Service Note: This service is obsolete and this page is for reference purposes only.
Set up .htaccess to restrict access to specific web directories
Ever wanted to restrict access to some or all of your Web directories? .htaccess makes it possible. Using an .htaccess file you can both restrict access to specific Internet addresses and use Passport York to do user authentication.
Important Note: Since this system uses Passport York authentication, please advise users to log out once they no longer need access to your web site. Provide a link to the URL https://passportyork.yorku.ca/ppylogin/ppylogout on your web page and ask your users to click on it to log out.
Use your favorite text editor to create an .htaccess file and save it in the Central Web service account you want to protect. The file permission of the .htaccess file must be set to 640, which is user-read, user-write, and group-read. You can use most FTP clients to set the file permission.
- For instructions on how to use authentication, refer to the Authentication Directives.
- For instructions on how to control access to a protected site, refer to Access Control "Require" Directives.
- For instructions on how to restrict access from Internet addresses, refer to Host-based Restrictions.
- For instructions on how to include the authenticated user's username in the HTML pages after login, refer to Adding the user's username.
- For instructions on how to use configuration, refer to the Configuration Directives.
Access Control "Require" Directives
The access control "require" directives are specified in the .htaccess file. These directives specify who has access to the protected web directory, and/or the attributes that an authenticated user must match in order to access the protected web directory. You can specify one or more "require" directives. If you specify more than one "require" directive, access is granted provided any one of the "require" directives is fulfilled. If no "require" directives are specified, then the directory has no access control and can be accessed by anyone.
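An added example, not part of the original page: a Python audit for two settings described above, the 640 file mode and the presence of at least one "require" directive (without one, the directory is open to anyone). It assumes a directive is the first word on a line, matched case-insensitively; the function names and the sample files, including the Apache-standard `require valid-user` line, are constructed for illustration.

```python
import os
import re
import stat
import tempfile

EXPECTED_MODE = 0o640  # user read/write, group read, as the page requires
# Assumption: a directive is the first word on a line, case-insensitive,
# so a line commented out with "#" does not count as a directive.
REQUIRE_RE = re.compile(r"^\s*require\b", re.IGNORECASE)

def audit_htaccess(path):
    """Return a list of findings for one .htaccess file (empty list = OK)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != EXPECTED_MODE:
        findings.append(f"mode is {mode:03o}, expected 640")
    with open(path, encoding="utf-8", errors="replace") as fh:
        if not any(REQUIRE_RE.match(line) for line in fh):
            findings.append("no require directive: directory is open to anyone")
    return findings

def audit_tree(root):
    """Walk root and audit every .htaccess file; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            report[path] = audit_htaccess(path)
    return report

def build_sample_tree():
    """Constructed sample: one correct file, one with both problems."""
    root = tempfile.mkdtemp()
    samples = {"ok": ("require valid-user\n", 0o640),
               "bad": ("# require valid-user\n", 0o644)}
    for name, (body, mode) in samples.items():
        os.mkdir(os.path.join(root, name))
        path = os.path.join(root, name, ".htaccess")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for path, findings in sorted(audit_tree(build_sample_tree()).items()):
        print(path, "->", findings or "OK")
```

The check covers only these two conditions; it does not evaluate whether the directives that are present grant access to the intended users.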
The following is a list of commonly used Access Control "Require" Directives
Host-based Restriction Commands in .htaccess
"Host-based restriction commands" take precedence over the Authentication commands. Therefore, if you deny a certain machine from accessing a subdirectory, the user of that machine will receive a "forbidden" error message upon accessing the subdirectory and will not get a Passport York Login page.
Adding the user's username to the following HTML page
Once the user is logged in you can show their username by using the following command in your HTML page:
Note that this command will only work in an HTML page (i.e. file extension must be .htm or .html). Also, this HTML file must be placed in an .htaccess protected web directory in order to determine the username (i.e. there won't be a username if the user is not required to login to see your page).
If you're using active content (e.g. PHP, Perl, etc.) then you will need to consult the documentation for the corresponding way to read the server variable "REMOTE_USER" (without the quotes).
"Configuration directives," with the exception of those related to logging, are specified in the .htaccess file.