Password Protecting HTML Files
To password protect a set of files in a directory, you MUST have access to the binary file htpasswd. This binary program encrypts the password that can only be deciphered with a WWW browser. You can probably find it in /usr/local/etc/httpd/support, unless your webmaster has moved it elsewhere. Without this program, password protection is not possible. If you are running a Macintosh, Windows or other HTTP daemon program, consult the READMEs to find out the location of the "htpasswd" program.

What I will be describing here is how to password protect on a UNIX-based system, okay? Let's get started!


Creating The Password

After you have located the htpasswd program, use it in the following manner.

htpasswd -c /home/tomcat/.htpass tomcat

-c
    Specifies a new password file.

/home/tomcat/.htpass
    This tells the program where to put the password file. Here, I have
    called the file ".htpass". However, you can set the name of the file
    to anything you wish.

tomcat
    This is the user name that is allowed access to this directory.

If you noticed, I put "/home/tomcat/" just before the name of the password file that I wish to have created. If you are running the htpasswd program from "/usr/local/etc/httpd/support", you have to specify this because you probably do not have privileges to write to that directory. To make it easier, you should run it from your home directory by typing in:

/usr/local/etc/httpd/support/htpasswd -c .htpass tomcat

This eliminates the need to specify the location of the password file.

After you have entered that command line, it will ask you for the password for this user. You will have to enter it twice, so make sure you spell it correctly, and use any upper/lowercase letters where you desire them. The password IS case sensitive.

Do not use numbers in your password. For some reason, it becomes transparent when comparing your entry to the password on file.


The .htaccess

The .htaccess file is needed to tell the web browser that the directory is password protected, and what user(s) to expect logins from. In the directory you want to have password protection, create the .htaccess file with the following contents:

AuthUserFile /home/tomcat/lock/.htpass*
AuthGroupFile /dev/null
AuthName Secured Files
AuthType Basic

<Limit GET>
require user tomcat
require user johndoe
require user janedoe
</Limit>

*AuthUserFile is the location of the PASSWORD file. Do not store it in the same directory that you are protecting.

In this example, I have 3 users that have access to this directory. When the user enters his/her username with the correct password, they are granted access.

The AuthGroupFile

If you know anything about a UNIX system, you are aware of the file /etc/group (if you don't know what I'm talking about, don't worry, I'll get to it). The web side can have a similar setup. If you plan on giving a large number of users access to a password protected directory, the AuthGroupFile option may be for you.

You still need to create the users and their passwords, though. In addition to that, you'll also need to create a group file (e.g. .htgroup). That file will look like this:

WebGroup:  janedoe johndoe
HtmlGroup: webmaster tomcat

Your .htaccess file will change as well. It will look like this:

AuthUserFile /home/tomcat/lock/.htpass
AuthGroupFile /home/tomcat/lock/.htgroup
AuthName Secured Files
AuthType Basic

<Limit GET>
require user tomcat
require group WebGroup
</Limit>

Now, anyone in the group WebGroup has access to this directory. If you add more users, you'll only have to add them to the .htgroup file (in their appropriate group, of course), and not even have to touch the .htaccess file again! Also, as you can see, you can have user and group access in the .htaccess file.

Common Mistakes

Some of the more common errors made during the creation of a password-protected directory involve the file attributes. As with any HTML document, the file must be world-readable. Make sure you chmod 604 all files (including the password file you use). Directories are usually chmod'ed to 705. For more information about setting up your HTML directories, look here!
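
The three files described above have to agree with each other, and the following added example (not part of the original page) checks that: every user or group named in a "require" line must exist, every group member must have a password entry, and the password file must not sit in the protected directory. The function names, the placeholder hashes and the /home/tomcat/public_html path are assumptions made for illustration.

```python
import posixpath

# Constructed sample inputs; the .htaccess and group file mirror the page's example.
HTACCESS = """AuthUserFile /home/tomcat/lock/.htpass
AuthGroupFile /home/tomcat/lock/.htgroup
AuthName Secured Files
AuthType Basic
<Limit GET>
require user tomcat
require group WebGroup
</Limit>"""
HTGROUP = "WebGroup:  janedoe johndoe\nHtmlGroup: webmaster tomcat\n"
HTPASS = "tomcat:PLACEHOLDER_HASH\njanedoe:PLACEHOLDER_HASH\n"  # johndoe is missing

def parse_htaccess(text):
    """Return (directives, requires) where requires is a list of (kind, name)."""
    directives, requires = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#<":
            continue  # skip blanks, comments and <Limit> container tags
        parts = line.split()
        if parts[0].lower() == "require" and len(parts) >= 3:
            requires += [(parts[1].lower(), name) for name in parts[2:]]
        elif len(parts) >= 2:
            directives[parts[0].lower()] = parts[1]
    return directives, requires

def parse_groups(text):
    """Map each group name to its set of members ('Group: user user')."""
    pairs = (l.split(":", 1) for l in text.splitlines() if ":" in l)
    return {name.strip(): set(members.split()) for name, members in pairs}

def audit(protected_dir, htaccess, htpass, htgroup=""):
    """Return a list of problems found across the three files."""
    directives, requires = parse_htaccess(htaccess)
    users = {l.split(":", 1)[0] for l in htpass.splitlines() if ":" in l}
    groups, findings = parse_groups(htgroup), []
    pw_dir = posixpath.dirname(posixpath.normpath(directives.get("authuserfile", "")))
    if pw_dir == posixpath.normpath(protected_dir):
        findings.append("password file is inside the protected directory")
    for kind, name in requires:
        if kind == "user" and name not in users:
            findings.append(f"user {name} has no password entry")
        elif kind == "group" and name not in groups:
            findings.append(f"group {name} is not defined")
        elif kind == "group":
            findings += [f"{m} (group {name}) has no password entry"
                         for m in sorted(groups[name] - users)]
    return findings

if __name__ == "__main__":
    print(audit("/home/tomcat/public_html", HTACCESS, HTPASS, HTGROUP))
```
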