mirror of
https://github.com/apache/httpd.git
synced 2025-05-17 15:21:13 +03:00
f88b50dec4
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91116 13f79535-47bb-0310-9956-ffa450edef68
222 lines
9.1 KiB
HTML
222 lines
9.1 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<meta name="generator" content="HTML Tidy, see www.w3.org" />
|
|
|
|
<title>Apache module mod_auth</title>
|
|
</head>
|
|
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
|
|
|
|
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
|
|
vlink="#000080" alink="#FF0000">
|
|
<!--#include virtual="header.html" -->
|
|
|
|
<h1 align="CENTER">Module mod_auth</h1>
|
|
|
|
<p>This module provides for user authentication using text
|
|
files.</p>
|
|
|
|
<p><a href="module-dict.html#Status"
|
|
rel="Help"><strong>Status:</strong></a> Base<br />
|
|
<a href="module-dict.html#SourceFile"
|
|
rel="Help"><strong>Source File:</strong></a> mod_auth.c<br />
|
|
<a href="module-dict.html#ModuleIdentifier"
|
|
rel="Help"><strong>Module Identifier:</strong></a>
|
|
auth_module</p>
|
|
|
|
<h2>Summary</h2>
|
|
|
|
<p>This module allows the use of HTTP Basic Authentication to
|
|
restrict access by looking up users in plain text password and
|
|
group files. Similar functionality and greater scalability is
|
|
provided by <a href="mod_auth_dbm.html">mod_auth_dbm</a> and <a
|
|
href="mod_auth_db.html">mod_auth_db</a>. HTTP Digest
|
|
Authentication is provided by <a
|
|
href="mod_auth_digest.html">mod_auth_digest</a>.</p>
|
|
|
|
<h2>Directives</h2>
|
|
|
|
<ul>
|
|
<li><a href="#authgroupfile">AuthGroupFile</a></li>
|
|
|
|
<li><a href="#authuserfile">AuthUserFile</a></li>
|
|
|
|
<li><a href="#authauthoritative">AuthAuthoritative</a></li>
|
|
</ul>
|
|
|
|
<p>See also: <a href="core.html#require">require</a> and <a
|
|
href="core.html#satisfy">satisfy</a>.</p>
|
|
<hr />
|
|
|
|
<h2><a id="authgroupfile"
|
|
name="authgroupfile">AuthGroupFile</a> directive</h2>
|
|
<!--%plaintext <?INDEX {\tt AuthGroupFile} directive> -->
|
|
<a href="directive-dict.html#Syntax"
|
|
rel="Help"><strong>Syntax:</strong></a> AuthGroupFile
|
|
<em>file-path</em><br />
|
|
<a href="directive-dict.html#Context"
|
|
rel="Help"><strong>Context:</strong></a> directory,
|
|
.htaccess<br />
|
|
<a href="directive-dict.html#Override"
|
|
rel="Help"><strong>Override:</strong></a> AuthConfig<br />
|
|
<a href="directive-dict.html#Status"
|
|
rel="Help"><strong>Status:</strong></a> Base<br />
|
|
<a href="directive-dict.html#Module"
|
|
rel="Help"><strong>Module:</strong></a> mod_auth
|
|
|
|
<p>The AuthGroupFile directive sets the name of a textual file
|
|
containing the list of user groups for user authentication.
|
|
<em>File-path</em> is the path to the group file. If it is not
|
|
absolute (<em>i.e.</em>, if it doesn't begin with a slash), it
|
|
is treated as relative to the ServerRoot.</p>
|
|
|
|
<p>Each line of the group file contains a groupname followed by
|
|
a colon, followed by the member usernames separated by spaces.
|
|
Example:</p>
|
|
|
|
<blockquote>
|
|
<code>mygroup: bob joe anne</code>
|
|
</blockquote>
|
|
Note that searching large text files is <em>very</em>
|
|
inefficient; <a
|
|
href="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</a>
|
|
should be used instead.
|
|
|
|
<p>Security: make sure that the AuthGroupFile is stored outside
|
|
the document tree of the web-server; do <em>not</em> put it in
|
|
the directory that it protects. Otherwise, clients will be able
|
|
to download the AuthGroupFile.</p>
|
|
|
|
<p>See also <a href="core.html#authname">AuthName</a>, <a
|
|
href="core.html#authtype">AuthType</a> and <a
|
|
href="#authuserfile">AuthUserFile</a>.</p>
|
|
<hr />
|
|
|
|
<h2><a id="authuserfile" name="authuserfile">AuthUserFile</a>
|
|
directive</h2>
|
|
<!--%plaintext <?INDEX {\tt AuthUserFile} directive> -->
|
|
<a href="directive-dict.html#Syntax"
|
|
rel="Help"><strong>Syntax:</strong></a> AuthUserFile
|
|
<em>file-path</em><br />
|
|
<a href="directive-dict.html#Context"
|
|
rel="Help"><strong>Context:</strong></a> directory,
|
|
.htaccess<br />
|
|
<a href="directive-dict.html#Override"
|
|
rel="Help"><strong>Override:</strong></a> AuthConfig<br />
|
|
<a href="directive-dict.html#Status"
|
|
rel="Help"><strong>Status:</strong></a> Base<br />
|
|
<a href="directive-dict.html#Module"
|
|
rel="Help"><strong>Module:</strong></a> mod_auth
|
|
|
|
<p>The AuthUserFile directive sets the name of a textual file
|
|
containing the list of users and passwords for user
|
|
authentication. <em>File-path</em> is the path to the user
|
|
file. If it is not absolute (<em>i.e.</em>, if it doesn't begin
|
|
with a slash), it is treated as relative to the ServerRoot.</p>
|
|
|
|
<p>Each line of the user file file contains a username followed
|
|
by a colon, followed by the crypt() encrypted password. The
|
|
behavior of multiple occurrences of the same user is
|
|
undefined.</p>
|
|
|
|
<p>The utility <a href="../programs/htpasswd.html">htpasswd</a>
|
|
which is installed as part of the binary distribution, or which
|
|
can be found in <code>src/support</code>, is used to maintain
|
|
this password file. See the <code>man</code> page for more
|
|
details. In short</p>
|
|
|
|
<blockquote>
|
|
<code>htpasswd -c Filename username</code><br />
|
|
Create a password file 'Filename' with 'username' as the
|
|
initial ID. It will prompt for the password. <code>htpasswd
|
|
Filename username2</code><br />
|
|
Adds or modifies in password file 'Filename' the 'username'.
|
|
</blockquote>
|
|
|
|
<p>Note that searching large text files is <em>very</em>
|
|
inefficient; <a
|
|
href="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</a>
|
|
should be used instead.</p>
|
|
|
|
<p>Security: make sure that the AuthUserFile is stored outside
|
|
the document tree of the web-server; do <em>not</em> put it in
|
|
the directory that it protects. Otherwise, clients will be able
|
|
to download the AuthUserFile.</p>
|
|
|
|
<p>See also <a href="core.html#authname">AuthName</a>, <a
|
|
href="core.html#authtype">AuthType</a> and <a
|
|
href="#authgroupfile">AuthGroupFile</a>.</p>
|
|
<hr />
|
|
|
|
<h2><a id="authauthoritative"
|
|
name="authauthoritative">AuthAuthoritative</a> directive</h2>
|
|
<!--%plaintext <?INDEX {\tt AuthAuthoritative} directive> -->
|
|
<a href="directive-dict.html#Syntax"
|
|
rel="Help"><strong>Syntax:</strong></a> AuthAuthoritative
|
|
on|off<br />
|
|
<a href="directive-dict.html#Default"
|
|
rel="Help"><strong>Default:</strong></a>
|
|
<code>AuthAuthoritative on</code><br />
|
|
<a href="directive-dict.html#Context"
|
|
rel="Help"><strong>Context:</strong></a> directory,
|
|
.htaccess<br />
|
|
<a href="directive-dict.html#Override"
|
|
rel="Help"><strong>Override:</strong></a> AuthConfig<br />
|
|
<a href="directive-dict.html#Status"
|
|
rel="Help"><strong>Status:</strong></a> Base<br />
|
|
<a href="directive-dict.html#Module"
|
|
rel="Help"><strong>Module:</strong></a> mod_auth
|
|
|
|
<p>Setting the AuthAuthoritative directive explicitly to
|
|
<strong>'off'</strong> allows for both authentication and
|
|
authorization to be passed on to lower level modules (as
|
|
defined in the <code>Configuration</code> and
|
|
<code>modules.c</code> files) if there is <strong>no
|
|
userID</strong> or <strong>rule</strong> matching the supplied
|
|
userID. If there is a userID and/or rule specified; the usual
|
|
password and access checks will be applied and a failure will
|
|
give an Authorization Required reply.</p>
|
|
|
|
<p>So if a userID appears in the database of more than one
|
|
module; or if a valid <code>Require</code> directive applies to
|
|
more than one module; then the first module will verify the
|
|
credentials; and no access is passed on; regardless of the
|
|
AuthAuthoritative setting.</p>
|
|
|
|
<p>A common use for this is in conjunction with one of the
|
|
database modules; such as <a
|
|
href="mod_auth_db.html"><code>mod_auth_db.c</code></a>, <a
|
|
href="mod_auth_dbm.html"><code>mod_auth_dbm.c</code></a>,
|
|
<code>mod_auth_msql.c</code>, and <a
|
|
href="mod_auth_anon.html"><code>mod_auth_anon.c</code></a>.
|
|
These modules supply the bulk of the user credential checking;
|
|
but a few (administrator) related accesses fall through to a
|
|
lower level with a well protected AuthUserFile.</p>
|
|
|
|
<p><a href="directive-dict.html#Default"
|
|
rel="Help"><strong>Default:</strong></a> By default; control is
|
|
not passed on; and an unknown userID or rule will result in an
|
|
Authorization Required reply. Not setting it thus keeps the
|
|
system secure; and forces an NCSA compliant behaviour.</p>
|
|
|
|
<p>Security: Do consider the implications of allowing a user to
|
|
allow fall-through in his .htaccess file; and verify that this
|
|
is really what you want; Generally it is easier to just secure
|
|
a single .htpasswd file, than it is to secure a database such
|
|
as mSQL. Make sure that the AuthUserFile is stored outside the
|
|
document tree of the web-server; do <em>not</em> put it in the
|
|
directory that it protects. Otherwise, clients will be able to
|
|
download the AuthUserFile.</p>
|
|
|
|
<p>See also <a href="core.html#authname">AuthName</a>, <a
|
|
href="core.html#authtype">AuthType</a> and <a
|
|
href="#authgroupfile">AuthGroupFile</a>.</p>
|
|
|
|
<p><!--#include virtual="footer.html" -->
|
|
</p>
|
|
</body>
|
|
</html>
|
|
|