
WebAuth with UNIX

WebAuth is being deprecated and will be retired soon.

To get help transitioning from WebAuth to SAML, visit SAML (Authentication) or the WebAuth Announcement page.

Overview

The easiest way to protect your pages with WebAuth is from the Unix command line. You can do everything you need with one interface (no switching from one program to another) and have more power and flexibility when handling exceptions. The Logging in to UNIX document tells you how to get to the Unix command line. If you're a little Unix-phobic, relax ... these instructions presume no advanced knowledge of Unix, and you can always refer to the UNIX Command Summary if you have questions.

Note: The Workgroup Manager is a web application that allows you to define groups of Stanford community members for use in various online applications (not just a web page or group of pages) that also utilizes web authentication (WebAuth). See the overview for Workgroups and the Workgroup Manager if this is the type of authentication you need.

Go to the WWW directory you want to WebAuth

  • Log in to Stanford UNIX. You can WebAuth any web directory for which you have admin perms but, for the sake of example, we're going to presume you want to WebAuth your own WWW directory.
  • You're automatically placed into your home directory by default each time you log in, so you're right where you need to be.
  • If you wanted to WebAuth a WWW directory outside your home directory you'd use the "cd" command to move to the directory you want. See Navigating AFS if you are not familiar with the "cd" command or don't know how to move around AFS to find the directory you want.

Set new permissions in the WWW directory

Affirm your administrative permissions

If you're in your own WWW directory you have all the admin privileges you need. If you're in a different WWW directory you need to make sure you actually have the ability to set permissions inside. The Are you allowed to set permissions? document tells you how to find out.

  1. Enter your WWW directory

    To get inside your WWW directory, type:

    cd WWW

  2. See what permissions are there now

    Subdirectories inherit the permissions of their parent directory. Check this by typing:

    fs la

    You might see something like the following:

    Access list for . is
    Normal rights:
    system:administrators rlidwka
    system:anyuser l
    yoursunetid rlidwka

  3. Set new permissions for WebAuth

    Your WWW directory needs new permissions so that the web server can protect your web files. Basically, you need to change "system:anyuser l" to "system:anyuser none" (which will cause it to disappear), and add or change a permission that says "system:www-servers rl". Here's how.

    While still within your WWW directory, type:

    fs sa . system:www-servers read

    Hit Return. Then type:

    fs sa . system:anyuser none

    Hit Return. Check your work by typing:

    fs la

    The permissions of your WWW directory should now be:

    Access list for . is
    Normal rights:
    system:administrators rlidwka
    system:www-servers rl
    yoursunetid rlidwka

    If you have problems setting file permissions, or want to learn more about them, see Setting Permissions. Otherwise, your WWW directory is ready for the .htaccess file that will describe who can see your pages.

Create a .htaccess file in the WWW directory

Now you need to tell the WebAuth system how to ensure that only the people you want to see your web pages can see them.

  1. From within your WWW directory, type:

    pico

    This invokes an online text editor.

  2. In the screen that comes up you can type in the two lines of WebAuth instructions you need. We recommend, however, that you simply cut and paste the WebAuth code you want from our list of popular, ready-made WebAuth directives.

    If you do cut and paste from the list, your next step is to edit the file. For example, if you copied and pasted this code from the WebAuth list:

    AuthType WebAuth
    require user sunetid1

    You'd want to replace the word "sunetid1" with the actual SUNet ID of the person you want to be able to see your web page. If, for example, that person's SUNet ID were gsmith, you would edit the code so it looked like this:

    AuthType WebAuth
    require user gsmith

  3. Hit Return once. The WebAuth instructions in your .htaccess file won't work unless they are followed by at least one carriage return.
     
  4. Save your work: hold down the control key and type the letter "o" (lower case, without the quotes). Because this is the first time you've saved your work, the cursor will jump down to the bottom of the page so that you can name your file.
     
  5. Name your file: type ".htaccess" (lower case, without spaces, and without the quotes) as the name of this file. Don't forget the dot (".") in front. Then press the Return key.

  6. Now get out of Pico: hold down the control key and press the letter "x" (lower case, without the quotes). This takes you out of Pico and puts you back into your WWW directory.

  7. If you're finished working in your account, type "exit" to end your Unix session.
     
  8. Check your page to make sure it's protected the way you want. Depending on what restrictions you've set, you may need to ask someone who's not allowed to see your page to attempt to do so.

Remember that when you place a .htaccess file into your WWW directory (or place any kind of "dot" file into any AFS directory) it won't show up when you type "ls" at the command prompt. You must type "ls -a".
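
A check for the two things this procedure sets up, the directory ACL and the .htaccess file, written as an added example that is not part of the original page. The function names check_acl and check_htaccess are hypothetical, and the sample listing is constructed from the one shown in step 2.

```shell
#!/bin/sh
# Added example, not from the original page. Sample listings are constructed
# from the ones this page shows.

# Reads `fs la` output on stdin. Succeeds only if system:anyuser has no entry
# under "Normal rights:" and system:www-servers has exactly "rl".
check_acl() {
    awk '
        $1 == "Normal"   && $2 == "rights:" { normal = 1; next }
        $1 == "Negative" && $2 == "rights:" { normal = 0; next }
        normal && $1 == "system:anyuser"     { anyuser = $2 }
        normal && $1 == "system:www-servers" { www = $2 }
        END {
            if (anyuser != "") { print "FAIL: system:anyuser still has " anyuser; bad = 1 }
            if (www != "rl")   { print "FAIL: system:www-servers is [" www "], expected [rl]"; bad = 1 }
            if (!bad) print "OK: ACL matches the WebAuth layout"
            exit bad + 0
        }'
}

# Succeeds if the file has an AuthType WebAuth line, a require line, and a
# trailing newline (the "Hit Return once" step).
check_htaccess() {
    f=$1
    [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }
    grep -qi '^[[:space:]]*AuthType[[:space:]]\{1,\}WebAuth[[:space:]]*$' "$f" ||
        { echo "FAIL: no AuthType WebAuth line"; return 1; }
    grep -qi '^[[:space:]]*require[[:space:]]' "$f" ||
        { echo "FAIL: no require line"; return 1; }
    # Command substitution strips a trailing newline, so empty means "ends in \n".
    [ -z "$(tail -c 1 "$f")" ] ||
        { echo "FAIL: file does not end with a newline"; return 1; }
    echo "OK: $f looks complete"
}

# Constructed sample: the listing from step 2, before the change.
before='Access list for . is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  yoursunetid rlidwka'

printf '%s\n' "$before" | check_acl || true   # reports both problems
# Real use, from inside the WWW directory:
#   fs la . | check_acl && check_htaccess .htaccess
```
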

If your web pages don't seem to be working right, please review these instructions (of course) or submit a Help request.

Last modified April 12, 2023