retroactively adding password protection to a webapp

Post by rgmhtt » Tue Dec 07, 2010 2:02 pm


It talks about the new password protection. But this is only good for when you select this on installing an app.

How do I add this to an existing app?

Re: retroactively adding password protection to a webapp

Post by dr2chase » Thu Mar 03, 2011 6:26 am

I second this request; I find the documentation for using Webmin to set up password protection to be not entirely intuitive (that's diplomatic-speak for WTF-confusing).

In particular:
In “Directory path” browse to/or enter the path to the ‘html’ web directory you wish to protect
I am guessing, from the text above, that I want to protect "/var/hda/web-apps/". If I am right, please say so in the doc. If I am NOT right, then the doc is busted.

Webmin's UI no longer corresponds to the interface; there is no button listed that says "Associated users and groups". AHA! I get there after PUSHING A BUTTON. You need to say that.

Next, I try to add a user. It asks for "Digest realm". I leave it empty, that fails. I use the authentication realm I tried previously, that fails too. (AHA, it's because I used "Digest" authentication. But isn't Digest authentication better? So what am I supposed to say for a "Realm", then? And why would each user be in a different one, when I already specified one?)

And why would I want to unprotect a user/group when I am done? This doesn't quite make sense.
I tried hitting that button, and poof!, the directory I had just specified disappeared.

For reference (just so you know that I am not completely new to this) I set up and run a Trac server, complete with digest authentication and shared passwords between Trac and Svn. I am nowhere near confident messing with this stuff, but it is entirely the fault of the atrocious documentation that comes with Apache. I think it should be pretty easy to do better than Apache. Think about what most people want to do, and then make it happen (most people want the passwords to match, and to be handled through a single interface). Write the instructions in the form "if this ONE THING is what you want, THEN do just this." No course corrections or options mid-way, "maybe you changed your mind", or "of course everyone knows about crypt, MD5, and digest authentication, so of course they want to make that decision". No. Just tell them the answer that will make most people happy.

So, right now, I have ZERO confidence in anything I do using this, and I am a little worried that I will bork all my webapps by banning all users, or some such. I think I need recovery instructions in that case (which I think involves simply going to the directory as root in a terminal, and removing the relevant files, RIGHT?)
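Added example, not part of either post or of the documentation they discuss: with Apache Digest authentication every user entry is stored as `user:realm:MD5(user:realm:password)`, and the realm in that entry has to be the same string as the directory's `AuthName`, which is why a per-user "Digest realm" is asked for. The sketch below builds such entries and reports which users in a digest file can never log in because their realm differs; the realm, user names, passwords, file path and Apache 2.2-style directives in the sample are constructed assumptions.

```python
import hashlib
import re


def htdigest_line(user, realm, password):
    """Build one entry in the format Apache's htdigest tool writes:
    user:realm:MD5(user:realm:password)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"


def configured_realm(htaccess_text):
    """Return the AuthName realm if the config uses AuthType Digest, else None."""
    if not re.search(r"^\s*AuthType\s+Digest\s*$", htaccess_text, re.I | re.M):
        return None
    m = re.search(r'^\s*AuthName\s+"?([^"\n]+?)"?\s*$', htaccess_text, re.I | re.M)
    return m.group(1) if m else None


def usable_users(htaccess_text, digest_file_text):
    """Split digest-file users into (realm matches AuthName, realm differs).
    Users in the second list are rejected whatever password they type."""
    realm = configured_realm(htaccess_text)
    ok, mismatched = [], []
    for line in digest_file_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 3:
            continue  # blank or malformed entry
        (ok if parts[1] == realm else mismatched).append(parts[0])
    return ok, mismatched


# Constructed sample: a per-directory config and a two-user digest file.
SAMPLE_HTACCESS = """AuthType Digest
AuthName "Home Apps"
AuthDigestProvider file
AuthUserFile /path/to/digest-users
Require valid-user
"""
SAMPLE_USERS = "\n".join([
    htdigest_line("alice", "Home Apps", "constructed-password-1"),
    htdigest_line("bob", "home apps", "constructed-password-2"),  # wrong case
])

if __name__ == "__main__":
    ok, bad = usable_users(SAMPLE_HTACCESS, SAMPLE_USERS)
    print("can authenticate:", ok)
    print("realm does not match AuthName:", bad)
```

The realm comparison is an exact string match, so a difference in case or spacing is enough to lock a user out.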
