Home > Controlling Web access with Apache
Book Chapter:
EMAIL THIS

Controlling Web access with Apache

05 Oct 2005 | O'Reilly

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   

Web Security Privacy and Commerce, Second Edition

By Simson Garfinkel and Eugene Spafford
800 pages; $44.95
O'Reilly

In this excerpt from Chapter 20 of Web Security Privacy and Commerce, Second Edition, authors Simson Garfinkel and Eugene Spafford introduce a common way to implement access control with an Apache Web server.

One of the most common ways to restrict access to Web-based information is to protect it using usernames and passwords. Although different servers support many different ways of password-protecting web information, one of the most common techniques is with the <Limit> server configuration directive present in the Apache Web server.

Using <Limit>, you can control which files on your Web server can be accessed and by whom. The Apache server gives you two locations where you can place your access control information:

  • You can place the restrictions for any given directory (and all of its subdirectories) in a special file located in that directory. Traditionally the name of this file is .htaccess, although you can change the name in the server's configuration file.

  • Alternatively, you can place all of the access control restrictions in a single configuration file. The Apache server allows you to place access control information in the server's single httpd.conf file.

Whether you choose to use many access files or a single file is up to you. It is certainly
More information

Download Chapter 20, Controlling access to your Web content

Learn more about Web security in Web Security School

Visit our resource center for more tips and advice on Web access control
more convenient to have a file in each directory. It also makes it easier to move directories within your Web server, as you do not need to update the master access control file. Furthermore, you do not need to restart your server whenever you make a change to the access control list — the server will notice that there is a new .htaccess file and behave appropriately.

On the other hand, having an access file in each directory means there are more files that you need to check to see whether the directories are protected. There is also the possibility that an attacker will be able to convince your Web server (or another server running on the same computer) to fetch this file directly. Although the attacker's possession of the .htaccess file doesn't ruin your system's security, it gives an attacker additional information that might be used to find other holes.

Read the rest of Chapter 20 and learn how to enforce access control with the .htaccess file and configuration file.

From Web Security, Privacy & Commerce, 2nd Edition
by Simson Garfinkel with Gene Spafford
ISBN: 0-596-00045-6
Copyright 2002 O'Reilly Media, 800-998-9938
Reprinted with permission

BROWSE BY TAG
Application and Platform Security,   Web Security Tools and Best Practices,   Web Application Security,   Web Authentication and Access Control,   Enterprise Identity and Access Management,   Web Server Threats and Countermeasures,   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


RELATED CONTENT
Web Application Security
nCircle statistics show rising Web application vulnerabilities
Twitter bugs, DNSSEC and broswer security
Month of Twitter Bugs project to document Twitter flaws
Are Web application penetration tests still important?
IT pros can detect, prevent website vulnerabilities, thwart attacks
PCI compliance requirement 6: Systems and applications
Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert
US-CERT warns of Gumblar, Martuz drive-by exploits
XSS bugs, information leakage top list of website vulnerabilities
How to find and stop automated SQL injection attacks

Web Authentication and Access Control
Changing times for identity management
How to use single sign-on for Web access control to prevent malware
IBM USB banking device stops keyloggers, malware
Can mutual authentication beat phishing or man-in-the-middle attacks?
Could someone place a rootkit on an internal network through a router?
Sun launches open source OpenSSO for identity management
Should a new user have to confirm an email address to gain access?
Shared Identity Providers Could Soothe Password Chaos
Users can no longer reach any Microsoft login site. Any ideas?
Vista WIL: How to take control of data integrity levels

Web Server Threats and Countermeasures
Stolen FTP credentials likely in massive website attacks
Microsoft warns of IIS zero-day vulnerability
How to find and stop automated SQL injection attacks
How to spot attacks through Apache Web server log analysis
Symantec acquires Mi5 Networks, bolsters Web security
How to harden Linux operating systems
How to clear out anonymous Web proxy servers in the workplace
Information security book excerpts and reviews
Is it more secure to have a mainframe or a collection of servers?
How does a Web server model differ from an application server model?

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
anonymous Web surfing  (SearchSecurity.com)
buffer overflow  (SearchSecurity.com)
cache cramming  (SearchSecurity.com)
cookie poisoning  (SearchSecurity.com)
dictionary attack  (SearchSecurity.com)
distributed denial-of-service attack  (SearchSecurity.com)
JavaScript hijacking  (SearchSecurity.com)
National Computer Security Center  (SearchSecurity.com)
threat modeling  (SearchSecurity.com)
trigraph  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary




Search Additional Security Research and Solutions
Find Security Channel Research for Resellers and Partners
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts