mirror of
https://github.com/apache/httpd.git
synced 2025-05-17 15:21:13 +03:00
b8861ba216
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89603 13f79535-47bb-0310-9956-ffa450edef68
247 lines
8.1 KiB
HTML
247 lines
8.1 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<TITLE>Apache module mod_auth</TITLE>
|
|
</HEAD>
|
|
|
|
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
|
|
<BODY
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#000080"
|
|
ALINK="#FF0000"
|
|
>
|
|
<!--#include virtual="header.html" -->
|
|
|
|
<H1 ALIGN="CENTER">Module mod_auth</H1>
|
|
|
|
<P>This module provides for user authentication using text files.
|
|
|
|
<P><A
|
|
HREF="module-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Base
|
|
<BR>
|
|
<A
|
|
HREF="module-dict.html#SourceFile"
|
|
REL="Help"
|
|
><STRONG>Source File:</STRONG></A> mod_auth.c
|
|
<BR>
|
|
<A
|
|
HREF="module-dict.html#ModuleIdentifier"
|
|
REL="Help"
|
|
><STRONG>Module Identifier:</STRONG></A> auth_module
|
|
</P>
|
|
|
|
<H2>Summary</H2>
|
|
|
|
<P>This module allows the use of HTTP Basic Authentication to restrict
|
|
access by looking up users in plain text password and group files.
|
|
Similar functionality and greater scalability is provided by <A
|
|
HREF="mod_auth_dbm.html">mod_auth_dbm</A> and <A
|
|
HREF="mod_auth_db.html">mod_auth_db</A>. HTTP Digest Authentication
|
|
is provided by <A HREF="mod_auth_digest.html">mod_auth_digest</A>.
|
|
|
|
|
|
<H2>Directives</H2>
|
|
|
|
<UL>
|
|
<LI><A HREF="#authgroupfile">AuthGroupFile</A>
|
|
<LI><A HREF="#authuserfile">AuthUserFile</A>
|
|
<LI><A HREF="#authauthoritative">AuthAuthoritative</A>
|
|
</UL>
|
|
|
|
<P>See also: <A HREF="core.html#require">require</A>
|
|
and <A HREF="core.html#satisfy">satisfy</A>.</P>
|
|
|
|
<HR>
|
|
|
|
|
|
<H2><A NAME="authgroupfile">AuthGroupFile</A> directive</H2>
|
|
<!--%plaintext <?INDEX {\tt AuthGroupFile} directive> -->
|
|
<A
|
|
HREF="directive-dict.html#Syntax"
|
|
REL="Help"
|
|
><STRONG>Syntax:</STRONG></A> AuthGroupFile <EM>file-path</EM><BR>
|
|
<A
|
|
HREF="directive-dict.html#Context"
|
|
REL="Help"
|
|
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
|
|
<A
|
|
HREF="directive-dict.html#Override"
|
|
REL="Help"
|
|
><STRONG>Override:</STRONG></A> AuthConfig<BR>
|
|
<A
|
|
HREF="directive-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Base<BR>
|
|
<A
|
|
HREF="directive-dict.html#Module"
|
|
REL="Help"
|
|
><STRONG>Module:</STRONG></A> mod_auth<P>
|
|
|
|
The AuthGroupFile directive sets the name of a textual file containing the list
|
|
of user groups for user authentication. <EM>File-path</EM> is the path
|
|
to the group file. If it is not absolute (<EM>i.e.</EM>, if it
|
|
doesn't begin with a slash), it is treated as relative to the ServerRoot.
|
|
<P>
|
|
Each line of the group file contains a groupname followed by a colon, followed
|
|
by the member usernames separated by spaces. Example:
|
|
<BLOCKQUOTE><CODE>mygroup: bob joe anne</CODE></BLOCKQUOTE>
|
|
Note that searching large text files is <EM>very</EM> inefficient;
|
|
<A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A> should
|
|
be used instead.<P>
|
|
|
|
Security: make sure that the AuthGroupFile is stored outside the
|
|
document tree of the web-server; do <EM>not</EM> put it in the directory that
|
|
it protects. Otherwise, clients will be able to download the AuthGroupFile.<P>
|
|
|
|
See also <A HREF="core.html#authname">AuthName</A>,
|
|
<A HREF="core.html#authtype">AuthType</A> and
|
|
<A HREF="#authuserfile">AuthUserFile</A>.<P><HR>
|
|
|
|
<H2><A NAME="authuserfile">AuthUserFile</A> directive</H2>
|
|
<!--%plaintext <?INDEX {\tt AuthUserFile} directive> -->
|
|
<A
|
|
HREF="directive-dict.html#Syntax"
|
|
REL="Help"
|
|
><STRONG>Syntax:</STRONG></A> AuthUserFile <EM>file-path</EM><BR>
|
|
<A
|
|
HREF="directive-dict.html#Context"
|
|
REL="Help"
|
|
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
|
|
<A
|
|
HREF="directive-dict.html#Override"
|
|
REL="Help"
|
|
><STRONG>Override:</STRONG></A> AuthConfig<BR>
|
|
<A
|
|
HREF="directive-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Base<BR>
|
|
<A
|
|
HREF="directive-dict.html#Module"
|
|
REL="Help"
|
|
><STRONG>Module:</STRONG></A> mod_auth<P>
|
|
|
|
The AuthUserFile directive sets the name of a textual file containing
|
|
the list of users and passwords for user
|
|
authentication. <EM>File-path</EM> is the path to the user
|
|
file. If it is not absolute (<EM>i.e.</EM>, if it doesn't begin with a
|
|
slash), it is treated as relative to the ServerRoot.
|
|
<P> Each line of the user file file contains a username followed
|
|
by a colon, followed by the crypt() encrypted password. The behavior
|
|
of multiple occurrences of the same user is undefined.
|
|
<P>
|
|
The utility <a href="../programs/htpasswd.html">htpasswd</a> which is
|
|
installed as part of the binary distribution, or which can be found in
|
|
<code>src/support</code>, is used to maintain this password file. See
|
|
the <code>man</code> page for more details. In short
|
|
<p>
|
|
<blockquote>
|
|
<code>htpasswd -c Filename username</code><br>
|
|
Create a password file 'Filename' with 'username'
|
|
as the initial ID. It will prompt for the password.
|
|
<code>htpasswd Filename username2</code><br>
|
|
Adds or modifies in password file 'Filename' the 'username'.
|
|
</blockquote>
|
|
<P> Note that
|
|
searching large text files is <EM>very</EM> inefficient;
|
|
<A HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A> should be
|
|
used instead.
|
|
<P>
|
|
|
|
Security: make sure that the AuthUserFile is stored outside the
|
|
document tree of the web-server; do <EM>not</EM> put it in the directory that
|
|
it protects. Otherwise, clients will be able to download the AuthUserFile.<P>
|
|
|
|
See also <A HREF="core.html#authname">AuthName</A>,
|
|
<A HREF="core.html#authtype">AuthType</A> and
|
|
<A HREF="#authgroupfile">AuthGroupFile</A>.<P>
|
|
<HR>
|
|
<H2><A NAME="authauthoritative">AuthAuthoritative</A> directive</H2>
|
|
<!--%plaintext <?INDEX {\tt AuthAuthoritative} directive> -->
|
|
<A
|
|
HREF="directive-dict.html#Syntax"
|
|
REL="Help"
|
|
><STRONG>Syntax:</STRONG></A> AuthAuthoritative on|off<BR>
|
|
<A
|
|
HREF="directive-dict.html#Default"
|
|
REL="Help"
|
|
><STRONG>Default:</STRONG></A> <CODE>AuthAuthoritative on</CODE><BR>
|
|
<A
|
|
HREF="directive-dict.html#Context"
|
|
REL="Help"
|
|
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
|
|
<A
|
|
HREF="directive-dict.html#Override"
|
|
REL="Help"
|
|
><STRONG>Override:</STRONG></A> AuthConfig<BR>
|
|
<A
|
|
HREF="directive-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Base<BR>
|
|
<A
|
|
HREF="directive-dict.html#Module"
|
|
REL="Help"
|
|
><STRONG>Module:</STRONG></A> mod_auth<P>
|
|
|
|
Setting the AuthAuthoritative directive explicitly to <STRONG>'off'</STRONG>
|
|
allows for both authentication and authorization to be passed on to
|
|
lower level modules (as defined in the <CODE>Configuration</CODE> and
|
|
<CODE>modules.c</CODE> files) if there is <STRONG>no userID</STRONG> or
|
|
<STRONG>rule</STRONG> matching the supplied userID. If there is a userID and/or
|
|
rule specified; the usual password and access checks will be applied
|
|
and a failure will give an Authorization Required reply.
|
|
|
|
<P>
|
|
|
|
So if a userID appears in the database of more than one module; or if
|
|
a valid <CODE>Require</CODE> directive applies to more than one module; then the
|
|
first module will verify the credentials; and no access is passed on;
|
|
regardless of the AuthAuthoritative setting.
|
|
|
|
<P>
|
|
|
|
A common use for this is in conjunction with one of the database
|
|
modules; such as <A
|
|
HREF="mod_auth_db.html"><CODE>mod_auth_db.c</CODE></A>, <A
|
|
HREF="mod_auth_dbm.html"><CODE>mod_auth_dbm.c</CODE></A>,
|
|
<CODE>mod_auth_msql.c</CODE>, and <A
|
|
HREF="mod_auth_anon.html"><CODE>mod_auth_anon.c</CODE></A>. These modules
|
|
supply the bulk of the user credential checking; but a few
|
|
(administrator) related accesses fall through to a lower level with a
|
|
well protected AuthUserFile.
|
|
|
|
<P>
|
|
|
|
<A
|
|
HREF="directive-dict.html#Default"
|
|
REL="Help"
|
|
><STRONG>Default:</STRONG></A> By default; control is not passed on; and an
|
|
unknown
|
|
userID or rule will result in an Authorization Required reply. Not
|
|
setting it thus keeps the system secure; and forces an NCSA compliant
|
|
behaviour.
|
|
|
|
<P>
|
|
|
|
Security: Do consider the implications of allowing a user to allow
|
|
fall-through in his .htaccess file; and verify that this is really
|
|
what you want; Generally it is easier to just secure a single
|
|
.htpasswd file, than it is to secure a database such as mSQL. Make
|
|
sure that the AuthUserFile is stored outside the document tree of the
|
|
web-server; do <EM>not</EM> put it in the directory that it
|
|
protects. Otherwise, clients will be able to download the
|
|
AuthUserFile.
|
|
|
|
<P>
|
|
See also <A HREF="core.html#authname">AuthName</A>,
|
|
<A HREF="core.html#authtype">AuthType</A> and
|
|
<A HREF="#authgroupfile">AuthGroupFile</A>.<P>
|
|
|
|
<!--#include virtual="footer.html" -->
|
|
</BODY>
|
|
</HTML>
|
|
|