Apache: working with basic authentication and multiple accounts

2

I'm developing a simple website with two levels of authentication: viewer and admin. Everything accessible to viewer should be accessible to admin but not the other way around. I'm using Apache basic authentication.

Folder structure is basically:

/var/www/html/ <-- viewable to world
/var/www/html/viewer
/var/www/html/admin

When I visit content inside /admin, browser asks for credentials as expected. However, if I visit /viewer right after, browser again asks for credentials. I already provided admin credentials, so it's inconvenient.

Relevant portion of site config file, and group file, is below. How can I rework this, or the site folder structure, to remove this annoyance?

.htgroup file:

Viewers: viewer admin
Administrators:  admin

Site file:

<Directory "/var/www/html/viewer">
           AuthType Basic
           AuthName "Please enter Viewer username and password:"
           AuthBasicProvider file
           AuthUserFile /etc/apache2/.htpasswd
           AuthGroupFile /etc/apache2/.htgroup
           Require group Viewers Administrators
</Directory>

<Directory "/var/www/html/admin">
           AuthType Basic
           AuthName "Please enter Admin username and password:"
           AuthBasicProvider file
           AuthUserFile /etc/apache2/.htpasswd
           AuthGroupFile /etc/apache2/.htgroup
           Require group Administrators
</Directory>

Henry

Posted 2019-08-02T13:57:24.160

Reputation: 21

Answers

0

You can do it with groups. Use AuthGroupFile to specify a file which contains a group name and users belonging to that group. Example:

GroupName: rbowen dpitts sungo rshersey

Then you can for example add 'admin' to two groups and 'viewer' to only one (or however you like). Then 'admin' has more rights than 'viewer'.

Example .htaccess:

AuthType Basic
AuthName "By Invitation Only"
# Optional line:
AuthBasicProvider file
AuthUserFile "/usr/local/apache/passwd/passwords"
AuthGroupFile "/usr/local/apache/passwd/groups"
Require group GroupName

Set the AuthGroupFile to point to the group files you made and it should work. These directives also work in a <Directory> section.

Examples are from: https://httpd.apache.org/docs/2.4/howto/auth.html#lettingmorethanonepersonin

You need to modify the examples to suit your needs, though.

Aulis Ronkainen

Posted 2019-08-02T13:57:24.160

Reputation: 1 283

Aulis, thanks for the response. I reconfigured the security as such. But I have the same problem. When I visit something inside /admin, I supply admin credentials as expected. But when I then visit something inside /viewer, browser prompts again for credentials. My expectation and desire is that it should not. (I did set up my administrators group to include viewer and admin). – Henry – 2019-08-08T18:15:12.907

Hmmm... Unexpected. Could you please edit your question to include the changes you have made? So I can see what the problem is. Thank you. – Aulis Ronkainen – 2019-08-08T18:16:33.327

I've done so, see above. Appreciate the help.
Would it make a difference if I nest /admin directory inside /viewer?
– Henry – 2019-08-09T14:13:18.833

I thought it wouldn't make a difference, but you should try that. If that doesn't work either, you probably need to implement user access control in your application. – Aulis Ronkainen – 2019-08-24T05:38:33.377
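
Added example, not part of the original posts: browsers cache Basic credentials per realm (the AuthName string) on a given host, and the two blocks in the question announce different realms, so credentials entered for one are not offered to the other. The configuration below keeps the question's paths, files and groups and changes only AuthName; the realm text "Site login" is a made-up value.

```apache
# Added example: one shared realm for both protected areas.
# Authentication (who you are) is identical in both blocks;
# authorization (Require group) still differs per directory.

<Directory "/var/www/html/viewer">
    AuthType Basic
    # Same realm string as /admin, so cached credentials are reused here
    AuthName "Site login"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/.htpasswd
    AuthGroupFile /etc/apache2/.htgroup
    # Members of either group may read viewer content
    Require group Viewers Administrators
</Directory>

<Directory "/var/www/html/admin">
    AuthType Basic
    # Must match the viewer block character for character
    AuthName "Site login"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/.htpasswd
    AuthGroupFile /etc/apache2/.htgroup
    # Only Administrators pass; a cached viewer login gets 401 and a new prompt
    Require group Administrators
</Directory>
```

With a shared realm, someone signed in as viewer who opens /admin is still challenged, because the Require group check fails for that account and Apache answers 401 by default.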