Password protect Shiny Apps

[This article was first published on R – ipub, and kindly contributed to R-bloggers]. (You can report issue about the content on this page here)
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.

In this post, we explain how you can password protect apps hosted on Shiny Open Source server.

This tutorial is the fourth in our Shiny AWS series. It builds on the previous tutorials, namely:

  1. Setting up an AWS instance for R
  2. Installing Shiny Server on AWS
  3. Shiny https

As with the other tutorials in the series, this builds on Amazon AWS. But it is easy to adopt it to other cloud services or a local machine. Specifically, in this last part, there is nothing that is AWS-specific.

How can I password-protect my Shiny Open Source server?

You have various options, and here we only cover the simplest one. The ones that come to my mind from the top of my head are:

  1. License Shiny Professional: this is indeed a very valid option if you are using Shiny for a company, or even for academics. Remember that RStudio, the company behind Shiny, offers academic pricing.
  2. Use Apache web server as a gate-keeper, and use Apache’s basic authentication to manage users: This is what we will do in this post. The advantage is that it will take you roughly 5 minutes to do so. However, this simplicity comes at the price of lacking flexibility and usability. For example, users won’t be able to register themselves.
  3. Again, use Apache web server as a gate-keeper, but use any other authentication method. See for example this blog post explaining how to use authO. That’s kind of cool, as you inherit the user-management process from a third-party service.
  4. You could, of course, also use any other web-server to do this. A natural fit would be Node.js.
  5. You could also write a simple web application that handles the authentication part. Depending on your language, you could host it on Apache, Tomcat, Node.js, IIS. For example, you could write a simple php application. Or, you could even write such an application in … R/Shiny.
  6. You could host your application inside a CMS. For example, you could host a WordPress site, where each shiny application is hosted in an iframe of a wordpress page. For example, the ahp application on this very page is integrated into WordPress. Imagine I restricted access to that app to a specific wordpress user group … done!

Password Protection with Apache Basic Authentication

Step 1: Tell Apache to use basic authentication

If you have followed the previous tutorials, protecting you Apache web server is easy. All you need to do is to turn on basic authentication in your apache config file. In nano (or any other text editor), add the following to your apache config file. For instance:

nano /etc/apache2/sites-enabled/000-default.conf


<Location />
  AuthType Basic
  AuthName "Restricted Access - Authenticate"
  AuthUserFile /etc/httpd/htpasswd.users
  Require valid-user

This tells Apache that we require users to be authenticated, and that user/password pairs are stored in a file in /etc/httpd/htpasswd.users .

Specifically, the tells apache that all content is protected like this.

Step 2: Install htpasswd

In order to be able to add users and hashed passwords to the password file, you need to install htpasswd, a utility provided by apache.

sudo apt-get install apache2-utils

Step 3: Add users to your password file

However, you cannot add users directly to the file. Instead, you use the htpasswd utility to do that. For example, to create a new user file and add the username “jack” with the password “daniels” to the file /etc/httpd/htpasswd.users:

mkdir /etc/httpd   
htpasswd -bc /etc/httpd/htpasswd.users jack daniels

The first command will create a folder httpd, where we’ll put the password file. The second command creates a new file, and adds users jack with password daniels.

The -c argument tells htpasswd to create new users file. Other users can be added to the existing file in the same way, except that the -c argument is not needed. The same command can also be used to modify the password of an existing user.

Our password file now looks like this:


Note that the password is hashed.

Step 4: Restart apache and test

Restart your apache server like so:

/etc/init.d/apache2 restart

If all goes well, you’re all set to test your new configuration. Log on to your Shiny server by typing  in your browser (replace the IP with your own, of course). If you do this, you should see a logon pop up:

logon screen

The password box might look different, depending on your browser.

And that’s it! Again, this is a very basic form of password-protecting your shiny apps. User-created accounts, log-out, changing passwords, etc. are not possible out of the box. However, if you don’t have many users, and usability and aesthetics are not your main concern, this might do the trick. And there’s lots of room for improvements. For instance, a natural extension would be to use different password files per shiny app. This is possible, of course, using different Location tags.

I hope you liked this tutorial!

The post Password protect Shiny Apps appeared first on ipub.

To leave a comment for the author, please follow the link and comment on their blog: R – ipub. offers daily e-mail updates about R news and tutorials about learning R and many other topics. Click here if you're looking to post or find an R/data-science job.
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.

Never miss an update!
Subscribe to R-bloggers to receive
e-mails with the latest R posts.
(You will not see this message again.)

Click here to close (This popup will not appear again)