Friday, August 27, 2010

Apache Basic Authentication Authname Realm IE prompt

SkyHi @ Friday, August 27, 2010
Your website is, in general, available to the public.  That's how you want it: you want the world to be able to reach your site and see what you, your company, your group, your services are all about.  But you may want a separate area that is NOT available to the public.  That's where the Protected URL comes in.  It lets you make a certain directory of your site unavailable to the public and instead prompt the visitor for a username and password.  The following instructions will lead you through the process:
  1. Let's say my domain name is mydomain.com, and I want to create a place called mydomain.com/secured that is only accessible via login, and thus protected from the general public.  In general, the steps we will follow are:
    • first create the folder called "secured"
    • apply the "URL protection" to it (the layer that asks for the login)
    • create a login username/password combo to access it
    • Detailed instructions follow.  
  2. Log into the control panel
  3. click on your domain, in our example, we'd click on mydomain.com
  4. click on the File Manager icon
    • In File Manager, click on httpdocs (remember, httpdocs is the "root" of your website... i.e., http://www.mydomain.com points to this httpdocs folder).
    • Once in the httpdocs folder, click on Add New Directory, add the name of the directory you want, in our example, I'd enter "secured", and click OK.
    • Once that folder is created, navigate back out of the File Manager tool, back to the top level.  For most versions of Plesk, you can click on the domain name at the top of the control panel as a shortcut to do this.
  5. Now that you're done with creating the folder in File Manager, let's apply the protection.... remember, you should be back at the top level for the domain in the control panel, back where the File Manager icon was.  Find and click on the Protected URLs icon.
    • In Protected URLs, click on Add New Protection
    • In the URL field, leave the "/" and enter the name of the folder you just created... in our example, this is how the field would look: /secured
    • For the Realm Access Text field, whatever value you enter here will be displayed to the user in the login prompt, preceded by "Welcome to ".  So if you enter "my secured area", the login prompt will read "Welcome to my secured area".  If you enter "welcome to my secured area", the login prompt will read "Welcome to welcome to my secured area", so just remember it prepends the "Welcome to".
    • Click OK
    • You should now be back at the Protected URLs menu, and the Protected URL you just added will be listed.  Click on the Protected URL you just added; this will take you to the Protected URL Users page for this Protected URL.  Use the Add New User icon to create a username and password combination to access this Protected URL. Some notes about Protected URL Users:
      • Note, you can create multiple Protected URLs; each will have its own unique list of users.
      • You can create 1 user for a protected URL, and give that to however many people you wish.  Or you can create a unique user for each person you want to access a given Protected URL.
  6. Setup of the Protected URL is complete. To test:
    • First, we'd actually need to put a file in the secured folder, so follow your normal process for FTPing a file into the httpdocs/secured folder.
    • To test the URL... for our example, we'd point our browser to http://www.mydomain.com/secured and should be prompted with "Welcome to my secured area"
    • Please note, there is a known issue with some versions of the Plesk Control Panel that causes the directory to NOT prompt for user/pw immediately after being set up.  This can be fixed by our support team after you've set it up.  Please see KB Article #9.
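
To confirm step 6 without a browser, and to catch the known issue where the directory does not prompt, the check below inspects the response to a request sent without credentials. It is an added example, not part of the original article: the sample responses are constructed, the function names are hypothetical, and it assumes the "Welcome to " prefix is part of the realm string the server sends, as the prompts quoted in this article suggest.

```python
import re

# realm is a quoted-string; a backslash escapes the next character.
_BASIC_REALM = re.compile(r'^\s*Basic\s+.*?realm="((?:[^"\\]|\\.)*)"', re.I)

# Constructed sample responses to an unauthenticated GET /secured/ (not captured traffic).
PROTECTED = ("HTTP/1.1 401 Unauthorized\r\n"
             'WWW-Authenticate: Basic realm="Welcome to my secured area"\r\n'
             "Content-Type: text/html\r\n\r\n")
NOT_PROMPTING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>file</html>"
DOUBLED = ("HTTP/1.1 401 Unauthorized\r\n"
           'WWW-Authenticate: Basic realm="Welcome to welcome to my secured area"\r\n\r\n')


def parse_response(raw):
    """Return (status_code, [(lowercased header name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_protection(raw, realm_text):
    """Return (ok, reason) for the response to a request sent without credentials."""
    status, headers = parse_response(raw)
    if status != 401:
        return False, "status %d: served without a login prompt" % status
    # Assumption: the "Welcome to " prefix is part of the realm the server sends.
    expected = "Welcome to " + realm_text
    for name, value in headers:
        match = _BASIC_REALM.match(value) if name == "www-authenticate" else None
        if match:
            realm = re.sub(r"\\(.)", r"\1", match.group(1))  # undo quoted-pair escapes
            if realm == expected:
                return True, "Basic challenge with realm %r" % realm
            return False, "unexpected realm %r" % realm
    return False, "401 without a Basic challenge"


if __name__ == "__main__":
    for label, raw in (("protected", PROTECTED), ("not prompting", NOT_PROMPTING),
                       ("doubled prefix", DOUBLED)):
        print(label, "->", check_protection(raw, "my secured area"))
```

The second sample is what the known issue above looks like on the wire: the file comes back with a 200 and no challenge, so the folder is still public.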

A note about the ProtectedURL prompting and Internet Explorer 7:
The prompt was designed around Firefox and IE 6, and designed to exercise a password prompt function within the browser, passing to it the text "Welcome to 'realm'" where "realm" is the text you can specify when you set up the password protection, and provides a name for the area protected (the password protected "realm").

So with Firefox and IE 6, if you set the "realm" up to be "my secured area" you would see:
Internet Explorer 6: Welcome to realm.
for example: Welcome to my secured area.
Firefox:  A username and password are being requested by http://domain.com.  The site says: "Welcome to realm"
for example: A username and password are being requested by http://www.domain.com. The site says: "Welcome to my secured area."
As you can see from the examples above, this function works fine with IE6 and Firefox.  The problem is the changes Microsoft made to this password prompting function within the IE7 browser. IE7 has changed the nature of the prompt exercised by the password protection function to the following:
The server domain.com at "Welcome to 'realm'" requires a username and password.

Which would yield:
The server domain.com at "Welcome to my secured area" requires a username and password.

Which obviously is less than ideal.  The feature is, unfortunately, hard-coded within Plesk and we cannot change it.  The issue has been submitted to Parallels (the maker of Plesk), but we do not currently have a fix from them to modify the feature to more properly align with IE7's new prompting convention.

Our suggestion is to examine your usage of the text for "realm" to make it fit as best as possible for all 3 browsers: Firefox, IE6 and IE7.

REFERENCES
http://knowledge.3essentials.com/web-hosting/article/215/Protected-URLs-what-are-they-and-how-to-use.html