Skip to content Skip to site navigation

WebAuth with a Macintosh

WebAuth is being deprecated and will be retired soon.

To get help transitioning from WebAuth to SAML, visit SAML (Authentication) or the WebAuth Announcement page.


To WebAuth your web pages with a Macintosh you must first mount your WWW folder using Stanford OpenAFS and then set the appropriate permissions in your WWW folder. You then create a .htaccess file using TextEdit and place this .htaccess file into your WWW directory using a file transfer program such as Fetch.. It's actually quite simple. TextEdit comes as part of Mac OS X and Stanford OpenAFS is available free from the OpenAFS at Stanford web site. If you don't have Fetch, you can get it from the Essential Stanford Software site.

Most people use WebAuth on pages contained in subfolders inside their WWW directory. This is because WebAuth actually works on the folder, not the page, so creating a subfolder is almost necessary (unless you want to protect your entire home page.) In the example below we assume you want to protect web pages inside a folder called "classproject" which is located inside your personal WWW directory.

Note: The Workgroup Manager is a web application that allows you to define groups of Stanford community members for use in various online applications (not just a web page or group of pages) that also utilizes web authentication (WebAuth). See the overview for Workgroups and the Workgroup Manager if this is the type of authentication you need.

Setting WebAuth permissions

Put your AFS home folder onto your desktop

  1. Click and hold the Stanford Desktop Tools icon Stanford Desktop Tools icon to display a popup menu. Click Mount AFS Volume.
    (Alternatively, from your Applications folder click Stanford, click AFS, and double-click AFS Controller.)
  2. When the Mount AFS Volume window opens, under "Mount volume belonging to," click My Home and then click Mount. If you need help doing this, see Using Stanford OpenAFS for Macintosh.
  3. A window will open on your desktop. Inside this window are your WWW files and folders: you are now in AFS. Double-click the WWW folder to open it.

Set the appropriate permissions

  1. Hold down the CONTROL key and click-hold the "classproject" folder. A contextual menu for that folder will pop up.
  2. Slide your cursor down to AFS submenu. Move the cursor to the right to open this submenu:

    AFS submenu
  3. Select Access Control List .... An Access Control List window will appear.

    access control list window

    This window shows what permissions are currently controlling the "classproject" folder. Basically, you need to change "system:anyuser l" to "system:anyuser none" (which will cause it to disappear), and add or edit a permission that says "system:www-servers rl" so the web server can protect the files inside this folder.

To get rid of "system:anyuser"

  1. Click on and highlight "system:anyuser" in the Access Control List window.
  2. Click the Delete button.
  3. A Delete Permission box will appear, asking if you're sure about this. Click the Delete button.
  4. The Access Control List window will refresh to indicate the ACL you deleted is gone.

To add "system:www-servers"

  1. Click the Add... button. A nameless dialog box will appear.

    edit permissions
  2. In the Name: field, type:
    (Don't forget the colon (":"), without any spaces, between the word "system" and the word "www-servers".)
  3. Click on the Read (r) and Lookup (l) buttons.
  4. Click the Save button.

To edit "system:www-servers"

If "system:www-servers" is already present in the Access Control List window, it may have ACLs different than the "rl" permissions you need. You'll have to edit them:

  1. Click on and highlight "system:www-servers" in the Access Control List window.
  2. Click the Edit... button. A nameless dialog box will appear.

    edit permissions
  3. Click on the Read (r) and Lookup (l) buttons.
  4. Click the Save button.

When you're done making these changes close the Access Control List window.

Creating a .htaccess file

Open TextEdit

  1. Double click the TextEdit icon. (It's in the Applications folder.)
  2. Close the window called "Untitled.txt".
  3. Go to the TextEdit menu and select Preferences ... .
  4. Click the Plain text button in the New Document panel of the Preferences dialog box.
  5. Close the Preferences dialog box.
  6. Go to the File menu and click New.

Type the WebAuth instructions you want to use

  1. In the new TextEdit window upon your screen you can type your two lines of WebAuth instructions. We recommend, however, that you simply cut and paste the WebAuth code you want from our list of common ready-made WebAuth directives. This list tells you which WebAuth instructions to use for which WebAuth purpose.

    If you do cut and paste from the list, your next step would be to edit the file. For example, if you copied and pasted this code from the WebAuth list:
    • AuthType WebAuth
    • require user sunetid1
    You'd want to replace the word "sunetid1" with the actual SUNet ID of the person you wanted to see your web page. If, for example, that person's SUNet ID were gsmith, you would edit the code so it looked like this:
    • AuthType WebAuth
    • require user gsmith
  2. Press RETURN once. The WebAuth instructions in your .htaccess file won't work unless they are followed by at least one carriage return.

Save the TextEdit document

  1. Go to the File menu.
  2. Click Save.
  3. In the Save as field, type htaccess.
  4. In the Where drop down menu, select Desktop.
  5. Make sure the Plain Text Encoding field says Western (Mac OS Roman).
  6. Click Save.
  7. Close the TextEdit document (which is now titled htaccess).

Putting the .htaccess file into AFS

Note: File names that begin with a dot are reserved for the system and are hidden. You need to use an file transer application, such as Fetch, that will allow your .htaccess file to remain visible.

  1. Open Fetch by double-clicking its icon..
    • It's in the Applications folder (or the Dock if you placed it there).
    • If you don't have Fetch, you can get it from the Essential Stanford Software site.
    • When the Fetch connection box appears,enter in the Host name field. and Connect using: SFTP. If you need help doing this, see the instructions for using Fetch.
    • Use your SUNet ID in the Username: field and SUNet ID password in the Password: field.
    • Click Connect.
  2. Navigate to the web folder you want to protect. (In this case, you'd double click on the WWW folder, then double click on the "classproject" folder.)
  3. Drag your htaccess file into that folder.

Change the name htaccess to .htaccess

  1. Still in the Fetch window, select (so it's highlighted) the htaccess file you just placed. Its name may have changed to htaccess.txt, but that's okay: it's still the same file.
  2. Click on the name of the file again so that it highlights.
  3. Change the name of the file to .htaccess. Don't forget to add the dot (".") in front of the word htaccess!
  4. Press RETURN.
  5. Terminate your connection to AFS by clicking the "close" button on the Fetch window.
  6. Close the application by selecting Quit Fetch under the Fetch menu.
Last modified February 3, 2022