Apache HTTP Server Version 2.3
Apache HTTP Server Version 2.3
Available Languages: en
| Description: | Group Authorization and Login using SQL |
|---|---|
| Status: | Extension |
| Module Identifier: | authz_dbd_module |
| Source File: | mod_authz_dbd.c |
| Compatibility: | Available in Apache 2.2 and later |
This module provides authorization capabilities so that
authenticated users can be allowed or denied access to portions
of the web site by group membership. It also provides
database/backend login/logout in conjunction with
mod_authn_dbd.
In addition to the standard authz function of checking group membership, this module provides database Login/Logout capability. Specifically, we can maintain a logged in/logged out status in the database, and control the status via designated URLs (subject of course to users supplying the necessary credentials).
This works by defining two special
Require types:
Require dbd-login and Require dbd-logout.
For usage details, see the configuration example below.
In conjunction with server login/logout, we may wish to implement
clientside login/out, for example by setting and unsetting a cookie
or other such token. Although this is not the business of an authz
module, client session management software should be able to tie its
operation in to database login/logout. To support this,
mod_authz_dbd exports an optional hook that will
be run whenever a user successfully logs into or out of the database.
Session management modules can use the hook to implement functions
to start and end a client session.
# mod_dbd configuration
DBDriver pgsql
DBDParams "dbname=apacheauth user=apache pass=xxxxxx"
DBDMin 4
DBDKeep 8
DBDMax 20
DBDExptime 300
<Directory /usr/www/my.site/team-private/>
# mod_authn_core and mod_auth_basic configuration
# for mod_authn_dbd
AuthType Basic
AuthName Team
AuthBasicProvider dbd
# mod_authn_dbd SQL query to authenticate a logged-in user
AuthDBDUserPWQuery \
"SELECT password FROM authn WHERE user = %s AND login = true"
# mod_authz_core configuration for mod_authz_dbd
Require dbd-group team
# mod_authz_dbd configuration
AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"
# when a user fails to be authenticated or authorized,
# invite them to login
ErrorDocument 401 /team-private/login-form.html
<Files login.html>
# don't require user to already be logged in!
AuthDBDUserPWQuery \
"SELECT password FROM authn WHERE user = %s"
# dbd-login action executes a statement to log user in
Require dbd-login
AuthzDBDQuery \
"UPDATE authn SET login = true WHERE user = %s"
# return user to referring page (if any) after
# successful login
AuthzDBDLoginToReferer On
</Files>
<Files logout.html>
# dbd-logout action executes a statement to log user out
Require dbd-logout
AuthzDBDQuery \
"UPDATE authn SET login = false WHERE user = %s"
</Files>
</Directory>
| Description: | Determines whether to redirect the Client to the Referring
page on successful login or logout if a Referer request
header is present |
|---|---|
| Syntax: | AuthzDBDLoginToReferer On|Off |
| Default: | AuthzDBDLoginToReferer Off |
| Context: | directory |
| Status: | Extension |
| Module: | mod_authz_dbd |
In conjunction with Require dbd-login or
Require dbd-logout, this provides the option to
redirect the client back to the Referring page (the URL in
the Referer HTTP request header, if present.
When there is no Referer header,
AuthzDBDLoginToReferer On will be ignored.
| Description: | Specify the SQL Query for the required operation |
|---|---|
| Syntax: | AuthzDBDQuery query |
| Context: | directory |
| Status: | Extension |
| Module: | mod_authz_dbd |
The AuthzDBDQuery specifies an SQL
query to run. The purpose of the query depends on the
Require directive in
effect.
Require dbd-group directive,
it specifies a query to look up groups for the current user. This is
the standard functionality of other authorization modules such as
mod_authz_file and mod_authz_dbm.
The first column value of each row returned by the query statement
should be a string containing a group name. Zero, one, or more rows
may be returned.
Require dbd-group AuthzDBDQuery \ "SELECT group FROM groups WHERE user = %s"
Require dbd-login or
Require dbd-logout directive, it will never deny access,
but will instead execute a SQL statement designed to log the user
in or out. The user must already be authenticated with
mod_authn_dbd.
Require dbd-login AuthzDBDQuery \ "UPDATE authn SET login = true WHERE user = %s"
In all cases, the user's ID will be passed as a single string
parameter when the SQL query is executed. It may be referenced within
the query statement using a %s format specifier.
| Description: | Specify a query to look up a login page for the user |
|---|---|
| Syntax: | AuthzDBDRedirectQuery query |
| Context: | directory |
| Status: | Extension |
| Module: | mod_authz_dbd |
Specifies an optional SQL query to use after successful login
(or logout) to redirect the user to a URL, which may be
specific to the user. The user's ID will be passed as a single string
parameter when the SQL query is executed. It may be referenced within
the query statement using a %s format specifier.
AuthzDBDRedirectQuery \ "SELECT userpage FROM userpages WHERE user = %s"
The first column value of the first row returned by the query statement should be a string containing a URL to which to redirect the client. Subsequent rows will be ignored. If no rows are returned, the client will not be redirected.
Note that AuthzDBDLoginToReferer takes
precedence if both are set.
Available Languages: en