Lighttpd

Hello, I am completely n00b to lighttpd and trying to install the service on a device (Beaglebone Black) running on Angstrom. The server runs fine excepting I can't configure such that the web site served is password protected. I have the following modules installed.

/# opkg list-installed | grep light
lighttpd - 1.4.31-r2.3
lighttpd-module-access - 1.4.31-r2.3
lighttpd-module-accesslog - 1.4.31-r2.3
lighttpd-module-auth - 1.4.31-r2.3
lighttpd-module-cgi - 1.4.31-r2.3
lighttpd-module-dirlisting - 1.4.31-r2.3
lighttpd-module-expire - 1.4.31-r2.3
lighttpd-module-fastcgi - 1.4.31-r2.3
lighttpd-module-indexfile - 1.4.31-r2.3
lighttpd-module-rewrite - 1.4.31-r2.3
lighttpd-module-staticfile - 1.4.31-r2.3
lighttpd-module-webdav - 1.4.31-r2.3

and have attached my lighttpd.conf file.

My initial question; when I browse to the web host it serves up my pages without so much as a hint of a password. Can an entire site be password protected?

Now, I'm guessing this is completely my fault in configuring it but I can seem to find any information on what I might be doing wrong. One question immediately springs to mind, several sites I've browsed for information make mention of setting "lighttpd" as the owner of the user/password file (mine is plain text while I figure this out). I'm working with a stock beaglebone device while I'm setting this up so the only user is 'root' although I get the gravity of keeping that the case long term. If the problem as simple as username/ownership?

Here's a snippet of the lighttpd.conf section for auth ...

auth.debug = 2
auth.backend = "plain"
auth.backend.plain.userfile = "/home/lighttpd.user"
#auth.backend.plain.groupfile = "lighttpd.group"

#auth.backend.ldap.hostname = "localhost"
#auth.backend.ldap.base-dn = "dc=my-domain,dc=com"
#auth.backend.ldap.filter = "(uid=$)"

auth.require = ( "^/$" =>
(
"method" => "basic",
"realm" => "Password protected area",
"require" => "user=sst"
)
)

my lighttpd.user file is;

me:somespecialpassword