docs/manual/mod/mod_auth.html - httpd - Git at Google

 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 <HTML>
 <HEAD>
 <TITLE>Apache module mod_auth</TITLE>
 </HEAD>

 <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
 <BODY
  BGCOLOR="#FFFFFF"
  TEXT="#000000"
  LINK="#0000FF"
  VLINK="#000080"
  ALINK="#FF0000"
 >
 <!--#include virtual="header.html" -->

 <H1 ALIGN="CENTER">Module mod_auth</H1>

 This module is contained in the <CODE>mod_auth.c</CODE> file, and
 is compiled in by default. It provides for user authentication using
 textual files.


 <MENU>
 <LI><A HREF="#authgroupfile">AuthGroupFile</A>
 <LI><A HREF="#authuserfile">AuthUserFile</A>
 <LI><A HREF="#authauthoritative">AuthAuthoritative</A>
 </MENU>
 <HR>


 <H2><A NAME="authgroupfile">AuthGroupFile</A></H2>
 <!--%plaintext &lt;?INDEX {\tt AuthGroupFile} directive&gt; -->
 <A
  HREF="directive-dict.html#Syntax"
  REL="Help"
 ><STRONG>Syntax:</STRONG></A> AuthGroupFile <EM>filename</EM><BR>
 <A
  HREF="directive-dict.html#Context"
  REL="Help"
 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 <A
  HREF="directive-dict.html#Override"
  REL="Help"
 ><STRONG>Override:</STRONG></A> AuthConfig<BR>
 <A
  HREF="directive-dict.html#Status"
  REL="Help"
 ><STRONG>Status:</STRONG></A> Base<BR>
 <A
  HREF="directive-dict.html#Module"
  REL="Help"
 ><STRONG>Module:</STRONG></A> mod_auth<P>

 The AuthGroupFile directive sets the name of a textual file containing the list
 of user groups for user authentication. <EM>Filename</EM> is the path
 to the group file.  If it is not absolute (<EM>i.e.</EM>, if it
 doesn't begin with a slash), it is treated as relative to the ServerRoot.
 <P>
 Each line of the group file contains a groupname followed by a colon, followed
 by the member usernames separated by spaces. Example:
 <BLOCKQUOTE><CODE>mygroup: bob joe anne</CODE></BLOCKQUOTE>
 Note that searching large text files is <EM>very</EM> inefficient;
 <A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A> should
 be used instead.<P>

 Security: make sure that the AuthGroupFile is stored outside the
 document tree of the web-server; do <EM>not</EM> put it in the directory that
 it protects. Otherwise, clients will be able to download the AuthGroupFile.<P>

 See also <A HREF="core.html#authname">AuthName</A>,
 <A HREF="core.html#authtype">AuthType</A> and
 <A HREF="#authuserfile">AuthUserFile</A>.<P><HR>

 <H2><A NAME="authuserfile">AuthUserFile</A></H2>
 <!--%plaintext &lt;?INDEX {\tt AuthUserFile} directive&gt; -->
 <A
  HREF="directive-dict.html#Syntax"
  REL="Help"
 ><STRONG>Syntax:</STRONG></A> AuthUserFile <EM>filename</EM><BR>
 <A
  HREF="directive-dict.html#Context"
  REL="Help"
 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 <A
  HREF="directive-dict.html#Override"
  REL="Help"
 ><STRONG>Override:</STRONG></A> AuthConfig<BR>
 <A
  HREF="directive-dict.html#Status"
  REL="Help"
 ><STRONG>Status:</STRONG></A> Base<BR>
 <A
  HREF="directive-dict.html#Module"
  REL="Help"
 ><STRONG>Module:</STRONG></A> mod_auth<P>

 The AuthUserFile directive sets the name of a textual file containing
 the list of users and passwords for user
 authentication. <EM>Filename</EM> is the path to the user
 file. If it is not absolute (<EM>i.e.</EM>, if it doesn't begin with a
 slash), it is treated as relative to the ServerRoot.
 <P> Each line of the user file file contains a username followed
 by a colon, followed by the crypt() encrypted password. The behavior
 of multiple occurrences of the same user is undefined.
 <P>
 The utility <code>htpasswd</code> which is installed as part of the
 binary distribution, or which can be found in <code>src/support</code>,
 is used to maintain this password file. See the <code>man</code>
 page for more details. In short
 <p>
 <blockquote>
 	<code>htpasswd -c Filename username</code><br>
 	Create a password file 'Filename' with 'username'
 	as the initial ID. It will prompt for the password.
 	<code>htpasswd Filename username2</code><br>
 	Adds or modifies in password file 'Filename' the 'username'.
 </blockquote>
 <P> Note that
 searching large text files is <EM>very</EM> inefficient;
 <A HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A> should be
 used instead.
 <P>

 Security: make sure that the AuthUserFile is stored outside the
 document tree of the web-server; do <EM>not</EM> put it in the directory that
 it protects. Otherwise, clients will be able to download the AuthUserFile.<P>

 See also <A HREF="core.html#authname">AuthName</A>,
 <A HREF="core.html#authtype">AuthType</A> and
 <A HREF="#authgroupfile">AuthGroupFile</A>.<P>
 <HR>
 <H2><A NAME="authauthoritative">AuthAuthoritative</A></H2>
 <!--%plaintext &lt;?INDEX {\tt AuthAuthoritative} directive&gt; -->
 <A
  HREF="directive-dict.html#Syntax"
  REL="Help"
 ><STRONG>Syntax:</STRONG></A> AuthAuthoritative &lt;
  <STRONG> on</STRONG>(default) | off &gt; <BR>
 <A
  HREF="directive-dict.html#Context"
  REL="Help"
 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 <A
  HREF="directive-dict.html#Override"
  REL="Help"
 ><STRONG>Override:</STRONG></A> AuthConfig<BR>
 <A
  HREF="directive-dict.html#Status"
  REL="Help"
 ><STRONG>Status:</STRONG></A> Base<BR>
 <A
  HREF="directive-dict.html#Module"
  REL="Help"
 ><STRONG>Module:</STRONG></A> mod_auth<P>

 Setting the AuthAuthoritative directive explicitly to <STRONG>'off'</STRONG>
 allows for both authentication and authorization to be passed on to
 lower level modules (as defined in the <CODE>Configuration</CODE> and
 <CODE>modules.c</CODE> files) if there is <STRONG>no userID</STRONG> or
 <STRONG>rule</STRONG> matching the supplied userID. If there is a userID and/or
 rule specified; the usual password and access checks will be applied
 and a failure will give an Authorization Required reply.

 <P>

 So if a userID appears in the database of more than one module; or if
 a valid require directive applies to more than one module; then the
 first module will verify the credentials; and no access is passed on;
 regardless of the AuthAuthoritative setting.

 <P>

 A common use for this is in conjunction with one of the database
 modules; such as <A
 HREF="mod_auth_db.html"><CODE>mod_auth_db.c</CODE></A>, <A
 HREF="mod_auth_dbm.html"><CODE>mod_auth_dbm.c</CODE></A>,
 <CODE>mod_auth_msql.c</CODE>, and <A
 HREF="mod_auth_anon.html"><CODE>mod_auth_anon.c</CODE></A>. These modules
 supply the bulk of the user credential checking; but a few
 (administrator) related accesses fall through to a lower level with a
 well protected AuthUserFile.

 <P>

 <A
  HREF="directive-dict.html#Default"
  REL="Help"
 ><STRONG>Default:</STRONG></A> By default; control is not passed on; and an
  unknown
 userID or rule will result in an Authorization Required reply. Not
 setting it thus keeps the system secure; and forces an NCSA compliant
 behaviour.

 <P>

 Security: Do consider the implications of allowing a user to allow
 fall-through in his .htaccess file; and verify that this is really
 what you want; Generally it is easier to just secure a single
 .htpasswd file, than it is to secure a database such as mSQL. Make
 sure that the AuthUserFile is stored outside the document tree of the
 web-server; do <EM>not</EM> put it in the directory that it
 protects. Otherwise, clients will be able to download the
 AuthUserFile.

 <P>
 See also <A HREF="core.html#authname">AuthName</A>,
 <A HREF="core.html#authtype">AuthType</A> and
 <A HREF="#authgroupfile">AuthGroupFile</A>.<P>

 <!--#include virtual="footer.html" -->
 </BODY>
 </HTML>
	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
	<HTML>
	<HEAD>
	<TITLE>Apache module mod_auth</TITLE>
	</HEAD>

	<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
	<BODY
	BGCOLOR="#FFFFFF"
	TEXT="#000000"
	LINK="#0000FF"
	VLINK="#000080"
	ALINK="#FF0000"
	>
	<!--#include virtual="header.html" -->

	<H1 ALIGN="CENTER">Module mod_auth</H1>

	This module is contained in the <CODE>mod_auth.c</CODE> file, and
	is compiled in by default. It provides for user authentication using
	textual files.


	<MENU>
	<LI><A HREF="#authgroupfile">AuthGroupFile</A>
	<LI><A HREF="#authuserfile">AuthUserFile</A>
	<LI><A HREF="#authauthoritative">AuthAuthoritative</A>
	</MENU>
	<HR>


	<H2><A NAME="authgroupfile">AuthGroupFile</A></H2>
	<!--%plaintext <?INDEX {\tt AuthGroupFile} directive> -->
	<A
	HREF="directive-dict.html#Syntax"
	REL="Help"
	><STRONG>Syntax:</STRONG></A> AuthGroupFile <EM>filename</EM><BR>
	<A
	HREF="directive-dict.html#Context"
	REL="Help"
	><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
	<A
	HREF="directive-dict.html#Override"
	REL="Help"
	><STRONG>Override:</STRONG></A> AuthConfig<BR>
	<A
	HREF="directive-dict.html#Status"
	REL="Help"
	><STRONG>Status:</STRONG></A> Base<BR>
	<A
	HREF="directive-dict.html#Module"
	REL="Help"
	><STRONG>Module:</STRONG></A> mod_auth<P>

	The AuthGroupFile directive sets the name of a textual file containing the list
	of user groups for user authentication. <EM>Filename</EM> is the path
	to the group file. If it is not absolute (<EM>i.e.</EM>, if it
	doesn't begin with a slash), it is treated as relative to the ServerRoot.
	<P>
	Each line of the group file contains a groupname followed by a colon, followed
	by the member usernames separated by spaces. Example:
	<BLOCKQUOTE><CODE>mygroup: bob joe anne</CODE></BLOCKQUOTE>
	Note that searching large text files is <EM>very</EM> inefficient;
	<A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A> should
	be used instead.<P>

	Security: make sure that the AuthGroupFile is stored outside the
	document tree of the web-server; do <EM>not</EM> put it in the directory that
	it protects. Otherwise, clients will be able to download the AuthGroupFile.<P>

	See also <A HREF="core.html#authname">AuthName</A>,
	<A HREF="core.html#authtype">AuthType</A> and
	<A HREF="#authuserfile">AuthUserFile</A>.<P><HR>

	<H2><A NAME="authuserfile">AuthUserFile</A></H2>
	<!--%plaintext <?INDEX {\tt AuthUserFile} directive> -->
	<A
	HREF="directive-dict.html#Syntax"
	REL="Help"
	><STRONG>Syntax:</STRONG></A> AuthUserFile <EM>filename</EM><BR>
	<A
	HREF="directive-dict.html#Context"
	REL="Help"
	><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
	<A
	HREF="directive-dict.html#Override"
	REL="Help"
	><STRONG>Override:</STRONG></A> AuthConfig<BR>
	<A
	HREF="directive-dict.html#Status"
	REL="Help"
	><STRONG>Status:</STRONG></A> Base<BR>
	<A
	HREF="directive-dict.html#Module"
	REL="Help"
	><STRONG>Module:</STRONG></A> mod_auth<P>

	The AuthUserFile directive sets the name of a textual file containing
	the list of users and passwords for user
	authentication. <EM>Filename</EM> is the path to the user
	file. If it is not absolute (<EM>i.e.</EM>, if it doesn't begin with a
	slash), it is treated as relative to the ServerRoot.
	<P> Each line of the user file file contains a username followed
	by a colon, followed by the crypt() encrypted password. The behavior
	of multiple occurrences of the same user is undefined.
	<P>
	The utility <code>htpasswd</code> which is installed as part of the
	binary distribution, or which can be found in <code>src/support</code>,
	is used to maintain this password file. See the <code>man</code>
	page for more details. In short
	<p>
	<blockquote>
	<code>htpasswd -c Filename username</code><br>
	Create a password file 'Filename' with 'username'
	as the initial ID. It will prompt for the password.
	<code>htpasswd Filename username2</code><br>
	Adds or modifies in password file 'Filename' the 'username'.
	</blockquote>
	<P> Note that
	searching large text files is <EM>very</EM> inefficient;
	<A HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A> should be
	used instead.
	<P>

	Security: make sure that the AuthUserFile is stored outside the
	document tree of the web-server; do <EM>not</EM> put it in the directory that
	it protects. Otherwise, clients will be able to download the AuthUserFile.<P>

	See also <A HREF="core.html#authname">AuthName</A>,
	<A HREF="core.html#authtype">AuthType</A> and
	<A HREF="#authgroupfile">AuthGroupFile</A>.<P>
	<HR>
	<H2><A NAME="authauthoritative">AuthAuthoritative</A></H2>
	<!--%plaintext <?INDEX {\tt AuthAuthoritative} directive> -->
	<A
	HREF="directive-dict.html#Syntax"
	REL="Help"
	><STRONG>Syntax:</STRONG></A> AuthAuthoritative <
	<STRONG> on</STRONG>(default) \| off > <BR>
	<A
	HREF="directive-dict.html#Context"
	REL="Help"
	><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
	<A
	HREF="directive-dict.html#Override"
	REL="Help"
	><STRONG>Override:</STRONG></A> AuthConfig<BR>
	<A
	HREF="directive-dict.html#Status"
	REL="Help"
	><STRONG>Status:</STRONG></A> Base<BR>
	<A
	HREF="directive-dict.html#Module"
	REL="Help"
	><STRONG>Module:</STRONG></A> mod_auth<P>

	Setting the AuthAuthoritative directive explicitly to <STRONG>'off'</STRONG>
	allows for both authentication and authorization to be passed on to
	lower level modules (as defined in the <CODE>Configuration</CODE> and
	<CODE>modules.c</CODE> files) if there is <STRONG>no userID</STRONG> or
	<STRONG>rule</STRONG> matching the supplied userID. If there is a userID and/or
	rule specified; the usual password and access checks will be applied
	and a failure will give an Authorization Required reply.

	<P>

	So if a userID appears in the database of more than one module; or if
	a valid require directive applies to more than one module; then the
	first module will verify the credentials; and no access is passed on;
	regardless of the AuthAuthoritative setting.

	<P>

	A common use for this is in conjunction with one of the database
	modules; such as <A
	HREF="mod_auth_db.html"><CODE>mod_auth_db.c</CODE></A>, <A
	HREF="mod_auth_dbm.html"><CODE>mod_auth_dbm.c</CODE></A>,
	<CODE>mod_auth_msql.c</CODE>, and <A
	HREF="mod_auth_anon.html"><CODE>mod_auth_anon.c</CODE></A>. These modules
	supply the bulk of the user credential checking; but a few
	(administrator) related accesses fall through to a lower level with a
	well protected AuthUserFile.

	<P>

	<A
	HREF="directive-dict.html#Default"
	REL="Help"
	><STRONG>Default:</STRONG></A> By default; control is not passed on; and an
	unknown
	userID or rule will result in an Authorization Required reply. Not
	setting it thus keeps the system secure; and forces an NCSA compliant
	behaviour.

	<P>

	Security: Do consider the implications of allowing a user to allow
	fall-through in his .htaccess file; and verify that this is really
	what you want; Generally it is easier to just secure a single
	.htpasswd file, than it is to secure a database such as mSQL. Make
	sure that the AuthUserFile is stored outside the document tree of the
	web-server; do <EM>not</EM> put it in the directory that it
	protects. Otherwise, clients will be able to download the
	AuthUserFile.

	<P>
	See also <A HREF="core.html#authname">AuthName</A>,
	<A HREF="core.html#authtype">AuthType</A> and
	<A HREF="#authgroupfile">AuthGroupFile</A>.<P>

	<!--#include virtual="footer.html" -->
	</BODY>
	</HTML>