| <?xml version="1.0"?> |
| <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd"> |
| <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?> |
| <modulesynopsis> |
| |
| <name>mod_auth</name> |
| <description>User authentication using text files</description> |
| <status>Obsolete</status> |
| <hint>obsolete since 2.0.44</hint> |
| <sourcefile>mod_auth.c</sourcefile> |
| <identifier>auth_module</identifier> |
| <compatibility>Available only in versions up to 2.0.43</compatibility> |
| |
| <summary> |
| <note type="warning"><title>This module is obsolete!</title> |
| <p>Note, that this module has been marked as obsolete. A bunch |
| of modules was introduced in Apache version 2.0.44 that |
| support the new Authentication/Authorization provider mechnism.</p> |
| |
| <p>In order to get the ability of HTTP Basic Authentication, you have |
| to use the <module>mod_auth_basic</module> module that implements |
| the HTTP part. <module>mod_authn_file</module> provides for user |
| authentication based on plain text files. File based group |
| authorization is now done by the <module>mod_authz_groupfile</module> |
| module.</p> |
| |
| <p>This document is kept only for historical reasons and no |
| longer maintained.</p> |
| </note> |
| |
| <p>This module allows the use of HTTP Basic Authentication to |
| restrict access by looking up users in plain text password and |
| group files. Similar functionality and greater scalability is |
| provided by <module status="obsolete">mod_auth_dbm</module>. HTTP Digest |
| Authentication is provided by |
| <module status="obsolete">mod_auth_digest</module>.</p> |
| |
| </summary> |
| <seealso><directive module="core">Require</directive></seealso> |
| <seealso><directive module="core">Satisfy</directive></seealso> |
| <seealso><directive module="core">AuthName</directive></seealso> |
| <seealso><directive module="core">AuthType</directive></seealso> |
| |
| <directivesynopsis> |
| <name>AuthGroupFile</name> |
| <description>Sets the name of a text file containing the list |
| of user groups for authentication</description> |
| <syntax>AuthGroupFile <var>file-path</var></syntax> |
| <contextlist><context>directory</context><context>.htaccess</context> |
| </contextlist> |
| <override>AuthConfig</override> |
| |
| <usage> |
| <p>The <directive>AuthGroupFile</directive> directive sets the |
| name of a textual file containing the list of user groups for user |
| authentication. <var>File-path</var> is the path to the group |
| file. If it is not absolute (<em>i.e.</em>, if it doesn't begin |
| with a slash), it is treated as relative to the <directive |
| module="core">ServerRoot</directive>.</p> |
| |
| <p>Each line of the group file contains a groupname followed by a |
| colon, followed by the member usernames separated by spaces. |
| Example:</p> |
| |
| <example>mygroup: bob joe anne</example> |
| |
| <p>Note that searching large text files is <em>very</em> |
| inefficient; <directive |
| module="mod_auth_dbm" status="obsolete">AuthDBMGroupFile</directive> should be used |
| instead.</p> |
| |
| <note><title>Security</title> |
| <p>Make sure that the <directive>AuthGroupFile</directive> is |
| stored outside the document tree of the web-server; do <em>not</em> |
| put it in the directory that it protects. Otherwise, clients will |
| be able to download the <directive>AuthGroupFile</directive>.</p> |
| </note> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>AuthUserFile</name> |
| <description>Sets the name of a text file containing the list of users and |
| passwords for authentication</description> |
| <syntax>AuthUserFile <var>file-path</var></syntax> |
| <contextlist><context>directory</context><context>.htaccess</context> |
| </contextlist> |
| <override>AuthConfig</override> |
| |
| <usage> |
| <p>The <directive>AuthUserFile</directive> directive sets the name |
| of a textual file containing the list of users and passwords for |
| user authentication. <var>File-path</var> is the path to the user |
| file. If it is not absolute (<em>i.e.</em>, if it doesn't begin |
| with a slash), it is treated as relative to the <directive |
| module="core">ServerRoot</directive>.</p> |
| |
| <p>Each line of the user file contains a username followed by |
| a colon, followed by the <code>crypt()</code> encrypted |
| password. The behavior of multiple occurrences of the same user is |
| undefined.</p> |
| |
| <p>The utility <a href="../programs/htpasswd.html">htpasswd</a> |
| which is installed as part of the binary distribution, or which |
| can be found in <code>src/support</code>, is used to maintain |
| this password file. See the <code>man</code> page for more |
| details. In short:</p> |
| |
| <p>Create a password file 'Filename' with 'username' as the |
| initial ID. It will prompt for the password:</p> |
| |
| <example>htpasswd -c Filename username</example> |
| |
| <p>Add or modify 'username2' in the password file 'Filename':</p> |
| |
| <example>htpasswd Filename username2</example> |
| |
| <p>Note that searching large text files is <em>very</em> |
| inefficient; <directive |
| module="mod_auth_dbm" status="obsolete">AuthDBMUserFile</directive> should be used |
| instead.</p> |
| |
| <note><title>Security</title> |
| <p>Make sure that the <directive>AuthUserFile</directive> is |
| stored outside the document tree of the web-server; do <em>not</em> |
| put it in the directory that it protects. Otherwise, clients will |
| be able to download the <directive>AuthUserFile</directive>.</p> |
| </note> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>AuthAuthoritative</name> |
| <description>Sets whether authorization and authentication are |
| passed to lower level modules</description> |
| <syntax>AuthAuthoritative on|off</syntax> |
| <default>AuthAuthoritative on</default> |
| <contextlist><context>directory</context><context>.htaccess</context> |
| </contextlist> |
| <override>AuthConfig</override> |
| |
| <usage> |
| <note>This information has not been updated for Apache 2.0, which |
| uses a different system for module ordering.</note> |
| |
| <p>Setting the <directive>AuthAuthoritative</directive> directive |
| explicitly to <strong>'off'</strong> allows for both |
| authentication and authorization to be passed on to lower level |
| modules (as defined in the <code>Configuration</code> and |
| <code>modules.c</code> files) if there is <strong>no |
| userID</strong> or <strong>rule</strong> matching the supplied |
| userID. If there is a userID and/or rule specified; the usual |
| password and access checks will be applied and a failure will give |
| an Authorization Required reply.</p> |
| |
| <p>So if a userID appears in the database of more than one module; |
| or if a valid <directive module="core">Require</directive> |
| directive applies to more than one module; then the first module |
| will verify the credentials; and no access is passed on; |
| regardless of the AuthAuthoritative setting.</p> |
| |
| <p>A common use for this is in conjunction with one of the |
| database modules; such as <module status="obsolete">mod_auth_dbm</module>, |
| <code>mod_auth_msql</code>, and <module status="obsolete">mod_auth_anon</module>. |
| These modules supply the bulk of the user credential checking; but |
| a few (administrator) related accesses fall through to a lower |
| level with a well protected <directive |
| module="mod_auth" status="obsolete">AuthUserFile</directive>.</p> |
| |
| <p>By default; control is not passed on; and an unknown userID or |
| rule will result in an Authorization Required reply. Not setting |
| it thus keeps the system secure; and forces an NCSA compliant |
| behaviour.</p> |
| |
| <note><title>Security</title> Do consider the implications of |
| allowing a user to allow fall-through in his .htaccess file; and |
| verify that this is really what you want; Generally it is easier |
| to just secure a single .htpasswd file, than it is to secure a |
| database such as mSQL. Make sure that the <directive |
| module="mod_auth" status="obsolete">AuthUserFile</directive> and the <directive |
| module="mod_auth" status="obsolete">AuthGroupFile</directive> are stored outside the |
| document tree of the web-server; do <em>not</em> put them in the |
| directory that they protect. Otherwise, clients will be able to |
| download the <directive module="mod_auth" status="obsolete">AuthUserFile</directive> |
| and the <directive module="mod_auth" status="obsolete">AuthGroupFile</directive>. |
| </note> |
| </usage> |
| </directivesynopsis> |
| |
| </modulesynopsis> |