A little something on Apache’s access controls
Written by Robert on April 10, 2008 – 10:26 am

Incorporating any of the mod_auth, mod_auth_db or mod_auth_dbm modules into your Apache build lets you use HTTP authentication. These modules differ only in how the name and password data are stored. The _db and _dbm modules use the various versions of the db/dbm simple database package available for Linux/Unix. The basic mod_auth module works with text files that define your users and their passwords, and any user groups you wish to have.

(The passwords in the password file are held in encrypted form.) The text files are simpler, but if you are likely to have hundreds of users you should use one of the db packages to avoid performance problems with large text files. Authentication-based restrictions are typically applied to a directory (and its subdirectories) and are again defined using a Directory directive in the httpd.conf file. The first time a client attempts to access a resource in a controlled directory, Apache responds with an HTTP 401 ‘authorization required’ challenge. This challenge carries a name (the ‘realm’ name) that the server administrator has chosen for the collection of resources. The client’s browser handles the challenge by displaying a simple dialog informing the user that a name and password must be provided to access resources in the named ‘realm’.

Apache keeps the connection open until the client’s identification data are returned and can be checked. If the name and password are validated, Apache returns the resource. The client’s browser keeps a record of the name, password, realm triple and automatically handles any subsequent challenges for other resources in the same realm. Normally the password is sent Base64-encoded; this is not a cryptographic encoding but a reversible character encoding that merely avoids problems with special characters in a password, so anyone who can read the request can read the password. In principle, a more secure scheme based on the MD5 hashing algorithm can be used to protect passwords; in practice, most browsers do not support this feature (Internet Explorer 5 and above can handle more demanding security controls). The actual control on a resource may:

simply require that the user has supplied a valid name-password combination;

list the names of those users who are permitted access to the resource;

specify the name of a user-group, as defined in a ‘groups’ file, whereby all members of the group are permitted to access the resource.
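The challenge/response exchange described above, written out as an added example (this is illustrative code, not Apache’s or the author’s): a constructed Server issues the 401 challenge for the realm, a constructed Browser remembers the credential per realm so the dialog appears only once, and credentials_from_header shows that the Base64 credential is recoverable by anyone who sees the request on a non-TLS link.

```python
import base64
import re

def basic_header(user, password):
    """Client side: the Authorization value sent after the dialog.
    Base64 is a reversible encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def credentials_from_header(header):
    """Anyone who sees this header on a non-TLS link recovers the name and
    password with a single decode; no key is involved."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password  # partition keeps any ':' inside the password

class Server:
    """Server side for one realm; users is a constructed {name: password}
    table standing in for the password file (hypothetical, not Apache's)."""

    def __init__(self, realm, users):
        self.realm, self.users = realm, users

    def respond(self, authorization=None):
        if authorization is not None:
            user, password = credentials_from_header(authorization)
            if self.users.get(user) == password:
                return 200, {}
        return 401, {"WWW-Authenticate": f'Basic realm="{self.realm}"'}

class Browser:
    """Keeps the (name, password) per realm so the dialog is shown once and
    later challenges in the same realm are answered automatically."""

    def __init__(self):
        self.by_realm = {}

    def fetch(self, server, prompt):
        status, headers = server.respond()  # first attempt carries nothing
        if status != 401:
            return status
        realm = re.search(r'realm="([^"]*)"', headers["WWW-Authenticate"]).group(1)
        if realm not in self.by_realm:
            self.by_realm[realm] = basic_header(*prompt(realm))  # the dialog
        status, _ = server.respond(self.by_realm[realm])
        if status == 401:
            self.by_realm.pop(realm, None)  # wrong password: forget it
        return status
```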

The web server administrator must allocate usernames and passwords and create the files (or db/dbm entries) for the users and groups. There is a utility program, /local/apache/bin/htpasswd, that can be used to create an initial password file or add a user to the password file:

   # Create the password file in the current directory (-c creates the file)
   htpasswd -c .htpasswds firstuser
   # Add another user to the existing file (no -c, which would overwrite it)
   htpasswd .htpasswds anotheruser

The htpasswd program prompts for the password that is to be allocated to the user. Group files are simple text files; each line in the file defines a group and its members:

   BridgePlayers: anne david carol phillip peter jon james

The password files should be placed in a directory in the main Apache installation directory. An example of a Directory directive specifying an authorization control is:

<Directory /local/apache/htdocs/notices>
   AuthName "Private Departmental Notices"
   AuthType Basic
   AuthUserFile /local/apache/pwrds/.htpasswds
   AuthGroupFile /local/apache/pwrds/.htgroups
   Require valid-user
</Directory>

The AuthName option specifies the name of the realm; the AuthType option will normally be ‘Basic’ (if you are targeting browsers that support the feature, you can instead specify the MD5-based scheme for the passwords sent by clients). AuthUserFile and AuthGroupFile identify the locations of the associated password and group files. The ‘Require valid-user’ control accepts any user who enters their password correctly. Alternative controls are ‘Require user carol phillip’ (list the names of the users who are allowed access to the resource) and ‘Require group BridgePlayers’ (allow access by all members of the BridgePlayers group). Authorization and IP/domain restrictions can be combined:

<Directory /local/apache/htdocs/DevelopMent/hotstuff>
   Order deny,allow
   Deny from all
   Allow from 130.130
   AuthName …
   …
   Require group staff
   Satisfy all
</Directory>

This example requires that users be on hosts in the 130.130 network and that they have established themselves, by entering a name and password, as members of the staff group. With the constraint ‘Satisfy any’ instead, access would be granted if either the user was working from the specified network or had entered the name and password of a staff member.
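An added example (illustrative code, not Apache’s implementation) that evaluates the controls from the two Directory directives above: it parses a constructed group file in the ‘Group: member …’ format, applies the ‘Deny from all / Allow from 130.130’ host test octet by octet, evaluates the three Require forms, and combines them as Satisfy all / Satisfy any do. The function and group names are constructed for the example.

```python
# Constructed group file in the page's "Group: member member ..." format
GROUP_FILE = """staff: anne carol
BridgePlayers: anne david carol phillip peter jon james
"""

def parse_groups(text):
    """AuthGroupFile: one 'GroupName: member member ...' line per group."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep:
            groups[name.strip()] = set(members.split())
    return groups

def host_allowed(client_ip, allow_from):
    """Order deny,allow / Deny from all / Allow from <prefix>: the address
    passes if it starts with one of the prefixes, compared octet by octet
    (so '130.130' matches 130.130.4.7 but not 130.13.0.1)."""
    octets = client_ip.split(".")
    return any(octets[:len(p)] == p for p in (a.split(".") for a in allow_from))

def require_met(require, user, groups):
    """Evaluate a Require line; user is None when no valid name and password
    were supplied for the realm."""
    if user is None:
        return False
    kind, *names = require.split()
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in names
    if kind == "group":
        return any(user in groups.get(g, ()) for g in names)
    raise ValueError("unsupported Require form: " + require)

def access_granted(client_ip, user, allow_from, require, groups, satisfy="all"):
    """Combine the host restriction and the Require line as Satisfy does:
    'all' needs both to pass, 'any' needs either one."""
    host_ok = host_allowed(client_ip, allow_from)
    auth_ok = require_met(require, user, groups)
    if satisfy == "all":
        return host_ok and auth_ok
    if satisfy == "any":
        return host_ok or auth_ok
    raise ValueError("Satisfy must be 'all' or 'any'")
```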
