HTML: protecting a site with multiple htaccess files - html

I have a (Bootstrap) site with top-level htaccess/htpasswd protection. This works fine, but I'd now like to add a new menu item, which requires a different (administrator) password.
My plan A is to have the new administrator menu show a single 'login' item. When you click on the login item, a page from the admin directory is loaded. The admin directory contains a second .htaccess, which currently contains
<Limit GET>
require user admin
</Limit>
However, this doesn't work, for at least 2 reasons:
(1) If the user originally logged in as foo, for example, and then clicks the login menu item, Apache doesn't offer to let the user log in again as admin - the error log simply says
access to /foo/admin/admin.html failed, reason: user 'foo' does not meet 'require'ments for user/valid-user to be allowed access
Is there some way to force the password dialog to appear?
(2) My top-level index.html currently does a virtual include of the admin page:
<div id="siteAdminDiv" class="container" style="display:none">
<!--#include virtual="admin/admin.html" -->
</div>
this doesn't work (unsurprisingly), since Apache tries to load the page on the initial site load, and the load fails because the user has just entered a user-level rather than an admin password. Any idea how I load this page only when it's required, in such a way that it doesn't redirect, for example, and fits into the existing Bootstrap structure?
Thanks.

Related

how to set the Nginx basic auth ineffective in browser manually

Description
Here is my problem:
I previously added basic auth in my Docker container successfully. I opened my website and entered the basic auth name and password correctly, so the next time I opened my site, and for a long time afterwards, I didn't need to enter them again. That's cool, because I know the browser will remember something for me.
Now I have removed the basic auth from my Nginx configuration file and restarted the server, and I want to check whether the change has taken effect. But when I open my site this time, I still don't need to enter a name and password, and I am not sure whether the configuration change has taken effect or the browser has already remembered the authorization. So I want to remove or delete the existing authorization in my browser.
Of course I can find another device that has never signed in before to check, but I am curious about how the browser remembers or stores the name and password or authorization that has already been entered, and whether I can delete these things manually.

How do I protect a directory within github-pages?

I am building my personal website using Jekyll and hosting it at github-pages. I would like to have a password protected area (just password protected directory, not the whole website). I have tried a few options and tricks to get htaccess to work but failed.
I would like to know if someone managed to use htaccess, or any other method, to protect a directory on github-pages.
Listing solutions which did not work for me (or I failed to get them to work):
*Flohei.
*Jeremy Ricketts.
GitHub Pages (like Bitbucket Pages and GitLab Pages) only serves static pages, so the only solution is something client-side (JavaScript).
A solution could be, instead of using real authentication, to share just a secret (password) with all the authorized persons and implement one of the following schemes:
1) Put all the private files in a (not listed) subdirectory and name it with the hash of the chosen password. The index page asks you (with JavaScript) for the password and builds the correct start link by calculating the hash.
See for example: https://github.com/matteobrusa/Password-protection-for-static-pages
PRO:
*Very simple approach protecting a whole subdirectory tree
CONS:
*Possible attack: sniffing the following requests to obtain the name of the subdirectory
*The admins on the hosting site have access to the full contents
2) Encrypt the page with a password and decrypt it on the fly with JavaScript.
See for example: https://github.com/robinmoisson/staticrypt
PRO:
*No plaintext page code around (decrypting happens on the client side)
CONS:
*Just a single page, and you need to re-enter the password on every refresh
*An admin could change your JavaScript code to obtain the password when you enter it
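The second scheme above (encrypt at build time, decrypt in the viewer's browser) is sketched below as an added example; it is not staticrypt's code. It uses Node's standard crypto module so it runs offline, and the PBKDF2 work factor, the blob layout and the sample page and password are assumptions made for this sketch.

```javascript
// Added example: password-based page encryption with PBKDF2 + AES-256-GCM.
const nodeCrypto = require("node:crypto");

const ITERATIONS = 200000; // assumed PBKDF2-SHA256 work factor

function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, "sha256");
}

// Build step: runs on the author's machine, never on the static host.
function encryptPage(html, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(html, "utf8"), cipher.final()]);
  // Only salt, IV, authentication tag and ciphertext are published.
  return [salt, iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64")).join(".");
}

// Viewer step: returns the page, or null when the password is wrong
// or the published blob has been modified.
function decryptPage(blob, password) {
  const [salt, iv, tag, ct] = blob.split(".").map((s) => Buffer.from(s, "base64"));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // tag check failed
  }
}

// Constructed sample input.
const SAMPLE_PAGE = "<h1>Members area</h1>";
const SAMPLE_PASSWORD = "correct horse battery staple";
const published = encryptPage(SAMPLE_PAGE, SAMPLE_PASSWORD);
console.log(decryptPage(published, SAMPLE_PASSWORD));
console.log(decryptPage(published, "wrong guess"));
```

The GCM tag makes a wrong password or an altered ciphertext fail cleanly, but it does nothing about the last CON listed above: whoever controls the hosted decryption script can still change it.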
One option is to use Cloudflare Access to control access at the DNS level.
After setting up a custom domain for your Git pages using Cloudflare for DNS, you can use their Access rules policy to require authentication at the specified url path.
This could still be bypassed if someone is familiar with bypassing DNS blocks.
https://www.cloudflare.com/products/cloudflare-access/
You can give Jekyll Auth a try, and if you run into trouble, this issue can be useful.
You can use Render to deploy your static web app. It has an npm package that encrypts your HTML files so the user cannot see them in the browser. So you can use frontend password validation.

how to create 'enter password to go to the main site' in html

I already read this question and this question.
I was planning to make this
I am working on static html(s) with lots of HTML and files like this:
In order to create an "enter the site, write down the given password", I need to create a different .html.
If the user enters the password correctly, they will be redirected to the main site (in this case, they will be redirected to here.html), and if the password is wrong, the user will stay on the same page until they enter a correct password.
How do I make that function/password page?
I want the user to be unable to dig through the source to find out the password.
It will be just a simple password.
If you want to keep the password secret, then you cannot give it to the browser (since anything you give to the browser, you give to the user).
This means that you must check the password using server side code.
The closest you could come without using server side code would be to make the password part of the URL. If the wrong password was entered, the user would go to the wrong URL and get a 404 error.
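The password-in-URL idea from this answer, which is also the hash-named subdirectory scheme in the GitHub Pages answer earlier on this page, is sketched below as an added example; it is not code from either post or from the linked project. The salt, iteration count, sample password and the in-memory stand-in for the static host are all assumptions.

```javascript
// Added example: the login page derives a directory name from the typed
// password, so the page source holds neither the password nor the path.
const nodeCrypto = require("node:crypto");

// Public values that would be embedded in the login page (assumed).
const SITE_SALT = "example-site-v1";
const ITERATIONS = 200000;

// What the login page computes from the typed password.
function privatePath(password) {
  const name = nodeCrypto
    .pbkdf2Sync(password, SITE_SALT, ITERATIONS, 16, "sha256")
    .toString("hex");
  return `/${name}/here.html`;
}

// Constructed stand-in for a static host: it only knows which files exist.
function makeHost(paths) {
  const files = new Set(paths);
  return (path) => (files.has(path) ? 200 : 404);
}

// Constructed sample: the author publishes the private page under the
// directory name derived from the real password.
const REAL_PASSWORD = "tr0ub4dor&3";
const host = makeHost(["/index.html", privatePath(REAL_PASSWORD)]);

// A wrong password simply lands on a path that does not exist.
function tryLogin(password) {
  const path = privatePath(password);
  return { path, status: host(path) };
}

console.log(tryLogin(REAL_PASSWORD).status); // existing path
console.log(tryLogin("letmein").status);     // missing path
```

The derived path is itself the credential: anyone who sees it in browser history, a Referer header or a request log can open the page without knowing the password.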

Remove VIEW permission automatically from Guest Role when a site-page is added

In Liferay when a page is added to the Site it by default gives VIEW permission to the Guest role.
Is there any way (either through configuration or through hook or other) to disable this so that by default VIEW permission is disabled for Guest role when a new page is added to the Site?
Well, when a page [Layout, in Liferay's low-level context] is added as a public page, Liferay assigns the default permissions defined in sites.xml for the Layout model to the GUEST role.
Basically there are two ways to avoid it through ext development:
*Remove the guest default permissions from sites.xml.
*Change the code in LayoutLocalServiceImpl in ext by overriding the addLayout method, with the addGroupPermissions boolean value set to false.
There are ways (through liferay Configuration and Ext) with which you can restrict VIEW of Site public pages for those Users who don't explicitly have that permission.
1st Approach
So this can be achieved by setting this property to false in portal-ext.properties:
permissions.check.guest.enabled=false
But setting this property means that the Guest role only makes sense for users who have not logged in. Once the user logs in, even if there is a VIEW permission on Guest for a page or asset, the user won't be able to view it unless the user has that permission.
So the Guest role would be rendered completely useless, even if you give all the permissions to the Guest role.
For users who have not logged in, you can send them to the login page with some logic.
2nd approach
1) Update site.xml in the EXT plugin to disable the default VIEW permission for guest when adding site pages.
By doing so, when a site page is added, the Guest role's VIEW permission is unchecked by default.

Allow Logged In Wordpress users to read a folder of HTML pages

I have a WordPress site installed in the root folder. Beneath the root is a /docs folder with a bunch of older HTML files. I'd like to allow only logged in WordPress users to be able to have access to those /docs HTML pages (not to be confused with WordPress 'pages').
I created a WordPress 'portal' page which displays links to the /docs pages if the visitor is logged in. I would also like to put in a textual search function (which I know how to do) so logged in visitors can get a list of relevant /docs HTML pages.
What I -don't- know how to do is prevent -not- logged in visitors from direct access to the /docs pages for both links and searches?
I know I could do this if I converted the HTML pages to PHP and checked a referrer. But I don't want to have to redo all the old HTML if possible (if I have to do -that- I'll just import them into a WordPress taxonomy---but I hope to avoid that!)
I looked at .htaccess and I was hoping to perhaps set an ENV variable or use REFERRER, but I keep reading that such things are not reliable.
Ideas?