
Securing Content by SUNet ID Using WebAuth

Before adding or requesting password protection for your Web content, make sure you have read and understood the difference between access security and transaction security in our introduction to Password Protection for Your Site.

IRT supports Stanford University Web Authentication (WebAuth), which provides a way of restricting access to web pages to users in the Stanford community by requiring SUNet IDs. Web materials can be restricted to all Stanford users, or to specific users (named by SUNet ID). You can request installation of WebAuth via the Web Help form, or install WebAuth yourself.


Instructions for installing WebAuth on SoM Web Sites

Access to files is controlled at the directory level, so every file in a protected directory is restricted. It's a good idea to provide an unsecured "landing page" that tells users who is permitted and how to request access.

To protect a given directory with WebAuth, you will need to include a file in that directory named ".htaccess". The .htaccess file tells the Web server how to authenticate users. You must use Dreamweaver to place the file. If you are a Contribute user, contact Web Help.

  1. Within your local site files as defined in Dreamweaver, create a new file within the directory to be protected and name or rename the file ".htaccess".
  2. Replace all the text in the file with the appropriate directives, depending on who you wish to allow (see the sections below for each approach).
  3. Upload the file to your site, and test the protection through your Web browser.


Restricting access to any valid SUNet ID

The content of the file should be the following text only. Be sure to have a blank line after the last line of text.

AuthType WebAuth
require valid-user

Restricting access to specific individuals

You can limit access to a single SUNet ID or a list of multiple IDs, typically as listed in Stanford.Who. All of the SUNet IDs must be on one line (no paragraphs or carriage returns; word-wrap in the Dreamweaver code window is OK). Be sure to have a blank line after the last line of text.

AuthType WebAuth
require user bjones jsmith lmccoy
Restricting access to a workgroup

Using the previous method can be tedious when users come and go. It's more convenient to manage lists of users' SUNet IDs using workgroups. Once a workgroup is established, owners of the workgroup manage membership using the Workgroup Manager site (SUNet ID required; there is also an unsecured page explaining workgroups).

Workgroups must first be established with a request to ITSS through the HelpSU form. If your intent is to set up an official workgroup for your department, division or other unit, make sure to specify that you want an organizational prefix rather than a personal prefix. This ensures that the workgroup does not depend on your own ID.

Here's the .htaccess document syntax for personal prefix workgroups. Be sure to have a blank line after the last line of text.

AuthType WebAuth
require privgroup ~yoursunetid:groupname

Here's the .htaccess document syntax for organizational prefixes. Be sure to have a blank line after the last line of text.

AuthType WebAuth
require privgroup organization:groupname

Restricting access to a system-maintained privgroup

Access can also be restricted to broad classes of users, such as faculty, students, staff or combinations of these classes. See System-maintained groups on the ITSS site for a detailed list of these groups and who is and isn't included in them.

Here's the .htaccess document syntax to allow any Stanford faculty. Be sure to have a blank line after the last line of text.

AuthType WebAuth
require privgroup stanford:faculty

You can also combine groups.

AuthType WebAuth
require privgroup stanford:faculty
require privgroup stanford:staff

To ensure that only users with full SUNet IDs can get in (that is, excluding sponsored IDs held by contractors, visitors and the like), use the stanford:stanford privgroup:

AuthType WebAuth
require privgroup stanford:stanford
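As an added example (not part of the IRT page or any Stanford tooling), here is a small Python script that builds a .htaccess file for each approach above and lints one you already have against the page's rules: AuthType WebAuth present, a require directive, all SUNet IDs on one line, privgroups in prefix:groupname form, nothing else in the file, and a blank line after the last line. The SUNet ID and privgroup token shapes it checks are simplifying assumptions, not Stanford's official rules.

```python
import re

# Token shapes are simplifying assumptions, not Stanford's rules: SUNet ID = lowercase
# letters/digits; privgroup = prefix:group, with a leading '~' for a personal prefix.
SUNETID_RE = re.compile(r"^[a-z0-9]+$")
PRIVGROUP_RE = re.compile(r"^~?[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+$")

def build_htaccess(mode, *names):
    """Return .htaccess text for one approach: mode "any", "users" (IDs on one line) or "privgroups"."""
    if mode == "any":
        requires = ["require valid-user"]
    elif mode == "users":
        requires = ["require user " + " ".join(names)]
    elif mode == "privgroups":
        requires = [f"require privgroup {g}" for g in names]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # A final "\n" is what 'a blank line after the last line' means in a text editor.
    return "AuthType WebAuth\n" + "\n".join(requires) + "\n"

def lint_htaccess(text):
    """Return a list of problems; an empty list means the file follows the page's rules."""
    problems = []
    if not text.endswith("\n"):
        problems.append("no blank line after the last line (file does not end with a newline)")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if "AuthType WebAuth" not in lines:
        problems.append("missing 'AuthType WebAuth'")
    requires = [ln for ln in lines if ln.startswith("require ")]
    if not requires:
        problems.append("no 'require' directive (every approach on this page needs one)")
    for ln in lines:
        if ln != "AuthType WebAuth" and ln not in requires:
            problems.append(f"unexpected line {ln!r}: the file should hold these directives only")
    user_lines = 0
    for req in requires:
        kind, _, rest = req[len("require "):].partition(" ")
        if kind == "user":
            user_lines += 1
            bad = [i for i in rest.split() if not SUNETID_RE.match(i)]
            if not rest or bad:
                problems.append(f"'require user' needs space-separated SUNet IDs, got {bad or 'nothing'}")
        elif kind == "privgroup":
            if not PRIVGROUP_RE.match(rest):
                problems.append(f"privgroup {rest!r} must look like prefix:groupname or ~sunetid:groupname")
        elif not (kind == "valid-user" and rest == ""):
            problems.append(f"unsupported directive {req!r}")
    if user_lines > 1:
        problems.append("SUNet IDs are split over several 'require user' lines; put them all on one line")
    return problems
```

Run lint_htaccess on the text of your .htaccess before uploading it; an empty result means it matches one of the forms shown on this page.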

Using WebAuth protected pages

To protect the full transaction between the user's browser and the server, always use "https://" rather than "http://" to reach a WebAuth-protected page or directory, and use an absolute URL with the long med.stanford.edu domain name. So, even if you're protecting a directory in a site with the custom domain URL "yoursite.stanford.edu", you must still link to the protected files using a full https URL, for example:

"https://med.stanford.edu/yoursite/protected/securepage.html"

When a user clicks on a link to a WebAuth-protected page, they are redirected to a central Stanford WebAuth login page; upon authenticating, the user is directed back to the page originally requested. Users who do not hold a valid SUNet ID, or who are not specifically listed after "require user", will not be allowed to view the page or directory.

Secure and unsecured

Another common source of problems is a browser window that mixes secure and unsecured pages, typically in a frames context, which triggers a browser security alert. School of Medicine sites in the standard format no longer use frames. If your site uses frames or iFrames, all frame links should use the https:// method to avoid the alert.
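As an added example (not from the IRT page), the Python check below scans a page's href and src attributes for references into a protected directory and flags any that are relative, not https, or not on the long med.stanford.edu domain, covering both the linking rule above and the frames/iFrames rule. The sample markup and the site name "yoursite" are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample markup (hypothetical site "yoursite"; not a real Stanford page) with
# links and frame sources pointing into a WebAuth-protected directory.
SAMPLE_HTML = """
<a href="https://med.stanford.edu/yoursite/protected/securepage.html">correct</a>
<a href="http://med.stanford.edu/yoursite/protected/securepage.html">plain http</a>
<a href="https://yoursite.stanford.edu/protected/securepage.html">custom domain</a>
<a href="/yoursite/protected/securepage.html">relative link</a>
<iframe src="http://med.stanford.edu/yoursite/protected/frame.html"></iframe>
<a href="/yoursite/index.html">unprotected landing page, not checked</a>
"""
REF_RE = re.compile(r'(?:href|src)="([^"]+)"')

def link_problem(url, host="med.stanford.edu"):
    """Return why url breaks the page's rule for protected content, or None if it follows it."""
    parts = urlsplit(url)
    if not parts.netloc:
        return "relative link: use a full https URL"
    if parts.scheme != "https":
        return "not https: the transaction between browser and server is not protected"
    if parts.netloc != host:
        return f"host {parts.netloc}: link via the long {host} domain name instead"
    return None

def check_protected_refs(html, protected_dir="protected"):
    """Return (url, problem) pairs for every href/src into protected_dir that breaks the rule."""
    findings = []
    for url in REF_RE.findall(html):
        # Only references into the protected directory are held to the https rule.
        if f"/{protected_dir}/" in urlsplit(url).path:
            problem = link_problem(url)
            if problem:
                findings.append((url, problem))
    return findings
```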

More information about WebAuth is available from ITSS.

You might also be interested in how to restrict pages with basic authentication (i.e. an arbitrary, non-SUNet ID, username and password) or by machine IP address, which can also be combined with WebAuth.

Questions? Need help? Contact Web Help.