Access Control for Your Web Pages (Raven and basic-auth)

  1. All users of Raven
  2. All DAMTP Users With Raven Accounts
  3. A Specific Group of Raven Accounts That You Define
  4. Basic Authentication using a UserID and Password that You Define
  5. All Raven Accounts can access a specific file
  6. All Raven Accounts can access specific files
  7. Logout of Raven
  8. Testing your .htaccess code
  9. Where to find what other Raven directives are allowed
  10. Useful links

Examples of each of these methods of access control follow.

Unless otherwise indicated, all the access control directives described below need to be put in a file called .htaccess (short for hypertext access). When the web server finds a file with this name in a directory (and the server's AllowOverride setting permits it), it applies the directives to that directory and to all the files and subdirectories within it, recursively.

All Raven Accounts

All Raven Accounts can access this directory

 # Deny is evaluated first, then Allow; with "deny from all" no host
 # gets in on the strength of its address alone.
 order deny,allow
 deny from all
 # Authenticate via Raven (mod_ucam_webauth) and accept any Raven user.
 AuthType Ucam-WebAuth
 Require valid-user
 # "any": either the host rule or a successful authentication is enough.
 # Since the host rule always fails here, only Raven authentication lets
 # a request through.
 Satisfy any

All DAMTP Users With Raven Accounts

All DAMTP Users With Raven Accounts can access this directory

 order deny,allow
 deny from all
 AuthType Ucam-WebAuth
 AuthGroupFile /opt/httpd/conf/damtpgroup
 Require group damtpusers
 Satisfy any

A Specific Group of Raven Accounts That You Define

A Specific Group of Raven Accounts That You Define can access this directory

 order deny,allow
 deny from all
 AuthType Ucam-WebAuth
 AuthGroupFile /home/raid/supp/mr349/public_html/restricted/.htravengroups
 Require group mygroup
 Satisfy any

The .htravengroups file will be of the form (one group per line, members separated by spaces; a username may appear in several groups):

groupname1: username1 username2 username3 username4 etc
groupname2: username5 username2 username3 etc

The standard Apache configuration refuses to serve any file whose name begins with .ht, which is why a group file called .htravengroups is safe even though it sits inside public_html. If you give it a different name, keep it outside the www directory tree.

Basic Authentication using a UserID and Password that You Define

This is NOT a very secure way to control access to a directory. With Basic authentication the browser sends the userID and password with every request merely base64-encoded, which is trivially reversible, so over plain HTTP they cross the Internet in effect as clear text and anyone able to observe the traffic can read them. It is useful as a little protection for relatively unimportant documents, for example a draft paper you are working on with collaborators at another university.

The .htaccess file I have used for this example is:

 AuthType Basic
 AuthName "Password Required"
 AuthUserFile /home/raid/supp/mr349/password/password.file
 Require valid-user

Just to be sure the password file is not served by the web-server there is a .htaccess file in /home/raid/supp/mr349/password/ with the following entry:

deny from all

The password file content is below (please note the password file is not in the www directory tree as you don't want the web server serving up your password file):

bob:mFOXu4tavzogU

of the form:

${userID}:${encrypted_password}

You can generate the password part of this file (everything after the ${userID}: bit) with the following bit of Perl from the UNIX command line:

perl -e 'print(crypt("bob","mF")."\n");'

which is of the form:

perl -e 'print(crypt("${password}","${SALT}")."\n");'

Replace bob with the password you want to set (in the example above the password happens to be the same as the userID), and you may replace the salt mF with any two characters from the set a-z, A-Z, 0-9, . and /, for example xX or Kw. Note that this traditional crypt() scheme only uses the first 8 characters of the password; anything after the eighth character is silently ignored. The htpasswd program that ships with Apache will write this file for you and, on recent versions, can use stronger hashes (for example htpasswd -B for bcrypt).

Note that these userIDs and passwords are sent in clear text across HTTP (port 80). So please DO NOT use a userID and password that you would use for your normal UNIX/Windows user accounts.
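To make the clear-text point concrete, here is an added example (not code from this page or from Apache) that reconstructs what a browser sends for Basic authentication, recovers the credentials from a captured request exactly as anyone on the network path could, and flags which entries in an AuthUserFile still use the 13-character crypt() scheme produced by the Perl one-liner above. The request, the user IDs and the hash strings are constructed sample data; the $apr1$ and $2y$ lines are only shaped like real hashes.

```python
import base64
import re


def basic_authorization_header(user, password):
    """Build the header a browser sends for Basic auth: base64 of 'user:password'.
    base64 is an encoding, not encryption; anyone can reverse it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def credentials_from_request(raw):
    """Recover (user, password) from a captured plaintext HTTP request,
    or None if it carries no Basic Authorization header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        decoded = base64.b64decode(token.strip()).decode("utf-8")
        user, _, password = decoded.partition(":")  # only the first ':' separates them
        return user, password
    return None


# Constructed capture of a request for a Basic-auth protected page on port 80
# (user 'bob', password 'bob', matching the page's example password file).
CAPTURED_REQUEST = (
    b"GET /~mr349/restricted/paper.pdf HTTP/1.1\r\n"
    b"Host: www.damtp.cam.ac.uk\r\n"
    + basic_authorization_header("bob", "bob").encode("ascii") + b"\r\n"
    b"User-Agent: Lynx/2.8.9\r\n"
    b"\r\n"
)

# Constructed AuthUserFile. The 'bob' line is the one on this page; the other two
# are placeholders shaped like the MD5 ($apr1$) and bcrypt ($2y$) forms htpasswd writes.
PASSWORD_FILE = """\
bob:mFOXu4tavzogU
alice:$apr1$xrbXyz12$1vDqiOOE.GQ/QhXJQ1pwF1
carol:$2y$05$hNGS3oq.gOfiyGN9jSTBMuYyKXa7gChmzhfI4ok6ApOS.9F11VpQa
"""


def hash_scheme(entry):
    """Classify a stored password hash by its format."""
    if re.fullmatch(r"[./0-9A-Za-z]{13}", entry):
        return "des-crypt"   # 2-char (12-bit) salt; password silently cut to 8 chars
    if entry.startswith("$apr1$"):
        return "apr1-md5"
    if entry.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    return "unknown"


def weak_entries(text):
    """Return the user IDs whose stored hash is traditional DES crypt()."""
    weak = []
    for line in text.splitlines():
        user, sep, entry = line.partition(":")
        if sep and hash_scheme(entry.strip()) == "des-crypt":
            weak.append(user.strip())
    return weak


if __name__ == "__main__":
    print("on the wire:", basic_authorization_header("bob", "bob"))
    print("recovered  :", credentials_from_request(CAPTURED_REQUEST))
    print("DES-crypt  :", weak_entries(PASSWORD_FILE))
```

Running it prints the header as it appears on the wire, the recovered userID and password, and the list of accounts still on DES crypt(). Serving the directory over HTTPS protects the header in transit; it does nothing about the weak hash at rest, which is the separate reason to prefer htpasswd's stronger schemes.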

All Raven Accounts can access a specific file

All Raven Accounts can access the single file fileraven.html in this directory

<Files fileraven.html>
order deny,allow
deny from all
AuthType Ucam-WebAuth
Require valid-user
Satisfy any
</Files>

All Raven Accounts can access specific files

All Raven Accounts can access the files little.html and mermaid.html in this directory

<FilesMatch "^(little|mermaid)\.html$">
    Order allow,deny
    Deny from all
    AuthType Ucam-WebAuth
    Require valid-user
    Satisfy any
</FilesMatch>

The argument to FilesMatch is a regular expression, so quote it, anchor it with ^ and $ and escape the dot. Left unanchored and unescaped, (little|mermaid).html would also match names such as littlexhtml or mylittle.html.bak, and a copy of the file saved under such a name would be protected while the name you actually wanted to protect might not be.

Logout of Raven

There is a trick that lets people log out of Raven when they have finished looking at your pages. Put this HTML into your web page:

 <a href="logout">Logout</a> from <a href="http://raven.cam.ac.uk">Raven</a>

and put this into a .htaccess file in the same directory:

<Files logout>
 SetHandler AALogout
 Satisfy any
</Files>

Note: the Satisfy any is there so that you do not have to be logged in to Raven in order to log out. Without it the logout URL would inherit the directory's Require rule, so if your Raven session had timed out while you had a page open you would be made to reauthenticate to Raven just to log out of it.

Testing your .htaccess code

Suppose you are on a machine inside DAMTP and want to check that the code in your .htaccess file does what you intend. Say the code is supposed to let anyone on a .damtp.cam.ac.uk machine read your files without a Raven login, while everyone else must log in to Raven. How do you check that everyone else really is prompted for their Raven username and password?

Amend the code: change the Allow from .damtp.cam.ac.uk line to a single DAMTP computer, say nassau, giving Allow from nassau.damtp.cam.ac.uk. Then log into nassau, run lynx, and you should be able to access your page directly. Now try to access the page from your own computer or any other machine; if the "Raven Authentication Service" window appears, the page is protected by Raven and your code is correct. Finally put the Allow from ... line back as it was.

When you are running this kind of testing, you'll find having a logout link very handy.
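The group-file format above and the Allow from test just described are both instances of the same Apache 2.2 decision: the host rule (Order/Allow/Deny), the authentication rule (Require, checked against the AuthGroupFile) and Satisfy, which says whether one or both must pass. The following added example (not code from this page, from Apache or from mod_ucam_webauth) models that decision for the directives used on this page, so you can work out what a given host and Raven user should get before you try it with lynx. The .htaccess text, the group file, the host names and the user names are constructed sample data; DNS double-reverse checks, IP-address forms of Allow/Deny and Order modes other than deny,allow and allow,deny are left out.

```python
# Constructed .htaccess: DAMTP machines get in without Raven, everyone else via Raven.
HTACCESS = """\
order deny,allow
deny from all
allow from .damtp.cam.ac.uk
AuthType Ucam-WebAuth
AuthGroupFile /home/raid/supp/mr349/public_html/restricted/.htravengroups
Require group mygroup
Satisfy any
"""

# Constructed group file in the .htravengroups format.
GROUP_FILE = """\
mygroup: alice bob carol
damtpusers: alice dave
"""


def parse_groups(text):
    """'groupname: user1 user2 ...' per line -> {groupname: {user1, user2, ...}}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def parse_htaccess(text):
    """Collect the subset of directives used on this page (names are case-insensitive)."""
    cfg = {"order": "deny,allow", "allow": [], "deny": [],
           "require": None, "satisfy": "all", "authtype": None}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "order":
            cfg["order"] = args[0].lower()
        elif key in ("allow", "deny") and args and args[0].lower() == "from":
            cfg[key].extend(args[1:])
        elif key == "require":
            cfg["require"] = (args[0].lower(), args[1:])
        elif key == "satisfy":
            cfg["satisfy"] = args[0].lower()
        elif key == "authtype":
            cfg["authtype"] = args[0]
    return cfg


def host_matches(host, pattern):
    """'all', an exact host name, or a (partial) domain matched on whole components,
    as Allow/Deny from do: example.org matches foo.example.org, not fooexample.org."""
    host, pattern = host.lower(), pattern.lower().lstrip(".")
    return pattern == "all" or host == pattern or host.endswith("." + pattern)


def host_allowed(cfg, host):
    allowed = any(host_matches(host, p) for p in cfg["allow"])
    denied = any(host_matches(host, p) for p in cfg["deny"])
    if cfg["order"] == "deny,allow":   # Deny first, Allow overrides, default allow
        return allowed or not denied
    return allowed and not denied      # allow,deny: Allow first, Deny overrides, default deny


def user_authorised(cfg, user, groups):
    """Evaluate Require valid-user / user ... / group ... for an authenticated user."""
    if user is None or cfg["require"] is None:
        return False
    kind, args = cfg["require"]
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in args
    if kind == "group":
        return any(user in groups.get(g, set()) for g in args)
    return False


def request_served(cfg, groups, host, user=None):
    """True if Apache would send the page; False means a Raven prompt (or a 403)."""
    by_host = host_allowed(cfg, host)
    by_auth = user_authorised(cfg, user, groups)
    if cfg["satisfy"] == "any":
        return by_host or by_auth
    return by_host and (by_auth or cfg["require"] is None)


if __name__ == "__main__":
    cfg, groups = parse_htaccess(HTACCESS), parse_groups(GROUP_FILE)
    for host, user in [("nassau.damtp.cam.ac.uk", None), ("laptop.example.org", None),
                       ("laptop.example.org", "alice"), ("laptop.example.org", "dave")]:
        outcome = "served" if request_served(cfg, groups, host, user) else "Raven prompt"
        print(host, user, "->", outcome)
```

The narrowing step of the test is just HTACCESS with .damtp.cam.ac.uk replaced by nassau.damtp.cam.ac.uk: nassau is still served without a login, every other DAMTP machine now gets the Raven prompt, and a user outside mygroup is refused even after logging in. The model also shows why Satisfy any matters: with the default Satisfy all, a DAMTP host would need both the address match and a Raven login.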

Where to find what other Raven directives are allowed

There is a page managed by the Computing Service which contains the full list of Raven directives along with examples.