Access control

If your web pages are installed on the www.sfu.ca server or any server with the SFU Central Authentication Service (CAS) Apache module installed, you can limit access to them by setting up a prompt for an account and password. Some of the possibilities are to grant access to:

  1. any SFU account/password
  2. selected SFU accounts/passwords
  3. the members of an SFU mailing list, upon receipt of their accounts/passwords
  4. an account/password combination that you invent (and give to selected SFU or non-SFU people)
  5. any machine in the sfu.ca domain (without prompting), otherwise any SFU account/password

You can mix and match these; for example, you might do 2 and 3.

Limiting access to pages installed in WebDAV space (webdav.sfu.ca)

Adjacent to your pages, you need to set up a file called .htaccess. The AuthUserFile line in .htaccess, if needed, must read

AuthUserFile /webdav/web/foldername/.htpasswd

Replace foldername with the folder in which your web pages are installed.


Limiting access to pages installed on Unix (fraser.sfu.ca)

Using any Unix editor, put a file called .htaccess in the directory that contains the web pages to be restricted. All sub-directories will be similarly restricted. If you have parallel directories to be restricted, put a .htaccess file in each of them. Set its permissions appropriately:

chmod 644 .htaccess

Some simple examples

Add content like this to .htaccess:

Example 1: .htaccess file to always prompt for an account and password
AuthType CAS
require valid-sfu-user
To provide upward compatibility with earlier ways of protecting access to web pages, you can replace the AuthType CAS with AuthType Basic.


or this:


Example 2: .htaccess file to allow machines in the sfu.ca domain to access your pages, otherwise prompt for an account and password
AuthType CAS
allow from sfu.ca
require valid-sfu-user
Read example 1's notes.
The only difference between examples 1 and 2 is the "allow from sfu.ca" line.


another example:


Example 3: .htaccess file always prompts for an account and password, but only allows access if the connection is from a machine in the sfu.ca domain
AuthType CAS
allow from sfu.ca
require valid-sfu-user
satisfy all
Read notes from examples 1 and 2.
The default for the satisfy line is satisfy any, which is why example 2 allows access from an SFU machine or when someone supplies an id and password. In this example, access is only granted if the user is connected from a machine at SFU and can supply a valid SFU computing id and password.
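
An added example, not part of the original page or of SFU's server configuration: a small Python model of how examples 1 to 3 decide access, useful for checking a rule set before installing it. It assumes what the page states (satisfy any is the default) and that a host not matched by an allow line fails the host check; it handles only hostname patterns, matched on whole name components as Apache does, and the function names and client hostnames are constructed for the illustration.

```python
# Added illustration; models only the directives used in examples 1-3.
EXAMPLE_1 = "AuthType CAS\nrequire valid-sfu-user\n"
EXAMPLE_2 = "AuthType CAS\nallow from sfu.ca\nrequire valid-sfu-user\n"
EXAMPLE_3 = EXAMPLE_2 + "satisfy all\n"


def parse_htaccess(text):
    """Collect allow/require/satisfy lines; directive names are case-insensitive."""
    policy = {"allow": [], "require": [], "satisfy": "any"}  # default per the page
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "allow" and len(words) > 2 and words[1].lower() == "from":
            policy["allow"] += [w.lower() for w in words[2:]]
        elif key == "require" and len(words) > 1:
            policy["require"].append(words[1:])
        elif key == "satisfy" and len(words) > 1:
            policy["satisfy"] = words[1].lower()
    return policy


def host_matches(hostname, pattern):
    """Match whole name components: sfu.ca matches lab1.sfu.ca, not notsfu.ca."""
    host, pat = hostname.lower().rstrip("."), pattern.lstrip(".")
    return host == pat or host.endswith("." + pat)


def decide(policy, hostname, logged_in):
    """Return 'allow', 'prompt' (login needed) or 'deny' for one request.

    Assumption: a host not matched by an allow line fails the host check.
    logged_in means the visitor already presented a login the require lines accept.
    """
    host_ok = any(host_matches(hostname, p) for p in policy["allow"])
    user_ok = bool(policy["require"]) and logged_in
    if policy["satisfy"] == "all":      # both checks must pass
        if not host_ok:
            return "deny"
        return "allow" if user_ok else "prompt"
    if host_ok or user_ok:              # satisfy any: either check is enough
        return "allow"
    return "prompt" if policy["require"] else "deny"


if __name__ == "__main__":
    # Client hostnames below are constructed for the demonstration.
    for name, text in (("1", EXAMPLE_1), ("2", EXAMPLE_2), ("3", EXAMPLE_3)):
        for host in ("lab1.sfu.ca", "host.example.net"):
            print(name, host, decide(parse_htaccess(text), host, logged_in=False))
```

Under example 2 a campus host is let in without any login, so that rule set protects pages only as far as the hostname check can be trusted; example 3 is the one that requires both.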

 

one final example:

 

Example 4: .htaccess file containing multiple conditions
AuthType CAS
require sfu-user kipling !hist999-d1
require user externaljones
This .htaccess file will give access to the members of the hist999-d1 course mailing list, plus to the SFU account kipling (the TA), plus to the invented account externaljones (to allow a colleague at UBC to access your pages).