mirror of
https://github.com/apache/httpd.git
synced 2025-05-17 15:21:13 +03:00
c3dcbcbfd9
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93731 13f79535-47bb-0310-9956-ffa450edef68
116 lines
11 KiB
HTML
116 lines
11 KiB
HTML
<html xmlns="http://www.w3.org/TR/xhtml1/strict"><head><!--
|
|
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
|
This file is generated from xml source: DO NOT EDIT
|
|
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
|
--><title>mod_auth - Apache HTTP Server</title><link href="../style/manual.css" type="text/css" rel="stylesheet"/></head><body><blockquote><div align="center"><img alt="[APACHE DOCUMENTATION]" src="../images/sub.gif"/><h3>Apache HTTP Server Version 2.0</h3></div><h1 align="center">Apache Module mod_auth</h1><table cellspacing="1" cellpadding="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td valign="top"><span class="help">Description:</span></td><td><description>User authentication using text files</description></td></tr><tr><td><a href="module-dict.html#Status" class="help">Status:</a></td><td>Base</td></tr><tr><td><a href="module-dict.html#ModuleIdentifier" class="help">Module Identifier:</a></td><td>auth_module</td></tr></table></td></tr></table><h2>Summary</h2><summary>
|
|
|
|
<p>This module allows the use of HTTP Basic Authentication to
|
|
restrict access by looking up users in plain text password and
|
|
group files. Similar functionality and greater scalability is
|
|
provided by <code><a href="mod_auth_dbm.html">mod_auth_dbm</a></code>. HTTP Digest
|
|
Authentication is provided by
|
|
<code><a href="mod_auth_digest.html">mod_auth_digest</a></code>.</p>
|
|
|
|
</summary><p><strong>See also </strong></p><ul><li><a href="core.html#require" class="directive"><code class="directive">Require</code></a></li><li><a href="core.html#satisfy" class="directive"><code class="directive">Satisfy</code></a></li><li><a href="core.html#authname" class="directive"><code class="directive">AuthName</code></a></li><li><a href="core.html#authtype" class="directive"><code class="directive">AuthType</code></a></li></ul><h2>Directives</h2><ul><li><a href="#authauthoritative">AuthAuthoritative</a></li><li><a href="#authgroupfile">AuthGroupFile</a></li><li><a href="#authuserfile">AuthUserFile</a></li></ul><hr/><h2><a name="AuthAuthoritative">AuthAuthoritative</a> <a name="authauthoritative">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td><strong>Description: </strong></td><td>Sets whether authorization and authentication are
|
|
passed to lower level modules</td></tr><tr><td><a href="directive-dict.html#Syntax" class="help">Syntax:</a></td><td><syntax>AuthAuthoritative on|off</syntax></td></tr><tr><td><a href="directive-dict.html#Default" class="help">Default:</a></td><td><code>AuthAuthoritative on</code></td></tr><tr><td><a href="directive-dict.html#Context" class="help">Context:</a></td><td>directory, .htaccess</td></tr><tr><td><a href="directive-dict.html#Override" class="help">Override:</a></td><td>AuthConfig</td></tr><tr><td><a href="directive-dict.html#Status" class="help">Status:</a></td><td>Base</td></tr><tr><td><a href="directive-dict.html#Module" class="help">Module:</a></td><td>mod_auth</td></tr></table></td></tr></table><usage>
|
|
|
|
<blockquote><table><tr><td bgcolor="#e0e5f5">This information has not been updated for Apache 2.0, which
|
|
uses a different system for module ordering.</td></tr></table></blockquote>
|
|
|
|
<p>Setting the <code class="directive">AuthAuthoritative</code> directive
|
|
explicitly to <strong>'off'</strong> allows for both
|
|
authentication and authorization to be passed on to lower level
|
|
modules (as defined in the <code>Configuration</code> and
|
|
<code>modules.c</code> files) if there is <strong>no
|
|
userID</strong> or <strong>rule</strong> matching the supplied
|
|
userID. If there is a userID and/or rule specified; the usual
|
|
password and access checks will be applied and a failure will give
|
|
an Authorization Required reply.</p>
|
|
|
|
<p>So if a userID appears in the database of more than one module;
|
|
or if a valid <a href="core.html#require" class="directive"><code class="directive">Require</code></a>
|
|
directive applies to more than one module; then the first module
|
|
will verify the credentials; and no access is passed on;
|
|
regardless of the AuthAuthoritative setting.</p>
|
|
|
|
<p>A common use for this is in conjunction with one of the
|
|
database modules; such as <code><a href="auth_dbm.html">auth_dbm</a></code>,
|
|
<code>mod_auth_msql</code>, and <code><a href="mod_auth_anon.html">mod_auth_anon</a></code>.
|
|
These modules supply the bulk of the user credential checking; but
|
|
a few (administrator) related accesses fall through to a lower
|
|
level with a well protected <a href="#authuserfile" class="directive"><code class="directive">AuthUserFile</code></a>.</p>
|
|
|
|
<p>By default; control is not passed on; and an unknown userID or
|
|
rule will result in an Authorization Required reply. Not setting
|
|
it thus keeps the system secure; and forces an NCSA compliant
|
|
behaviour.</p>
|
|
|
|
<blockquote><table><tr><td bgcolor="#e0e5f5"><p align="center"><strong>Security</strong></p> Do consider the implications of
|
|
allowing a user to allow fall-through in his .htaccess file; and
|
|
verify that this is really what you want; Generally it is easier
|
|
to just secure a single .htpasswd file, than it is to secure a
|
|
database such as mSQL. Make sure that the <a href="#authuserfile" class="directive"><code class="directive">AuthUserFile</code></a> is stored outside the
|
|
document tree of the web-server; do <em>not</em> put it in the
|
|
directory that it protects. Otherwise, clients will be able to
|
|
download the <a href="#authuserfile" class="directive"><code class="directive">AuthUserFile</code></a>.
|
|
</td></tr></table></blockquote>
|
|
</usage><hr/><h2><a name="AuthGroupFile">AuthGroupFile</a> <a name="authgroupfile">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td><strong>Description: </strong></td><td>Sets the name of a text file containing the list
|
|
of user groups for authentication</td></tr><tr><td><a href="directive-dict.html#Syntax" class="help">Syntax:</a></td><td><syntax>AuthGroupFile <em>file-path</em></syntax></td></tr><tr><td><a href="directive-dict.html#Context" class="help">Context:</a></td><td>directory, .htaccess</td></tr><tr><td><a href="directive-dict.html#Override" class="help">Override:</a></td><td>AuthConfig</td></tr><tr><td><a href="directive-dict.html#Status" class="help">Status:</a></td><td>Base</td></tr><tr><td><a href="directive-dict.html#Module" class="help">Module:</a></td><td>mod_auth</td></tr></table></td></tr></table><usage>
|
|
<p>The <code class="directive">AuthGroupFile</code> directive sets the
|
|
name of a textual file containing the list of user groups for user
|
|
authentication. <em>File-path</em> is the path to the group
|
|
file. If it is not absolute (<em>i.e.</em>, if it doesn't begin
|
|
with a slash), it is treated as relative to the <a href="core.html#serverroot" class="directive"><code class="directive">ServerRoot</code></a>.</p>
|
|
|
|
<p>Each line of the group file contains a groupname followed by a
|
|
colon, followed by the member usernames separated by spaces.
|
|
Example:</p>
|
|
|
|
<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>mygroup: bob joe anne</code></td></tr></table></blockquote>
|
|
|
|
<p>Note that searching large text files is <em>very</em>
|
|
inefficient; <a href="mod_auth_dbm.html#authdbmgroupfile" class="directive"><code class="directive">AuthDBMGroupFile</code></a> should be used
|
|
instead.</p>
|
|
|
|
<blockquote><table><tr><td bgcolor="#e0e5f5"><p align="center"><strong>Security</strong></p>
|
|
<p>Make sure that the AuthGroupFile is stored outside
|
|
the document tree of the web-server; do <em>not</em> put it in
|
|
the directory that it protects. Otherwise, clients will be able
|
|
to download the AuthGroupFile.</p>
|
|
</td></tr></table></blockquote>
|
|
</usage><hr/><h2><a name="AuthUserFile">AuthUserFile</a> <a name="authuserfile">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td><strong>Description: </strong></td><td>Sets the name of a text file containing the list of users and
|
|
passwords for authentication</td></tr><tr><td><a href="directive-dict.html#Syntax" class="help">Syntax:</a></td><td><syntax>AuthUserFile <em>file-path</em></syntax></td></tr><tr><td><a href="directive-dict.html#Context" class="help">Context:</a></td><td>directory, .htaccess</td></tr><tr><td><a href="directive-dict.html#Override" class="help">Override:</a></td><td>AuthConfig</td></tr><tr><td><a href="directive-dict.html#Status" class="help">Status:</a></td><td>Base</td></tr><tr><td><a href="directive-dict.html#Module" class="help">Module:</a></td><td>mod_auth</td></tr></table></td></tr></table><usage>
|
|
<p>The <code class="directive">AuthUserFile</code> directive sets the name
|
|
of a textual file containing the list of users and passwords for
|
|
user authentication. <em>File-path</em> is the path to the user
|
|
file. If it is not absolute (<em>i.e.</em>, if it doesn't begin
|
|
with a slash), it is treated as relative to the <a href="core.html#serverroot" class="directive"><code class="directive">ServerRoot</code></a>.</p>
|
|
|
|
<p>Each line of the user file file contains a username followed by
|
|
a colon, followed by the <code>crypt()</code> encrypted
|
|
password. The behavior of multiple occurrences of the same user is
|
|
undefined.</p>
|
|
|
|
<p>The utility <a href="../programs/htpasswd.html">htpasswd</a>
|
|
which is installed as part of the binary distribution, or which
|
|
can be found in <code>src/support</code>, is used to maintain
|
|
this password file. See the <code>man</code> page for more
|
|
details. In short:</p>
|
|
|
|
<p>Create a password file 'Filename' with 'username' as the
|
|
initial ID. It will prompt for the password:</p>
|
|
<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>htpasswd -c Filename username</code></td></tr></table></blockquote>
|
|
|
|
<p>Adds or modifies in password file 'Filename' the 'username':</p>
|
|
<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>htpasswd Filename username2</code></td></tr></table></blockquote>
|
|
|
|
<p>Note that searching large text files is <em>very</em>
|
|
inefficient; <a href="mod_auth_dbm.html#authdbmuserfile" class="directive"><code class="directive">AuthDBMUserFile</code></a> should be used
|
|
instead.</p>
|
|
|
|
<blockquote><table><tr><td bgcolor="#e0e5f5"><p align="center"><strong>Security</strong></p><p>Make sure that the AuthUserFile is
|
|
stored outside the document tree of the web-server; do <em>not</em>
|
|
put it in the directory that it protects. Otherwise, clients will be
|
|
able to download the AuthUserFile.</p></td></tr></table></blockquote>
|
|
|
|
</usage><hr/><h3 align="center">Apache HTTP Server Version 2.0</h3><a href="./"><img alt="Index" src="../images/index.gif"/></a><a href="../"><img alt="Home" src="../images/home.gif"/></a></blockquote></body></html> |