U-M ITS Web Hosting

Kerberos Access to Web Pages


Restrict Access to Web Pages Using umich uniqnames and Kerberos Passwords

Private Webspace at the University is available to group accounts and individual accounts. It is a method of limiting access to web pages to only individuals or groups at the University of Michigan. It relies on uniqnames and Kerberos passwords to identify the visitor, and on SSL encryption for the connection to these web pages. There are several steps to protecting a web page here at the University. This document will walk you through all of them.

Setting up Private Web Space for Individual or Group Pages

We have a number of tools to simplify the setup of private webspace. The easiest-to-use is a web-based program to configure directories for you:

https://mfile.umich.edu/make-webspace/

An older, command-line tool remains available on the ITCS login machines (login.itcs.umich.edu):

~umweb/bin/make-private

Once you've run either of these tools, and have added content to your ~/Private/html directory, you'll have an SSL site, available only to users with uniqnames and Kerberos passwords.

Restricting Access to Specific Users and/or Groups

If you wish to restrict access further, you do it with .htaccess files. Standard .htaccess files are explained on Setting up Access Control for your HTML documents. All the methods mentioned there are also possible in this environment. However, this is a much more secure environment for those methods.

Restricting access based on a username/password pair is not necessary, because in order to reach this page at all the individual already had to type in their uniqname and password. You can, however, still restrict access to specific individuals or groups.

  1. Create a file named .htaccess within your ~/Private/html directory (note the leading period). This file is consulted by the Web server to determine whether or not to allow access. As an example, here is a .htaccess file which allows only the webmasters at the University of Michigan access to a web page:
    # Web space restriction description
    Require ldap-group cn=webmaster,ou=User Groups,ou=Groups,dc=umich,dc=edu
  2. To restrict access to more than one LDAP group, you may list more than one on the Require ldap-group line, like so:
    Require ldap-group cn=webmaster,ou=User Groups,ou=Groups,dc=umich,dc=edu
    Require ldap-group cn=umweb discuss,ou=User Groups,ou=Groups,dc=umich,dc=edu
  3. To create and manage your own LDAP groups, read Managing Groups that You Own in the MCommunity Directory.
  4. You may also list uniqnames on the Require line, if you don't wish to manage LDAP groups, or if there are only a few individuals who should have access:
    Require user bjensen
  5. If you would like to restrict access to anyone with a uniqname/kerberos password (but not a "friend" account), use this in your .htaccess file:
    CosignRequireFactor UMICH.EDU

Restrictions are enforced on a directory-by-directory basis, so you can make a subdirectory that is more narrowly restricted than Private/html. A good example of this is a class. You could leave Private/html unrestricted, restrict Private/html/assignment1 to just the students and TAs of the class, and restrict Private/html/assignment1/grades to only the TAs of the class. Note that restrictions can be narrowed in subdirectories, but you cannot have a subdirectory that is more widely available than its parent directory. Further note that an .htaccess file must be stored in a location where umweb:servers has read/lookup privileges (e.g., ~/Private/html/ or below) in order to function.
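As an added illustration (not configuration from the original page), here is how the class scenario above could be laid out as three .htaccess files, combining the Require ldap-group, Require user and CosignRequireFactor directives already described. The group names (course-students, course-tas) and the uniqname (instructr) are hypothetical placeholders; substitute the primary name of an MCommunity group you own.

```apache
# ~/Private/html/.htaccess
# Nothing beyond the site-wide Cosign login, so anyone with a uniqname
# can read the course home page. If "friend" accounts should be shut
# out of everything under Private/html, this one optional line does it:
CosignRequireFactor UMICH.EDU

# ~/Private/html/assignment1/.htaccess
# Students and TAs only. A visitor who is a member of either group is
# allowed in. Both groups are hypothetical placeholders; membership must
# be flat (no nested groups) and the primary group name must be used.
Require ldap-group cn=course-students,ou=User Groups,ou=Groups,dc=umich,dc=edu
Require ldap-group cn=course-tas,ou=User Groups,ou=Groups,dc=umich,dc=edu

# ~/Private/html/assignment1/grades/.htaccess
# TAs only: narrower than the parent directory, which is permitted.
# (A subdirectory may never be made wider than its parent.)
Require ldap-group cn=course-tas,ou=User Groups,ou=Groups,dc=umich,dc=edu
# One extra individual, e.g. the instructor, listed by uniqname so that
# no additional group has to be managed. "instructr" is a placeholder.
Require user instructr
```

Each file must live under ~/Private/html/ so that umweb:servers can read it; a file placed elsewhere in your home directory is silently ignored.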

Accessing your Secure Pages

Web pages in private webspace are available with the URL:

Group Pages:
https://www.umich.edu/~<group uniqname>

Personal Pages:
https://www-personal.umich.edu/~<uniqname>

Please take note of the https at the beginning. The s stands for a secure http connection, and is required.

Providing a Logout Link:

Because private webspace pages are protected by the Cosign software, which allows a single sign-on to access multiple protected resources, it is important to encourage users to log out when they have finished accessing protected sites. A simple logout link can be used on private webspace pages to allow users to end a Cosign session:

<a href="/cgi-bin/logout">Logout</a>

Known Issues

  • You must use the primary name of the directory group, not one of its aliases ("Also Known As").
  • You cannot use groups that contain other groups as members. The membership must be "flat": every user you are granting access to must be listed directly as a member of the group being used as the authorization list.
  • The authorization software (mod_authnz_ldap) doesn't understand the "Non-University Members" section of UMOD group entries, so you cannot add a list of email addresses under "Non-University Members" to enable "friend" access. You can allow access to friend accounts using Require user:
    Require user mom@gmail.com
    Require user auntdonna@yahoo.com

Further information

For a more complete overview of .htaccess files, check out the document Setting up Access Control for your HTML documents.

Comments and questions should be directed to webmaster@umich.edu