docs/manual/mod/mod_authz_core.xml - httpd - Git at Google

 <?xml version="1.0"?>
 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
 <!-- $LastChangedRevision$ -->

 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
 -->

 <modulesynopsis metafile="mod_authz_core.xml.meta">

 <name>mod_authz_core</name>
 <description>Core Authorization</description>
 <status>Base</status>
 <sourcefile>mod_authz_core.c</sourcefile>
 <identifier>authz_core_module</identifier>
 <compatibility>Available in Apache 2.3 and later</compatibility>

 <summary>
     <p>This module provides core authorization capabilities so that
     authenticated users can be allowed or denied access to portions
     of the web site. <module>mod_authz_core</module> provides the
     functionality to register various authorization providers. It is
     usually used in conjunction with an authentication
     provider module such as <module>mod_authn_file</module> and an
     authorization module such as <module>mod_authz_user</module>. It
     also allows for advanced logic to be applied to the
     authorization processing.</p>
 </summary>

 <section id="authzalias"><title>Creating Authorization Provider Aliases</title>

     <p>Extended authorization providers can be created within the configuration
     file and assigned an alias name.  The alias providers can then be referenced
     through the <directive module="mod_authz_core">Require</directive> and
     <directive module="mod_authz_core">Match</directive> directives
     in the same way as a base authorization provider.  Besides the ability to
     create and alias an extended provider, it also allows the same extended
     authorization provider to be reference by multiple locations.
     </p>

     <section id="example"><title>Example</title>
         <p>The example below creates two different ldap authorization provider
         aliases based on the ldap-group authorization provider.  This example
         allows a single authorization location to check group membership within
         multiple ldap hosts:
         </p>

         <example><title>Example</title>
           &lt;AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx&gt;<br />
           <indent>
              AuthLDAPBindDN cn=youruser,o=ctx<br />
              AuthLDAPBindPassword yourpassword<br />
              AuthLDAPURL ldap://ldap.host/o=ctx<br />
           </indent>
           &lt;/AuthzProviderAlias&gt;<br /><br />
           &lt;AuthzProviderAlias ldap-group ldap-group-alias2
            cn=my-other-group,o=dev&gt;<br />
           <indent>
              AuthLDAPBindDN cn=yourotheruser,o=dev<br />
              AuthLDAPBindPassword yourotherpassword<br />
              AuthLDAPURL ldap://other.ldap.host/o=dev?cn<br />
           </indent>
           &lt;/AuthzProviderAlias&gt;<br /><br />

           Alias /secure /webpages/secure<br />
           &lt;Directory /webpages/secure&gt;<br />
           <indent>
              Order deny,allow<br />
              Allow from all<br /><br />

              AuthBasicProvider file<br /><br />

              AuthType Basic<br />
              AuthName LDAP_Protected_Place<br /><br />

              #implied OR operation<br />
              Require alias1-ldap-group<br />
              Require alias2-ldap-group<br />
           </indent> &lt;/Directory&gt;<br />
         </example>
     </section>

 </section>

 <section id="logic"><title>Authorization Containers</title>

     <p>The authorization container directives
     <directive module="mod_authz_core" type="section">MatchAll</directive>,
     <directive module="mod_authz_core" type="section">MatchAny</directive>,
     <directive module="mod_authz_core" type="section">MatchNotAll</directive>
     and
     <directive module="mod_authz_core" type="section">MatchNotAny</directive>
     may be combined with each other and with the
     <directive module="mod_authz_core">Match</directive>
     directive to express complex authorization logic.</p>

     <p>The example below expresses the following authorization logic.
     In order to access the resource, the user must either be the
     <code>superadmin</code> user, or belong to both the
     <code>admins</code> group and the <code>Administrators</code> LDAP
     group and either belong to the <code>sales</code> group or
     have the LDAP <code>dept</code> attribute <code>sales</code>.
     Furthermore, in order to access the resource, the user must
     not belong to either the <code>temps</code> group or the
     LDAP group <code>Temporary Employees</code>.</p>

     <example>
         &lt;Directory /www/mydocs&gt;
         <indent>
             &lt;MatchAny&gt;
             <indent>
                 Match user superadmin<br />
                 &lt;MatchAll&gt;
                 <indent>
                     Match group admins<br />
                     Match ldap-group cn=Administrators,o=Airius<br />
                     &lt;MatchAny&gt;
                     <indent>
                         Match group sales<br />
                         Match ldap-attribute dept="sales"
                     </indent>
                     &lt;/MatchAny&gt;
                 </indent>
                 &lt;/MatchAll&gt;
             </indent>
             &lt;/MatchAny&gt;<br />
             &lt;MatchNotAny&gt;
             <indent>
                 Match group temps<br />
                 Match ldap-group cn=Temporary Employees,o=Airius
             </indent>
             &lt;/MatchNotAny&gt;
         </indent>
         &lt;/Directory&gt;
     </example>
 </section>

 <directivesynopsis>
 <name>Require</name>
 <description>Tests whether an authenticated user is authorized by
 an authorization provider.</description>
 <syntax>Require <var>entity-name</var> [<var>entity-name</var>] ...</syntax>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>

 <usage>
     <p>This directive tests whether an authenticated user is authorized
     according to a particular authorization provider and the specified
     restrictions.  Some of the allowed syntaxes provided by
     <module>mod_authz_user</module> and
     <module>mod_authz_groupfile</module> are:</p>

     <dl>
       <dt><code>Require user <var>userid</var> [<var>userid</var>]
       ...</code></dt>
       <dd>Only the named users can access the resource.</dd>

       <dt><code>Require group <var>group-name</var> [<var>group-name</var>]
       ...</code></dt>
       <dd>Only users in the named groups can access the resource.</dd>

       <dt><code>Require valid-user</code></dt>
       <dd>All valid users can access the resource.</dd>
     </dl>

     <p>Other authorization modules that implement require options
     include <module>mod_authnz_ldap</module>,
     <module>mod_authz_dbm</module>, <module>mod_authz_dbd</module>,
     <module>mod_authz_host</module>, and
     <module>mod_authz_owner</module>.</p>

     <p>For a complete authentication and authorization configuration,
     <directive>Require</directive> must be accompanied by
     <directive module="mod_authn_core">AuthName</directive>, <directive
     module="mod_authn_core">AuthType</directive> and
     <directive module="mod_auth_basic">AuthBasicProvider</directive> or
     <directive module="mod_auth_digest">AuthDigestProvider</directive>
     directives, and directives such as
     <directive module="mod_authn_file">AuthUserFile</directive>
     and <directive module="mod_authz_groupfile">AuthGroupFile</directive> (to
     define users and groups) in order to work correctly. Example:</p>

     <example>
        AuthType Basic<br />
        AuthName "Restricted Resource"<br />
        AuthBasicProvider file<br />
        AuthUserFile /web/users<br />
        AuthGroupFile /web/groups<br />
        Require group admin
     </example>

     <p>Access controls which are applied in this way are effective for
     <strong>all</strong> methods. <strong>This is what is normally
     desired.</strong> If you wish to apply access controls only to
     specific methods, while leaving other methods unprotected, then
     place the <directive>Require</directive> statement into a
     <directive module="core" type="section">Limit</directive>
     section.</p>

     <p>When multiple <directive>Require</directive> directives are
     used in a single
     <a href="../sections.html#mergin">configuration section</a>,
     the first one to authorize a user authorizes the entire request,
     and subsequent <directive>Require</directive> directives are
     ignored.  In other words, all <directive>Require</directive> directives
     are enclosed in an implied <directive module="mod_authz_core"
     type="section">MatchAny</directive> directive.</p>

     <note><directive>Require</directive> directives may not be combined
     with the <directive module="mod_authz_core">Match</directive> directive
     or any authorization container directives, such as
     <directive module="mod_authz_core"
     type="section">MatchAll</directive>.</note>
 </usage>

 <seealso><a href="../howto/auth.html">Authentication, Authorization,
     and Access Control</a></seealso>
 <seealso><module>mod_authn_core</module></seealso>
 <seealso><module>mod_authz_host</module></seealso>
 </directivesynopsis>

 <directivesynopsis>
 <name>Match</name>
 <description>Tests whether an authenticated user is authorized by
 an authorization provider.</description>
 <syntax>Match [not] <var>entity-name</var>
 [<var>entity-name</var>] ...</syntax>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>

 <usage>
     <p>This directive is similar to the
     <directive module="mod_authz_core">Require</directive> directive;
     it tests whether an authenticated user is authorized according to
     a particular authorization provider and the specified restrictions.</p>

     <p>Unlike the <directive module="mod_authz_core">Require</directive>
     directive, it may be used with and inside authorization container
     directives such as
     <directive module="mod_authz_core" type="section">MatchAll</directive>.</p>

     <p>Furthermore, its result may be negated through the use of the
     <code>not</code> option.  As with other negated authorization directives,
     in this case the <directive>Match</directive> directive may only
     either fail or return a neutral result, and can therefore never
     independently authorize a request.</p>

     <p>In the following example, all users in the <code>alpha</code>
     and <code>beta</code> groups are authorized, except for those who
     are also in the <code>reject</code> group.</p>

     <example>
         &lt;Directory /www/docs&gt;
         <indent>
             Match group alpha beta<br />
             Match not group reject
         </indent>
         &lt;/Directory&gt;
     </example>

     <p>When multiple <directive>Match</directive> directives are
     used in a single
     <a href="../sections.html#mergin">configuration section</a>
     and are not contained in another authorization directive like
     <directive module="mod_authz_core" type="section">MatchAny</directive>,
     they are implicitly contained within a
     <directive module="mod_authz_core" type="section">MatchAll</directive>
     directive.  Thus for the user to be authorized, all such
     <directive>Match</directive> directives must not fail, and
     at least one must be successful.</p>

     <note><directive>Match</directive> directives may not be combined
     with the <directive module="mod_authz_core">Require</directive>
     directive.</note>
 </usage>

 <seealso><directive module="mod_authz_core">Require</directive></seealso>
 <seealso><a href="#logic">Authorization Containers</a></seealso>
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
     and Access Control</a></seealso>
 </directivesynopsis>

 <directivesynopsis type="section">
 <name>MatchAll</name>
 <description>Enclose a group of authorization directives of which none
 must fail and at least one must succeed for the enclosing directive to
 succeed.</description>
 <syntax>&lt;MatchAll&gt;
 ... &lt;/MatchAll&gt;</syntax>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>

 <usage>
     <p><directive type="section">MatchAll</directive> and
     <code>&lt;/MatchAll&gt;</code> are used to enclose a group of
     authorization directives of which none must fail and at least one
     must succeed in order for
     the <directive type="section">MatchAll</directive> directive to
     succeed.</p>

     <p>If none of the directives contained within the
     <directive type="section">MatchAll</directive> directive fails,
     and at least one succeeds, then the
     <directive type="section">MatchAll</directive> directive
     succeeds.  If none succeed and none fail, then it returns a
     neutral result.  In all other cases, it fails.</p>
 </usage>

 <seealso><a href="#logic">Authorization Containers</a></seealso>
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
     and Access Control</a></seealso>

 </directivesynopsis>

 <directivesynopsis type="section">
 <name>MatchAny</name>
 <description>Enclose a group of authorization directives of which one
 must succeed for the enclosing directive to succeed.</description>
 <syntax>&lt;MatchAny&gt;
 ... &lt;/MatchAny&gt;</syntax>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>

 <usage>
     <p><directive type="section">MatchAny</directive> and
     <code>&lt;/MatchAny&gt;</code> are used to enclose a group of
     authorization directives of which one must succeed in order for
     the <directive type="section">MatchAny</directive> directive to
     succeed.</p>

     <p>If one or more of the directives contained within the
     <directive type="section">MatchAny</directive> directive succeed,
     then the <directive type="section">MatchAny</directive> directive
     succeeds.  If none succeed and none fail, then it returns a
     neutral result.  In all other cases, it fails.</p>

     <note>Because negated authorization directives are unable to
     return a successful result, they can not significantly influence
     the result of a <directive type="section">MatchAny</directive>
     directive.  (At most they could cause the directive to fail in
     the case where they failed and all other directives returned a
     neutral value.)  Therefore negated authorization directives
     are not permitted within a <directive type="section">MatchAny</directive>
     directive.</note>
 </usage>

 <seealso><a href="#logic">Authorization Containers</a></seealso>
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
     and Access Control</a></seealso>

 </directivesynopsis>

 <directivesynopsis type="section">
 <name>MatchNotAll</name>
 <description>Enclose a group of authorization directives of which some
 must fail or none must succeed for the enclosing directive to
 not fail.</description>
 <syntax>&lt;MatchNotAll&gt;
 ... &lt;/MatchNotAll&gt;</syntax>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>

 <usage>
     <p><directive type="section">MatchNotAll</directive> and
     <code>&lt;/MatchNotAll&gt;</code> are used to enclose a group of
     authorization directives of which some must fail or none must succeed
     in order for the
     <directive type="section">MatchNotAll</directive> directive to
     not fail.</p>

     <p>If none of the directives contained within the
     <directive type="section">MatchNotAll</directive> directive
     fail, and one or more succeed, then the
     <directive type="section">MatchNotAll</directive> directive fails.
     In all other cases, it returns a neutral result.  Thus as with
     the other negated authorization directives, it can never independently
     authorize a request because it can never return a successful result.
     It can be used, however, to restrict the set of users who are
     authorized to access a resource.</p>
 </usage>

 <seealso><a href="#logic">Authorization Containers</a></seealso>
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
     and Access Control</a></seealso>

 </directivesynopsis>

 <directivesynopsis type="section">
 <name>MatchNotAny</name>
 <description>Enclose a group of authorization directives of which none
 none must succeed for the enclosing directive to not fail.</description>
 <syntax>&lt;MatchNotAny&gt;
 ... &lt;/MatchNotAny&gt;</syntax>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>

 <usage>
     <p><directive type="section">MatchNotAny</directive> and
     <code>&lt;/MatchNotAny&gt;</code> are used to enclose a group of
     authorization directives of which none must succeed
     in order for the
     <directive type="section">MatchNotAny</directive> directive to
     not fail.</p>

     <p>If one or more of the directives contained within the
     <directive type="section">MatchNotAny</directive> directive succeed,
     then the <directive type="section">MatchNotAny</directive> directive
     fails.  In all other cases, it returns a neutral result.  Thus as with
     the other negated authorization directives, it can never independently
     authorize a request because it can never return a successful result.
     It can be used, however, to restrict the set of users who are
     authorized to access a resource.</p>

     <note>Because negated authorization directives are unable to
     return a successful result, they can not significantly influence
     the result of a <directive type="section">MatchNotAny</directive>
     directive.  Therefore negated authorization directives
     are not permitted within a
     <directive type="section">MatchNotAny</directive> directive.</note>
 </usage>

 <seealso><a href="#logic">Authorization Containers</a></seealso>
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
     and Access Control</a></seealso>

 </directivesynopsis>

 <directivesynopsis>
 <name>MergeAuthz</name>
 <description>Controls the manner in which each configuration section's
 authorization logic is combined with that of preceding configuration
 sections.</description>
 <syntax>MergeAuthz Off | MatchAll | MatchAny</syntax>
 <default>MergeAuthz Off</default>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>

 <usage>
     <p>When authorization is enabled, it is normally inherited by each
     subsequent <a href="../sections.html#mergin">configuration section</a>,
     unless a different set of authorization directives are specified.
     This is the default action, which corresponds to an explicit setting
     of <code>MergeAuthz Off</code>.</p>

     <p>However, there may be circumstances in which is it desirable
     for a configuration section's authorization to be combined with
     that of its predecessor while configuration sections are being
     merged.  Two options are available for this case, <code>MatchAll</code>
     and <code>MatchAny</code>.</p>

     <p>When a configuration section contains <code>AuthzMerge MatchAll</code>
     or <code>AuthzMerge MatchAny</code>,
     its authorization logic is combined with that of the nearest
     predecessor (according to the overall order of configuration sections)
     which also contains authorization logic as if the two sections
     were jointly contained within a
     <directive module="mod_authz_core" type="section">MatchAll</directive> or
     <directive module="mod_authz_core" type="section">MatchAny</directive>
     directive, respectively.</p>

     <note>The setting of <directive>AuthzMerge</directive> is not
     inherited outside of the configuration section in which it appears.
     In the following example, only users belonging to group <code>alpha</code>
     may access <code>/www/docs</code>.  Users belonging to either
     groups <code>alpha</code> or <code>beta</code> may access
     <code>/www/docs/ab</code>.  However, the default <code>Off</code>
     setting of <directive>AuthzMerge</directive> applies to the
     <directive type="section" module="core">Directory</directive>
     configuration section for <code>/www/docs/ab/gamma</code>, so
     that section's authorization directives override those of the
     preceding sections.  Thus only users belong to the group
     <code>gamma</code> may access <code>/www/docs/ab/gamma</code>.</note>

     <example>
         &lt;Directory /www/docs&gt;
         <indent>
             AuthType Basic<br />
             AuthName Documents<br />
             AuthBasicProvider file<br />
             AuthUserFile /usr/local/apache/passwd/passwords<br />
             Match group alpha
         </indent>
         &lt;/Directory&gt;<br />
         <br />
         &lt;Directory /www/docs/ab&gt;
         <indent>
             AuthzMerge MatchAny<br />
             Match group beta
         </indent>
         &lt;/Directory&gt;<br />
         <br />
         &lt;Directory /www/docs/ab/gamma&gt;
         <indent>
             Match group gamma
         </indent>
         &lt;/Directory&gt;
     </example>
 </usage>

 </directivesynopsis>

 <directivesynopsis type="section">
 <name>AuthzProviderAlias</name>
 <description>Enclose a group of directives that represent an
 extension of a base authorization provider and referenced by the specified
 alias</description>
 <syntax>&lt;AuthzProviderAlias <var>baseProvider Alias Require-Parameters</var>&gt;
 ... &lt;/AuthzProviderAlias&gt;
 </syntax>
 <contextlist><context>server config</context>
 </contextlist>

 <usage>
     <p><directive type="section">AuthzProviderAlias</directive> and
     <code>&lt;/AuthzProviderAlias&gt;</code> are used to enclose a group of
     authorization directives that can be referenced by the alias name using the
     directive <directive module="mod_authz_core">Require</directive>.</p>

 </usage>
 </directivesynopsis>

 </modulesynopsis>
	<?xml version="1.0"?>
	<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
	<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
	<!-- $LastChangedRevision$ -->

	<!--
	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->

	<modulesynopsis metafile="mod_authz_core.xml.meta">

	<name>mod_authz_core</name>
	<description>Core Authorization</description>
	<status>Base</status>
	<sourcefile>mod_authz_core.c</sourcefile>
	<identifier>authz_core_module</identifier>
	<compatibility>Available in Apache 2.3 and later</compatibility>

	<summary>
	<p>This module provides core authorization capabilities so that
	authenticated users can be allowed or denied access to portions
	of the web site. <module>mod_authz_core</module> provides the
	functionality to register various authorization providers. It is
	usually used in conjunction with an authentication
	provider module such as <module>mod_authn_file</module> and an
	authorization module such as <module>mod_authz_user</module>. It
	also allows for advanced logic to be applied to the
	authorization processing.</p>
	</summary>

	<section id="authzalias"><title>Creating Authorization Provider Aliases</title>

	<p>Extended authorization providers can be created within the configuration
	file and assigned an alias name. The alias providers can then be referenced
	through the <directive module="mod_authz_core">Require</directive> and
	<directive module="mod_authz_core">Match</directive> directives
	in the same way as a base authorization provider. Besides the ability to
	create and alias an extended provider, it also allows the same extended
	authorization provider to be reference by multiple locations.
	</p>

	<section id="example"><title>Example</title>
	<p>The example below creates two different ldap authorization provider
	aliases based on the ldap-group authorization provider. This example
	allows a single authorization location to check group membership within
	multiple ldap hosts:
	</p>

	<example><title>Example</title>
	<AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx><br />
	<indent>
	AuthLDAPBindDN cn=youruser,o=ctx<br />
	AuthLDAPBindPassword yourpassword<br />
	AuthLDAPURL ldap://ldap.host/o=ctx<br />
	</indent>
	</AuthzProviderAlias><br /><br />
	<AuthzProviderAlias ldap-group ldap-group-alias2
	cn=my-other-group,o=dev><br />
	<indent>
	AuthLDAPBindDN cn=yourotheruser,o=dev<br />
	AuthLDAPBindPassword yourotherpassword<br />
	AuthLDAPURL ldap://other.ldap.host/o=dev?cn<br />
	</indent>
	</AuthzProviderAlias><br /><br />

	Alias /secure /webpages/secure<br />
	<Directory /webpages/secure><br />
	<indent>
	Order deny,allow<br />
	Allow from all<br /><br />

	AuthBasicProvider file<br /><br />

	AuthType Basic<br />
	AuthName LDAP_Protected_Place<br /><br />

	#implied OR operation<br />
	Require alias1-ldap-group<br />
	Require alias2-ldap-group<br />
	</indent> </Directory><br />
	</example>
	</section>

	</section>

	<section id="logic"><title>Authorization Containers</title>

	<p>The authorization container directives
	<directive module="mod_authz_core" type="section">MatchAll</directive>,
	<directive module="mod_authz_core" type="section">MatchAny</directive>,
	<directive module="mod_authz_core" type="section">MatchNotAll</directive>
	and
	<directive module="mod_authz_core" type="section">MatchNotAny</directive>
	may be combined with each other and with the
	<directive module="mod_authz_core">Match</directive>
	directive to express complex authorization logic.</p>

	<p>The example below expresses the following authorization logic.
	In order to access the resource, the user must either be the
	<code>superadmin</code> user, or belong to both the
	<code>admins</code> group and the <code>Administrators</code> LDAP
	group and either belong to the <code>sales</code> group or
	have the LDAP <code>dept</code> attribute <code>sales</code>.
	Furthermore, in order to access the resource, the user must
	not belong to either the <code>temps</code> group or the
	LDAP group <code>Temporary Employees</code>.</p>

	<example>
	<Directory /www/mydocs>
	<indent>
	<MatchAny>
	<indent>
	Match user superadmin<br />
	<MatchAll>
	<indent>
	Match group admins<br />
	Match ldap-group cn=Administrators,o=Airius<br />
	<MatchAny>
	<indent>
	Match group sales<br />
	Match ldap-attribute dept="sales"
	</indent>
	</MatchAny>
	</indent>
	</MatchAll>
	</indent>
	</MatchAny><br />
	<MatchNotAny>
	<indent>
	Match group temps<br />
	Match ldap-group cn=Temporary Employees,o=Airius
	</indent>
	</MatchNotAny>
	</indent>
	</Directory>
	</example>
	</section>

	<directivesynopsis>
	<name>Require</name>
	<description>Tests whether an authenticated user is authorized by
	an authorization provider.</description>
	<syntax>Require <var>entity-name</var> [<var>entity-name</var>] ...</syntax>
	<contextlist><context>directory</context><context>.htaccess</context>
	</contextlist>
	<override>AuthConfig</override>

	<usage>
	<p>This directive tests whether an authenticated user is authorized
	according to a particular authorization provider and the specified
	restrictions. Some of the allowed syntaxes provided by
	<module>mod_authz_user</module> and
	<module>mod_authz_groupfile</module> are:</p>

	<dl>
	<dt><code>Require user <var>userid</var> [<var>userid</var>]
	...</code></dt>
	<dd>Only the named users can access the resource.</dd>

	<dt><code>Require group <var>group-name</var> [<var>group-name</var>]
	...</code></dt>
	<dd>Only users in the named groups can access the resource.</dd>

	<dt><code>Require valid-user</code></dt>
	<dd>All valid users can access the resource.</dd>
	</dl>

	<p>Other authorization modules that implement require options
	include <module>mod_authnz_ldap</module>,
	<module>mod_authz_dbm</module>, <module>mod_authz_dbd</module>,
	<module>mod_authz_host</module>, and
	<module>mod_authz_owner</module>.</p>

	<p>For a complete authentication and authorization configuration,
	<directive>Require</directive> must be accompanied by
	<directive module="mod_authn_core">AuthName</directive>, <directive
	module="mod_authn_core">AuthType</directive> and
	<directive module="mod_auth_basic">AuthBasicProvider</directive> or
	<directive module="mod_auth_digest">AuthDigestProvider</directive>
	directives, and directives such as
	<directive module="mod_authn_file">AuthUserFile</directive>
	and <directive module="mod_authz_groupfile">AuthGroupFile</directive> (to
	define users and groups) in order to work correctly. Example:</p>

	<example>
	AuthType Basic<br />
	AuthName "Restricted Resource"<br />
	AuthBasicProvider file<br />
	AuthUserFile /web/users<br />
	AuthGroupFile /web/groups<br />
	Require group admin
	</example>

	<p>Access controls which are applied in this way are effective for
	<strong>all</strong> methods. <strong>This is what is normally
	desired.</strong> If you wish to apply access controls only to
	specific methods, while leaving other methods unprotected, then
	place the <directive>Require</directive> statement into a
	<directive module="core" type="section">Limit</directive>
	section.</p>

	<p>When multiple <directive>Require</directive> directives are
	used in a single
	<a href="../sections.html#mergin">configuration section</a>,
	the first one to authorize a user authorizes the entire request,
	and subsequent <directive>Require</directive> directives are
	ignored. In other words, all <directive>Require</directive> directives
	are enclosed in an implied <directive module="mod_authz_core"
	type="section">MatchAny</directive> directive.</p>

	<note><directive>Require</directive> directives may not be combined
	with the <directive module="mod_authz_core">Match</directive> directive
	or any authorization container directives, such as
	<directive module="mod_authz_core"
	type="section">MatchAll</directive>.</note>
	</usage>

	<seealso><a href="../howto/auth.html">Authentication, Authorization,
	and Access Control</a></seealso>
	<seealso><module>mod_authn_core</module></seealso>
	<seealso><module>mod_authz_host</module></seealso>
	</directivesynopsis>

	<directivesynopsis>
	<name>Match</name>
	<description>Tests whether an authenticated user is authorized by
	an authorization provider.</description>
	<syntax>Match [not] <var>entity-name</var>
	[<var>entity-name</var>] ...</syntax>
	<contextlist><context>directory</context><context>.htaccess</context>
	</contextlist>
	<override>AuthConfig</override>

	<usage>
	<p>This directive is similar to the
	<directive module="mod_authz_core">Require</directive> directive;
	it tests whether an authenticated user is authorized according to
	a particular authorization provider and the specified restrictions.</p>

	<p>Unlike the <directive module="mod_authz_core">Require</directive>
	directive, it may be used with and inside authorization container
	directives such as
	<directive module="mod_authz_core" type="section">MatchAll</directive>.</p>

	<p>Furthermore, its result may be negated through the use of the
	<code>not</code> option. As with other negated authorization directives,
	in this case the <directive>Match</directive> directive may only
	either fail or return a neutral result, and can therefore never
	independently authorize a request.</p>

	<p>In the following example, all users in the <code>alpha</code>
	and <code>beta</code> groups are authorized, except for those who
	are also in the <code>reject</code> group.</p>

	<example>
	<Directory /www/docs>
	<indent>
	Match group alpha beta<br />
	Match not group reject
	</indent>
	</Directory>
	</example>

	<p>When multiple <directive>Match</directive> directives are
	used in a single
	<a href="../sections.html#mergin">configuration section</a>
	and are not contained in another authorization directive like
	<directive module="mod_authz_core" type="section">MatchAny</directive>,
	they are implicitly contained within a
	<directive module="mod_authz_core" type="section">MatchAll</directive>
	directive. Thus for the user to be authorized, all such
	<directive>Match</directive> directives must not fail, and
	at least one must be successful.</p>

	<note><directive>Match</directive> directives may not be combined
	with the <directive module="mod_authz_core">Require</directive>
	directive.</note>
	</usage>

	<seealso><directive module="mod_authz_core">Require</directive></seealso>
	<seealso><a href="#logic">Authorization Containers</a></seealso>
	<seealso><a href="../howto/auth.html">Authentication, Authorization,
	and Access Control</a></seealso>
	</directivesynopsis>

	<directivesynopsis type="section">
	<name>MatchAll</name>
	<description>Enclose a group of authorization directives of which none
	must fail and at least one must succeed for the enclosing directive to
	succeed.</description>
	<syntax><MatchAll>
	... </MatchAll></syntax>
	<contextlist><context>directory</context><context>.htaccess</context>
	</contextlist>
	<override>AuthConfig</override>

	<usage>
	<p><directive type="section">MatchAll</directive> and
	<code></MatchAll></code> are used to enclose a group of
	authorization directives of which none must fail and at least one
	must succeed in order for
	the <directive type="section">MatchAll</directive> directive to
	succeed.</p>

	<p>If none of the directives contained within the
	<directive type="section">MatchAll</directive> directive fails,
	and at least one succeeds, then the
	<directive type="section">MatchAll</directive> directive
	succeeds. If none succeed and none fail, then it returns a
	neutral result. In all other cases, it fails.</p>
	</usage>

	<seealso><a href="#logic">Authorization Containers</a></seealso>
	<seealso><a href="../howto/auth.html">Authentication, Authorization,
	and Access Control</a></seealso>

	</directivesynopsis>

	<directivesynopsis type="section">
	<name>MatchAny</name>
	<description>Enclose a group of authorization directives of which one
	must succeed for the enclosing directive to succeed.</description>
	<syntax><MatchAny>
	... </MatchAny></syntax>
	<contextlist><context>directory</context><context>.htaccess</context>
	</contextlist>
	<override>AuthConfig</override>

	<usage>
	<p><directive type="section">MatchAny</directive> and
	<code></MatchAny></code> are used to enclose a group of
	authorization directives of which one must succeed in order for
	the <directive type="section">MatchAny</directive> directive to
	succeed.</p>

	<p>If one or more of the directives contained within the
	<directive type="section">MatchAny</directive> directive succeed,
	then the <directive type="section">MatchAny</directive> directive
	succeeds. If none succeed and none fail, then it returns a
	neutral result. In all other cases, it fails.</p>

	<note>Because negated authorization directives are unable to
	return a successful result, they can not significantly influence
	the result of a <directive type="section">MatchAny</directive>
	directive. (At most they could cause the directive to fail in
	the case where they failed and all other directives returned a
	neutral value.) Therefore negated authorization directives
	are not permitted within a <directive type="section">MatchAny</directive>
	directive.</note>
	</usage>

	<seealso><a href="#logic">Authorization Containers</a></seealso>
	<seealso><a href="../howto/auth.html">Authentication, Authorization,
	and Access Control</a></seealso>

	</directivesynopsis>

	<directivesynopsis type="section">
	<name>MatchNotAll</name>
	<description>Enclose a group of authorization directives of which some
	must fail or none must succeed for the enclosing directive to
	not fail.</description>
	<syntax><MatchNotAll>
	... </MatchNotAll></syntax>
	<contextlist><context>directory</context><context>.htaccess</context>
	</contextlist>
	<override>AuthConfig</override>

	<usage>
	<p><directive type="section">MatchNotAll</directive> and
	<code></MatchNotAll></code> are used to enclose a group of
	authorization directives of which some must fail or none must succeed
	in order for the
	<directive type="section">MatchNotAll</directive> directive to
	not fail.</p>

	<p>If none of the directives contained within the
	<directive type="section">MatchNotAll</directive> directive
	fail, and one or more succeed, then the
	<directive type="section">MatchNotAll</directive> directive fails.
	In all other cases, it returns a neutral result. Thus as with
	the other negated authorization directives, it can never independently
	authorize a request because it can never return a successful result.
	It can be used, however, to restrict the set of users who are
	authorized to access a resource.</p>
	</usage>

	<seealso><a href="#logic">Authorization Containers</a></seealso>
	<seealso><a href="../howto/auth.html">Authentication, Authorization,
	and Access Control</a></seealso>

	</directivesynopsis>

	<directivesynopsis type="section">
	<name>MatchNotAny</name>
	<description>Enclose a group of authorization directives of which none
	none must succeed for the enclosing directive to not fail.</description>
	<syntax><MatchNotAny>
	... </MatchNotAny></syntax>
	<contextlist><context>directory</context><context>.htaccess</context>
	</contextlist>
	<override>AuthConfig</override>

	<usage>
	<p><directive type="section">MatchNotAny</directive> and
	<code></MatchNotAny></code> are used to enclose a group of
	authorization directives of which none must succeed
	in order for the
	<directive type="section">MatchNotAny</directive> directive to
	not fail.</p>

	<p>If one or more of the directives contained within the
	<directive type="section">MatchNotAny</directive> directive succeed,
	then the <directive type="section">MatchNotAny</directive> directive
	fails. In all other cases, it returns a neutral result. Thus as with
	the other negated authorization directives, it can never independently
	authorize a request because it can never return a successful result.
	It can be used, however, to restrict the set of users who are
	authorized to access a resource.</p>

	<note>Because negated authorization directives are unable to
	return a successful result, they can not significantly influence
	the result of a <directive type="section">MatchNotAny</directive>
	directive. Therefore negated authorization directives
	are not permitted within a
	<directive type="section">MatchNotAny</directive> directive.</note>
	</usage>

	<seealso><a href="#logic">Authorization Containers</a></seealso>
	<seealso><a href="../howto/auth.html">Authentication, Authorization,
	and Access Control</a></seealso>

	</directivesynopsis>

	<directivesynopsis>
	<name>MergeAuthz</name>
	<description>Controls the manner in which each configuration section's
	authorization logic is combined with that of preceding configuration
	sections.</description>
	<syntax>MergeAuthz Off \| MatchAll \| MatchAny</syntax>
	<default>MergeAuthz Off</default>
	<contextlist><context>directory</context><context>.htaccess</context>
	</contextlist>
	<override>AuthConfig</override>

	<usage>
	<p>When authorization is enabled, it is normally inherited by each
	subsequent <a href="../sections.html#mergin">configuration section</a>,
	unless a different set of authorization directives are specified.
	This is the default action, which corresponds to an explicit setting
	of <code>MergeAuthz Off</code>.</p>

	<p>However, there may be circumstances in which is it desirable
	for a configuration section's authorization to be combined with
	that of its predecessor while configuration sections are being
	merged. Two options are available for this case, <code>MatchAll</code>
	and <code>MatchAny</code>.</p>

	<p>When a configuration section contains <code>AuthzMerge MatchAll</code>
	or <code>AuthzMerge MatchAny</code>,
	its authorization logic is combined with that of the nearest
	predecessor (according to the overall order of configuration sections)
	which also contains authorization logic as if the two sections
	were jointly contained within a
	<directive module="mod_authz_core" type="section">MatchAll</directive> or
	<directive module="mod_authz_core" type="section">MatchAny</directive>
	directive, respectively.</p>

	<note>The setting of <directive>AuthzMerge</directive> is not
	inherited outside of the configuration section in which it appears.
	In the following example, only users belonging to group <code>alpha</code>
	may access <code>/www/docs</code>. Users belonging to either
	groups <code>alpha</code> or <code>beta</code> may access
	<code>/www/docs/ab</code>. However, the default <code>Off</code>
	setting of <directive>AuthzMerge</directive> applies to the
	<directive type="section" module="core">Directory</directive>
	configuration section for <code>/www/docs/ab/gamma</code>, so
	that section's authorization directives override those of the
	preceding sections. Thus only users belong to the group
	<code>gamma</code> may access <code>/www/docs/ab/gamma</code>.</note>

	<example>
	<Directory /www/docs>
	<indent>
	AuthType Basic<br />
	AuthName Documents<br />
	AuthBasicProvider file<br />
	AuthUserFile /usr/local/apache/passwd/passwords<br />
	Match group alpha
	</indent>
	</Directory><br />
	<br />
	<Directory /www/docs/ab>
	<indent>
	AuthzMerge MatchAny<br />
	Match group beta
	</indent>
	</Directory><br />
	<br />
	<Directory /www/docs/ab/gamma>
	<indent>
	Match group gamma
	</indent>
	</Directory>
	</example>
	</usage>

	</directivesynopsis>

	<directivesynopsis type="section">
	<name>AuthzProviderAlias</name>
	<description>Enclose a group of directives that represent an
	extension of a base authorization provider and referenced by the specified
	alias</description>
	<syntax><AuthzProviderAlias <var>baseProvider Alias Require-Parameters</var>>
	... </AuthzProviderAlias>
	</syntax>
	<contextlist><context>server config</context>
	</contextlist>

	<usage>
	<p><directive type="section">AuthzProviderAlias</directive> and
	<code></AuthzProviderAlias></code> are used to enclose a group of
	authorization directives that can be referenced by the alias name using the
	directive <directive module="mod_authz_core">Require</directive>.</p>

	</usage>
	</directivesynopsis>

	</modulesynopsis>