CUWebAuth Administrator's Guide

CUWebAuth Directives Reference

The following is a list of all of the directives supported by CUWebAuth.  This reference covers the syntax details for each directive.  For an introduction to configuring your server for CUWebAuth, see either Configuring Apache or Configuring IIS.  For examples of configuration files that support CUWebAuth, see this IIS sample configuration or this Apache sample configuration.


AuthName Directive

Description: Name of a security context
Syntax: AuthName  security-context
Context: location, directory, .htaccess
Platform: Apache, IIS

Required.  Typically a CUWebAuth configuration uses a single security context called CORNELL.  In some rare cases you may want to define a different context for a specific directory block.  The reason to do this is to have CUWebAuth create a separate site cookie for the directory.  The separate cookie will have different properties such as cookie timeout values and force options.

This directive is typically defined as follows:

<Directory "students">
AuthName CORNELL
AuthType all
Require valid-user
</Directory>



AuthType Directive

Description: Type of authentication to use.
Syntax: AuthType all | all-force | all-forceonce | cuweblogin | cuweblogin-force | cuweblogin-forceonce | inline
Context: location, directory, .htaccess
Platform: Apache, IIS

Required.  The AuthType directive controls which method or methods of authentication are used to protect a resource.

For example, assume the location /test/ points to a directory that contains only the single file here.html. Then requests for /test/here.html/more and /test/nothere.html/more both collect /more as PATH_INFO.

The following table explains the different authentication methods supported by CUWebAuth:

Method                  Description
all                     Try SideCar authentication first, then CUWebLogin.
all-force               Look for inline credentials first.  If none are available, try SideCar authentication next.  If SideCar isn't present then CUWebLogin is used.  If credentials are established at the time of the request, destroy them first and force the user to re-enter their NetID and password.  Note that the "force" doesn't apply to inline.
all-forceonce           Same as all-force, except the user is only forced to log in the first time they access the restricted page.  As long as a session is established with your web site, the user can access the restricted page without logging in again.  Note that the "forceonce" doesn't apply to inline.
cuweblogin              Authenticate via CUWebLogin only.
cuweblogin-force        Authenticate via CUWebLogin only.  If credentials are established at the time of the CUWebLogin request, destroy them first and force the user to re-enter their NetID and password.
cuweblogin-forceonce    Same as cuweblogin-force, except the user is only forced to log in the first time they access the restricted page.  As long as a session is established with your web site, the user can access the restricted page without logging in again.
inline                  Authenticate inline only.  CUWebAuth will only authenticate using the inline and inline proxy mechanism.  This might be used in a situation where only mid-tier servers would have access to the resource.
sidecar                 Deprecated - Do Not Use!
sidecar-force           Deprecated - Do Not Use!
sidecar-forceonce       Deprecated - Do Not Use!


The following example shows the most common use of the AuthType directive with CUWebAuth:

<Directory "students">
AuthName CORNELL
AuthType all
Require valid-user
</Directory>



CUWAadminID Directive

Description: Obsolete


CUWAaltUrl Directive

Description: Set the location associated with the CUWebLogin cancel button.
Syntax: CUWAaltUrl  uri
Context: directory, location, .htaccess
Platform: Apache, IIS
Optional.  Specifies the URL that users are redirected to if they click Cancel on the CUWebLogin screen.

CUWAaltUrl http://welcome.cit.cornell.edu/



CUWAautheFailHTTPCode Directive

Description: Set the error code associated with an authentication failure.
Syntax: CUWAautheFailHTTPCode  error-code
Context: server, virtual host, directory, location, .htaccess
Platform: Apache only !!
Optional.  Takes one integer argument which represents the HTTP error code to return if an authentication failure occurs.  An example of this is a resource that is configured for SideCar-only authentication when SideCar is not running on the user's machine.  If this directive is not present, CUWebAuth will return code 403 on authentication failures:

CUWAautheFailHTTPCode 401


CUWAauthzFailHTTPCode Directive

Description: Set the error code associated with an authorization failure.
Syntax: CUWAauthzFailHTTPCode  error-code
Context: server, virtual host, directory, location, .htaccess
Platform: Apache only !!
Optional.  Takes one integer argument which represents the HTTP error code to return if an authorization failure occurs.  For example, authentication succeeds but the user fails to satisfy the restrictions you laid out with the Require directive.  If this directive is not present, CUWebAuth will return code 407 on authorization failures.

CUWAauthzFailHTTPCode 401



CUWAbufOverflowLog Directive

Description: Obsolete

CUWAcaseSensitive Directive

Description: Obsolete

CUWAcookieDomain Directive

Description: Set the root domain shared by your web site and CUWebLogin.
Syntax: CUWAcookieDomain  domain
Context: server, virtual host
Platform: Apache, IIS

Required for IIS, Optional for Apache.   This directive is used to tell CUWebAuth what domain to assign in the outbound cookies that are used to communicate with the users’ web browsers. This must match the root domain of the DNS identity for your server, otherwise the cookie will usually be rejected by web browsers.

NOTE: CUWebLogin does not support authentication domains other than cornell.edu.

NOTE: in Apache by default, the domain value is "cornell.edu", which is the only correct value for the Cornell campus.  IIS users should include the following line in their configuration file:

CUWAcookieDomain cornell.edu



CUWAcookieTimeout Directive

Description: Set the lifetime for a session on your site
Syntax: CUWAcookieTimeout minutes
Context: directory, location, .htaccess
Platform: Apache, IIS
Optional, not recommended.  Sets the timeout value for session cookies issued by your web site, up to a maximum of 8 hours (480).

For non-SSL web sites, CUWebAuth session cookies are only valid for 5 minutes.  This can cause problems on IIS-based web sites that have large forms that might take more than 5 minutes to complete.  Form data issues are less of a problem with Apache.

By increasing the timeout you decrease the odds that a user will be redirected to CUWebLogin after filling out a form, and with it the possibility that the form data will be lost.  Note that CUWebAuth for Apache and the POST version of CUWebAuth for IIS both preserve form data by carrying the data in hidden fields on the CUWebLogin pages.  This directive is more commonly used on IIS with non-POST CUWebAuth.

Instead of increasing the cookie timeout, it is strongly recommended that you use SSL.  SSL-enabled sites have a default cookie timeout of 8 hours.  Not using SSL increases the risk of cookies being ‘sniffed’ over the network and replayed elsewhere.  The more you increase the cookie timeout, the greater your exposure to cookie replay.

CUWAcookieTimeout 480



CUWAcuglServerSRL Directive

Description: Obsolete

CUWAcusspDebug Directive

Description: Control the amount of debugging output produced
Syntax: CUWAcusspDebug  level
Context: server, virtual host
Platform: Apache, IIS
CUWAcusspDebug takes a CUSSP “level” to debug at.  The levels go from 1 to 6, with 1 producing the least information and 6 the most.  It may be best to start with a low number unless you really need the extensive information provided by a level 6 debug.  To specify CUSSP level debugging, use this directive followed by the level (making sure CUWAdebugLevel is set to cussp as well).  To start at level 1, use the following:

    CUWAcusspDebug    1



CUWAcusspDebugDir Directive

Description: Set location for CUSSP debug log
Syntax: CUWAcusspDebugDir  path
Context: server, virtual host
Platform: Apache Only !!  For IIS see CUWAcussplogFile
Optional.  Takes an absolute path to a directory in which CUSSP level debugging files should be placed.  Assumes the CUWAcusspDebug directive has been used as well, but there are no detrimental side effects of using this directive without having used CUWAcusspDebug.  If both directives are used, all CUSSP level debug files are placed in the specified directory.  Remember that these files are deleted if the CUWebAuth code successfully processes the web request (regardless of whether or not access is granted), so under normal operation the files in this directory will be deleted before you get a chance to see them.  If this directive is not present and CUSSP level debugging has been turned on, all such debugging files will be placed in /tmp.

CUWAcusspDebugDir /tmp/cussp



CUWAcussplogFile Directive

Description: Set location and name for CUSSP debug log
Syntax: CUWAcussplogFile path-and-file-name
Context: server, virtual host
Platform: IIS Only !!   For Apache see CUWAcusspDebugDir
Optional.  By default, CUSSP activity is logged to C:\CUSSP.DEBUG.  If you’d like the log to go somewhere else (say C:\WINNT\CUWebAuth\CUSSPLog.txt), you must use the CUWAcussplogFile directive, like this:

CUWAcussplogFile C:\WINNT\CUWebAuth\CUSSPLog.txt



CUWAcusspTimeout Directive

Description: Set the timeout for back-end communications
Syntax: CUWAcusspTimeout  seconds
Context: server, virtual host
Platform: Apache, IIS
Optional.  This directive controls the amount of time to wait for a response from the CUWebLogin server and SideCar.  The default value is 30 seconds, which is too high for most applications.  The following line should be added to your configuration:

CUWAcusspTimeout 5



CUWAcustMsg Directive

Description: Display a custom message on the login page
Syntax: CUWAcustMsg  message
Context: location, directory, .htaccess
Platform: Apache, IIS
Optional.  Use this directive to display a custom message on the CUWebLogin page.

The default message is: “The Web site you are visiting requires you to authenticate with your NetID and Password.”

CUWAcustMsg "In order to view your course schedule you must first login with your NetID and Password."



CUWAcuwlServerSRL Directive

Description: Specify location of CUWebLogin servers
Syntax: CUWAcuwlServerSRL  service-resource-location
Context: server, virtual host
Platform: Apache, IIS
Required.  This directive is used to specify the location of the CUWebLogin servers.  The format is slightly different for IIS and Apache because they use different versions of a Kerberized RPC library (called CUSSP).

# Apache version  

CUWAcuwlServerSRL    "ipHost=cuweblogin.cit.cornell.edu ipPort=1010 a.netid=erpcd.webster a.protocol=k4"
CUWAcuwlServerSRL    "ipHost=cuweblogin2.cit.cornell.edu ipPort=1010 a.netid=erpcd.webster2 a.protocol=k4"

# IIS version  

CUWAcuwlServerSRL     ipHost=cuweblogin.cit.cornell.edu ipPort=1010 netid=erpcd.webster authent=k4
CUWAcuwlServerSRL     ipHost=cuweblogin2.cit.cornell.edu ipPort=1010 netid=erpcd.webster2 authent=k4




CUWAdebugDir Directive

Description: Set the directory to store the debug log
Syntax: CUWAdebugDir  directory-path
Context: server, virtual host
Platform: Apache Only !!
Optional.  Takes an absolute path to a directory in which CUWebAuth debug information (not CUSSP debug information) can be logged on a one-file-per-process basis.  This is the same information that can be obtained by setting the global Apache LogLevel directive to debug, but each connection will have its own file.  Similar to CUWAcusspDebug, if the transaction completes without a crash, this file will be deleted.  Therefore this debugging option is useful when you suspect that CUWebAuth is crashing and you’d like to find out where!  If this directive is not specified, no debug files will be generated.

CUWAdebugDir /tmp/logs



CUWAdebugLevel Directive

Description: Control the amount of diagnostic output
Syntax: CUWAdebugLevel off | normal | debug | prolific | cussp
Context: server, virtual host
Platform: IIS Only !!   For Apache see LogLevel
This directive tells CUWebAuth how much information per transaction to put in the CUWebAuth.log file. The default is normal, which will produce minimal logging.   In order from least to most output the options are off, normal, debug, prolific, and cussp.

CUWAdebugLevel cussp



CUWAdomain Directive

Description: Obsolete, see CUWAcookieDomain

CUWAErrorDoc Directive

Description: Specify an error page
Syntax: CUWAErrorDoc NoSideCar | SideCarError | CUWebLoginError | NoAuth  error-document-path
Context: location, directory, .htaccess
Platform: IIS Only !!
Required.  This directive should be used to specify the error page that should be displayed for a corresponding error.  CUWebAuth installation script provides sample error pages that are installed in the installation directory.

CUWAErrorDoc NoSideCar C:\WINNT\CUWebAuth\nosidecar.html



CUWAforcePort Directive

Description: Set the correct port number for redirects
Syntax: CUWAforcePort port_number
Context: location, directory, .htaccess
Platform: Apache Only !!
Optional.  If you are using the CUWAforceSSL directive with Apache, you will also need to tell CUWebAuth what port number to use in the redirect that returns to this web site from CUWebLogin.

The CUWAforceSSL and CUWAforcePort directives are needed in some situations when a load balancer is being used because CUWebAuth will receive incorrect port information from Apache.

By default, CUWebAuth will use information provided by Apache in order to determine the inbound port number. 

CUWAforcePort 443



CUWAforceSSL Directive

Description: Ensure that redirects use https instead of http
Syntax: CUWAforceSSL on | off
Context: location, directory, .htaccess
Platform: Apache, IIS
Optional.  If set to "on", all redirects from CUWebLogin happen over SSL (https).  This could result in unwanted warning dialogs for users if they originally requested a protected resource over an http connection.

The CUWAforceSSL directive is needed in some situations when a load balancer is being used because CUWebAuth will receive incorrect SSL information from Apache or IIS. 

By default, CUWAforceSSL is set to "off", meaning that CUWebAuth will use information provided by Apache or IIS in order to determine whether to use HTTP or HTTPS in the redirect URL.

CUWAforceSSL on



CUWAinactivityTimeout Directive

Description: Set maximum idle time for site cookie
Syntax: CUWAinactivityTimeout  minutes
Context: location, directory, .htaccess
Platform: Apache, IIS
Optional, not recommended.  Before CUWebLogin supported single sign on, this directive provided the functionality of an inactivity timer.  If the user did not access a restricted page at your site in the timeout period, their session would expire and the user would have to log in again.

With single sign on this functions differently.  Now, when the user's session expires, they will be redirected to CUWebLogin, but they won't have to log in again because the session with CUWebLogin is still active.

CUWebLogin does not have an equivalent activity timer for its session, which lasts 8 hours from when the user logs in.  Now that session duration is controlled by the CUWebLogin server, the only way to force a login on a resource is by using the "-force" and "-forceonce" modifiers in the AuthType directive.

CUWAinactivityTimeout 5




CUWAkerberosPrincipal Directive

Description: Set the name of your ServiceID
Syntax: CUWAkerberosPrincipal  name
Context: server, virtual host
Platform: Apache, IIS
Required.  Use this directive to specify your ServiceID (srvtab name).  This directive must be present.   If it is not, web authentication via CUWebAuth will not work properly.  If you don't already have a ServiceID you can obtain one at http://aads.cit.cornell.edu/servicerequest/srvtabrequest/srvtabrequest.php

CUWAkerberosPrincipal     mandarin-agent.test



CUWAkerberosRealm Directive

Description: Obsolete


CUWAlogFile Directive

Description: Set the name and path of the log file
Syntax: CUWAlogFile  log-file-path
Context: server, virtual host
Platform: IIS Only !!
Optional.  Takes an absolute path to a file in which CUWebAuth debug information (not CUSSP debug information) can be logged.  If not specified, the default is CUWebAuth.log in the CUWebAuth folder.  NOTE: The CUWAlogFile, CUWAcusspLogFile, and CUWAbufOverflowLog directives can all point to the same file, and CUWebAuth will automatically log everything there.

CUWAlogFile c:\logs\cuwa.log



CUWAnoSideCarHTTPCode Directive

Description: Set the error code for SideCar unavailable condition
Syntax: CUWAnoSideCarHTTPCode  error-code
Context: server, virtual host, location, directory, .htaccess
Platform: Apache Only !!
Optional.  Takes one integer argument which represents the HTTP error code to return if SideCar is not running (and you’ve chosen not to fall back to CUWebLogin in this case). If this directive is not present, CUWebAuth will return code 403 in this situation.

CUWAnoSideCarHTTPCode 401



CUWApermitServerSRL Directive

Description: Specify location of permit server
Syntax: CUWApermitServerSRL  service-resource-location
Context: server, virtual host
Platform: Apache, IIS
Required.  This directive is used to specify the location of the permit server.  The format is slightly different for IIS and Apache because they use different versions of a Kerberized RPC library (called CUSSP).

# Apache version  

CUWApermitServerSRL    ipHost=permit1.cit.cornell.edu ipPort=756 a.netid=permitd.permit1 a.protocol=k4

# IIS version  

CUWApermitServerSRL    ipHost=permit1.cit.cornell.edu ipPort=756 netid=permitd.permit1 authent=k4



CUWAPostDataLimit Directive

Description: Control the amount of POST data that can be sent.
Syntax: CUWAPostDataLimit  number-of-bytes
Context: server
Platform: IIS, POST data aware version only !!
Optional.  This directive allows the web administrator to control the amount of POST data that can be sent to the IIS server.  It helps prevent overloading of the IIS server due to excessive POST data.  If this directive is omitted, CUWebAuth assumes the POST data limit to be 128KB.  This value affects the performance of the IIS server: the greater the value, the greater the impact on performance.

The argument is an integer which represents the maximum number of bytes of POST data to accept.

CUWAPostDataLimit 10000



CUWApriorityLevel Directive

Description: Set the ISAPI filter priority at which CUWebAuth loads
Syntax: CUWApriorityLevel high | medium | low
Context: server
Platform: IIS Only !!
By default, CUWebAuth will load itself as “medium” priority based on ISAPI filter rules. If you need to change this behavior, you can use this directive. Acceptable values are high, medium, and low. Because CUWebAuth provides initial authentication, it is a good idea to run it at a higher priority than application or content drivers like JRun, PERL, etc. Also note that among filters with a similar priority level, you can still move them up and down relative to each other in the “ISAPI Filters” tab of the “Master WWW Properties” dialog as described here.

CUWApriorityLevel high



CUWAproxyAllow Directive

Description: Enable proxy and inline authentication
Syntax: CUWAproxyAllow [direct] [ServiceID ...]
Context: location, directory, .htaccess
Override: AuthConfig
Platform: Apache, IIS
Optional.  Enables CUWebAuth to use the inline and/or proxy mechanism for authentication.  Currently there are two uses for this mechanism, uPortal and KProxy services.

With uPortal, the portal is acting as a proxy for the user.  The portal channel lists the uPortal server as a trusted host by listing its ServiceID.

One or more ServiceIDs may be listed as trusted by your server.  This means that the trusted site authenticates using its ServiceID and then tells your site that it is acting on behalf of a specific person (NetID).  Your site will handle the request as if that person were logged into your site.

 CUWAproxyAllow    web-agent.trusted


...or...

 CUWAproxyAllow web-agent.trusted web-agent.trusted2


This directive also controls inline authentication.  That is, a fat client or mid-tier server may provide Kerberos credentials inline in the HTTP header.  Currently this mechanism is being used by the KProxy service to support WebDAV.
 

 CUWAproxyAllow direct


By default, proxy and inline authentication is not enabled.


CUWAsideCarErrHTTPCode Directive

Description: Set the error code associated with a SideCar error
Syntax: CUWAsideCarErrHTTPCode  error-code
Context: server, virtual host, location, directory, .htaccess
Platform: Apache Only !!
Optional.  Takes one integer argument which represents the HTTP error code to return if a SideCar error occurs and you’ve chosen not to fall back to CUWebLogin in this case. If this directive is not present, CUWebAuth will return code 403 in this situation.

CUWAsideCarErrHTTPCode 401



CUWAsideCarRetryCount Directive

Description: Set the number of times to try to connect to SideCar
Syntax: CUWAsideCarRetryCount  count
Context: server, virtual host
Platform: Apache, IIS
Optional.  This directive is used to limit the number of times CUWebAuth will try a CUSSP based connection to SideCar.  The default behavior is to try it three times.  This makes sure that a connection didn’t fail due to an odd network event or other anomaly.

CUWAsideCarRetryCount 2



CUWAsrvtabPath Directive

Description: Set the path and filename for the srvtab file
Syntax: CUWAsrvtabPath  file-path
Context: server, virtual host
Platform: Apache, IIS
Required.  Takes an absolute path to your srvtab file.  This is the file issued to you when you obtained a ServiceID for your server.  This directive must be present.  If it is not, web authentication via CUWebAuth will not work properly.

CUWAsrvtabPath /etc/mandarin-agent.srvtab



CUWAsslCookieTimeout Directive

Description: Set the session lifetime
Syntax: CUWAsslCookieTimeout  minutes
Context: location, directory, .htaccess
Platform: Apache, IIS
Optional, not recommended.  This will override the default timeout for SSL CUWebAuth session cookies of 8 hours (480 minutes).  Note that the maximum is still the default of 8 hours for SSL CUWebAuth session cookies.

This directive made sense before single sign on was implemented in CUWebLogin.  It was used in cases where higher security requirements demanded that the session had a shorter lifetime.  Now that session duration is controlled by the CUWebLogin server, the only way to force a login on a resource is by using the "-force" and "-forceonce" modifiers in the AuthType directive.

CUWAsslCookieTimeout 30



CUWAstatSize Directive

Description: Set the size of the struct stat structure used by Apache
Syntax: CUWAstatSize solaris_sparc |  solaris_intel | aix | size
Context: server
Platform: Apache Only !!
Optional.  Takes either a string containing an operating system name or an integer argument representing the size (in bytes) of the UNIX struct stat structure according to Apache.  It is only necessary to use this directive if you have compiled Apache with support for large files or you have, for some reason, modified the size of the struct stat structure (defined in <sys/stat.h>).  mod_perl is one Apache module which may do this, thus necessitating the use of this directive.

If you have modified the size of this structure and/or if you have compiled Apache with support for large files, you must use this directive.   If you do not you will likely experience a crash when web authentication is attempted.    If this is happening or if you suspect it will, AND you are running on either Solaris or AIX you can use this directive in one of the following ways:

    CUWAstatSize    solaris_sparc
    CUWAstatSize    aix
    CUWAstatSize    solaris_intel


If this doesn’t work, you can manually calculate the size of the struct stat structure and apply it as well.  This can be done with the following C program:

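    #include <stdio.h>
    #include <sys/stat.h>

    int main(void)
    {
        /* sizeof yields a size_t; cast it so the format specifier matches */
        printf("sizeof(struct stat) is: %lu\n",
               (unsigned long) sizeof(struct stat));
        return 0;
    }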

It will be important to compile this program with the same C compiler switches that were used to build Apache.    If you did not build Apache yourself, consult with the individual who did!   Suppose you do all of this and run the program and see the following output:

    sizeof(struct stat) is: 152

You would then use the following directive in your httpd.conf file:

    CUWAstatSize    152

If this directive is not present, CUWebAuth will use the default size of the struct stat structure, without large file support.



CUWAshowError Directive

Description: Show CUWebAuth error page
Syntax: CUWAshowError on
Context: location, directory, .htaccess
Platform: Apache only !!
Optional.  By default, authentication and authorization errors are handled by Apache and a default (and not terribly informative) Apache error page is displayed.  With this directive enabled, the default page is replaced with a CUWebAuth error page which displays more meaningful diagnostics.

CUWAshowError on



CUWAwebloginRetryCount Directive

Description: Set the retry count for connecting to CUWebLogin
Syntax: CUWAwebloginRetryCount  count
Context: server, virtual host
Platform: Apache, IIS
Optional.  This directive can be used to limit the number of times CUWebAuth will try a CUSSP based connection to CUWebLogin server.  The default behavior is to try it three times. This makes sure that a connection didn’t fail due to an odd network event or other anomaly.  It's recommended that you do not change the default behavior.

CUWAwebloginRetryCount 4



CUWAwebSSLPorts Directive

Description: List the ports that are SSL enabled
Syntax: CUWAwebSSLPorts  port-number [port-number port-number...]
Context: server, virtual host
Platform: Apache Only !!
Optional.  Only use this directive with Apache 1.3, when mod_ssl isn't installed or with older versions of CUWebAuth.  As of CUWebAuth 1.4 with Apache 2.x, the SSL status of an inbound request is detected correctly.

This directive takes a space-separated list of ports which it will be assumed the web server is listening to with SSL (https).   For these ports, redirects to and from the CUWebLogin server go directly via https to avoid any annoying dialogs.  If this directive is not present it will be assumed that you are not using SSL; and redirects to and from the CUWebLogin server will use http (and not https).

CUWAwebSSLPorts 443 444



LogLevel Directive

Description: Set the amount of error logging that occurs 
Syntax: LogLevel logging-level
Context: server, virtual host
Platform: Apache Only !!

This directive is used by Apache to set overall logging level for the entire server or virtual host.  For CUWebAuth, the only value that will produce meaningful diagnostic output is the following...

LogLevel debug

Under normal operation you won't want to set LogLevel to debug because it produces a large error_log file.  When diagnosing a CUWebAuth related problem though, set LogLevel to debug.  If you are requesting assistance from aadssupport@cornell.edu, you will need to collect a diagnostic log and send it to us.

For a more detailed description of LogLevel see the official Apache description here.



Require Directive

Description: Define the authorization rules for the resource
Syntax: Require valid-user | Permit permit-name [...] | Netid NetID [...]
Context: location, directory, .htaccess
Platform: Apache, IIS

Required.  Specifies what authorization rule applies to the current Directory, File or Location block.  Valid authorization specifications appear below:

Specification   Description
valid-user      Access is granted when the user authenticates.  You should avoid using this because it grants access to everyone who has a NetID.  This includes students, staff, faculty, alumni, contractors, and others with loose affiliation to the university.
Permit          Followed by a space-separated list of permit names, access is granted if the user holds any one of the specified permits.
Netid           Followed by a space-separated list of NetIDs, access is granted if the user’s NetID matches one of the NetIDs on the list.

If this directive is not present, authorization will not occur and the user will be granted access.  Here are some examples:

Require valid-user

Require Permit cu.staff cu.student

Require Netid pb10 se10 hy93 ss488
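
The warnings scattered through this reference (obsolete directives, deprecated AuthType values, a block with AuthType but no Require, Require valid-user, raised cookie timeouts, and CUWAproxyAllow trust entries) can be checked mechanically. The script below is an added example, not part of the original guide or of CUWebAuth itself; it assumes Apache-style syntax without nested containers, and the audit function, its finding codes and the sample configuration are constructed for illustration.

```python
# Added example: audit an Apache-style CUWebAuth config against this reference.
# Directive names and limits come from the page; finding codes are hypothetical.
OBSOLETE = {"cuwaadminid", "cuwabufoverflowlog", "cuwacasesensitive",
            "cuwacuglserversrl", "cuwadomain", "cuwakerberosrealm"}
AUTH_TYPES = {"all", "all-force", "all-forceonce", "cuweblogin",
              "cuweblogin-force", "cuweblogin-forceonce", "inline"}
DEPRECATED_AUTH_TYPES = {"sidecar", "sidecar-force", "sidecar-forceonce"}
REQUIRED_SERVER = ("CUWAcuwlServerSRL", "CUWApermitServerSRL",
                   "CUWAkerberosPrincipal", "CUWAsrvtabPath")
MAX_TIMEOUT = 480      # documented ceiling for both cookie timeouts (minutes)
NON_SSL_DEFAULT = 5    # documented non-SSL session cookie lifetime (minutes)
# Constructed sample input, not a real site's configuration.
SAMPLE_CONF = '''
CUWAkerberosPrincipal mandarin-agent.test
CUWAsrvtabPath /etc/mandarin-agent.srvtab
CUWAcuwlServerSRL "ipHost=cuweblogin.cit.cornell.edu ipPort=1010 a.netid=erpcd.webster a.protocol=k4"
CUWAkerberosRealm EXAMPLE

<Directory "students">
AuthName CORNELL
AuthType all
Require valid-user
CUWAcookieTimeout 480
</Directory>

<Directory "grades">
AuthName CORNELL
AuthType sidecar
CUWAproxyAllow direct web-agent.trusted
</Directory>

<Directory "staff">
AuthName CORNELL
AuthType cuweblogin-force
Require Permit cu.staff
</Directory>
'''


def audit(conf_text):
    """Return a sorted list of (scope, finding) tuples for one config file."""
    findings, seen_server = set(), set()
    scope, block = "server", None      # block: directive names seen in a container
    for raw in conf_text.splitlines():
        line = raw.strip()
        skip = line.lower().startswith(("#", "<virtualhost", "</virtualhost"))
        if not line or skip:
            continue      # comments; virtual hosts are treated as server scope
        if line.startswith("</"):
            if block is not None and "authtype" in block and "require" not in block:
                findings.add((scope, "no-require"))   # authorization never runs here
            scope, block = "server", None
            continue
        if line.startswith("<"):
            scope, block = line.strip("<>").split(None, 1)[-1].strip('"'), set()
            continue
        name, *args = line.split()
        key = name.lower()
        (seen_server if block is None else block).add(key)
        if key in OBSOLETE:
            findings.add((scope, "obsolete:" + name))
        elif key == "authtype":
            value = args[0].lower() if args else ""
            if value in DEPRECATED_AUTH_TYPES:
                findings.add((scope, "deprecated-authtype"))
            elif value not in AUTH_TYPES:
                findings.add((scope, "unknown-authtype"))
        elif key == "require" and args and args[0].lower() == "valid-user":
            findings.add((scope, "valid-user"))       # any NetID holder gets in
        elif key in ("cuwacookietimeout", "cuwasslcookietimeout"):
            minutes = int(args[0]) if args and args[0].isdigit() else -1
            if not 0 <= minutes <= MAX_TIMEOUT:
                findings.add((scope, "timeout-out-of-range"))
            elif key == "cuwacookietimeout" and minutes > NON_SSL_DEFAULT:
                findings.add((scope, "longer-replay-window"))
        elif key == "cuwaproxyallow":
            for arg in args:              # each trusted ServiceID may act as any NetID
                findings.add((scope, "inline-enabled" if arg.lower() == "direct"
                              else "trusts-proxy:" + arg))
    for name in REQUIRED_SERVER:
        if name.lower() not in seen_server:
            findings.add(("server", "missing:" + name))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONF):
        print(f"{scope:10} {finding}")
```

Findings are review prompts rather than errors: a trusts-proxy entry, for instance, is expected on a portal channel but should name only ServiceIDs you intend to let act on behalf of users.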