Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication & .htaccess

Published byAmber Mills Modified over 6 years ago

Similar presentations

Presentation on theme: "Authentication & .htaccess"— Presentation transcript:

1 Authentication & .htaccess
Basic Web authentication and using Apache’s .htaccess files

2 HTTP Servers Web pages are hosting by HTTP servers
Web servers send and receive data using the Hypertext Transfer Protocol (HTTP) Servers can send & receive data on virtually any protocol, but HTTP is the standard for web pages

3 Apache Apache uses configuration files called .htaccess files
These are Hypertext Access files (htaccess) These files always start with a dot .htaccess Note that the . makes them invisible.

4 Server Configurations
Every Apache server has a master server configuration file Apache allows you to make folder (directory) specific configuration files that override the master defaults These files allow you to customize your hosting for tasks like authentication, error handling (like 404 pages), redirects, etc.

5 Server Configurations
Ideally, you use the master configuration of the server. If for some reason you don’t have permissions to it (like in the case of Banjo), then you can use .htaccess files. Other servers may not have these specific configurations. Many instead just use code! 

6 Server Configurations
Server-side code is the most powerful and flexible, but that means that it must be programmed. Configuration files are much faster, but they are not as flexible or powerful. .htaccess files can become very difficult to use as the complexity of the site increases. For simple tasks, they are very quick to make.

7 .htaccess .htaccess files take commands called directives
Each directive allows you to specify certain behaviors This means that the server has to constantly open and read the .htaccess files, which can be bad for performance.

8 .htaccess .htaccess files are very fast to setup and use for small tasks You can only have one .htaccess file per folder. Each .htaccess file will affect the folder it is in and the sub- folders under it.

9 .htaccess Each sub-folder could again have its own .htaccess file, but it would hurt performance. Every .htaccess file slows down the server .htaccess files are case-sensitive

10 DirectoryIndex The DirectoryIndex directive tells Apache which file is the index. The default is index.html, but you can provide a different name. The directive takes a file name from the same folder. Example of overriding the default index.html DirectoryIndex main.html

11 HTTP Status Codes HTTP packets are sent along with status codes
The status code is a standardized int value that tells you what happened This means that whatever language you are programming in, you can always expect a numeric code to tell you what happened

12 HTTP Status Codes 404 means file not found 403 means forbidden
401 means unauthorized (authentication required) 200 means success 418 means “I’m a teapot” More Status Codes

13 ErrorDocument The ErrorDocument directive tells Apache how to handle certain errors. The ErrorDocument directive takes two parameters, an error code and a response (a message or a file) ErrorDocument allows us to specify an error and send back a custom html file.

14 ErrorDocument ErrorDocument reads file paths starting at your RIT www folder, so your paths start with a slash and your userid followed by the path from www. Example: ErrorDocument /abc1234/error/error.html *your path must start with a / for this to work

15 Auth Workflow Client requests protected resource Apache sends:
401 Authentication Required header Realm: authentication name which is associated with the protected area of the web site. Client Alert box pops up, displaying The Realm, where you type in the appropriate username and password for that realm. Server verifies that the username in the approved list, and the password is correct. If so, send the resource to client.

16 Auth Types There are several types of authentication.
The most basic one uses a password file, but it is not the most secure.

17 .htaccess auth AuthType shibboleth AuthName "RIT" ShibRequireSession On SSLRequireSSL require valid-user

18 .htaccess auth AuthType shibboleth AuthName "RIT" ShibRequireSession On SSLRequireSSL require valid-user AuthType tells Apache what type of authentication to use. In this case, we’re using RIT’s auth server, “Shibboleth.”

19 .htaccess auth AuthType shibboleth AuthName "RIT" ShibRequireSession On SSLRequireSSL require valid-user AuthName tells the browser the name of the service you are logging into so that you know what account to login with. In this case the browser would get a login window saying something like (varies by browser) “Login with your RIT account”.

20 .htaccess auth AuthType shibboleth AuthName "RIT" ShibRequireSession On SSLRequireSSL require valid-user This is a variable passed between Shibboleth that flags the fact that we are required to establish a connection with Shibboleth in order to authorize.

21 .htaccess auth AuthType shibboleth AuthName "RIT" ShibRequireSession On SSLRequireSSL require valid-user SSLRequireSSL tells Apache that it must only allow access to this folder when in HTTPS. Normal http connections will fail with 403 errors. This ensures that the connection is encrypted.

22 .htaccess auth AuthType shibboleth AuthName "RIT" ShibRequireSession On SSLRequireSSL require valid-user Require tells Apache to require only certain users access. This can be an individual list or names or a groups, or it can be special types of users like valid-user. Valid-user just tells Apache to use any valid user. In this example that would be anyone who logged in with an RIT account

23 .htaccess Auth Once logged in, how do you log out?
Clear browser cache Can I change the looks of the auth window? No, but that’s where web servers and logins come in *Remember this is basic auth.*

24 Exercise

Download ppt "Authentication & .htaccess"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
A digression The next feature of programming HTTP clients that we will consider is user authentication Before considering that, however, we will digress.

A digression The next feature of programming HTTP clients that we will consider is user authentication Before considering that, however, we will digress.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Hypertext Transfer Protocol Kyle Roth Mark Hoover.

Hypertext Transfer Protocol Kyle Roth Mark Hoover.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Hypertext Transport Protocol CS - 328 Dick Steflik.

Hypertext Transport Protocol CS Dick Steflik.
 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.

 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
Web Client/Server Communication A290/A590, Fall 2014 09/09/2014.

Web Client/Server Communication A290/A590, Fall /09/2014.
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
An introduction to Apache. Different Types of Web Servers Apache is the default web server for may Unix servers. IIS is Microsoft’s default web server.

An introduction to Apache. Different Types of Web Servers Apache is the default web server for may Unix servers. IIS is Microsoft’s default web server.
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
Copyright 2000 eMation SECURITY - Controlling Data Access with

Copyright 2000 eMation SECURITY - Controlling Data Access with
Developing a Web Site. Web Site Navigational Structures A storyboard is a diagram of a Web site’s structure, showing all the pages in the site and indicating.

Developing a Web Site. Web Site Navigational Structures A storyboard is a diagram of a Web site’s structure, showing all the pages in the site and indicating.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
Apache and... Virtual Hosts ---- aliases mod_rewrite ---- htaccess AFNOG 11 Kigali, Rwanda May 2010 Dorcas Muthoni Courtesy: Hervey Allen.

Apache and... Virtual Hosts ---- aliases mod_rewrite ---- htaccess AFNOG 11 Kigali, Rwanda May 2010 Dorcas Muthoni Courtesy: Hervey Allen.
.Net and Web Services Security CS795. Web Services A web application Does not have a user interface (as a traditional web application); instead, it exposes.

.Net and Web Services Security CS795. Web Services A web application Does not have a user interface (as a traditional web application); instead, it exposes.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim 09.11.2004.

Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim

Similar presentations

Ads by Google