
Web Publishing - Access privileges on web.mit.edu

Currently, MIT's main web server (web.mit.edu) does not offer password protection for web pages. If you need guidance in determining whether your content should be restricted, see IS&T's guide on Protecting Data.

Restricting access to MIT users

web.mit.edu supports securing web pages with MIT certificates. With MIT certificates, you can restrict access to specific MIT users or groups of MIT users.

Option A: publish your website on scripts.mit.edu

If you want to distribute one username and password to your users, try scripts.mit.edu. It also supports users accessing password-protected files using HTTPS (and optionally certificates) for authorization. This method allows you to grant non-MIT users access to password-protected information.

Option B: restrict access via https

Restricting access to a list of users or a group has several steps.

Step 1. Create an empty .htaccess.mit file.

You must make sure the file is created in a Unix-friendly text editor, like vi. Vi is part of almost every Unix system, from AIX to Mac OS X or any modern BSD. These files are case-sensitive in both name and content, so be sure to name the file using lowercase letters. If there are subdirectories within your restricted directory, you need not maintain a separate .htaccess.mit file within each subdirectory. As long as you set the access permissions correctly within each subdirectory (see next step), they will all use the parent .htaccess.mit file.

Step 2. Put one of the following lines in your .htaccess.mit file:

  1. All MIT certificate holders:
    Require valid-user
  2. A list of users:
    Require user <Kerberos username>
    Example: Require user user1 user2 user3
  3. A group:
    Require group <groupname>
    Example: Require group network web-team

Users and groups cannot be combined

When there are multiple Require lines in a file, the webserver joins them in a Boolean AND operation. Therefore, you can restrict a directory to one or more groups, or one or more users, but not a combination of the two. For example, if you have the following content:

Require user joeuser janeuser
Require group myfriends myotherfriends

that will be interpreted by the web server as "The username must be either joeuser or janeuser AND the user must be in either the group myfriends or myotherfriends." The outcome is that access is restricted to the listed users and is not extended to the other members of the groups.

If you find yourself needing to grant access to one or more groups as well as one or more individual users, create a new Moira group that includes the groups and users, and restrict access to just this new Moira group.
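
The rule above can be checked offline before you publish a file. The following is an added example, not code from IS&T or the web.mit.edu server: it models the Boolean AND across Require lines as described on this page and shows who gets in under the mixed file versus a single combined group. The function names, the user bobuser, the group site-access and all group memberships are assumptions made up for the illustration.

```python
# Added example: models the rule stated above (every Require line must pass;
# names on one line are alternatives). Not the web.mit.edu server's own code.

def parse_requires(text):
    """Parse .htaccess.mit content into a list of (kind, names) pairs."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        # Content is case-sensitive per the page, so only exact spellings pass.
        kind = parts[1] if len(parts) > 1 and parts[0] == "Require" else None
        names = frozenset(parts[2:])
        if (kind == "valid-user" and not names) or (kind in ("user", "group") and names):
            rules.append((kind, names))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return rules

def mixes_users_and_groups(rules):
    """True when the file has both user and group lines (the pitfall above)."""
    return {"user", "group"} <= {kind for kind, _ in rules}

def is_allowed(rules, user, groups):
    """Boolean AND across lines; within a line any listed name satisfies it."""
    if not rules:
        return False  # assumption of this model: no Require line, no access
    for kind, names in rules:
        if kind == "user" and user not in names:
            return False
        if kind == "group" and names.isdisjoint(groups):
            return False
    return True  # "valid-user" accepts any certificate holder

def decisions(text, membership):
    """Map each user in membership to the access decision for this file."""
    rules = parse_requires(text)
    return {user: is_allowed(rules, user, groups) for user, groups in membership.items()}

# Constructed sample data: the page's example file plus made-up memberships.
MIXED = "Require user joeuser janeuser\nRequire group myfriends myotherfriends\n"
MEMBERSHIP = {"joeuser": {"myfriends"}, "janeuser": set(), "bobuser": {"myfriends"}}
# Hypothetical combined Moira group, as the page recommends.
COMBINED = "Require group site-access\n"
COMBINED_MEMBERSHIP = {user: {"site-access"} for user in MEMBERSHIP}

if __name__ == "__main__":
    print("mixed file:", decisions(MIXED, MEMBERSHIP))
    print("combined group:", decisions(COMBINED, COMBINED_MEMBERSHIP))
```

With the mixed file, a member of myfriends who is not listed by name is refused, and so is a listed user who belongs to neither group; the single combined group admits all three.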

Step 3. Remove, if it exists, access control list permission in the directory and subdirectories for system:anyuser

fs sa . system:anyuser none

You can find out more about permissions at "How do permissions work in AFS?"

Step 4. Add access control list permissions in the directory and subdirectories for system:htaccess.mit

fs sa . system:htaccess.mit read

Step 5. Review settings for your permissions

fs la 
cat .htaccess.mit

Step 6. Redirect the link to the restricted space via https://web.mit.edu/.

Once you have linked to the protected directory, make all other links on the restricted pages relative rather than absolute. This is especially important for images, since images served from http cannot be served on an https page.

Step 7. Test your work

Have a user who is listed in the .htaccess.mit file and a user who is not listed in it each go to your secured web page.

Option C: password prompting

There are numerous free JavaScript scripts available on the web that will let you prompt the user for a password in order to get access to web pages. However, the password needs to be included in the code of the page, so anyone determined to read through the code will be able to find it and access the pages. This option provides a deterrent but no real security!

See also

Protecting a Web Directory via Certificates - more technical background

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

August 21, 2014
