docs/manual/mod/mod_auth.html - httpd - Git at Google

 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 <HTML>
 <HEAD>
 <TITLE>Apache module mod_auth</TITLE>
 </HEAD>

 <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
 <BODY
  BGCOLOR="#FFFFFF"
  TEXT="#000000"
  LINK="#0000FF"
  VLINK="#000080"
  ALINK="#FF0000"
 >
 <!--#include virtual="header.html" -->

 <H1 ALIGN="CENTER">Module mod_auth</h1>

 This module is contained in the <code>mod_auth.c</code> file, and
 is compiled in by default. It provides for user authentication using
 textual files.


 <menu>
 <li><A HREF="#authgroupfile">AuthGroupFile</A>
 <li><A HREF="#authuserfile">AuthUserFile</A>
 <li><A HREF="#authauthoritative">AuthAuthoritative</A>
 </menu>
 <hr>


 <A name="authgroupfile"><h2>AuthGroupFile</h2></A>
 <!--%plaintext &lt;?INDEX {\tt AuthGroupFile} directive&gt; -->
 <strong>Syntax:</strong> AuthGroupFile <em>filename</em><br>
 <Strong>Context:</strong> directory, .htaccess<br>
 <Strong>Override:</strong> AuthConfig<br>
 <strong>Status:</strong> Base<br>
 <strong>Module:</strong> mod_auth<p>

 The AuthGroupFile directive sets the name of a textual file containing the list
 of user groups for user authentication. <em>Filename</em> is the absolute path
 to the group file.<p>
 Each line of the group file contains a groupname followed by a colon, followed
 by the member usernames separated by spaces. Example:
 <blockquote><code>mygroup: bob joe anne</code></blockquote>
 Note that searching large groups files is <em>very</em> inefficient;
 <A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A> should
 be used instead.<p>

 Security: make sure that the AuthGroupFile is stored outside the
 document tree of the web-server; do <em>not</em> put it in the directory that
 it protects. Otherwise, clients will be able to download the AuthGroupFile.<p>

 See also <A HREF="core.html#authname">AuthName</A>,
 <A HREF="core.html#authtype">AuthType</A> and
 <A HREF="#authuserfile">AuthUserFile</A>.<p><hr>

 <A name="authuserfile"><h2>AuthUserFile</h2></A>
 <!--%plaintext &lt;?INDEX {\tt AuthUserFile} directive&gt; -->
 <strong>Syntax:</strong> AuthUserFile <em>filename</em><br>
 <Strong>Context:</strong> directory, .htaccess<br>
 <Strong>Override:</strong> AuthConfig<br>
 <strong>Status:</strong> Base<br>
 <strong>Module:</strong> mod_auth<p>

 The AuthUserFile directive sets the name of a textual file containing
 the list of users and passwords for user
 authentication. <em>Filename</em> is the absolute path to the user
 file.<p> Each line of the user file file contains a username followed
 by a colon, followed by the crypt() encrypted password. The behavior
 of multiple occurrences of the same user is undefined.<p> Note that
 searching user groups files is inefficient; <A
 HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A> should be
 used instead.<p>

 Security: make sure that the AuthUserFile is stored outside the
 document tree of the web-server; do <em>not</em> put it in the directory that
 it protects. Otherwise, clients will be able to download the AuthUserFile.<p>

 See also <A HREF="core.html#authname">AuthName</A>,
 <A HREF="core.html#authtype">AuthType</A> and
 <A HREF="#authgroupfile">AuthGroupFile</A>.<p>
 <hr>
 <A name="authauthoritative"><h2>AuthAuthoritative</h2></A>
 <!--%plaintext &lt;?INDEX {\tt AuthAuthoritative} directive&gt; -->
 <strong>Syntax:</strong> AuthAuthoritative &lt; <strong> on</strong>(default) | off &gt; <br>
 <Strong>Context:</strong> directory, .htaccess<br>
 <Strong>Override:</strong> AuthConfig<br>
 <strong>Status:</strong> Base<br>
 <strong>Module:</strong> mod_auth<p>

 Setting the AuthAuthoritative directive explicitly to <b>'off'</b>
 allows for both authentication and authorization to be passed on to
 lower level modules (as defined in the <code>Configuration</code> and
 <code>modules.c</code> files) if there is <b>no userID</b> or
 <b>rule</b> matching the supplied userID. If there is a userID and/or
 rule specified; the usual password and access checks will be applied
 and a failure will give an Authorization Required reply.

 <p>

 So if a userID appears in the database of more than one module; or if
 a valid require directive applies to more than one module; then the
 first module will verify the credentials; and no access is passed on;
 regardless of the AuthAuthoritative setting.

 <p>

 A common use for this is in conjunction with one of the database
 modules; such as <a
 href="mod_auth_db.html"><code>mod_auth_db.c</code></a>, <a
 href="mod_auth_dbm.html"><code>mod_auth_dbm.c</code></a>, <a
 href="mod_auth_msql.html"><code>mod_auth_msql.c</code></a> and <a
 href="mod_auth_anon.html"><code>mod_auth_anon.c</code></a>. These modules
 supply the bulk of the user credential checking; but a few
 (administrator) related accesses fall through to a lower level with a
 well protected AuthUserFile.

 <p>

 <b>Default:</b> By default; control is not passed on; and an unknown
 userID or rule will result in an Authorization Required reply. Not
 setting it thus keeps the system secure; and forces an NSCA compliant
 behaviour.

 <p>

 Security: Do consider the implications of allowing a user to allow
 fall-through in his .htaccess file; and verify that this is really
 what you want; Generally it is easier to just secure a single
 .htpasswd file, than it is to secure a database such as mSQL. Make
 sure that the AuthUserFile is stored outside the document tree of the
 web-server; do <em>not</em> put it in the directory that it
 protects. Otherwise, clients will be able to download the
 AuthUserFile.

 <p>
 See also <A HREF="core.html#authname">AuthName</A>,
 <A HREF="core.html#authtype">AuthType</A> and
 <A HREF="#authgroupfile">AuthGroupFile</A>.<p>

 <!--#include virtual="footer.html" -->
 </BODY>
 </HTML>
	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
	<HTML>
	<HEAD>
	<TITLE>Apache module mod_auth</TITLE>
	</HEAD>

	<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
	<BODY
	BGCOLOR="#FFFFFF"
	TEXT="#000000"
	LINK="#0000FF"
	VLINK="#000080"
	ALINK="#FF0000"
	>
	<!--#include virtual="header.html" -->

	<H1 ALIGN="CENTER">Module mod_auth</h1>

	This module is contained in the <code>mod_auth.c</code> file, and
	is compiled in by default. It provides for user authentication using
	textual files.


	<menu>
	<li><A HREF="#authgroupfile">AuthGroupFile</A>
	<li><A HREF="#authuserfile">AuthUserFile</A>
	<li><A HREF="#authauthoritative">AuthAuthoritative</A>
	</menu>
	<hr>


	<A name="authgroupfile"><h2>AuthGroupFile</h2></A>
	<!--%plaintext <?INDEX {\tt AuthGroupFile} directive> -->
	<strong>Syntax:</strong> AuthGroupFile <em>filename</em><br>
	<Strong>Context:</strong> directory, .htaccess<br>
	<Strong>Override:</strong> AuthConfig<br>
	<strong>Status:</strong> Base<br>
	<strong>Module:</strong> mod_auth<p>

	The AuthGroupFile directive sets the name of a textual file containing the list
	of user groups for user authentication. <em>Filename</em> is the absolute path
	to the group file.<p>
	Each line of the group file contains a groupname followed by a colon, followed
	by the member usernames separated by spaces. Example:
	<blockquote><code>mygroup: bob joe anne</code></blockquote>
	Note that searching large groups files is <em>very</em> inefficient;
	<A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A> should
	be used instead.<p>

	Security: make sure that the AuthGroupFile is stored outside the
	document tree of the web-server; do <em>not</em> put it in the directory that
	it protects. Otherwise, clients will be able to download the AuthGroupFile.<p>

	See also <A HREF="core.html#authname">AuthName</A>,
	<A HREF="core.html#authtype">AuthType</A> and
	<A HREF="#authuserfile">AuthUserFile</A>.<p><hr>

	<A name="authuserfile"><h2>AuthUserFile</h2></A>
	<!--%plaintext <?INDEX {\tt AuthUserFile} directive> -->
	<strong>Syntax:</strong> AuthUserFile <em>filename</em><br>
	<Strong>Context:</strong> directory, .htaccess<br>
	<Strong>Override:</strong> AuthConfig<br>
	<strong>Status:</strong> Base<br>
	<strong>Module:</strong> mod_auth<p>

	The AuthUserFile directive sets the name of a textual file containing
	the list of users and passwords for user
	authentication. <em>Filename</em> is the absolute path to the user
	file.<p> Each line of the user file file contains a username followed
	by a colon, followed by the crypt() encrypted password. The behavior
	of multiple occurrences of the same user is undefined.<p> Note that
	searching user groups files is inefficient; <A
	HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A> should be
	used instead.<p>

	Security: make sure that the AuthUserFile is stored outside the
	document tree of the web-server; do <em>not</em> put it in the directory that
	it protects. Otherwise, clients will be able to download the AuthUserFile.<p>

	See also <A HREF="core.html#authname">AuthName</A>,
	<A HREF="core.html#authtype">AuthType</A> and
	<A HREF="#authgroupfile">AuthGroupFile</A>.<p>
	<hr>
	<A name="authauthoritative"><h2>AuthAuthoritative</h2></A>
	<!--%plaintext <?INDEX {\tt AuthAuthoritative} directive> -->
	<strong>Syntax:</strong> AuthAuthoritative < <strong> on</strong>(default) \| off > <br>
	<Strong>Context:</strong> directory, .htaccess<br>
	<Strong>Override:</strong> AuthConfig<br>
	<strong>Status:</strong> Base<br>
	<strong>Module:</strong> mod_auth<p>

	Setting the AuthAuthoritative directive explicitly to <b>'off'</b>
	allows for both authentication and authorization to be passed on to
	lower level modules (as defined in the <code>Configuration</code> and
	<code>modules.c</code> files) if there is <b>no userID</b> or
	<b>rule</b> matching the supplied userID. If there is a userID and/or
	rule specified; the usual password and access checks will be applied
	and a failure will give an Authorization Required reply.

	<p>

	So if a userID appears in the database of more than one module; or if
	a valid require directive applies to more than one module; then the
	first module will verify the credentials; and no access is passed on;
	regardless of the AuthAuthoritative setting.

	<p>

	A common use for this is in conjunction with one of the database
	modules; such as <a
	href="mod_auth_db.html"><code>mod_auth_db.c</code></a>, <a
	href="mod_auth_dbm.html"><code>mod_auth_dbm.c</code></a>, <a
	href="mod_auth_msql.html"><code>mod_auth_msql.c</code></a> and <a
	href="mod_auth_anon.html"><code>mod_auth_anon.c</code></a>. These modules
	supply the bulk of the user credential checking; but a few
	(administrator) related accesses fall through to a lower level with a
	well protected AuthUserFile.

	<p>

	<b>Default:</b> By default; control is not passed on; and an unknown
	userID or rule will result in an Authorization Required reply. Not
	setting it thus keeps the system secure; and forces an NSCA compliant
	behaviour.

	<p>

	Security: Do consider the implications of allowing a user to allow
	fall-through in his .htaccess file; and verify that this is really
	what you want; Generally it is easier to just secure a single
	.htpasswd file, than it is to secure a database such as mSQL. Make
	sure that the AuthUserFile is stored outside the document tree of the
	web-server; do <em>not</em> put it in the directory that it
	protects. Otherwise, clients will be able to download the
	AuthUserFile.

	<p>
	See also <A HREF="core.html#authname">AuthName</A>,
	<A HREF="core.html#authtype">AuthType</A> and
	<A HREF="#authgroupfile">AuthGroupFile</A>.<p>

	<!--#include virtual="footer.html" -->
	</BODY>
	</HTML>