Restricting Web Site Access with the Web Access Controller (WAC)
Revised: December 11, 2007
Overview
Many kinetic customers require that areas of their web sites be
restricted by username and password to prevent public viewing of content.
For example, some customers create an area of the site that is only viewable
by staff. In addition, some kinetic customers use the MOREnet-provided
web applications on their web sites, and the administrative portions of these
web applications are restricted by username and password so that only approved
staff can use them. For example, customers specify that only certain staff members
maintain entries displayed by the Calendar web application. The Web Access
Controller (WAC) allows the webmaster to manage these restrictions.
Using the WAC to Restrict Access
There is a WAC for every kinetic customer web site.
During the initial setup of the kinetic service for a customer, a
username and password are specified for access to the WAC
and these are given to the webmaster. The webmaster may use
this username and password to visit the WAC with a web browser
and manage web site access restrictions.
The WAC restricts access by associating a table of usernames and
passwords with each protected area of your web site and the
MOREnet-provided web applications. The webmaster may use the WAC to modify
the usernames and passwords for an existing table as well as add new
tables for restricting additional areas of the web site. When a restriction
is no longer needed for an area, the webmaster can remove the table.
A special file named .htaccess is associated with each
table in the WAC. The contents of this file are automatically generated
when the webmaster creates the table of usernames and passwords in the WAC.
The webmaster FTPs this special file to the directory on the web site where
access restriction is desired. This special file instructs the web server to
prompt for a username and password (using HTTP Basic Authentication) when
someone attempts to visit a web page in that directory and its subdirectories,
and specifies which WAC table the web server should use for authenticating
usernames and passwords.
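The mechanism described above, worked through as an added example in Python. This is not code from the WAC or from the web server: a constructed .htaccess names a constructed username/password table (stored in htpasswd "{SHA}" form), and a toy request handler either answers with the 401 challenge that makes the browser prompt or accepts the offered credentials. The directive names are the standard Apache ones, but the file path, realm and users are assumptions for the example; the file the WAC actually generates is not reproduced on this page.

```python
import base64
import binascii
import hashlib
import hmac
import shlex
from typing import Dict, Optional, Tuple


def sha_hash(password: str) -> str:
    """htpasswd "{SHA}" entry: base64 of the raw SHA-1 digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample .htaccess. The directive names are standard Apache ones;
# the exact file the WAC generates is not shown on the page (assumption).
SAMPLE_HTACCESS = """\
AuthType Basic
AuthName "Staff Only"
AuthUserFile /example/wac/tables/staff
Require valid-user
"""

# Constructed sample username/password tables, keyed by the AuthUserFile path.
SAMPLE_TABLES: Dict[str, Dict[str, str]] = {
    "/example/wac/tables/staff": {
        "alice": sha_hash("correct horse"),
        "bob": sha_hash("battery staple"),
    }
}

# Compared against when the username is unknown, so an unknown user and a
# wrong password cost the same work and timing does not reveal valid names.
_DUMMY_ENTRY = sha_hash("")


def parse_htaccess(text: str) -> Dict[str, str]:
    """Collect directives into a dict keyed by lower-cased directive name.
    shlex.split() takes care of the quoted AuthName value."""
    directives: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directives[parts[0].lower()] = " ".join(parts[1:])
    return directives


def password_matches(stored: str, supplied: str) -> bool:
    """Constant-time comparison of a supplied password against a {SHA} entry."""
    if not stored.startswith("{SHA}"):
        return False  # crypt/MD5/bcrypt entries are out of scope for this example
    return hmac.compare_digest(stored, sha_hash(supplied))


def basic_header(username: str, password: str) -> str:
    """The Authorization header a browser sends after the user fills in the prompt."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def authenticate(htaccess: str, tables: Dict[str, Dict[str, str]],
                 authorization: Optional[str]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Decide one request: (status, response headers, authenticated username)."""
    conf = parse_htaccess(htaccess)
    if conf.get("authtype", "").lower() != "basic" or conf.get("require") != "valid-user":
        return 500, {}, None  # a configuration this toy server does not handle
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % conf.get("authname", "Restricted")}
    table = tables.get(conf.get("authuserfile", ""), {})
    if not authorization or not authorization.startswith("Basic "):
        return 401, challenge, None  # no credentials yet: make the browser prompt
    try:
        raw = base64.b64decode(authorization[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return 401, challenge, None  # malformed token: same answer as a bad password
    username, sep, password = raw.partition(":")  # passwords may contain ':'
    if not sep:
        return 401, challenge, None
    known = username in table
    if password_matches(table.get(username, _DUMMY_ENTRY), password) and known:
        return 200, {}, username
    return 401, challenge, None


if __name__ == "__main__":
    for header in (None, basic_header("alice", "wrong"), basic_header("alice", "correct horse")):
        print(header, "->", authenticate(SAMPLE_HTACCESS, SAMPLE_TABLES, header))
```

Two details matter to whoever maintains the tables: the stored entries are digests, not the passwords themselves, and the comparison runs in constant time against a dummy entry for unknown usernames, so a failed attempt looks the same whether the username exists or not.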
Default Restrictions
By default, a kinetic web site does not have any access restrictions
to directories within the site. The entire web site is open for public viewing
except for the administrative areas of the MOREnet-provided web applications.
The Calendar web application contains administrative tasks
that are restricted with the WAC by default. During the initial setup of the kinetic
service, tables are created in the WAC for both web applications, and a username
and password are specified in each table. The username and password are given
to the webmaster for accessing the administrative portions of the web applications.
The calendar table is for the Calendar web application.
The webmaster may add additional usernames and passwords to the tables to allow
other administrators access to the administrative portions of these web applications.
The webmaster may also delete usernames or reset passwords in the tables when access
is no longer desired.
Note: You do not need to make tables for the MOREnet-provided web
applications since the tables are created during the initial setup of your
web site. However, if you accidentally delete the tables, recreate them
with the names listed above.
Creating Access Tables
Creating an access table allows you to restrict an area of your web site by
requiring a web site visitor to authenticate by username and password.
To create a table, perform the following steps:
- Use your web browser to visit the WAC for your web site. Substitute
your domain name in the URL shown below:
http://your-web-site-domain/cgi/admin/wac/
- Type in your username and password if requested. This is the username and
password provided to you, the webmaster, by MOREnet.
- Select Create table and click Next.
The WAC displays a list of existing tables.
- Type a table name that does not currently exist and click Create.
The WAC displays a success message or indicates any errors that occurred.
- An area of the success message indicates CUT HERE at the top and
STOP CUTTING at the bottom. Select and copy the text between these indicators.
Do not copy the CUT HERE and STOP CUTTING lines of text.
- Use a text editor, such as Notepad or Wordpad, to create a new text file and
paste the copied text into the file.
- Save the file by an easy to remember name and exit the text editor.
- Use your FTP client to connect to the web server.
- In the FTP client, navigate to the area (directory) of the web site you
want to restrict.
Note: The directory and all subdirectories will be protected.
- Upload the text file you created.
- In your FTP client, select the file you uploaded to the web server in the
area of your client that displays the files on the remote system.
- Use your FTP client's 'rename' tool to rename the file to .htaccess on the web server.
Important: Many FTP clients do not, by default, display files whose names begin
with a dot (such as .htaccess), because such files are normally hidden.
You can usually configure your client to display these files by
modifying the client's preferences. For example, in WS_FTP you can specify
-la as a file mask in the Startup tab for your session, and this
instructs the WS_FTP client to show all files.
- The directory and its subdirectories are now protected. Continue to the
Adding Users to a Table section to add usernames
and passwords so that people can access the area of your web site.
Removing Access Tables
You may find that an access table has fulfilled its purpose and can be
removed. To remove a table from the WAC, perform the following steps:
- Use your web browser to visit the WAC for your web site. Substitute
your domain name in the URL shown below:
http://your-web-site-domain/cgi/admin/wac/
- Type in your username and password if requested. This is the username and
password provided to you (the webmaster) by MOREnet.
- Select Delete table and click Next.
- Select the table you wish to delete and then click Delete.
The WAC displays a success message or indicates any errors that occurred.
If successful, the table is removed from the WAC. However, the corresponding
.htaccess file still exists on the web server and must be removed.
- Use your FTP client to connect to the web server.
- In the FTP client, navigate to the area (directory) of the web site that
was protected by the WAC table.
- Select and delete the .htaccess file from the directory.
Important: Many FTP clients do not, by default, display files whose names begin
with a dot (such as .htaccess), because such files are normally hidden.
You can usually configure your client to display these files by
modifying the client's preferences. For example, in WS_FTP you can specify
-la as a file mask in the Startup tab for your session, and this
instructs the WS_FTP client to show all files.
Adding a Username to a Table
To allow access to the protected tasks in MOREnet-provided web applications
or access to a restricted area of a web site, you must add usernames and passwords
to the appropriate table. Follow these steps:
- Use your web browser to visit the WAC for your web site. Substitute
your domain name in the URL shown below:
http://your-web-site-domain/cgi/admin/wac/
- Type in your username and password if requested. This is the username and
password provided to you, the webmaster, by MOREnet.
- Select Modify a table and click Next.
- Select the table where you would like to add a username and click Next.
- Enter the username (userid) and password, and then retype the password.
- Click Add User.
The WAC displays a success message or any errors that occurred.
Deleting a Username from a Table
To remove access privileges for a username, you must delete it from the
appropriate table. Follow these steps:
- Use your web browser to visit the WAC for your web site. Substitute
your domain name in the URL shown below:
http://your-web-site-domain/cgi/admin/wac/
- Type in your username and password if requested. This is the username and
password provided to you, the webmaster, by MOREnet.
- Select Modify table.
- Select the appropriate table and click Next.
- Select the username you would like to delete.
- Click the Delete User button.
The WAC displays a success message or any errors that occurred.
Modifying a Password
The WAC allows you to modify the password associated with a username.
Follow these steps:
- Use your web browser to visit the WAC for your web site. Substitute
your domain name in the URL shown below:
http://your-web-site-domain/cgi/admin/wac/
- Type in your username and password if requested. This is the username and
password provided to you, the webmaster, by MOREnet.
- Select Modify table.
- Select the appropriate table and click Next.
- Select the username whose password you would like to modify.
- Type the current password, or check the box next to the old password field if
you do not know the current password.
- Type the new password and then retype the new password.
- Click Modify Password.
The WAC displays a success message or any errors that occurred.
Reports
When someone fails to enter the correct username or password for
a protected area of your web site, the web server logs this failed
attempt. The web server logs are reviewed every night and a report of
failed attempts to access a WAC protected directory in your web site
is sent by e-mail to the webmaster of your site. The report
looks like the following:
Subject: test.kinetic.more.net HTTP Basic Authentication Login Failure Report
Date: Wed, 27 Mar 2002 03:30:02 -0600 (CST)
From: kinetic@kinetic.more.net
To: webmaster@test.kinetic.more.net
Web Server Statistics for test.kinetic.more.net
===============================================
Program started at Thu, Mar 28 2002 03:35.
Analyzed requests from Wed, Mar 27 2002 14:44 to Wed, Mar 27 2002 17:07
(0.10 days).
----------------------------------------------------------------------------
General Summary
---------------
Successful requests: 12
Average successful requests per day: 110
Successful requests for pages: 12
Average successful requests for pages per day: 110
Failed requests: 5
Redirected requests: 2
Distinct files requested: 5
Unwanted logfile entries: 20
Data transferred: 14.480 kbytes
Average data transferred per day: 145.817 kbytes
----------------------------------------------------------------------------
User Failure Report
-------------------
Listing users with at least 1 failed request, sorted by the number of failed
requests.
#reqs: user
-----: ----
1: testhttpbasic
----------------------------------------------------------------------------
This analysis was produced by analog 4.13.
Running time: Less than 1 second.
In the sample report shown above, the username 'testhttpbasic'
had one failed attempt when trying to access a password protected
directory in the test.kinetic.more.net web site. If you see a lot
of random usernames or a lot of failed requests for a single username,
this could indicate that someone is attempting to guess a username
and password for a restricted area of your web site.
If you see this, consider forwarding the report to the administrator
of your organization and changing the passwords for the usernames
in the WAC.
Note that Internet search engines will also generate these
types of errors when they attempt to index your web site if you link to the
restricted areas from the public areas of your web site.
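An added example of the report's logic, written in Python here rather than taken from analog or from the nightly MOREnet report script (neither is shown on this page). It reads a few constructed Apache common-log lines, counts 401 responses per offered username, renders the counts in the same shape as the User Failure Report above, and applies the two rules of thumb from the text. The hosts, paths and usernames in the sample lines and the two thresholds are assumptions for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# One Apache common-log-format line: host ident authuser [time] "request" status bytes.
# For a 401 response the server still records the username the client offered,
# which is what a failure report is built from.
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample log lines (not real traffic): one ordinary login from the
# first host, then a burst of guesses from a second host at the same directory.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Mar/2002:14:44:01 -0600] "GET /staff/ HTTP/1.0" 401 401
192.0.2.10 - testhttpbasic [27/Mar/2002:14:44:05 -0600] "GET /staff/ HTTP/1.0" 401 401
192.0.2.10 - testhttpbasic [27/Mar/2002:14:44:20 -0600] "GET /staff/ HTTP/1.0" 200 1532
198.51.100.7 - admin [27/Mar/2002:16:02:11 -0600] "GET /staff/ HTTP/1.0" 401 401
198.51.100.7 - admin [27/Mar/2002:16:02:12 -0600] "GET /staff/ HTTP/1.0" 401 401
198.51.100.7 - admin [27/Mar/2002:16:02:13 -0600] "GET /staff/ HTTP/1.0" 401 401
198.51.100.7 - admin [27/Mar/2002:16:02:14 -0600] "GET /staff/ HTTP/1.0" 401 401
198.51.100.7 - admin [27/Mar/2002:16:02:15 -0600] "GET /staff/ HTTP/1.0" 401 401
198.51.100.7 - admin [27/Mar/2002:16:02:16 -0600] "GET /staff/ HTTP/1.0" 401 401
198.51.100.7 - root [27/Mar/2002:16:02:17 -0600] "GET /staff/ HTTP/1.0" 401 401
198.51.100.7 - webmaster [27/Mar/2002:16:02:18 -0600] "GET /staff/ HTTP/1.0" 401 401
198.51.100.7 - test [27/Mar/2002:16:02:19 -0600] "GET /staff/ HTTP/1.0" 401 401
198.51.100.7 - guest [27/Mar/2002:16:02:20 -0600] "GET /staff/ HTTP/1.0" 401 401
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, _ident, user, when, request, status, _size = m.groups()
    return {"host": host, "user": user, "time": when, "request": request, "status": status}


def failed_logins(lines: Iterable[str]) -> Counter:
    """Count 401 responses per offered username. A 401 with user "-" is the
    server's initial challenge (no credentials sent yet, as a browser or a
    search-engine crawler produces) and is not counted as a failure."""
    failures: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "401" and rec["user"] != "-":
            failures[rec["user"]] += 1
    return failures


def format_report(failures: Counter) -> str:
    """Render the counts in the shape of analog's User Failure Report listing."""
    rows = ["#reqs: user", "-----: ----"]
    for user, n in sorted(failures.items(), key=lambda kv: (-kv[1], kv[0])):
        rows.append("%5d: %s" % (n, user))
    return "\n".join(rows)


def assess(failures: Counter, per_user: int = 5, distinct: int = 5) -> Dict[str, object]:
    """Apply the two rules of thumb from the text: many failures for a single
    username, or failures spread over many usernames, both suggest guessing.
    The thresholds are assumptions; tune them to the site's normal traffic."""
    repeated = {u: n for u, n in failures.items() if n >= per_user}
    return {
        "repeated": repeated,
        "distinct_usernames": len(failures),
        "suspicious": bool(repeated) or len(failures) >= distinct,
    }


if __name__ == "__main__":
    counts = failed_logins(SAMPLE_LOG.splitlines())
    print(format_report(counts))
    print(assess(counts))
```

On the sample lines the report lists six failures for "admin" plus four single-guess usernames, and both rules fire; the one failure for "testhttpbasic" on its own, as in the report above, does not.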