Web application security has always been a hot topic on most mailing lists that discuss security, web applications, or even web programming languages. Why does web application security never go off topic? Because the popularity of the web keeps growing and many applications have been ported to the web. You can see plenty of examples on the Internet, from simple applications to critical applications used by many companies. By publishing an application to the Internet, we must be ready for any risk and potential threat that could arrive every day, at any time. This tutorial introduces one way of protecting our valuable assets on the web, using the simple authentication method provided by the Apache web server.
All you need is an Apache web server and you are ready to start this simple tutorial. You can later combine this method with more advanced ones, for example a database that stores the username/password list for all authorized people. That is also easier to manage, as you can build your own user management system, but save it for later. We will start with the simple one, using a plain text file to keep the list of users allowed to access the site. We will assume that we want to protect a secret directory located in willy's home directory, which can be accessed by opening http://localhost/~willy/secret/.
Let's go to the secret directory by issuing:
cd public_html/secret
Next, make a new file called .htaccess in this directory (or in any directory you want to protect) with the following content:
AuthName "This is restricted area"
AuthType Basic
AuthUserFile /home/willy/valid-user-list
require valid-user
Next, we will make a new file called valid-user-list, which will be used to store the valid user accounts (for example willy). Create this file in a location that is not accessible from outside (for example our home directory): it is plain text, so if you put it in a web-accessible location it can be downloaded directly by visitors. We create this file with the command:
htpasswd -c /home/willy/valid-user-list willy
It will prompt for a password for the account willy. Enter the password and you are done. It starts working automatically: launch the browser and open http://localhost/~willy/secret. You will be prompted for a username/password. If you type the correct username/password, you will see the content of the directory; if you press Escape to cancel, you will be presented with a page saying that authorization is required to view it.
Please note that the -c parameter is used only the first time, to create the file. If you want to add a new user to the file, don't use -c, or it will wipe out your old list, since it truncates the file and creates a new one.
If you don't see the dialog prompt after trying this, you may have to look at your Apache configuration (usually httpd.conf). Make sure you have this line in your configuration file:
AccessFileName .htaccess
and
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
If you don't have these, add them, restart your web server and try again.
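To make the mechanism behind the steps above concrete, here is an added example (not part of the original tutorial, and not Apache's own code) that models what Apache does for a request to the protected directory: it reads a valid-user-list in the {SHA} format that `htpasswd -s` writes, decodes the browser's Basic Authorization header, checks the password hash in constant time, and answers 200 or 401 with the realm challenge. The user willy and the password s3cret are constructed values for this example.

```python
import base64
import binascii
import hashlib
import hmac

def sha_entry(user, password):
    # One valid-user-list line in the "{SHA}" format that `htpasswd -s` writes
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

# Constructed sample file for user willy; the password "s3cret" is made up for this example
VALID_USER_LIST = sha_entry("willy", "s3cret") + "\n"

def basic_header(user, password):
    # The Authorization value a browser sends after the login dialog: plain base64, not encryption
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def load_users(text):
    # Parse htpasswd-style lines into {user: stored_hash}, skipping blank and comment lines
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users

def parse_basic_header(header):
    # Return (user, password) from a "Basic <b64>" header value, or None if malformed
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return tuple(raw.split(":", 1)) if ":" in raw else None

def check_request(header, users, realm="This is restricted area"):
    # Model of Apache's `require valid-user`: 200 on a match, else 401 plus the challenge
    challenge = (401, {"WWW-Authenticate": f'Basic realm="{realm}"'})
    creds = parse_basic_header(header)
    if creds is None:
        return challenge  # no or garbled header: the browser shows the login dialog
    user, password = creds
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return challenge  # unknown user, or a hash format this model does not handle
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    # Constant-time compare so response timing does not reveal how much of the hash matched
    if hmac.compare_digest(expected, stored[5:]):
        return (200, {})
    return challenge
```

The {SHA} format is used here only because it is easy to reproduce; a real htpasswd defaults to stronger hashes (bcrypt or APR1-MD5), and since Basic auth only base64-encodes the credentials, the directory should be served over HTTPS.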
There is no 100% security. All we can do is protect our assets as well as possible. Using .htaccess is not a perfect solution, but at least it prevents direct access to our valuable assets. New methods are always being developed by other people; be sure to look for them on the Internet and analyze whether they suit your case.
Last Update : 14 April 2007 :: 08:55:07