How would I go about creating a link that contains confidential information specific to the user and when clicked, it would open up a tab that requires authorization in order to access the information.
I've been given advice to use Apache and Drupal but I'm not sure how to start things. Any form of advice would be GREATLY appreciated.
You can use Shield module of Drupal for your purpose.
OR
You should be able to do this using the combination of mod_env and the Satisfy any directive. You can use SetEnvIf to check against the Request_URI, even if it's not a physical path. You can then check if the variable is set in an Allow statement. So either you need to log in with password, or the allows you in without password:
//Do the regex check against the URI here, if match, set the "require_auth" var
SetEnvIf Request_URI ^/your/url require_auth=true
// Auth stuff
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic
//Setup a deny/allow
Order Deny,Allow
//Deny from everyone
Deny from all
//except if either of these are satisfied
Satisfy any
1. a valid authenticated user
Require valid-user
or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
Related
I'm trying to place an entire directory behind Apache Authentication on an IBMi AS/400 V7R2. I need to specify credentials which have no relationship with the AS/400 other than the fact they are defined in a file on the IFS. I'm new to the IBMi world and am unsure where Apache was installed. I know I need to include a handful of Apache modules, but don't know where those are. I also do not know where I can find the htpasswd.exe equivalent so I was going to be hopeful and use http://www.htaccesstools.com/htpasswd-generator-windows/. The file which contains the credentials must have the password encrypted as well. I've tried various strings in a which command in PASE with no luck.
I've also seen two different ways to include the password file (PasswdFile and AuthUserFile) but can't find the difference. My assumption is that PasswdFile is used for actual IBMi system users and AuthUserFile is meant to be used with a .htpasswd.exe generated file for arbitrary users.
Code Examples I've tried:
<Directory "/path/to/secure/directory">
PasswdFile /path/to/.htpasswd
AuthType Basic
AuthName "To access the requested page, please enter your login credentials."
AllowOverride AuthConfig Options
Options Indexes
Require valid-user
</Directory>
OR
<Directory "/path/to/secure/directory">
AuthType Basic
AuthName "Secure Login"
AuthUserFile /path/to/.htpasswd
Require valid-user
</Directory>
The modules I was going to include to cover all of my bases until it was working include:
mod_access.so
mod_auth.so
mod_auth_anon.so
mod_auth_dbm.so
mod_auth_digest.so
Has anyone done this before, or knows how to do this on IBMi and can lend some guidance? Most articles specific to Apache for IBMi usually explain how to authenticate against existing IBMi users and then everything for .htpasswd base authentication is not specific to IBMi, so I don't know if Apache for IBMi is different in this case or if I'm doing something wrong.
Hope this works.
I would say you're stuck using either the system user ids and password or validation lists. check out this link:
http://www-01.ibm.com/software/webservers/httpservers/doc/v4r4/wmg/RZAG2M07.HTM#HDRPASSWDF
I want to show an error page for basic auth in apache, if it fails authentication.
currently it is prompting for username and password again and again until we hit cancel or using correct credentials.
<Directory /var/www/html>
AuthType basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /etc/httpd/pass
Require valid-user
</Directory>
Here, i need to customize that if user enters invalid credentials for say 3 times, it should by default throw error page.
You can use an ErrorDocument directive
ErrorDocument 401 /errors/error_unauthorized.html
However, this happens when someone gives up and presses cancel, not when they fail to auth a certain number of times. So, the short answer is, no you can't do that.
The longer answer is that if you use some other form of auth (such as form-based, cookie auth, like most sites use these days), then you have much more control over failure states. But of course you'd have to code the handlers on the server side to make that happen.
Hi I am new here so little bit hesitating in asking question as i don't know the rules, But i will give a try.
I have successfully password protected a website using .htaccess and .htpasswd,
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/.htpasswd
AuthGroupFile /dev/null
require valid-user
SetEnvIf Request_URI "^/dir1" dir1_uri
SetEnvIf Request_URI "^/dir2" dir2_uri
Order Allow,Deny
Allow from env=dir1_uri
Allow from env=dir2_uri
Satisfy any
As you can see i am allowing access to the dir1 and dir2.
Problem is that when i access the dir1 or dir2 through browser, the Authentication window pop up, this should not happen. Though it open the site when I cancel the pop up and can access the website without any problem. But it always pop up whenever i visit them. I don't know why this is happening.
Please help me.
Finally I able to resolve it and it was due to my own mistake.
By debugging for continuous 6-7 hours I found that the style sheet containing background-url property referencing to images which are in the restrictive directory or not existing are causing to pop up authentication pop up. I fixed them and it is now working.
I have a directory on my website that I need to make sure no one but myself can get into. From the reading I've done, it looks like there are two ways to protect a directory:
Password protect the directory using the .htaccess file
Deny access to all IP addresses but my own from accessing the directory, also using the .htaccess file
I need to protect the files in the directory as securely as possible, so I figured I'd use both of those methods for double protection.
Question 1: Am I missing anything? (i.e. is there another layer of protection I can add?)
Question 2: What would I need to put in a .htaccess file to get the above to work?
Your .htaccess file would contain:
AuthUserFile /usr/local/nate/safe_place/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Files"
AuthType Basic
require user nate
order deny, allow
deny from all
allow from 127.0.0.1
The .htaccess file goes in the directory you're trying to protect.
You also need a .htpasswd file (shown above as /usr/local/nate/safe_place/.htpasswd) which contains the text username:password_hash. So if we use "nate" as an example and "secret" as the password (please don't use that) you get:
nate:XmN6pwFyy3Il2
You can use this tool to generate your own password file: http://www.tools.dynamicdrive.com/password/
Just make sure that no one can read your .htpasswd file. Also note that basic authentication does no encryption by itself. If you're on an open network, anyone can see your password and all the secret data going over the network. Make sure you visit your site via https if it's really that secret.
You can read more about .htaccess files here:
http://www.javascriptkit.com/howto/htaccess.shtml
Assuming you're running Apache and have an AllowOverride directive permitting .htaccess files to use <Limit>, the following should be a good starting place for you:
<Limit GET>
Order deny,allow
Deny from all
Allow from IP_ADDRESS_HERE
</Limit>
More documentation on <Limit>: http://httpd.apache.org/docs/current/mod/core.html#limit
and for access control: http://httpd.apache.org/docs/2.2/howto/access.html
I have a CakePHP Application which I want to protect with a password. The tricky thing is, that all files/locations should be only accessible with a password EXCEPT one specific Address (a function withing a CakePHP-controller)
The Address is like that:
http://example.com/MyApp/MyController/MyFunction?MyParam=MyValue
All other locations should be only accessible with a password
http://example.com/MyApp/MyController/MyOtherFunction
http://example.com/MyApp/MyController/MyOtherFunction
http://example.com/MyApp/MyOtherController/MyOtherFunction
Well, I tried it first in the root .htaccess-File, but the whole rewrite-thing of CakePHP makes it very difficult and in .htaccess-Files are no <LocationMatch> directive allowed. So I tried it with <FilesMatch>, but the real File is always the same: index.php. mod_rewrite rewrites all Addresses to
http://example.com/MyApp/app/webroot/index.php?url=$1
In the next step I tried it in the apache-configuration and put there this section
<LocationMatch ^/MyApp/MyController/MyFunction.*>
AuthType Basic
AuthName "Secure Area"
AuthUserFile /path/to/.htpasswd
Require user MyUser
</LocationMatch>
Well the regex matched, but it was the wrong way. It protects MyFunction but not the rest.
Are you using .htpasswd? You might be better using Cake Auth, then you can do this in the appropriate controller:
function beforeFilter() {
$this->Auth->allow('MyFunction');
}