Indiana University Bloomington

School of Informatics and Computing

CSG FAQ

Q: How do I combine different access methods with my web pages?

Please Note: This FAQ entry describes a mechanism to limit access to web pages via the web server. If you also want to prevent access by people with local CS accounts, you MUST take extra steps to prevent access via the local filesystem. Please see the corresponding FAQ entry for more information.

The various web-based access control mechanisms (by hostname/domain, with a password, and via network ID) can be combined using the satisfy directive. For example, if you wanted to allow unrestricted access from any cs.indiana.edu address (by hostname/domain) and also allow access by users joed and janed when accessing the page from a non-CS machine (via network ID), you could use the following .htaccess files:

.htaccess_nonssl
Redirect permanent / https://www.cs.indiana.edu/

.htaccess
AuthType KerberosV5
AuthName "UITS Network ID"
KrbAuthRealm IU.EDU
<LIMIT GET POST PUT>
deny from all
allow from .cs.indiana.edu
require user janed joed
satisfy any
</LIMIT>

If you wanted to require that both conditions be met (ie. only users janed and joed can access the page and only when coming from a CS machine) you could replace 'satisfy any' with 'satisfy all'.

A common thing people want to do is combine two different auth methods. For example, allow some users via kerberos/Network ID authentication and others via a local password file. Unfortunately, I don't know any way to do this directly in a .htaccess file (if you know how, please let me know!). I have found sources that lead me to believe it may not be possible with apache currently. However, there is a bit of a hack you can use to do this that goes like this:

  1. Create two directories. For this example, I'll use directories named netid and password.
  2. Put all your html/cgi/php/etc files in a subdirectory of the netid directory and call it something like data.
  3. Create the .htaccess files in the netid directory according to the FAQ on setting up access via network ID.
  4. Create the .htaccess files in the password directory according to the FAQ on setting up access with a password.
  5. In the password directory, create a symbolic link pointing to the netid/data directory by running 'ln -s ../netid/data' while in the password directory.

This will give you two different urls that use the two different access methods:

Network ID:http://www.cs.indiana.edu/some/path/netid/data/
Password:http://www.cs.indiana.edu/some/path/password/data/



See an error in this FAQ entry? Please report it.

[Return to the FAQ index]