In this excerpt from Chapter 20 of Web Security Privacy and Commerce, Second Edition, authors Simson Garfinkel and Eugene Spafford introduce a common way to implement access control with an Apache Web server.
One of the most common ways to restrict access to Web-based information is to protect
it using usernames and passwords. Although different servers support many different
ways of password-protecting web information, one of the most common
techniques is with the <Limit> server configuration directive present in the Apache
Web server.
Using <Limit>, you can control which files on your Web server can be accessed and
by whom. The Apache server gives you two locations where you can place your
access control information:
- You can place the restrictions for any given directory (and all of its subdirectories)
in a special file located in that directory. Traditionally the name of this file
is .htaccess, although you can change the name in the server's configuration file.
- Alternatively, you can place all of the access control restrictions in a single configuration
file. The Apache server allows you to place access control information
in the server's single httpd.conf file.
Whether you choose to use many access files or a single file is up to you. It is certainly
more convenient to have a file in each directory. It also makes it easier to move
directories within your Web server, as you do not need to update the master access
control file. Furthermore, you do not need to restart your server whenever you make
a change to the access control list — the server will notice that there is a new .htaccess
file and behave appropriately.
On the other hand, having an access file in each directory means there are more files
that you need to check to see whether the directories are protected. There is also the
possibility that an attacker will be able to convince your Web server (or another
server running on the same computer) to fetch this file directly. Although the
attacker's possession of the .htaccess file doesn't ruin your system's security, it gives
an attacker additional information that might be used to find other holes.
Read the rest of Chapter 20 and learn how to enforce access control with the .htaccess file and configuration file.
From Web Security, Privacy & Commerce, 2nd Edition
by Simson Garfinkel with Gene Spafford
ISBN: 0-596-00045-6
Copyright 2002 O'Reilly Media, 800-998-9938
Reprinted with permission
