Authentication
Authentication is the process of ensuring that visitors really are who they
claim to be. You can configure Apache to allow access to specific areas of
web content only to clients who can authenticate their identity. There are
several methods of authentication in Apache; Basic Authentication is the most
common (and the method discussed in this chapter).
Under Basic Authentication, Apache requires a user to supply a username and
a password to access the protected resources. Apache then verifies that the
user is allowed to access the resource in question. If the username is
acceptable, Apache verifies the password. If the password also checks out, the
user is authorized, and Apache serves the request.
HTTP is a stateless protocol: each request and its response are handled on
their own, and the server keeps no memory of earlier requests. Therefore, the
authentication information must be included with each request. This means
each request to a password-protected area is larger and therefore somewhat
slower. To avoid unnecessary system use and delays, protect only those areas
of your website that absolutely need protection.
To use Basic Authentication, you need a file that lists the users who are
allowed to access the resources. This file is composed of a plain-text list
containing name and password pairs. It looks very much like the
/etc/passwd user file of your Linux system.
CAUTION
Do not use /etc/passwd as a user list for authentication. When you’re
using Basic Authentication, passwords and usernames are sent as
Base64-encoded text (which is just as readable as plain text) from the client
to the server. The username and password are included in each request that is
sent to the server. So, anyone who might be snooping on your traffic would be
able to get this information!
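As an added illustration (not from the book), the following Python models both halves of what the text describes: the Base64-encoded Authorization header a client sends, which anyone on the path can decode back to the plain username and password, and the per-request check of those credentials against a user file. The user file here is constructed, its entries use the {SHA} form that htpasswd writes with its -s option, and the account names and passwords are made up.

```python
import base64
import hashlib
import hmac


def basic_header(username, password):
    """Build the Authorization header a client sends under Basic Authentication."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_basic_header(header):
    """Recover (username, password) from a Basic header, or None if malformed.
    Base64 is an encoding, not encryption: anyone watching the request can do this."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    return (username, password) if sep else None


def sha_digest(password):
    """Password field as written by "htpasswd -s": {SHA} + Base64 of the SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed sample user file (never /etc/passwd!) with two made-up accounts.
USER_FILE = f"alice:{sha_digest('s3cret')}\nbob:{sha_digest('hunter2')}\n"


def check_user(user_file, username, password):
    """Verify a username/password pair against {SHA} entries in the user file."""
    for line in user_file.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name == username and stored.startswith("{SHA}"):
            # Constant-time comparison of the stored and computed hash strings
            return hmac.compare_digest(stored, sha_digest(password))
    return False


def authenticate(user_file, header):
    """Per-request check, as in Basic Authentication: decode the header, then verify it."""
    creds = decode_basic_header(header)
    return creds is not None and check_user(user_file, *creds)
```

Run decode_basic_header on the output of basic_header to see that the "opaque" header is plain text in disguise, which is why Basic Authentication belongs behind TLS.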
To create a user file for Apache, use the htpasswd command that is
included with the Apache package. Running htpasswd without any options
produces the following output:
Usage:
htpasswd [-cmdps] passwordfile username
htpasswd -b[cmdps] passwordfile username password
htpasswd -n[mdps] username
htpasswd -nb[mdps] username password
-c Create a new file.