Setting Up a MySQL Based Website - Part II

Tuesday Jan 25th 2000 by DatabaseJournal.com Staff

In the first article covering MySQL and Web servers, I talked about creating a guestbook that would allow Website visitors to leave a message for everyone to see. There is much more that can be done with a Web site using mySQL and Apache, and in this article covering the creation of a mySQL-based Web site, we'll be talking about using mySQL as a user-authentication database.

by Andrew Chen

Performing User Authentication via MySQL

In my last article covering MySQL and Web servers, I talked about creating a guest book that would allow our visitors to leave a message for everyone to see. This was all fine and dandy; however, there is more that we can do with a Web site using mySQL and Apache. In this article covering the creation of a mySQL-based Web site, we'll be talking about using mySQL as a user-authentication database.

One of the many popular features of a Web site is to create a "Members Only" section--a section that can be only accessed by authenticated users. Apache includes facilities to do this without the help of an external module, but only with a flat file or a basic database file.

A flat file can be useful when you'll only have a handful of people, and want an easy way to administer the user list. Since the password database will be text (similar to /etc/passwd), opening it in any text editor will allow you to edit user names and passwords. The drawbacks to flat-file databases? With a large number of entries, authentication becomes slower and administration becomes much harder. When using a database file, access times are somewhat quicker, but administration is harder since the file is not text-based.

For large Web sites, a separate database program is necessary to keep track and authenticate users. This is where mySQL comes in. By creating a mySQL table for authenticating users, or using an existing table, you can administer user list with the mySQL database tool and have fast authentication. For this example, we will be using an existing table of users, which we can assume is the list of "members" for this Web site. Our sample table will look something like this:

username  passwd  groups 
bob  h4oBGB89Z0wZo  user 
josephkoo  hn8HdBZegkRfe  admin 
steve  9AzT4j2RRb8sd  user 
dingo  Cj2y9SjERpTRH  user 

We created this table in the apache database under the table name of members. We have also created a special mySQL username of apache with a password of authenticate. This account will be used to read in the authentication table when a user accesses a "Members Only" page.

Page 2: Setting up Mod_auth_mysql

by Andrew Chen

Setting up Mod_auth_mysql

For the purpose of this tutorial, we'll be working with a source distribution of Apache, under Slackware Linux 4.0. For RedHat users, there are RPMs with mod_auth_mysql already compiled in. (Newer versions of Slackware Linux have Apache with mod_auth_mysql already compiled in as well.)

In order to setup mySQL-based authentication under Apache, we need to recompile Apache, along with the mod_auth_mysql module. You can grab your own copy of Apache from http://www.apache.org/dist/. (You can also download a copy of mod_auth_mysql from the author's Web page at http://bourbon.netvision.net.il/mod_auth_mysql/).

After unpacking both archives, change to the unpacked mod_auth_mysql directory and run ./configure --with-apache=../apache_1.3.11. If this continues without incident, you should be all set to run make. This make should be quick, with instructions following. Change to your Apache directory and run ./configure --activate-module=src/modules/auth_mysql/libauth_mysql.a, followed by a make all install. After some puttering, if all went without incident, you should have your very own copy of Apache installed in /usr/local/Apache.

The next step is to configure Apache to query the mySQL database every time we request mySQL-based authentication. Inside /usr/local/Apache/conf, we'll create a file named mysql.conf. We'll keep our global configuration parameters inside here.

## mysql.conf - Configuration file for mod_auth_mysql 2.20 for
## Apache 1.3.x
## Andrew Chen - aznthinker@iname.com - http://www.linuxplanet.com/

# Configure the target authentication host with the mySQL server
# Syntax: Auth_MySQL_Info host user password
Auth_MySQL_Info localhost apache authenticate

# Specify which database to find the users table
# Syntax: Auth_MySQL_General_DB database
Auth_MySQL_General_DB apache

# Specify the tables for passwords and groups
# Syntax: Auth_MySQL_Password_Table table
Auth_MySQL_Password_Table members
Auth_MySQL_Group_Table members

# Specify the fields for username, password, and group
# Syntax: Auth_MySQL_Username_Field field
Auth_MySQL_Username_Field username
Auth_MySQL_Password_Field passwd
Auth_MySQL_Group_Field groups

# See more options at http://bourbon.netvision.net.il/mod_auth_mysql/

We need to tell Apache to load this extra configuration file at startup time by adding the following line to the end of httpd.conf:

Include mysql.conf .

At this point, feel free to start up Apache the way you typically do. For most source installations, the proper command is /usr/local/apache/bin/apachectl restart.

Page 3: Protecting a Directory

by Andrew Chen

Protecting a Directory

In the directory you wish to protect, create a .htaccess file with the following lines:

AuthName Administrators Only
AuthType Basic
require group admin

This will cause most browsers to prompt for a user name and password. In this scenario, Apache will query mySQL for authentication information. First, it will verify the user name and password match. If they do, it will check if the user is in the group "admin". If so, the user will be granted access; else, access will be denied with "Authentication Failed." Other configurations are possible with mod_auth_mysql:

AuthName Members and Administrators Only
AuthType Basic
require group user admin

In this scenario, any user in the group "user" or "admin" will be allowed in. You can define as many groups as you want within mySQL by changing the "groups" field:

AuthName Paid Members Only
AuthType Basic
require user bob steve dingo

Here we are limiting it to a list of specific users. This probably won't be used often, since you'll have people like this in a group of their own for easier management.

A Quick Conclusion

The concept of "Members Only" authentication has been around for some time. Even though the examples shown here are very small scale, mySQL is capable of serving Web sites from the smallest to some of the largest around. Possible applications could be allowing employees access to Web mail by authenticating on a company-wide mySQL server, thereby eliminating the need to create a separate user list for Apache. The possibilities are endless.