In this hint, we will set up a directory on a web server so that it will ask a web user for a username and password, and then take them to their own folder within that directory. There are a lot of variations that can be made off of this hint, but those are up to the reader.
This variation will prompt a user for a password and if properly given, will take that user to their own folder. It will display that folder as if it were the top-level folder in that directory (that makes sense once you play with it). This tip requires nothing that does not come with MacOS X out-of-the-box, and should be fairly secure. I am going to assume that the reader:
The first thing to do is to change a couple of the default settings in the apache configuration file to allow us to control the security of the directory we are going to work on. So we need to open /etc -> httpd -> httpd.conf for writing and find this section:
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
AllowOverride None
Change the last line to:
AllowOverride All
We don't actually need All, but lets be simple here. You also need to restart apache, so that it picks up the changes. Next we need to make the directory that is going to be the home base for all of this. For this tip, I am going to use the directory name passwordtest, and I am going to put it right in /Library -> WebServer -> Documents. We will also create the directory that will hold all of the user folders. So the commands for this are:
$ cd /Library/WebServer/Documents
$ mkdir passwordtest
$ cd passwordtest
$ mkdir users
Now we need to setup our first user. To do this, we are going to create a .htpasswd file and put the user into it, and then create a directory with the same name in the users folder. For the purposes of this tip, we are going to put the .htpasswd file (the one that stores all of the user names and passwords) in the same directory that we are securing. This is generally a bad idea from a security standpoint, and I would encourage you to put it somewhere else in a production environment.
$ htpasswd -c .htpasswd USER_NAME
Of course, you need to replace USER_NAME with the name you want. This will then ask you for a password twice. If you want to add more users, you just need to use the same command without the -c (which means create-file). Now for every user, you need to remember to create a folder in the users folder with the same name as you just used (USER_NAME).
$ mkdir users/USER_NAME
And now the magic part... create a file named .htaccess in the passwordtest folder, and copy this text into it:
AuthUserFile /Library/WebServer/Documents/passwordtest/.htpasswd
AuthName "password test"
AuthType Basic
require valid-user
RewriteEngine on
RewriteBase /passwordtest/
RewriteCond %{REQUEST_URI} !^/passwordtest/users/
RewriteRule ^(.*) users/%{REMOTE_USER}/$1
RewriteCond %{REQUEST_URI} ^/passwordtest/users/$
RewriteRule (.*) .
The first line tells apache where to look for the password file for this direcory. The second line is the message that the users will get when their web browser asks them for the password, and the next two lines tell apache that the user has to be properly authenticated in order to use this directory. You could also put in the location of a file to send people to who do not enter in proper username/password combinations, but that is the stuff of another hint.
Mac OS X Hints
http://hints.macworld.com/article.php?story=20040928003911771