Database Login

mod_authz_dbd Group Authorization and Login using SQL Extension mod_authz_dbd.c authz_dbd_module Available in Apache 2.2 and later

This module provides authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site by group membership. It also provides database/backend login/logout in conjunction with mod_authn_dbd.

Require DBDriver DBDParams

Database Login

In addition to the standard authz function of checking group membership, this module provides database Login/Logout capability. Specifically, we can maintain a logged in/logged out status in the database, and control the status via designated URLs (subject of course to users supplying the necessary credentials).

This works by defining two special Require types: Require dbd-login and Require dbd-logout. For usage details, see the configuration example below.

Client Login

In conjunction with server login/logout, we may wish to implement clientside login/out, for example by setting and unsetting a cookie or other such token. Although this is not the business of an authz module, client session management software should be able to tie its operation in to database login/logout. To support this, mod_authz_dbd exports an optional hook that will be run whenever a user successfully logs into or out of the database. Session management modules can use the hook to implement functions to start and end a client session.

Configuration Example


# DBD Configuration
DBDriver oracle
DBDParams "dbname=apacheauth user=apache pass=xxxxxx"

DBDMin  4
DBDKeep 8
DBDMax  20
DBDExptime 300

<Directory /usr/www/my.site/team-private/>
   # authn with mod_authn_dbd
   AuthType Basic
   AuthName Team
   AuthBasicProvider dbd
   AuthDBDUserPWQuery "SELECT pass FROM authn WHERE user = %s AND login = true"

   # Require dbd-group and authz_dbd implementation
   Require dbd-group team
   AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"

   # When a user fails to authn/authz, invite them to login
   ErrorDocument 401 /team-private/login-form.html

   <Files login.html>
      # Don't require that we're already logged in!
      AuthDBDUserPWQuery "SELECT pass FROM authn WHERE user = %s"

      # dbd-login action executes a query to set our own state
      Require dbd-login
      AuthzDBDQuery "UPDATE authn SET login = true WHERE user = %s"

      # Return user to referring page (if any) on successful login
      AuthzDBDLoginToReferer On
   </Files>

   <Files logout.html>
      # dbd-logout action executes a query to set our own state
      Require dbd-logout
      AuthzDBDQuery "UPDATE authn SET login = false WHERE user = %s"
   </Files>
</Directory>

AuthzDBDQuery Specify the SQL Query for the required operation AuthzDBDQuery SQL-Query directory

The AuthzDBDQuery specifies an SQL query to run. The purpose of the query depends on the Require directive in effect.

With Require dbd-group, it specifies a query to look up groups for the current user. This is the standard functionality of other authz modules such as mod_authz_file and mod_authz_dbm. In this case it will typically take the form
AuthzDBDQuery "SELECT group FROM groups WHERE user= %s"
With Require dbd-login or Require dbd-logout, it will never deny access, but will instead execute an SQL Query designed to log the user (who must already be authenticated with mod_authn_dbd) in or out. Such a query will typically take the form
AuthzDBDQuery "UPDATE authn SET login = true WHERE user = %s"

AuthzDBDRedirectQuery Specify a query to look up a login page for the user AuthzDBDRedirectQuery SQL-Query directory

Specifies an optional query to use after successful login (or logout) to redirect the user to a page, which may be specific to the user. Such a query will take the form
AuthzDBDRedirectQuery "SELECT userpage FROM userpages WHERE user = %s"

Note that AuthzDBDLoginToReferer takes precedence if both are set.

AuthzDBDLoginToReferer Determines whether to redirect the Client to the Referring page on successful login or logout if a Referer request header is present AuthzDBDLoginToReferer On|Off AuthzDBDLoginToReferer Off directory

In conjunction with Require dbd-login or Require dbd-logout, this provides the option to redirect the client back to the Referring page (the URL in the Referer HTTP request header, if present. When there is no Referer header, AuthzDBDLoginToReferer On will be ignored.