mod_authz_core Core Authorization Base mod_authz_core.c authz_core_module Available in Apache 2.3 and later

This module provides core authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site. mod_authz_core provides the functionality to register various authorization providers. It is usually used in conjunction with an authentication provider module such as mod_authn_file and an authorization module such as mod_authz_user. It also allows for "AND" and "OR" logic to be applied to the authorization processing.

Require Selects which authenticated users can access a resource Require entity-name [entity-name] ... directory.htaccess AuthConfig

This directive selects which authenticated users can access a resource. The restrictions are processed by authorization modules. Some of the allowed syntaxes provided by mod_authz_user and mod_authz_groupfile are:

Require user userid [userid] ...: Only the named users can access the resource.
Require group group-name [group-name] ...: Only users in the named groups can access the resource.
Require valid-user: All valid users can access the resource.

Other authorization modules that implement require options include mod_authnz_ldap, mod_authz_dbm, mod_authz_dbd, mod_authz_host, and mod_authz_owner.

For a complete authentication and authorization configuration, Require must be accompanied by AuthName, AuthType and AuthBasicProvider directives, and directives such as AuthUserFile and AuthGroupFile (to define users and groups) in order to work correctly. Example:

AuthType Basic
AuthName "Restricted Resource"
AuthBasicProvider file
AuthUserFile /web/users
AuthGroupFile /web/groups
Require group admin

Access controls which are applied in this way are effective for all methods. This is what is normally desired. If you wish to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a Limit section.

Authentication, Authorization, and Access Control mod_authz_host Reject Rejects authenticated users or host based requests from accessing a resource Reject entity-name [entity-name] ... directory.htaccess AuthConfig

This directive is similar to the Require directive however it rejects which authenticated users or host based requests from accessing a resource. The restrictions are processed by authorization modules. See the Require directive for details about usage.

Authentication, Authorization, and Access Control mod_authz_host SatisfyAll Enclose a group of authorization directives that must all be satisfied in order to grant access to a resource. This block allows for 'AND' logic to be applied to various authorization providers. <SatisfyAll> ... </SatisfyAll> directory.htaccess AuthConfig

SatisfyAll and </SatisfyAll> are used to enclose a group of authorization directives that must all be satisfied in order to grant access to a resource.

The <SatisfyAll> block as well as the <SatisfyOne> block allow you to apply "AND" and "OR" logic to the authorization processing. For example the following authorization block would apply the logic:

# if ((user == "John") ||
# ((Group == "admin")
# && (ldap-group <ldap-object> contains auth'ed_user)
# && ((ldap-attribute dept == "sales")
# || (file-group contains auth'ed_user))))
# then
# auth_granted
# else
# auth_denied
#
<Directory /www/mydocs>
Authname ...
AuthBasicProvider ...
...
Require user John
<SatisfyAll>
Require Group admins
Require ldap-group cn=mygroup,o=foo
<SatisfyOne>
Require ldap-attribute dept="sales"
Require file-group
</SatisfyOne>
</SatisfyAll>
</Directory> Authentication, Authorization, and Access Control SatisfyOne Enclose a group of authorization directives that must satisfy at least one in order to grant access to a resource. This block allows for 'OR' logic to be applied to various authorization providers. <SatisfyOne> ... </SatisfyOne> directory.htaccess AuthConfig

SatisfyOne and </SatisfyOne> are used to enclose a group of authorization directives that must satisfy at least one in order to grant access to a resource.

See the <SatisfyAll> directive for a usage example.

Authentication, Authorization, and Access Control AuthzMergeRules Set to 'on' to allow the parent's <Directory> or <Location> authz rules to be merged into the current <Directory> or <Location>. Set to 'off' to disable merging. If set to 'off', only the authz rules defined in the current <Directory> or <Location> block will apply. AuthMergeRules on | off AuthMergeRules on directory.htaccess AuthConfig

By default all of the authorization rules within a <Directory> <Location> hierarchy are merged together to form a single logical authorization operation. If AuthzMergeRules is set to 'off', then only the authorization rules that are contained with the current <Directory> or <Location> block are considered. This allows the configuration to determine exactly how authorization will be determine without having to take into consideration the authorization rules that may exist above it.