HTTP authentication

A directory within a website root can be protected by means of a password. Hiawatha offers two methods for authentication: basic HTTP authentication and digest HTTP authentication.

Basic HTTP authentication

Basic HTTP authentication is an authentication method in which passwords are sent unprotected. They are encoded via Base64, but decoding it can be done by anyone who captures the communication. Therefor, only use basic HTTP authentication when the connection is protected via HTTPS.

Use the wigwam tool with the -b option to create a new entry for in the password file:

# wigwam -b <username>
Enter password: <enter the password>

The output of this step is a line containing the specified username and the hashed password. Copy & paste this line into your password file. Wigwam prints the output of the password generation to stderr. So, in bash you can use 2>> <password file> to add the result to your password file. Use the PasswordFile option to tell Hiawatha where it can find the password file. Use the full path to the password file! Using this option enables HTTP authentication for the virtual host or directory.

PasswordFile = basic:/full/path/to/the/password_file

Place your password file outside the website root or make its filename start with a dot. Make sure Hiawatha is able to read the password file! So, check the access rights and/or ownership of the password file itself and the directories where it is stored.

Digest HTTP authentication

To protect the password while it is being send to the web server, digest HTTP authentication was invented. Its downside is that it always require the client to make a first request to obtain information required to generate the hashed password, while basic HTTP authentication can be done within the actual request for the file. To set up digest HTTP authentication, you need to use the LoginMessage option. This option makes you set a message for the login dialog in the browser.

PasswordFile = digest:/path/to/the/password_file
LoginMessage = My Protected Files

The login dialog message is also used to hash the password, so you need to specify it when using wigwam to create the password file.

# wigwam -d <username> 'My Protected Files'
Enter password: <enter the password>

The default value for LoginMessage is 'Private page'. So, if you choose to not set the LoginMessage, use that with the wigwam tool.


(still working on this chapter)

PasswordFile = digest:/path/to/the/password_file, /path/to/the/group_file
mygroup:<username 1>[, <username 2>, ...]
RequiredGroup = mygroup