Currently, MIT's main web server (web.mit.edu) does not offer password protection for web pages. If you need guidance in determining whether or not your content should be restricted, see IS&T's guide on Protecting Data.
web.mit.edu does support securing web pages with MIT certificates. With MIT certificates you can restrict access to specific MIT users or groups of MIT users.
If you want to distribute one username and password to your users, try scripts.mit.edu. It also supports users accessing password-protected files using HTTPS (and optionally certificates) for authorization. This method allows you to grant non-MIT users access to password-protected information.
Restricting access to a list of users or a group has several steps.
Step 1. Create an empty .htaccess.mit file.
You must make sure the file is created in a Unix-friendly text editor, like vi. Vi is part of almost every Unix system from AIX to Mac OS X or any modern BSD. These files are case-sensitive in both name and content, so be sure to name the file using lowercase letters. If there are subdirectories within your restricted directory, you do not need to maintain a separate .htaccess.mit file within each subdirectory. As long as you set the access permissions correctly within each subdirectory (see next step), they will all use the parent .htaccess.mit file.
Step 2. Put one of the following lines in your .htaccess.mit file:
- All MIT certificate holders:
- A list of users:
Require user <Kerberos username>
Example: Require user user1 user2 user3
- A group:
Require group <groupname>
Example: Require group network web-team
Users and groups cannot be combined
When there are multiple Require lines in a file, the webserver joins them in a Boolean AND operation. Therefore, you can restrict a directory to one or more groups, or one or more users, but not a combination of the two. For example, if you have the following content:
Require user joeuser janeuser
that will be interpreted by the web server as "The username must be either joeuser or janeuser AND the user must be in either the group myfriends or myotherfriends." The outcome of this, therefore, is that access is basically restricted to the users listed, and not to other members of the group.
If you find yourself needing to grant access to one or more groups as well as one or more individual users, create a new Moira group that includes the groups and users, and restrict access to just this new Moira group.
Step 3. Remove, if it exists, access control list permission in the directory and subdirectories for system:anyuser
You can find out more about permissions at "How do permissions work in AFS?"
Step 4. Add access control list permissions in the directory and subdirectories for system:htaccess.mit
Step 5. Review settings for your permissions
Step 6. Redirect the link to the restricted space via https://web.mit.edu/.
Once you have linked to the protected directory, make all other links on the restricted pages relative rather than absolute. This is especially important for images, since images served from http cannot be served on an https page.
Step 7. Test your work
Try having a user listed in the .htaccess.mit file and a user not listed in the .htaccess.mit file go to your secured web page.
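The Require semantics from Step 2 (names on one line are alternatives, separate lines are ANDed) can be modeled before testing to see who a given file would admit. This is an added example, not MIT's or the web server's code; the function names, the sample file contents and the group memberships are constructed for illustration, and treating a file with no Require lines as deny is an assumption.

```python
# Added example: models the Require semantics described on this page.
# Group membership is supplied by the caller (constructed data); nothing
# here queries Moira, AFS or the web server.

def parse_require(text):
    """Return [(kind, names)] for each 'Require user|group ...' line."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        # The page says the file is case-sensitive, so match exactly.
        if len(parts) >= 3 and parts[0] == "Require" and parts[1] in ("user", "group"):
            rules.append((parts[1], set(parts[2:])))
        else:
            raise ValueError(f"unrecognized line: {raw!r}")
    return rules

def is_allowed(rules, username, user_groups):
    """Names on one line are ORed; separate Require lines are ANDed."""
    if not rules:
        return False  # assumption: no Require lines means nobody is admitted
    for kind, names in rules:
        ok = username in names if kind == "user" else bool(names & user_groups)
        if not ok:
            return False
    return True

def audit(text, directory):
    """directory: constructed mapping of username -> set of group names."""
    rules = parse_require(text)
    kinds = {kind for kind, _ in rules}
    return {
        "mixed": kinds == {"user", "group"},  # the combination the page warns about
        "admitted": sorted(u for u, g in directory.items() if is_allowed(rules, u, g)),
    }

# Constructed sample matching the page's joeuser/janeuser description.
SAMPLE = "Require user joeuser janeuser\nRequire group myfriends myotherfriends\n"
DIRECTORY = {
    "joeuser": {"myfriends"},   # listed user who is also in a listed group
    "janeuser": set(),          # listed user in neither group
    "friend1": {"myfriends"},   # group member who is not a listed user
    "friend2": {"myotherfriends"},
}

if __name__ == "__main__":
    print(audit(SAMPLE, DIRECTORY))
    print(audit("Require group myfriends myotherfriends\n", DIRECTORY))
```

With the mixed file, only joeuser is admitted: janeuser fails the group line and the group members fail the user line, which is why a single Moira group containing everyone is the recommended approach.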