www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-11-03 17:53:20 +03:00
Code Activity
Files
b2cf8f26e7af9de3e1cd5a089f21f3be0fb614c9
apache/docs/manual/mod/mod_authz_core.html.en
Vincent Bray 5df524c3c8 Build products 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@620771 13f79535-47bb-0310-9956-ffa450edef68
2008-02-12 11:54:40 +00:00

348 lines
20 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
<title>mod_authz_core - Apache HTTP Server</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.3</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.3</a> &gt; <a href="./">Modules</a></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_authz_core</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/mod/mod_authz_core.html" title="English">&nbsp;en&nbsp;</a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Core Authorization</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module<EFBFBD>Identifier:</a></th><td>authz_core_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source<EFBFBD>File:</a></th><td>mod_authz_core.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and later</td></tr></table>
<h3>Summary</h3>
<p>This module provides core authorization capabilities so that
authenticated users can be allowed or denied access to portions
of the web site. <code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code> provides the
functionality to register various authorization providers. It is
usually used in conjunction with an authentication
provider module such as <code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code> and an
authorization module such as <code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code>. It
also allows for "AND" and "OR" logic to be applied to the
authorization processing.</p>
</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#authzmergerules">AuthzMergeRules</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#reject">Reject</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#require">Require</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#requirealias">&lt;RequireAlias&gt;</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#satisfyall">&lt;SatisfyAll&gt;</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#satisfyone">&lt;SatisfyOne&gt;</a></li>
</ul>
<h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="../images/down.gif" /> <a href="#authzalias">Creating Authorization Provider Aliases</a></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="authzalias" id="authzalias">Creating Authorization Provider Aliases</a></h2>
<p>Extended authorization providers can be created within the configuration
file and assigned an alias name. The alias providers can then be referenced
through the <code class="directive"><a href="#require">Require</a></code> directive
in the same way as a base authorization provider. Besides the ability to
create and alias an extended provider, it also allows the same extended
authorization provider to be reference by multiple locations.
</p>
<h3><a name="example" id="example">Example</a></h3>
<p>The example below creates two different ldap authorization provider
aliases based on the ldap-group authorization provider. This example
allows a single authorization location to check group membership within
multiple ldap hosts:
</p>
<div class="example"><h3>Example</h3><p><code>
&lt;RequireAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx&gt;<br />
<span class="indent">
AuthLDAPBindDN cn=youruser,o=ctx<br />
AuthLDAPBindPassword yourpassword<br />
AuthLDAPURL ldap://ldap.host/o=ctx<br />
</span>
&lt;/RequireAlias&gt;<br /><br />
&lt;AuthnProviderAlias ldap-group ldap-group-alias2
cn=my-other-group,o=dev&gt;<br />
<span class="indent">
AuthLDAPBindDN cn=yourotheruser,o=dev<br />
AuthLDAPBindPassword yourotherpassword<br />
AuthLDAPURL ldap://other.ldap.host/o=dev?cn<br />
</span>
&lt;/RequireAlias&gt;<br /><br />
Alias /secure /webpages/secure<br />
&lt;Directory /webpages/secure&gt;<br />
<span class="indent">
Order deny,allow<br />
Allow from all<br /><br />
AuthBasicProvider file<br /><br />
AuthType Basic<br />
AuthName LDAP_Protected_Place<br /><br />
#implied OR operation<br />
require alias1-ldap-group<br />
require alias2-ldap-group<br />
</span> &lt;/Directory&gt;<br />
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthzMergeRules" id="AuthzMergeRules">AuthzMergeRules</a> <a name="authzmergerules" id="authzmergerules">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set to 'on' to allow the parent's &lt;Directory&gt; or &lt;Location&gt;
authz rules to be merged into the current &lt;Directory&gt; or &lt;Location&gt;.
Set to 'off' to disable merging. If set to 'off', only the authz rules defined in
the current &lt;Directory&gt; or &lt;Location&gt; block will apply.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthMergeRules on | off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthMergeRules on</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p>By default all of the authorization rules within a &lt;Directory&gt;
&lt;Location&gt; hierarchy are merged together to form a single
logical authorization operation. If AuthzMergeRules is set to 'off', then
only the authorization rules that are contained with the current
&lt;Directory&gt; or &lt;Location&gt; block are considered. This
allows the configuration to determine exactly how authorization will
be determine without having to take into consideration the
authorization rules that may exist above it.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="Reject" id="Reject">Reject</a> <a name="reject" id="reject">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Rejects authenticated users or host based
requests from accessing a resource</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Reject <var>entity-name</var> [<var>entity-name</var>] ...</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p>This directive is similar to the
<code class="directive"><a href="#require">Require</a></code> directive however
it rejects which authenticated users or host based requests from accessing a resource. The
restrictions are processed by authorization modules. See the
<code class="directive"><a href="#require">Require</a></code> directive for details
about usage.</p>
<h3>See also</h3>
<ul>
<li><a href="../howto/auth.html">Authentication, Authorization,
and Access Control</a></li>
<li><code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code></li>
</ul>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="Require" id="Require">Require</a> <a name="require" id="require">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Selects which authenticated users can access
a resource</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Require <var>entity-name</var> [<var>entity-name</var>] ...</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p>This directive selects which authenticated users can access a
resource. The restrictions are processed by authorization
modules. Some of the allowed syntaxes provided by
<code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code> and
<code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> are:</p>
<dl>
<dt><code>Require user <var>userid</var> [<var>userid</var>]
...</code></dt>
<dd>Only the named users can access the resource.</dd>
<dt><code>Require group <var>group-name</var> [<var>group-name</var>]
...</code></dt>
<dd>Only users in the named groups can access the resource.</dd>
<dt><code>Require valid-user</code></dt>
<dd>All valid users can access the resource.</dd>
</dl>
<p>Other authorization modules that implement require options
include <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>,
<code class="module"><a href="../mod/mod_authz_dbm.html">mod_authz_dbm</a></code>, <code class="module"><a href="../mod/mod_authz_dbd.html">mod_authz_dbd</a></code>,
<code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code>, and
<code class="module"><a href="../mod/mod_authz_owner.html">mod_authz_owner</a></code>.</p>
<p>For a complete authentication and authorization configuration,
<code class="directive">Require</code> must be accompanied by
<code class="directive"><a href="../mod/mod_authn_core.html#authname">AuthName</a></code>, <code class="directive"><a href="../mod/mod_authn_core.html#authtype">AuthType</a></code> and
<code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code>
directives, and directives such as
<code class="directive"><a href="../mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code>
and <code class="directive"><a href="../mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> (to
define users and groups) in order to work correctly. Example:</p>
<div class="example"><p><code>
AuthType Basic<br />
AuthName "Restricted Resource"<br />
AuthBasicProvider file<br />
AuthUserFile /web/users<br />
AuthGroupFile /web/groups<br />
Require group admin
</code></p></div>
<p>Access controls which are applied in this way are effective for
<strong>all</strong> methods. <strong>This is what is normally
desired.</strong> If you wish to apply access controls only to
specific methods, while leaving other methods unprotected, then
place the <code class="directive">Require</code> statement into a
<code class="directive"><a href="../mod/core.html#limit">&lt;Limit&gt;</a></code>
section.</p>
<h3>See also</h3>
<ul>
<li><a href="../howto/auth.html">Authentication, Authorization,
and Access Control</a></li>
<li><code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code></li>
</ul>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="RequireAlias" id="RequireAlias">&lt;RequireAlias&gt;</a> <a name="requirealias" id="requirealias">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of directives that represent an
extension of a base authorization provider and referenced by the specified
alias</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>&lt;RequireAlias <var>baseProvider Alias Require-Parameters</var>&gt;
... &lt;/RequireAlias&gt;
</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p><code class="directive">&lt;RequireAlias&gt;</code> and
<code>&lt;/RequireAlias&gt;</code> are used to enclose a group of
authorization directives that can be referenced by the alias name using the
directive <code class="directive"><a href="# require"> Require</a></code>.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SatisfyAll" id="SatisfyAll">&lt;SatisfyAll&gt;</a> <a name="satisfyall" id="satisfyall">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives that must all
be satisfied in order to grant access to a resource. This block allows
for 'AND' logic to be applied to various authorization providers.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>&lt;SatisfyAll&gt;
... &lt;/SatisfyAll&gt;</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p><code class="directive">&lt;SatisfyAll&gt;</code> and
<code>&lt;/SatisfyAll&gt;</code> are used to enclose a group of
authorization directives that must all be satisfied in order to
grant access to a resource.</p>
<p>The <code class="directive"><a href="#&#10; &lt;satisfyall&gt;">
&lt;SatisfyAll&gt;</a></code> block as well as the
<code class="directive"><a href="#&lt;satisfyone&gt;">&lt;SatisfyOne&gt;</a></code> block
allow you to apply "AND" and "OR" logic to the authorization processing.
For example the following authorization block would apply the logic:</p>
<div class="example"><p><code>
# if ((user == "John") ||<br />
# &nbsp;&nbsp; ((Group == "admin")<br />
# &nbsp; &nbsp; &amp;&amp; (ldap-group &lt;ldap-object&gt; contains auth'ed_user)<br />
# &nbsp; &nbsp; &amp;&amp; ((ldap-attribute dept == "sales")<br />
# &nbsp; &nbsp; &nbsp; &nbsp; || (file-group contains auth'ed_user))))<br />
# then<br />
# &nbsp; auth_granted<br />
# else<br />
# &nbsp; auth_denied<br />
#<br />
&lt;Directory /www/mydocs&gt;<br />
<span class="indent">
Authname ...<br />
AuthBasicProvider ...<br />
...<br />
Require user John<br />
&lt;SatisfyAll&gt;<br />
<span class="indent">
Require Group admins<br />
Require ldap-group cn=mygroup,o=foo<br />
&lt;SatisfyOne&gt;<br />
<span class="indent">
Require ldap-attribute dept="sales"<br />
Require file-group<br />
</span>
&lt;/SatisfyOne&gt;<br />
</span>
&lt;/SatisfyAll&gt;<br />
</span>
&lt;/Directory&gt;
</code></p></div>
<h3>See also</h3>
<ul>
<li><a href="../howto/auth.html">Authentication, Authorization,
and Access Control</a></li>
</ul>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SatisfyOne" id="SatisfyOne">&lt;SatisfyOne&gt;</a> <a name="satisfyone" id="satisfyone">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives that must
satisfy at least one in order to grant access to a resource. This
block allows for 'OR' logic to be applied to various authorization
providers.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>&lt;SatisfyOne&gt;
... &lt;/SatisfyOne&gt;</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p><code class="directive">&lt;SatisfyOne&gt;</code> and
<code>&lt;/SatisfyOne&gt;</code> are used to enclose a group of
authorization directives that must satisfy at least one in order to
grant access to a resource.</p>
<p>See the <code class="directive"><a href="#&#10; &lt;satisfyall&gt;">
&lt;SatisfyAll&gt;</a></code> directive for a usage example.</p>
<h3>See also</h3>
<ul>
<li><a href="../howto/auth.html">Authentication, Authorization,
and Access Control</a></li>
</ul>
</div>
</div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/mod/mod_authz_core.html" title="English">&nbsp;en&nbsp;</a></p>
</div><div id="footer">
<p class="apache">Copyright 2008 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
</body></html>
View Git Blame Copy Permalink