Creating Authorization Provider Aliases

mod_authz_core Core Authorization Base mod_authz_core.c authz_core_module Available in Apache 2.3 and later

This module provides core authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site. mod_authz_core provides the functionality to register various authorization providers. It is usually used in conjunction with an authentication provider module such as mod_authn_file and an authorization module such as mod_authz_user. It also allows for "AND" and "OR" logic to be applied to the authorization processing.

Creating Authorization Provider Aliases

Extended authorization providers can be created within the configuration file and assigned an alias name. The alias providers can then be referenced through the Require directive in the same way as a base authorization provider. Besides the ability to create and alias an extended provider, it also allows the same extended authorization provider to be reference by multiple locations.

Example

The example below creates two different ldap authorization provider aliases based on the ldap-group authorization provider. This example allows a single authorization location to check group membership within multiple ldap hosts:

Example <RequireAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
AuthLDAPBindDN cn=youruser,o=ctx
AuthLDAPBindPassword yourpassword
AuthLDAPURL ldap://ldap.host/o=ctx
</RequireAlias>

<AuthnProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>
AuthLDAPBindDN cn=yourotheruser,o=dev
AuthLDAPBindPassword yourotherpassword
AuthLDAPURL ldap://other.ldap.host/o=dev?cn
</RequireAlias>

Alias /secure /webpages/secure
<Directory /webpages/secure>
Order deny,allow
Allow from all

AuthBasicProvider file

AuthType Basic
AuthName LDAP_Protected_Place

#implied OR operation
Require alias1-ldap-group
Require alias2-ldap-group
</Directory>

Require Selects which authenticated users can access a resource Require entity-name [entity-name] ... directory.htaccess AuthConfig

This directive selects which authenticated users can access a resource. The restrictions are processed by authorization modules. Some of the allowed syntaxes provided by mod_authz_user and mod_authz_groupfile are:

Require user userid [userid] ...: Only the named users can access the resource.
Require group group-name [group-name] ...: Only users in the named groups can access the resource.
Require valid-user: All valid users can access the resource.

Other authorization modules that implement require options include mod_authnz_ldap, mod_authz_dbm, mod_authz_dbd, mod_authz_host, and mod_authz_owner.

For a complete authentication and authorization configuration, Require must be accompanied by AuthName, AuthType and AuthBasicProvider directives, and directives such as AuthUserFile and AuthGroupFile (to define users and groups) in order to work correctly. Example:

AuthType Basic
AuthName "Restricted Resource"
AuthBasicProvider file
AuthUserFile /web/users
AuthGroupFile /web/groups
Require group admin

Access controls which are applied in this way are effective for all methods. This is what is normally desired. If you wish to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a Limit section.

Authentication, Authorization, and Access Control mod_authz_host Reject Rejects authenticated users or host based requests from accessing a resource Reject entity-name [entity-name] ... directory.htaccess AuthConfig

This directive is similar to the Require directive however it rejects which authenticated users or host based requests from accessing a resource. The restrictions are processed by authorization modules. See the Require directive for details about usage.

Authentication, Authorization, and Access Control mod_authz_host SatisfyAll Enclose a group of authorization directives that must all be satisfied in order to grant access to a resource. This block allows for 'AND' logic to be applied to various authorization providers. <SatisfyAll> ... </SatisfyAll> directory.htaccess AuthConfig

SatisfyAll and </SatisfyAll> are used to enclose a group of authorization directives that must all be satisfied in order to grant access to a resource.

The <SatisfyAll> block as well as the <SatisfyOne> block allow you to apply "AND" and "OR" logic to the authorization processing. For example the following authorization block would apply the logic:

# if ((user == "John") ||
# ((Group == "admin")
# && (ldap-group <ldap-object> contains auth'ed_user)
# && ((ldap-attribute dept == "sales")
# || (file-group contains auth'ed_user))))
# then
# auth_granted
# else
# auth_denied
#
<Directory /www/mydocs>
Authname ...
AuthBasicProvider ...
...
Require user John
<SatisfyAll>
Require Group admins
Require ldap-group cn=mygroup,o=foo
<SatisfyOne>
Require ldap-attribute dept="sales"
Require file-group
</SatisfyOne>
</SatisfyAll>
</Directory> Authentication, Authorization, and Access Control SatisfyOne Enclose a group of authorization directives that must satisfy at least one in order to grant access to a resource. This block allows for 'OR' logic to be applied to various authorization providers. <SatisfyOne> ... </SatisfyOne> directory.htaccess AuthConfig

SatisfyOne and </SatisfyOne> are used to enclose a group of authorization directives that must satisfy at least one in order to grant access to a resource.

See the <SatisfyAll> directive for a usage example.

Authentication, Authorization, and Access Control AuthzMergeRules Set to 'on' to allow the parent's <Directory> or <Location> authz rules to be merged into the current <Directory> or <Location>. Set to 'off' to disable merging. If set to 'off', only the authz rules defined in the current <Directory> or <Location> block will apply. AuthzMergeRules on | off AuthzMergeRules on directory.htaccess AuthConfig

By default all of the authorization rules within a <Directory> <Location> hierarchy are merged together to form a single logical authorization operation. If AuthzMergeRules is set to 'off', then only the authorization rules that are contained with the current <Directory> or <Location> block are considered. This allows the configuration to determine exactly how authorization will be determined without having to take into consideration the authorization rules that may exist above it.

RequireAlias Enclose a group of directives that represent an extension of a base authorization provider and referenced by the specified alias <RequireAlias baseProvider Alias Require-Parameters> ... </RequireAlias> server config

RequireAlias and </RequireAlias> are used to enclose a group of authorization directives that can be referenced by the alias name using the directive Require.