Server Plugin for .htaccess Access Control

1. Module Description

This module is a Netscape server plugin that supports the access control functionality of Apache/NCSA-style .htaccess files in the server content tree. This release supports only the .htaccess directives listed in Appendix A and silently ignores all others. A .htaccess file carried over from an Apache installation that relies on an unsupported directive therefore provides less protection than it appears to, so audit such files against Appendix A before relying on them. Only flat text user and group files are supported at this time.

2. Activating .htaccess Checking

Modify the server's obj.conf file to load, initialize, and activate the plugin module, which is located in the directory:

At the top of obj.conf, after the other Init directives, add the lines:

These cause the module to be loaded and initialized when the server is started. Replace <server root> with the path to your server root. Note that the file extension of the shared library follows the convention of the native operating system, e.g. .so, .dll, or .sl.

The optional argument, groups-with-users=yes, specifies that any file referenced by an AuthUserFile directive will contain both users and groups, in the form:

This format is also assumed if both AuthUserFile and AuthGroupFile directives are used, and both specify the same filename.  This format is much more efficient for checking group membership of users than separating user and group information into different files.

To activate .htaccess file processing for all directories managed by the server, add the PathCheck directive:

to the default server object, which is delimited by:

Generally it should be placed as the last PathCheck directive in the object. To activate .htaccess file processing only for particular server directories, place the PathCheck directive in the same way in the corresponding object definition in obj.conf. New server directories are generally created using the "Content Mgmt" functions provided by the Administration Server.

Finally, stop and then start your server. Subsequent accesses to the server will be subject to .htaccess access control in the specified directories.

3. Notes

4. Security Considerations

By default, server support for HTTP PUT is disabled. It is activated via the "Content Mgmt|Remote File Manipulation" function in the Administration Server. Take great care before allowing PUT access to directories containing .htaccess files: a client that can PUT into such a directory can overwrite the .htaccess file itself and so remove or weaken every restriction it imposes. PUT access can be prevented on all files in a directory via the "Access Control|Restrict Access" function. Set the default access for "Write" to "Deny" via the radio buttons, then click the associated "Permissions" button if you want to allow write access to particular users.

The best way to restrict write access for only .htaccess files is to create a configuration style for them, and then apply standard server access control to that configuration style. The steps to do this are:

Appendix A - Supported .htaccess Directives

The following .htaccess directives are supported in this release:

allow
AuthGroupFile
AuthUserFile
AuthName
AuthType
deny
<Limit>
order
require
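The following is an added example written for this page; it is not part of the plugin or its documentation. It is a small Python model of how the Appendix A directives are evaluated, using the NCSA/Apache 1.x semantics for order/allow/deny, <Limit> and require, and the plain Apache flat-file layouts (user:password-hash for AuthUserFile, group: member list for AuthGroupFile). It goes beyond the page in one respect: it is a general evaluator rather than a single configuration. Assumptions: passwords are hashed with SHA-256 purely as a stand-in, since the page does not state the server's password encoding; the combined groups-with-users file of Section 2 is not modelled, because the page does not spell out its layout; the sample .htaccess, user and group data are constructed. Two points from the text show up in the output: a directive outside Appendix A (Satisfy) is dropped, although this model records it so that it can be audited, and a <Limit GET POST> block leaves PUT unrestricted, which is why the server-level write restriction of Section 4 matters.

```python
# Added example, not the plugin's own code; SHA-256 hex passwords stand in for the server's encoding.
from __future__ import annotations
import hashlib, ipaddress, re
from dataclasses import dataclass, field

@dataclass
class Section:                        # one <Limit> block, or the file's top level
    methods: set[str] | None = None   # None: applies to every HTTP method
    order: str = "deny,allow"         # NCSA default when no order directive is given
    allow: list[str] = field(default_factory=list)
    deny: list[str] = field(default_factory=list)
    require: list[tuple[str, list[str]]] = field(default_factory=list)

def parse_htaccess(text: str) -> tuple[dict, list[Section], list[str]]:
    settings, sections, ignored = {}, [Section()], []   # sections[0] is the top level
    cur = sections[0]
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        key, argv = name.lower(), args.split()
        if m := re.match(r"<Limit\s+([^>]+)>", line, re.I):
            cur = Section(methods={x.upper() for x in m.group(1).split()})
            sections.append(cur)
        elif key == "</limit>":
            cur = sections[0]
        elif key in ("authtype", "authname", "authuserfile", "authgroupfile"):
            settings[key] = args.strip().strip('"')
        elif key == "order":
            cur.order = args.replace(" ", "").lower()
        elif key in ("allow", "deny") and argv[:1] == ["from"]:
            getattr(cur, key).extend(argv[1:])
        elif key == "require" and argv:
            cur.require.append((argv[0].lower(), argv[1:]))
        else:
            ignored.append(line)      # the plugin drops these silently; keep a record
    return settings, sections, ignored

def host_matches(pattern: str, ip: str) -> bool:   # 'all', full address, CIDR, or prefix like 10.1.
    if pattern.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:                # not a full address/network: treat as a dotted prefix
        return (ip + ".").startswith(pattern.rstrip(".") + ".")

def pw_hash(p: str) -> str: return hashlib.sha256(p.encode()).hexdigest()

def load_file(text: str) -> dict[str, str]:   # user:hash (AuthUserFile) or group: members (AuthGroupFile)
    rows = (l.partition(":") for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in rows}

def evaluate(sections, users, groups, method, ip, creds=None):
    """Return (allowed, reason) for one request; creds is (user, password) or None."""
    user = creds[0] if creds and users.get(creds[0]) == pw_hash(creds[1]) else None
    for sec in sections:
        if sec.methods is not None and method.upper() not in sec.methods:
            continue                  # this <Limit> block does not cover the method
        in_allow, in_deny = (any(host_matches(p, ip) for p in lst) for lst in (sec.allow, sec.deny))
        # deny,allow: default allow and a matching allow wins; allow,deny / mutual-failure: default deny
        host_ok = (in_allow or not in_deny) if sec.order == "deny,allow" else (in_allow and not in_deny)
        if not host_ok:
            return False, f"{ip} denied by order {sec.order}"
        if sec.require:
            if user is None:
                return False, "credentials required"   # server answers 401 with the AuthName realm
            if not any(kind == "valid-user" or (kind == "user" and user in names)
                       or (kind == "group" and any(user in groups.get(g, "").split() for g in names))
                       for kind, names in sec.require):
                return False, f"{user} does not satisfy require"
    return True, "allowed"

SAMPLE_HTACCESS = """\
AuthName "Staff Area"
AuthUserFile /usr/ns-home/docs/private/.htpasswd
AuthGroupFile /usr/ns-home/docs/private/.htgroup
Satisfy any
<Limit GET POST>
order deny,allow
deny from all
allow from 10.1.
require group staff
</Limit>
"""
SAMPLE_USERS = f"alice:{pw_hash('correct horse')}\nbob:{pw_hash('hunter2')}\n"   # constructed sample data
SAMPLE_GROUPS = "staff: alice\n"                                                   # constructed sample data

def demo() -> dict:
    _, sections, ignored = parse_htaccess(SAMPLE_HTACCESS)
    users, groups = load_file(SAMPLE_USERS), load_file(SAMPLE_GROUPS)
    chk = lambda m, ip, c=None: evaluate(sections, users, groups, m, ip, c)[0]
    return {
        "staff_inside": chk("GET", "10.1.2.3", ("alice", "correct horse")),
        "outside_net": chk("GET", "192.168.1.1", ("alice", "correct horse")),
        "no_creds": chk("GET", "10.1.2.3"),
        "not_in_group": chk("GET", "10.1.2.3", ("bob", "hunter2")),
        "put_not_limited": chk("PUT", "192.168.1.1"),  # <Limit GET POST> leaves PUT unrestricted
        "ignored": ignored,                            # ['Satisfy any']: dropped by the plugin
    }
```

Calling demo() returns the decision for each constructed request; the "ignored" entry lists the directives the plugin would drop without warning, and "put_not_limited" shows why a <Limit> block that names only GET and POST does nothing to stop a PUT that replaces the .htaccess file.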