex The DirectoryIndex directive tells Apache which file is the index. The default is index.html, but you can provide a different name. The directive takes a file name from the same folder. Example of overriding the default index.html DirectoryIndex main.html

HTTP Status Codes HTTP packets are sent along with status codes The status code is a standardized int value that tells you what happened This means that whatever language you are programming in, you can always expect a numeric code to tell you what happened

HTTP Status Codes 404 means file not found 403 means forbidden 401 means unauthorized (authentication required) 200 means success 418 means “I’m a teapot” More Status Codes http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

ErrorDocument The ErrorDocument directive tells Apache how to handle certain errors. The ErrorDocument directive takes two parameters, an error code and a response (a message or a file) ErrorDocument allows us to specify an error and send back a custom html file.

ErrorDocument ErrorDocument reads file paths starting at your RIT www folder, so your paths start with a slash and your userid followed by the path from www. Example: ErrorDocument 404 /abc1234/error/error.html *your path must start with a / for this to work

Auth Workflow Client requests protected resource Apache sends: 401 Authentication Required header Realm: authentication name which is associated with the protected area of the web site. Client Alert box pops up, displaying The Realm, where you type in the appropriate username and password for that realm. Server verifies that the username in the approved list, and the password is correct. If so, send the resource to client.

Auth Types There are several types of authentication. The most basic one uses a password file, but it is not the most secure.

.htaccess auth AuthType shibboleth AuthName "RIT" ShibRequireSession On SSLRequireSSL require valid-user

.htaccess auth AuthType shibboleth AuthName "RIT" ShibRequireSession On SSLRequireSSL require valid-user AuthType tells Apache what type of authentication to use. In this case, we’re using RIT’s auth server, “Shibboleth.”

.htaccess auth AuthType shibboleth AuthName "RIT" ShibRequireSession On SSLRequireSSL require valid-user AuthName tells the browser the name of the service you are logging into so that you know what account to login with. In this case the browser would get a login window saying something like (varies by browser) “Login with your RIT account”.

.htaccess auth AuthType shibboleth AuthName "RIT" ShibRequireSession On SSLRequireSSL require valid-user This is a variable passed between Shibboleth that flags the fact that we are required to establish a connection with Shibboleth in order to authorize.

.htaccess auth AuthType shibboleth AuthName "RIT" ShibRequireSession On SSLRequireSSL require valid-user SSLRequireSSL tells Apache that it must only allow access to this folder when in HTTPS. Normal http connections will fail with 403 errors. This ensures that the connection is encrypted.

.htaccess auth AuthType shibboleth AuthName "RIT" ShibRequireSession On SSLRequireSSL require valid-user Require tells Apache to require only certain users access. This can be an individual list or names or a groups, or it can be special types of users like valid-user. Valid-user just tells Apache to use any valid user. In this example that would be anyone who logged in with an RIT account

.htaccess Auth Once logged in, how do you log out? Clear browser cache Can I change the looks of the auth window? No, but that’s where web servers and logins come in *Remember this is basic auth.*

Exercise

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.