www/apache
www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-05-17 15:21:13 +03:00
Code
apache/docs/manual/mod/mod_auth.html
Randy Terbush 0b7d74f228 Update docs to reflect addition of Authoritative directive. 
Submitted by:	Dirk vanGulik


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@77319 13f79535-47bb-0310-9956-ffa450edef68
1996-12-24 19:08:24 +00:00

107 lines
5.4 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>Apache module mod_auth</TITLE>
</HEAD>
<BODY>
<!--#include virtual="header.html" -->
<H1>Module mod_auth</h1>
This module is contained in the <code>mod_auth.c</code> file, and
is compiled in by default. It provides for user authentication using
textual files.
<menu>
<li><A HREF="#authgroupfile">AuthGroupFile</A>
<li><A HREF="#authuserfile">AuthUserFile</A>
<li><A HREF="#authauthoritative">AuthAuthoritative</A>
</menu>
<hr>
<A name="authgroupfile"><h2>AuthGroupFile</h2></A>
<!--%plaintext &lt;?INDEX {\tt AuthGroupFile} directive&gt; -->
<strong>Syntax:</strong> AuthGroupFile <em>filename</em><br>
<Strong>Context:</strong> directory, .htaccess<br>
<Strong>Override:</strong> AuthConfig<br>
<strong>Status:</strong> Base<br>
<strong>Module:</strong> mod_auth<p>
The AuthGroupFile directive sets the name of a textual file containing the list
of user groups for user authentication. <em>Filename</em> is the absolute path
to the group file.<p>
Each line of the group file contains a groupname followed by a colon, followed
by the member usernames separated by spaces. Example:
<blockquote><code>mygroup: bob joe anne</code></blockquote>
Note that searching large groups files is <em>very</em> inefficient;
<A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A> should
be used instead.<p>
Security: make sure that the AuthGroupFile is stored outside the
document tree of the web-server; do <em>not</em> put it in the directory that
it protects. Otherwise, clients will be able to download the AuthGroupFile.<p>
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authuserfile">AuthUserFile</A>.<p><hr>
<A name="authuserfile"><h2>AuthUserFile</h2></A>
<!--%plaintext &lt;?INDEX {\tt AuthUserFile} directive&gt; -->
<strong>Syntax:</strong> AuthUserFile <em>filename</em><br>
<Strong>Context:</strong> directory, .htaccess<br>
<Strong>Override:</strong> AuthConfig<br>
<strong>Status:</strong> Base<br>
<strong>Module:</strong> mod_auth<p>
The AuthUserFile directive sets the name of a textual file containing the list
of users and passwords for user authentication. <em>Filename</em> is the
absolute path to the user file.<p>
Each line of the user file file contains a username followed by a colon,
followed by the crypt() encrypted password. The behavior of multiple
occurrences of the same user is undefined.<p>
Note that searching user groups files is inefficient;
<A HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A> should
be used instead.<p>
Security: make sure that the AuthUserFile is stored outside the
document tree of the web-server; do <em>not</em> put it in the directory that
it protects. Otherwise, clients will be able to download the AuthUserFile.<p>
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authgroupfile">AuthGroupFile</A>.<p>
<hr>
<A name="authauthoritative"><h2>AuthAuthoritative</h2></A>
<!--%plaintext &lt;?INDEX {\tt AuthAuthoritative} directive&gt; -->
<strong>Syntax:</strong> AuthAuthoritative &lt; <strong> on</strong>(default) | off &gt; <br>
<Strong>Context:</strong> directory, .htaccess<br>
<Strong>Override:</strong> AuthConfig<br>
<strong>Status:</strong> Base<br>
<strong>Module:</strong> mod_auth<p>
Setting the AuthAuthoritative directive explicitly to <b>'off'</b> allows for both authentification and authorization to be passed on to lower level modules (as defined in the <code>Configuration</code> and <code>modules.c</code> file if there is <b>no userID</b> or <b>rule</b> matching the supplied userID. If there is a userID and/or rule specified; the usual password and access checks will be applied and a failure will give an Authorization Required reply.
<p>
So if a userID appears in the database of more than one module; or if a valid require directive applies to more than one module; then the first module will verify the credentials; and no access is passed on; regardless of the AuthAuthoritative setting.
<p>
A common use for this is in conjection with one of the database modules; such
as <a href="mod_auth_anon.c"><code>mod_auth_db.c</code></a>, <a href="mod_auth_anon.c"><code>mod_auth_dbm.c</code></a>,
<a href="mod_auth_anon.c"><code>mod_auth_msql.c</code></a> and <a href="mod_auth_anon.c"><code>mod_auth_anon.c</code></a>. These modules supply the bulk of the user credential checking; but a few (administrator) related accesses fall through to a lower level with a well protected AuthUserFile.
<p>
<b>Default:</b> By default; control is not passed on; and an unkown userID or rule will result in an Authorization Required reply. Not setting it thus keeps the system secure; and forces an NSCA compliant behaviour.
<p>
Security: Do consider the implications of allowing a user to allow fall-through in his .htaccess file; and verify that this is really what you want; Generally it is easier to just secure a single .htpasswd file, than it is to secure a database such as mSQL. Make sure that the AuthUserFile is stored outside the
document tree of the web-server; do <em>not</em> put it in the directory that
it protects. Otherwise, clients will be able to download the AuthUserFile.
<p>
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authgroupfile">AuthGroupFile</A>.<p>
<!--#include virtual="footer.html" -->
</BODY>
</HTML>
View Git Blame Copy Permalink