SCS Computing
 Services and Solutions

How to use WebISO to control access to web pages

The SCS web servers support Kerberos authenticated access to Web pages using WebISO (Web Initial Sign-On). Using WebISO, one can restrict access to web pages to specific authenticated users, or specify that pages are only accessible to any authenticated user in the CS.CMU.EDU, ANDREW.CMU.EDU, or ECE.CMU.EDU Kerberos realms.

You should not rely on WebISO or any other .htaccess-based protection mechanism to restrict web access to especially sensitive information (SSNs, credit card numbers, etc.), and we advise against making such information accessible in any way via the SCS web servers.

Note: WebISO only restricts HTTP access via our main web servers. See our documentation on restricting access to web pages for information on how to protect web pages from regular AFS access. You will need to restrict both types of access (HTTP and AFS) in order to fully protect your pages.

WebISO does not require any specific plug-in to work. However, to use WebISO with your browser, you will need to enable cookies.

How to configure a .htaccess file to use WebISO

WebISO directives are placed in .htaccess files. The following examples of .htaccess files illustrate how to use WebISO directives for some simple cases. Note that the realm (e.g. CS.CMU.EDU) part of the directive must be in upper case.

To only allow access to authenticated users

To only allow people to access your web pages who have authenticated to the CS.CMU.EDU, ANDREW.CMU.EDU, or ECE.CMU.EDU Kerberos realms, use a .htaccess file with the following lines:

AuthType WebISO
Require valid-user

To only allow access to specific authenticated users

To only allow particular authenticated users to access your web pages, list the userid and associated Kerberos realm for each user in the .htaccess file. For example, the following .htaccess file would allow access for the user "bovik" in the CS.CMU.EDU realm, and the user "av29" in the ANDREW.CMU.EDU realm:

AuthType WebISO
Require user bovik@CS.CMU.EDU
Require user av29@ANDREW.CMU.EDU
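
A mistyped realm or a missing Require line is easy to overlook, so the following added example (not SCS-provided code) checks .htaccess text against the two forms shown above. The function names and the sample input are constructed for illustration, and the realm list is taken from this page.

```python
# Added example (not SCS code): lint .htaccess text against the forms on this page.
ALLOWED_REALMS = {"CS.CMU.EDU", "ANDREW.CMU.EDU", "ECE.CMU.EDU"}  # realms the page names

def check_principal(principal):
    """Return a list of problems with one userid@REALM entry."""
    user, sep, realm = principal.partition("@")
    if not (sep and user and realm):
        return [f"{principal!r} is not in userid@REALM form"]
    if realm != realm.upper():
        return [f"realm in {principal!r} must be upper case"]
    if realm not in ALLOWED_REALMS:
        return [f"realm {realm!r} is not one of the realms the page names"]
    return []

def lint_webiso(text):
    """Return [(line_number, message)]; line 0 marks a whole-file problem."""
    problems, auth, requires = [], None, 0   # auth: None = no AuthType line seen
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments are whole lines
            continue
        name, *args = line.split()
        name = name.lower()                   # directive names are case-insensitive
        if name == "authtype":
            auth = bool(args) and args[0].lower() == "webiso"
            if not auth:
                problems.append((n, "AuthType is not WebISO"))
        elif name == "require":
            requires += 1
            kind = args[0].lower() if args else ""
            if kind == "user":
                for principal in args[1:]:
                    problems += [(n, msg) for msg in check_principal(principal)]
            elif kind != "valid-user":        # other Require forms are not on the page
                problems.append((n, f"Require form {kind!r} is not shown on the page"))
    if requires and auth is None:
        problems.append((0, "Require present but no AuthType WebISO line"))
    if auth and not requires:
        problems.append((0, "AuthType WebISO but no Require line in this file"))
    return problems

# Constructed sample: lower-case realm on line 2, missing realm on line 3.
SAMPLE = """AuthType WebISO
Require user bovik@cs.cmu.edu
Require user av29@ANDREW.CMU.EDU guest
"""
if __name__ == "__main__":
    for n, msg in lint_webiso(SAMPLE):
        print(f"line {n}: {msg}")
```

An empty result means the file matches one of the two forms on this page; it does not check AFS permissions, which must be restricted separately.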

Additional information

The following off-site links will open in a new browser window:

CMU Computing Services WebISO documentation
CMU Computing Services information about using and troubleshooting WebISO. Some of this information may not apply to using WebISO in SCS.
Pubcookie is the web authentication method used by WebISO at CMU. It makes use of our existing Kerberos infrastructure.