| <?xml version="1.0"?> |
| <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd"> |
| <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?> |
| <!-- $LastChangedRevision$ --> |
| |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
| <modulesynopsis metafile="mod_authn_core.xml.meta"> |
| |
| <name>mod_authn_core</name> |
| <description>Core Authentication</description> |
| <status>Base</status> |
| <sourcefile>mod_authn_core.c</sourcefile> |
| <identifier>authn_core_module</identifier> |
| <compatibility>Available in Apache 2.3 and later</compatibility> |
| |
| <summary> |
| <p>This module provides core authentication capabilities to |
| allow or deny access to portions of the web site. |
| <module>mod_authn_core</module> provides directives that are |
| common to all authentication providers.</p> |
| </summary> |
| |
| <section id="authnalias"><title>Creating Authentication Provider Aliases</title> |
| |
| <p>Extended authentication providers can be created |
| within the configuration file and assigned an alias name. The alias |
| providers can then be referenced through the directives |
| <directive module="mod_auth_basic">AuthBasicProvider</directive> or |
| <directive module="mod_auth_digest">AuthDigestProvider</directive> in |
| the same way as a base authentication provider. Besides the ability |
| to create and alias an extended provider, it also allows the same |
| extended authentication provider to be reference by multiple |
| locations.</p> |
| |
| <section id="example"><title>Examples</title> |
| |
| <p>This example checks for passwords in two different text |
| files.</p> |
| |
| <example><title>Checking multiple text password files</title> |
| <highlight language="config"> |
| # Check here first |
| <AuthnProviderAlias file file1> |
| AuthUserFile "/www/conf/passwords1" |
| </AuthnProviderAlias> |
| |
| # Then check here |
| <AuthnProviderAlias file file2> |
| AuthUserFile "/www/conf/passwords2" |
| </AuthnProviderAlias> |
| |
| <Directory "/var/web/pages/secure"> |
| AuthBasicProvider file1 file2 |
| |
| AuthType Basic |
| AuthName "Protected Area" |
| Require valid-user |
| </Directory> |
| </highlight> |
| </example> |
| |
| <p>The example below creates two different ldap authentication |
| provider aliases based on the ldap provider. This allows |
| a single authenticated location to be serviced by multiple ldap |
| hosts:</p> |
| |
| <example><title>Checking multiple LDAP servers</title> |
| <highlight language="config"> |
| <AuthnProviderAlias ldap ldap-alias1> |
| AuthLDAPBindDN "cn=youruser,o=ctx" |
| AuthLDAPBindPassword yourpassword |
| AuthLDAPURL "ldap://ldap.host/o=ctx" |
| </AuthnProviderAlias> |
| <AuthnProviderAlias ldap ldap-other-alias> |
| AuthLDAPBindDN "cn=yourotheruser,o=dev" |
| AuthLDAPBindPassword yourotherpassword |
| AuthLDAPURL "ldap://other.ldap.host/o=dev?cn" |
| </AuthnProviderAlias> |
| |
| Alias "/secure" "/webpages/secure" |
| <Directory "/webpages/secure"> |
| AuthBasicProvider ldap-other-alias ldap-alias1 |
| |
| AuthType Basic |
| AuthName "LDAP Protected Place" |
| Require valid-user |
| # Note that Require ldap-* would not work here, since the |
| # AuthnProviderAlias does not provide the config to authorization providers |
| # that are implemented in the same module as the authentication provider. |
| </Directory> |
| </highlight> |
| </example> |
| </section> |
| |
| </section> |
| |
| |
| <directivesynopsis> |
| <name>AuthName</name> |
| <description>Authorization realm for use in HTTP |
| authentication</description> |
| <syntax>AuthName <var>auth-domain</var></syntax> |
| <contextlist><context>directory</context><context>.htaccess</context> |
| </contextlist> |
| <override>AuthConfig</override> |
| |
| <usage> |
| <p>This directive sets the name of the authorization realm for a |
| directory. This realm is given to the client so that the user |
| knows which username and password to send. |
| <directive>AuthName</directive> takes a single argument; if the |
| realm name contains spaces, it must be enclosed in quotation |
| marks. It must be accompanied by <directive |
| module="mod_authn_core">AuthType</directive> and <directive |
| module="mod_authz_core">Require</directive> directives, and directives such |
| as <directive module="mod_authn_file">AuthUserFile</directive> and |
| <directive module="mod_authz_groupfile">AuthGroupFile</directive> to |
| work.</p> |
| |
| <p>For example:</p> |
| |
| <highlight language="config"> |
| AuthName "Top Secret" |
| </highlight> |
| |
| <p>The string provided for the <code>AuthName</code> is what will |
| appear in the password dialog provided by most browsers.</p> |
| |
| <p>From 2.5.0, <a href="../expr.html">expression syntax</a> can be |
| used inside the directive to produce the name dynamically.</p> |
| |
| <p>For example:</p> |
| |
| <highlight language="config"> |
| AuthName "%{HTTP_HOST}" |
| </highlight> |
| |
| </usage> |
| <seealso><a |
| href="../howto/auth.html">Authentication, Authorization, and |
| Access Control</a></seealso> |
| <seealso><module>mod_authz_core</module></seealso> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>AuthType</name> |
| <description>Type of user authentication</description> |
| <syntax>AuthType None|Basic|Digest|Form</syntax> |
| <contextlist><context>directory</context><context>.htaccess</context> |
| </contextlist> |
| <override>AuthConfig</override> |
| |
| <usage> |
| <p>This directive selects the type of user authentication for a |
| directory. The authentication types available are <code>None</code>, |
| <code>Basic</code> (implemented by |
| <module>mod_auth_basic</module>), <code>Digest</code> |
| (implemented by <module>mod_auth_digest</module>), and |
| <code>Form</code> (implemented by <module>mod_auth_form</module>).</p> |
| |
| <p>To implement authentication, you must also use the <directive |
| module="mod_authn_core">AuthName</directive> and <directive |
| module="mod_authz_core">Require</directive> directives. In addition, the |
| server must have an authentication-provider module such as |
| <module>mod_authn_file</module> and an authorization module such |
| as <module>mod_authz_user</module>.</p> |
| |
| <p>The authentication type <code>None</code> disables authentication. |
| When authentication is enabled, it is normally inherited by each |
| subsequent <a href="../sections.html#mergin">configuration section</a>, |
| unless a different authentication type is specified. If no |
| authentication is desired for a subsection of an authenticated |
| section, the authentication type <code>None</code> may be used; |
| in the following example, clients may access the |
| <code>/www/docs/public</code> directory without authenticating:</p> |
| |
| <highlight language="config"> |
| <Directory "/www/docs"> |
| AuthType Basic |
| AuthName Documents |
| AuthBasicProvider file |
| AuthUserFile "/usr/local/apache/passwd/passwords" |
| Require valid-user |
| </Directory> |
| |
| <Directory "/www/docs/public"> |
| AuthType None |
| Require all granted |
| </Directory> |
| </highlight> |
| |
| <p>From 2.5.0, <a href="../expr.html">expression syntax</a> can be |
| used inside the directive to specify the type dynamically.</p> |
| |
| <note>When disabling authentication, note that clients which have |
| already authenticated against another portion of the server's document |
| tree will typically continue to send authentication HTTP headers |
| or cookies with each request, regardless of whether the server |
| actually requires authentication for every resource.</note> |
| </usage> |
| |
| <seealso><a href="../howto/auth.html">Authentication, Authorization, |
| and Access Control</a></seealso> |
| </directivesynopsis> |
| |
| <directivesynopsis type="section"> |
| <name>AuthnProviderAlias</name> |
| <description>Enclose a group of directives that represent an |
| extension of a base authentication provider and referenced by |
| the specified alias</description> |
| <syntax><AuthnProviderAlias <var>baseProvider Alias</var>> |
| ... </AuthnProviderAlias></syntax> |
| <contextlist><context>server config</context> |
| </contextlist> |
| |
| <usage> |
| <p><code><AuthnProviderAlias></code> and |
| <code></AuthnProviderAlias></code> are used to enclose a group of |
| authentication directives that can be referenced by the alias name |
| using one of the directives <directive module="mod_auth_basic"> |
| AuthBasicProvider</directive> or <directive module="mod_auth_digest"> |
| AuthDigestProvider</directive>.</p> |
| |
| <note>This directive has no affect on authorization, even for modules that |
| provide both authentication and authorization.</note> |
| </usage> |
| </directivesynopsis> |
| |
| </modulesynopsis> |