Apache HTTP Server Version 2.0
Apache HTTP Server Version 2.0
| Description: | User authentication using text files |
|---|---|
| Status: | Base |
| Module Identifier: | authn_file_module |
| Source File: | mod_authn_file.c |
| Compatibility: | Available in Apache 2.0.42 and later |
This module provides authentication front-ends such as
mod_auth_digest and mod_auth_basic
to authenticate users by looking up users in plain text password files.
Similar functionality is provided by mod_authn_dbm.
When using mod_auth_basic or
mod_auth_digest, this module is invoked via the
AuthBasicProvider or
AuthDigestProvider
with the 'file' value.
| Description: | Sets the name of a text file containing the list of users and passwords for authentication |
|---|---|
| Syntax: | AuthUserFile file-path |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Base |
| Module: | mod_authn_file |
The AuthUserFile directive sets the name
of a textual file containing the list of users and passwords for
user authentication. File-path is the path to the user
file. If it is not absolute (i.e., if it doesn't begin
with a slash), it is treated as relative to the ServerRoot.
Each line of the user file contains a username followed by
a colon, followed by the crypt() encrypted
password. The behavior of multiple occurrences of the same user is
undefined.
The utility htpasswd
which is installed as part of the binary distribution, or which
can be found in src/support, is used to maintain
this password file. See the man page for more
details. In short:
Create a password file 'Filename' with 'username' as the initial ID. It will prompt for the password:
htpasswd -c Filename username
Add or modify 'username2' in the password file 'Filename':
htpasswd Filename username2
Note that searching large text files is very
inefficient; AuthDBMUserFile should be used
instead.
Make sure that the AuthUserFile is
stored outside the document tree of the web-server; do not
put it in the directory that it protects. Otherwise, clients will
be able to download the AuthUserFile.
| Description: | Sets whether authorization and authentication are passed to lower level modules |
|---|---|
| Syntax: | AuthUserFileAuthoritative on|off |
| Default: | AuthUserFileAuthoritative on |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Base |
| Module: | mod_authn_file |
Setting the AuthAuthoritative directive
explicitly to 'off' allows for both
authentication and authorization to be passed on to lower level
modules (as defined in the Configuration and
modules.c files) if there is no
userID or rule matching the supplied
userID. If there is a userID and/or rule specified; the usual
password and access checks will be applied and a failure will give
an Authorization Required reply.
So if a userID appears in the database of more than one module;
or if a valid Require
directive applies to more than one module; then the first module
will verify the credentials; and no access is passed on;
regardless of the AuthAuthoritative setting.
By default; control is not passed on; and an unknown userID or rule will result in an Authorization Required reply. Not setting it thus keeps the system secure; and forces an NCSA compliant behaviour.
AuthUserFile and the AuthGroupFile are stored outside
the document tree of the web-server; do not put them in the
directory that they protect. Otherwise, clients will be able to
download the AuthUserFile
and the AuthGroupFile.