
Restrict access – Central Web

Set up .htaccess to restrict access to specific web directories

Ever wanted to restrict access to some or all of your Web directories?  .htaccess makes it possible.  Using an .htaccess file you can both restrict access to specific Internet addresses and use Passport York to do user authentication.

Important Note: Since this system uses Passport York authentication, please advise users to log out once they no longer need access to your web site. Provide a link to the URL https://passportyork.yorku.ca/ppylogin/ppylogout on your web page and ask your users to click on it to log out.

Use your favorite text editor to create an .htaccess file and save it in the Central Web service account you want to protect.  The file permission of the .htaccess file must be set to 640, which is user-read, user-write, and group-read.  You can use most FTP clients to set the file permission.

.htaccess Directives


Authentication Directives

Web users must authenticate prior to accessing a protected web page or directory.  To ensure authentication, both the "AuthName" and "AuthType" directives are required and must be specified in your .htaccess file.

AuthName
The name specified to the "AuthName" directive will appear at the top of the Passport York login page.

AuthType PYork
The "AuthType" directive specifies that Passport York authentication will be used to authenticate users before they can access a protected web directory.

For example, your .htaccess file would look similar to:

AuthName "My protected web directory"
AuthType PYork

Access Control "Require" Directives

The access control "Require" directives are specified in the .htaccess file.  These directives specify who has access to the protected web directory, and/or the attributes that an authenticated user must match to access the protected web directory.  You can specify one or more "Require" directives.  If you specify more than one "Require" directive, access is granted provided any one of them is fulfilled.  If no "Require" directives are specified, the directory has no access control and can be accessed by anyone.

The following is a list of commonly used access control "Require" directives:

Require valid-user

Allows access to any valid "Passport York" user that authenticates successfully.  Note: When you use the "Require valid-user" directive, DO NOT specify any other access control "require" directive - doing so will result in an error message.

e.g.
AuthName "My protected web directory"
AuthType PYork
Require valid-user

Require user

Allows access to users with Passport York Login IDs that match the ones listed.  You can specify multiple users separated by spaces.

e.g.
AuthName "My protected web directory"
AuthType PYork
Require user jdoe bsmith ajones

Require type

Allows access to users that match the specified user type.  For instance, you can restrict access to only students, or only faculty, or only faculty and grad students, etc.  You can specify access to more than one user type provided each type is placed on a separate line.  A user type is written as a type and a subtype separated by a colon (as in the list below), so the format is:

Require type <type>:<subtype>

Commonly used types include:

  • Require type Employee:Staff
  • Require type Undergrad:Student
  • Require type Grad:Student
  • Require type Faculty:Unknown
  • Require type Nondeg:Student
  • Require type "Guest - Faculty:unknown"
  • Require type "Guest - Staff:unknown"

The following example shows how to set up an .htaccess file that restricts access to faculty, undergrad students, and grad students.

e.g.
AuthName "My protected web directory"
AuthType PYork
Require type Faculty:Unknown
Require type Undergrad:Student
Require type Grad:Student

Require course

Allows access to users enrolled in the specified course.

e.g.
AuthName "My protected web directory"
AuthType PYork
Require course 2006_AK_ADMS_F_3000__3_A_DIRD_01

Require courseprefix

Allows access to users enrolled in any course whose code begins with the specified prefix.
Note: To look up course codes, use the course code application.

e.g.
AuthName "My protected web directory"
AuthType PYork
Require courseprefix 2006_AK_ADMS_F_3000

PYorkAllowEveryone on

Rather than restricting access to current students, employees, and faculty, the "PYorkAllowEveryone on" directive allows access to anyone who can log in to Passport York, including alumni, retirees, etc.
Note: If you specify this directive, the only access control "Require" directives you can specify are "Require valid-user" and "Require user".

e.g.
AuthName "My protected web directory"
AuthType PYork
Require valid-user
PYorkAllowEveryone on

ErrorDocument

Failed access requests need to be redirected to an appropriate error page.  You can accomplish this using Passport York's generic error page, or you can specify your own error page with this directive:

ErrorDocument 412 https://passportyork.yorku.ca/needauth.html


Host-based Restriction Commands in .htaccess

Host-based restriction commands take precedence over the authentication commands.  Therefore, if you deny a certain machine access to a subdirectory, a user on that machine will receive a "Forbidden" error message when accessing the subdirectory and will not get a Passport York login page.

Command: Instructions:

Allow from
Allows access to the directory from certain machines and/or networks.

Allow from all
  • Allows public access.
Allow from IP-address
  • Allows access from a certain machine based on its IP address or hostname.  For example:
    Allow a single machine:
    Allow from mymachine.yorku.ca
    Allow multiple machines:
    Allow from mymachine.yorku.ca  130.63.100.101  othermachine.internet.com
Allow from subnet-address
  • Allows access from the specified subnet(s).  For example:
    Allow machines from York's domain (by IP subnet):
    Allow from 130.63
    Allow machines from York's domain (by named subnet):
    Allow from yorku.ca

Deny from
Denies access to the directory from certain machines and/or networks.

Deny from all
  • Denies public access.
Deny from IP-address
  • Denies access from a certain machine based on its IP address or hostname.  For example:
    Deny a single machine:
    Deny from mymachine.yorku.ca
    Deny multiple machines:
    Deny from mymachine.yorku.ca  130.63.100.101  othermachine.internet.com
Deny from subnet-address
  • Denies access from the specified subnet(s).  For example:
    Deny machines from York's domain (by IP subnet):
    Deny from 130.63
    Deny machines from York's domain (by named subnet):
    Deny from yorku.ca

Order
Specifies the default access state and the order of precedence of the Allow and Deny statements.  Note that the two keywords are separated by a comma with no space.

Order deny,allow
  • Applies all Deny rules and then the Allow rules.  Access is allowed by default: any client that does not match a Deny command, or that does match an Allow command, is allowed access to the server.
Order allow,deny
  • Applies all Allow rules and then the Deny rules.  Access is denied by default: any client that does not match an Allow command, or that does match a Deny command, is denied access to the server.

 


Adding the user's username to your HTML page

Once the user is logged in you can show their username by using the following command in your HTML page:

Note that this command will only work in an HTML page (i.e. the file extension must be .htm or .html).  Also, this HTML file must be placed in an .htaccess-protected web directory in order to determine the username (there is no username if the user was not required to log in to see your page).
If you're using active content (e.g. PHP, Perl, etc.) then you will need to consult its documentation for the corresponding way to read the server variable "REMOTE_USER" (without the quotes).


Configuration Directives

"Configuration directives," with the exception of those related to logging, are specified in the .htaccess file.

PYorkAppID

Short application name used for logging; 48 characters or less.


PYorkCookieTimeout

Specifies how long (in minutes) before a Passport York cookie times out and the user has to log in again for this web resource.  The maximum timeout is 720 minutes; if you specify a larger timeout it will be ignored and 720 minutes will be used.

Note: If a user accesses a different web resource, then that resource's Passport York cookie timeout applies.
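As an added example (not from the York documentation), here is a complete .htaccess for a course directory that uses the two configuration directives above together with the authentication and "Require" directives from earlier sections.  The application name, timeout value and user ID are constructed placeholders; the course prefix and error page URL are the ones that appear on this page.  Whether PYorkAppID accepts a quoted value is not stated on the page, so the value below is written without quotes.

```apache
# Added example, not from the York documentation.
# Configuration directives: short name for the Passport York logs
# (48 characters max; constructed placeholder) and a 60-minute cookie
# lifetime for this resource (anything above 720 is capped at 720).
PYorkAppID ADMS3000-notes-placeholder
PYorkCookieTimeout 60

# Authentication: both AuthName and AuthType are required.
AuthName "ADMS 3000 lecture notes"
AuthType PYork

# Access control: any one matching Require line grants access.
# Students in any section of the course, plus one named instructor
# (constructed placeholder login ID).
Require courseprefix 2006_AK_ADMS_F_3000
Require user jdoe

# Failed access requests are sent to this error page instead of the
# server's default.
ErrorDocument 412 https://passportyork.yorku.ca/needauth.html
```

Save the file as .htaccess in the directory to protect and set its permission to 640, as described at the top of this page; because there is no "Require valid-user" line, adding further "Require" lines later (for example another course prefix) is permitted.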

Updated on October 11th, 2012.