auth.html.en revision 15292da5451dea4ad10c12d35d9addc88be302c5
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 This file is generated from xml source: DO NOT EDIT
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 -->
<title>Authentication and Authorization - Apache HTTP Server</title>
<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
<script src="/style/scripts/prettify.js" type="text/javascript">
</script>

<link href="/images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.5</p>
<img alt="" src="/images/feather.gif" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="/images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.5</a> &gt; <a href="./">How-To / Tutorials</a></div><div id="page-content"><div id="preamble"><h1>Authentication and Authorization</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="/en/howto/auth.html" title="English">&nbsp;en&nbsp;</a> |
<a href="/fr/howto/auth.html" hreflang="fr" rel="alternate" title="Fran&ccedil;ais">&nbsp;fr&nbsp;</a> |
<a href="/ja/howto/auth.html" hreflang="ja" rel="alternate" title="Japanese">&nbsp;ja&nbsp;</a> |
<a href="/ko/howto/auth.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
<a href="/tr/howto/auth.html" hreflang="tr" rel="alternate" title="T&uuml;rk&ccedil;e">&nbsp;tr&nbsp;</a></p>
</div>

 <p>Authentication is any process by which you verify that
 someone is who they claim to be. Authorization is any
 process by which someone, once identified, is allowed to go where
 they want to go, or to have the information that they want to have.
 The two are configured separately, and a request for a protected
 area has to pass both.</p>

 <p>For general access control, see the <a href="access.html">Access
 Control How-To</a>.</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#related">Related Modules and Directives</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#introduction">Introduction</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#theprerequisites">The Prerequisites</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#gettingitworking">Getting it working</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#lettingmorethanonepersonin">Letting more than one
person in</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#possibleproblems">Possible problems</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#dbmdbd">Alternate password storage</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#multprovider">Using multiple providers</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#beyond">Beyond just authorization</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#socache">Authentication Caching</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#moreinformation">More information</a></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="related" id="related">Related Modules and Directives</a></h2>

<p>There are three types of modules involved in the authentication and
authorization process. You will usually need to choose at least one
module from each group.</p>

<ul>
 <li>Authentication type (see the
 <code class="directive"><a href="/mod/mod_authn_core.html#authtype">AuthType</a></code> directive)
 <ul>
 <li><code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code></li>
 <li><code class="module"><a href="/mod/mod_auth_digest.html">mod_auth_digest</a></code></li>
 </ul>
 </li>
 <li>Authentication provider (see the
 <code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> and
 <code class="directive"><a href="/mod/mod_auth_digest.html#authdigestprovider">AuthDigestProvider</a></code> directives)

 <ul>
 <li><code class="module"><a href="/mod/mod_authn_anon.html">mod_authn_anon</a></code></li>
 <li><code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code></li>
 <li><code class="module"><a href="/mod/mod_authn_dbm.html">mod_authn_dbm</a></code></li>
 <li><code class="module"><a href="/mod/mod_authn_file.html">mod_authn_file</a></code></li>
 <li><code class="module"><a href="/mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code></li>
 <li><code class="module"><a href="/mod/mod_authn_socache.html">mod_authn_socache</a></code></li>
 </ul>
 </li>
 <li>Authorization (see the
 <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directive)
 <ul>
 <li><code class="module"><a href="/mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code></li>
 <li><code class="module"><a href="/mod/mod_authz_dbd.html">mod_authz_dbd</a></code></li>
 <li><code class="module"><a href="/mod/mod_authz_dbm.html">mod_authz_dbm</a></code></li>
 <li><code class="module"><a href="/mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code></li>
 <li><code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code></li>
 <li><code class="module"><a href="/mod/mod_authz_owner.html">mod_authz_owner</a></code></li>
 <li><code class="module"><a href="/mod/mod_authz_user.html">mod_authz_user</a></code></li>
 </ul>
 </li>
</ul>

 <p>In addition to these modules, there are also
 <code class="module"><a href="/mod/mod_authn_core.html">mod_authn_core</a></code> and
 <code class="module"><a href="/mod/mod_authz_core.html">mod_authz_core</a></code>. These modules implement the
 core directives that all auth modules depend on.</p>

 <p>The module <code class="module"><a href="/mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> is both an
 authentication and authorization provider. The module
 <code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code> provides authorization
 and access control based on hostname, IP address or characteristics
 of the request, but is not part of the authentication provider
 system. For backwards compatibility with the old mod_access
 directives (<code>Order</code>, <code>Allow</code>, <code>Deny</code>), there is
 the module <code class="module"><a href="/mod/mod_access_compat.html">mod_access_compat</a></code>.</p>

 <p>You probably also want to take a look at the <a href="access.html">Access Control</a> howto, which discusses the
 various ways to control access to your server.</p>

</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="introduction" id="introduction">Introduction</a></h2>
 <p>If you have information on your web site that is sensitive
 or intended for only a small group of people, the techniques in
 this article will help you make sure that the people that see
 those pages are the people that you wanted to see them.</p>

 <p>This article covers the "standard" way of protecting parts
 of your web site that most of you are going to use.</p>

 <div class="note"><h3>Note:</h3>
 <p>If your data really needs to be secure, use
 <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> (TLS) in addition to any authentication.
 Authentication only decides who may see a page; without TLS the
 credentials and the page itself still cross the network in the clear.</p>
 </div>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="theprerequisites" id="theprerequisites">The Prerequisites</a></h2>
 <p>The directives discussed in this article will need to go
 either in your main server configuration file (typically in a
 <code class="directive"><a href="/mod/core.html#directory">&lt;Directory&gt;</a></code> section), or
 in per-directory configuration files (<code>.htaccess</code> files).</p>

 <p>If you plan to use <code>.htaccess</code> files, you will
 need to have a server configuration that permits putting
 authentication directives in these files. This is done with the
 <code class="directive"><a href="/mod/core.html#allowoverride">AllowOverride</a></code> directive, which
 specifies which directives, if any, may be put in per-directory
 configuration files. Allowing <code>.htaccess</code> files has a
 cost: the server has to look for them on every request, and anyone
 who can write to the directory can change its access rules, so
 prefer the main configuration file where you can.</p>

 <p>Since we're talking here about authentication, you will need
 an <code class="directive"><a href="/mod/core.html#allowoverride">AllowOverride</a></code> directive like the
 following:</p>

 <pre class="prettyprint lang-config">AllowOverride AuthConfig</pre>


 <p>Or, if you are just going to put the directives directly in
 your main server configuration file, you will of course need to
 have write permission to that file.</p>

 <p>And you'll need to know a little bit about the directory
 structure of your server, in order to know where some files are
 kept. This should not be terribly difficult, and I'll try to
 make this clear when we come to that point.</p>

 <p>You will also need to make sure that the modules
 <code class="module"><a href="/mod/mod_authn_core.html">mod_authn_core</a></code> and <code class="module"><a href="/mod/mod_authz_core.html">mod_authz_core</a></code>
 have either been built into the httpd binary or loaded by the
 httpd.conf configuration file. Both of these modules provide core
 directives and functionality that are critical to the configuration
 and use of authentication and authorization in the web server.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="gettingitworking" id="gettingitworking">Getting it working</a></h2>
 <p>Here are the basics of password protecting a directory on your
 server.</p>

 <p>First, you need to create a password file. Exactly how you do
 this will vary depending on what authentication provider you have
 chosen. More on that later. To start with, we'll use a text password
 file.</p>

 <p>This file should be
 placed somewhere not accessible from the web, so that
 visitors cannot download the password file. For example, if your
 documents are served out of <code>/usr/local/apache/htdocs</code> you
 might want to put the password file(s) in
 <code>/usr/local/apache/passwd</code>. The file must be readable by the
 user the server runs as (see the <code class="directive"><a href="/mod/mod_unixd.html#user">User</a></code> directive)
 and should be writable only by the administrator who maintains it. The
 default <code>httpd.conf</code> also refuses to serve any file whose name
 begins with <code>.ht</code>, which protects a file called
 <code>.htpasswd</code> that was left inside the document tree; treat that
 as a backstop, not as a reason to keep password files there.</p>

 <p>To create the file, use the <code class="program"><a href="/programs/htpasswd.html">htpasswd</a></code> utility that
 came with Apache. This will be located in the <code>bin</code> directory
 of wherever you installed Apache. If you have installed Apache from
 a third-party package, it may be in your execution path.</p>

 <p>To create the file, type:</p>

 <div class="example"><p><code>
 htpasswd -c /usr/local/apache/passwd/passwords rbowen
 </code></p></div>

 <p><code class="program"><a href="/programs/htpasswd.html">htpasswd</a></code> will ask you for the password, and
 then ask you to type it again to confirm it (it does not echo what you
 type; the passwords appear below only to illustrate the exchange):</p>

 <div class="example"><p><code>
 # htpasswd -c /usr/local/apache/passwd/passwords rbowen<br />
 New password: mypassword<br />
 Re-type new password: mypassword<br />
 Adding password for user rbowen
 </code></p></div>

 <p>By default <code class="program"><a href="/programs/htpasswd.html">htpasswd</a></code> stores an
 MD5-based hash of the password; pass <code>-B</code> to store a bcrypt
 hash instead, which is the better choice on a current server.</p>

 <p>If <code class="program"><a href="/programs/htpasswd.html">htpasswd</a></code> is not in your path, of course
 you'll have to type the full path to the file to get it to run.
 With a default installation, it's located at
 <code>/usr/local/apache2/bin/htpasswd</code></p>

 <p>Next, you'll need to configure the server to request a
 password and tell the server which users are allowed access.
 You can do this either by editing the <code>httpd.conf</code>
 file or using an <code>.htaccess</code> file. For example, if
 you wish to protect the directory
 <code>/usr/local/apache/htdocs/secret</code>, you can use the
 following directives, either placed in the file
 <code>/usr/local/apache/htdocs/secret/.htaccess</code>, or
 placed in <code>httpd.conf</code> inside a &lt;Directory
 /usr/local/apache/htdocs/secret&gt; section.</p>

 <pre class="prettyprint lang-config">
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user rbowen
 </pre>


 <p>Let's examine each of those directives individually. The <code class="directive"><a href="/mod/mod_authn_core.html#authtype">AuthType</a></code> directive selects
 the method that is used to authenticate the user. The most
 common method is <code>Basic</code>, and this is the method
 implemented by <code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code>. It is important to be aware,
 however, that Basic authentication sends the password from the client to
 the server unencrypted: it is only base64-encoded, so anyone who can observe
 the connection can read it and reuse it. This method should therefore not be
 used for anything sensitive unless the connection is protected by
 <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code>.
 Apache also supports <code>AuthType Digest</code>, implemented by
 <code class="module"><a href="/mod/mod_auth_digest.html">mod_auth_digest</a></code>. Digest avoids sending the
 password itself, which is an improvement over Basic on an unprotected
 connection, but it is built on MD5 and does nothing against an attacker
 who can modify the traffic, so it is not a substitute for TLS either. Most
 recent browsers support Digest authentication.</p>

 <p>The <code class="directive"><a href="/mod/mod_authn_core.html#authname">AuthName</a></code> directive sets
 the <dfn>Realm</dfn> to be used in the authentication. The server sends
 it to the client in the <code>WWW-Authenticate</code> header of its 401
 response, and it serves two major functions. First, the client often
 presents this information to the user as part of the password dialog box.
 Second, it is used by the client to determine what password to send for a
 given authenticated area.</p>

 <p>So, for example, once a client has authenticated in the
 <code>"Restricted Files"</code> area, it will automatically
 retry the same password for any area on the same server that is
 marked with the <code>"Restricted Files"</code> Realm.
 Therefore, you can prevent a user from being prompted more than
 once for a password by letting multiple restricted areas share
 the same realm. Of course, for security reasons, the client
 will always need to ask again for the password whenever the
 hostname of the server changes.</p>

 <p>The <code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> is,
 in this case, optional, since <code>file</code> is the default value
 for this directive. You'll need to use this directive if you are
 choosing a different source for authentication, such as
 <code class="module"><a href="/mod/mod_authn_dbm.html">mod_authn_dbm</a></code> or <code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code>.</p>

 <p>The <code class="directive"><a href="/mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code>
 directive sets the path to the password file that we just
 created with <code class="program"><a href="/programs/htpasswd.html">htpasswd</a></code>. If you have a large number
 of users, it can be quite slow to search through a plain text
 file to authenticate the user on each request. Apache also has
 the ability to store user information in fast database files.
 The <code class="module"><a href="/mod/mod_authn_dbm.html">mod_authn_dbm</a></code> module provides the <code class="directive"><a href="/mod/mod_authn_dbm.html#authdbmuserfile">AuthDBMUserFile</a></code> directive. These
 files can be created and manipulated with the <code class="program"><a href="/programs/dbmmanage.html">dbmmanage</a></code> program. Many
 other types of authentication options are available from third
 party modules in the <a href="http://modules.apache.org/">Apache Modules
 Database</a>.</p>

 <p>Finally, the <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code>
 directive provides the authorization part of the process by
 setting the user that is allowed to access this region of the
 server. In the next section, we discuss various ways to use the
 <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directive.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="lettingmorethanonepersonin" id="lettingmorethanonepersonin">Letting more than one
person in</a></h2>
 <p>The directives above only let one person (specifically
 someone with a username of <code>rbowen</code>) into the
 directory. In most cases, you'll want to let more than one
 person in. For a short, fixed list you can simply name several
 users (<code>Require user rbowen dpitts</code>), or admit everyone in
 the password file with <code>Require valid-user</code>. When membership
 changes often, or the same set of people guards several areas, a group
 file is easier to maintain; this is where the <code class="directive"><a href="/mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> directive comes in.</p>

 <p>To use a group, you'll need to
 create a group file that associates group names with a list of
 users in that group. The format of this file is pretty simple,
 and you can create it with your favorite editor. The contents
 of the file will look like this:</p>

 <div class="example"><p><code>
 GroupName: rbowen dpitts sungo rshersey
 </code></p></div>

 <p>That's just a list of the members of the group in a long
 line separated by spaces.</p>

 <p>To add a user to your already existing password file,
 type:</p>

 <div class="example"><p><code>
 htpasswd /usr/local/apache/passwd/passwords dpitts
 </code></p></div>

 <p>You'll get the same response as before, but it will be
 appended to the existing file, rather than creating a new file.
 (It's the <code>-c</code> that makes it create a new password
 file; if you pass <code>-c</code> again for a file that already
 exists, the file is truncated and every user in it is lost, so
 leave it out when adding users.)</p>

5652dbe450e4fcfdf36d4cfb42d7f2345ded29a4maczniak <p>Now, you need to modify your <code>.htaccess</code> file to
5652dbe450e4fcfdf36d4cfb42d7f2345ded29a4maczniak look like the following:</p>
5652dbe450e4fcfdf36d4cfb42d7f2345ded29a4maczniak
5652dbe450e4fcfdf36d4cfb42d7f2345ded29a4maczniak <pre class="prettyprint lang-config">
5652dbe450e4fcfdf36d4cfb42d7f2345ded29a4maczniakAuthType Basic
5652dbe450e4fcfdf36d4cfb42d7f2345ded29a4maczniakAuthName "By Invitation Only"
5652dbe450e4fcfdf36d4cfb42d7f2345ded29a4maczniak# Optional line:
5652dbe450e4fcfdf36d4cfb42d7f2345ded29a4maczniakAuthBasicProvider file
5652dbe450e4fcfdf36d4cfb42d7f2345ded29a4maczniakAuthUserFile /usr/local/apache/passwd/passwords
5652dbe450e4fcfdf36d4cfb42d7f2345ded29a4maczniakAuthGroupFile /usr/local/apache/passwd/groups
c04f76acce77126cf88b09350e56ea8c6b4a064enilgunRequire group GroupName
5652dbe450e4fcfdf36d4cfb42d7f2345ded29a4maczniak </pre>
91f378b5a10f2d83820902ed10ba7967a3920c18nilgun
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <p>Now, anyone that is listed in the group <code>GroupName</code>,
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh and has an entry in the <code>password</code> file, will be let in, if
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh they type the correct password.</p>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <p>There's another way to let multiple users in that is less
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh specific. Rather than creating a group file, you can just use
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh the following directive:</p>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <pre class="prettyprint lang-config">Require valid-user</pre>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh <p>Using that rather than the <code>Require user rbowen</code>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh line will allow anyone in that is listed in the password file,
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh and who correctly enters their password. You can even emulate
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh the group behavior here, by just keeping a separate password
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh file for each group. The advantage of this approach is that
5effc8b39fae5cd169d17f342bfc265705840014rbowen Apache only has to check one file, rather than two. The
d229f940abfb2490dee17979e9a5ff31b7012eb5rbowen disadvantage is that you have to maintain a bunch of password
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd files, and remember to reference the right one in the
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd <code class="directive"><a href="/mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code> directive.</p>
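 <p>The following is an added example in Python; it is not part of the Apache documentation or of httpd itself. It models what the <code>file</code> provider plus <code>Require group</code> and <code>Require valid-user</code> decide for a given username and password: the user must have an entry in the password file, the password must match, and (for <code>Require group</code>) the user must also be listed in the named group. The sample password and group files are constructed inline; entries use the <code>{SHA}</code> hash format that <code>htpasswd -s</code> writes, and other htpasswd hash formats are deliberately not handled here.</p>

```python
import base64
import hashlib
import hmac


def sha_entry(password: str) -> str:
    """Build an htpasswd-style {SHA} hash: the format produced by 'htpasswd -s'."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample files standing in for
# /usr/local/apache/passwd/passwords and /usr/local/apache/passwd/groups.
PASSWORD_FILE = "\n".join([
    "rbowen:" + sha_entry("correct horse"),
    "dpitts:" + sha_entry("battery staple"),
    "sungo:" + sha_entry("tr0ub4dor"),
    "visitor:" + sha_entry("just visiting"),   # has a password but is in no group
    # rshersey is listed in the group file but has no password entry
])

GROUP_FILE = "GroupName: rbowen dpitts sungo rshersey\n"


def parse_passwd(text: str) -> dict:
    """One 'user:hash' per line, the layout htpasswd maintains."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, pw_hash = line.partition(":")
        users[user] = pw_hash
    return users


def parse_groups(text: str) -> dict:
    """One 'group: member member ...' per line, the AuthGroupFile layout."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups


def check_password(users: dict, user: str, password: str) -> bool:
    """The 'file' authentication provider: the user must exist and the hash must match."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash scheme this example does not implement
    # constant-time comparison of the stored entry against a freshly computed one
    return hmac.compare_digest(stored, sha_entry(password))


def require_valid_user(users: dict, user: str, password: str) -> bool:
    """Require valid-user: anyone who authenticates against the file is authorized."""
    return check_password(users, user, password)


def require_group(users: dict, groups: dict, group: str, user: str, password: str) -> bool:
    """Require group <name>: must authenticate AND be listed in that group."""
    if not check_password(users, user, password):
        return False
    return user in groups.get(group, set())


USERS = parse_passwd(PASSWORD_FILE)
GROUPS = parse_groups(GROUP_FILE)
```

 <p>Note the two ways a group member can still be refused: <code>rshersey</code> is in the group but has no password entry, so authentication fails before group membership is ever consulted, and <code>visitor</code> authenticates but is not in <code>GroupName</code>, so <code>Require valid-user</code> admits that account while <code>Require group GroupName</code> does not.</p>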
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="possibleproblems" id="possibleproblems">Possible problems</a></h2>
<p>Because of the way that Basic authentication is specified,
your username and password must be verified every time you
request a document from the server. This is true even if you're
reloading the same page, and it applies to every image on the page (if
they come from a protected directory). As you can imagine, this
slows things down a little. The amount that it slows things
down is proportional to the size of the password file, because
the server has to open that file and go down the list of users
until it gets to your name. And it has to do this every time a
page is loaded.</p>
<p>A consequence of this is that there's a practical limit to
how many users you can put in one password file. This limit
will vary depending on the performance of your particular
server machine, but you can expect to see slowdowns once you
get above a few hundred entries, and may wish to consider a
different authentication method at that time.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="dbmdbd" id="dbmdbd">Alternate password storage</a></h2>
<p>Because storing passwords in plain text files has the above
problems, you may wish to store your passwords somewhere else, such
as in a database.</p>
<p><code class="module"><a href="/mod/mod_authn_dbm.html">mod_authn_dbm</a></code> and <code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code> are two
modules which make this possible. Rather than selecting <code><code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> file</code>, instead
you can choose <code>dbm</code> or <code>dbd</code> as your storage
format.</p>
<p>To select a dbm file rather than a text file, for example:</p>
<pre class="prettyprint lang-config">
&lt;Directory /www/docs/private&gt;
AuthName "Private"
AuthType Basic
AuthBasicProvider dbm
AuthDBMUserFile /www/passwords/passwd.dbm
Require valid-user
&lt;/Directory&gt;
</pre>
<p>Other options are available. Consult the
<code class="module"><a href="/mod/mod_authn_dbm.html">mod_authn_dbm</a></code> documentation for more details.</p>
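<p>The following is an added example in Python, not part of the Apache documentation or of httpd. It shows the difference that the previous two sections describe: a DBM store is keyed by username, so looking up a user is a single fetch rather than a scan down a text file. The record layout (key = username, value = password hash, optionally followed by a colon and arbitrary data that the server ignores) is the one <code class="module">mod_authn_dbm</code> reads; the assumption flagged in the code is that Python's <code>dbm</code> module may pick a different on-disk DBM format from the one your httpd build was linked against, so this is a model of the lookup, not a drop-in replacement for <code>htdbm</code>. All entries are constructed and use the <code>{SHA}</code> format that <code>htdbm -s</code> writes.</p>

```python
import base64
import dbm
import hashlib
import hmac
import os
import tempfile


def sha_entry(password: str) -> str:
    """htpasswd/htdbm-style {SHA} hash (what the -s option writes)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def build_dbm_store(path: str, entries: dict) -> None:
    """Write user -> 'hash[:comment]' records, the layout mod_authn_dbm reads.

    Assumption: Python's dbm module chooses whichever backend is available
    (gdbm, ndbm or its own 'dumb' format), which need not match the DBM
    library httpd was built with. The key/value layout is the same either way.
    """
    with dbm.open(path, "c") as db:
        for user, (password, comment) in entries.items():
            value = sha_entry(password)
            if comment:
                value += ":" + comment   # mod_authn_dbm ignores the colon and what follows it
            db[user.encode("utf-8")] = value.encode("utf-8")


def dbm_check_password(path: str, user: str, password: str) -> bool:
    """Keyed lookup: one fetch by username instead of scanning every line."""
    with dbm.open(path, "r") as db:
        try:
            raw = db[user.encode("utf-8")]
        except KeyError:
            return False   # unknown user
    stored = raw.decode("utf-8").split(":", 1)[0]   # drop the optional comment
    if not stored.startswith("{SHA}"):
        return False       # hash scheme not implemented in this example
    return hmac.compare_digest(stored, sha_entry(password))


def demo() -> dict:
    """Build a constructed store in a temporary directory and run three lookups."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwd")   # the backend may add its own suffix
        build_dbm_store(path, {
            "rbowen": ("correct horse", "Rich Bowen"),
            "dpitts": ("battery staple", ""),
        })
        return {
            "good": dbm_check_password(path, "rbowen", "correct horse"),
            "bad_password": dbm_check_password(path, "rbowen", "nope"),
            "unknown_user": dbm_check_password(path, "nobody", "x"),
        }
```

<p>With this layout the cost of a lookup no longer grows with the number of accounts, which is the practical limit the "Possible problems" section describes for flat text files; the hashing and comparison work per request is unchanged, which is what <code class="module">mod_authn_socache</code> addresses separately.</p>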
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="multprovider" id="multprovider">Using multiple providers</a></h2>
<p>With the introduction of the new provider based authentication and
authorization architecture, you are no longer locked into a single
authentication or authorization method. In fact any number of the
providers can be mixed and matched to provide you with exactly the
scheme that meets your needs. In the following example, both the
file and LDAP based authentication providers are being used.</p>
<pre class="prettyprint lang-config">
&lt;Directory /www/docs/private&gt;
AuthName "Private"
AuthType Basic
AuthBasicProvider file ldap
AuthUserFile /usr/local/apache/passwd/passwords
AuthLDAPURL ldap://ldaphost/o=yourorg
Require valid-user
&lt;/Directory&gt;
</pre>
<p>In this example the file provider will attempt to authenticate
the user first. If it is unable to authenticate the user, the LDAP
provider will be called. This allows the scope of authentication
to be broadened if your organization implements more than
one type of authentication store. Other authentication and authorization
scenarios may include mixing one type of authentication with a
different type of authorization. For example, authenticating against
a password file yet authorizing against an LDAP directory.</p>
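<p>The following is an added example in Python, not part of the Apache documentation or of httpd. It models the <code>AuthBasicProvider file ldap</code> chain from the configuration above as an ordered list of providers, each answering with one of three outcomes: granted, denied, or user-not-found. The chain advances to the next provider only while the current one reports the user as not found; the first provider that recognises the username gives the final answer. That is how <code class="module">mod_auth_basic</code>'s provider loop behaves, and it is worth knowing when reading "if it is unable to authenticate the user, the LDAP provider will be called": a wrong password for a user who exists in the file is not retried against LDAP. No LDAP server is contacted; <code>LDAP_DIRECTORY</code> is a constructed dictionary standing in for <code>ldap://ldaphost/o=yourorg</code>, and plaintext values are used only so the ordering logic stays in view.</p>

```python
import hmac
from enum import Enum


class AuthResult(Enum):
    GRANTED = "granted"                # provider knows the user and the password matched
    DENIED = "denied"                  # provider knows the user but the password did not match
    USER_NOT_FOUND = "user_not_found"  # provider has no record of this user at all


# Constructed stand-ins for the two stores named in the configuration above.
# Real stores hold hashes, not plaintext; plaintext keeps the example short.
PASSWORD_FILE_USERS = {"rbowen": "file-secret"}
LDAP_DIRECTORY = {"alice": "ldap-secret", "rbowen": "stale-ldap-secret"}


def _lookup(store: dict, user: str, password: str) -> AuthResult:
    stored = store.get(user)
    if stored is None:
        return AuthResult.USER_NOT_FOUND
    if hmac.compare_digest(stored, password):
        return AuthResult.GRANTED
    return AuthResult.DENIED


def file_provider(user: str, password: str) -> AuthResult:
    """Stands in for AuthBasicProvider 'file' backed by AuthUserFile."""
    return _lookup(PASSWORD_FILE_USERS, user, password)


def ldap_provider(user: str, password: str) -> AuthResult:
    """Stands in for AuthBasicProvider 'ldap' backed by AuthLDAPURL."""
    return _lookup(LDAP_DIRECTORY, user, password)


# Same order as "AuthBasicProvider file ldap".
PROVIDER_CHAIN = [("file", file_provider), ("ldap", ldap_provider)]


def authenticate(chain, user: str, password: str):
    """Walk the providers in configured order.

    The loop moves on only while a provider answers USER_NOT_FOUND; the first
    provider that recognises the user decides, whether it grants or denies.
    Returns (provider name, result), or (None, USER_NOT_FOUND) if no provider
    knows the user.
    """
    for name, provider in chain:
        result = provider(user, password)
        if result is not AuthResult.USER_NOT_FOUND:
            return name, result
    return None, AuthResult.USER_NOT_FOUND
```

<p>The consequence for operations is that the order of the providers decides which store is authoritative for a username that exists in both: with <code>file</code> first, the file entry for <code>rbowen</code> wins and a stale LDAP password for the same account is never consulted.</p>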
<p>Just as multiple authentication providers can be implemented, multiple
authorization methods can also be used. In this example both file group
authorization as well as LDAP group authorization is being used.</p>
<pre class="prettyprint lang-config">
&lt;Directory /www/docs/private&gt;
AuthName "Private"
AuthType Basic
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
AuthLDAPURL ldap://ldaphost/o=yourorg
AuthGroupFile /usr/local/apache/passwd/groups
Require group GroupName
Require ldap-group cn=mygroup,o=yourorg
&lt;/Directory&gt;
</pre>
<p>To take authorization a little further, authorization container
directives such as
<code class="directive"><a href="/mod/mod_authz_core.html#requireall">&lt;RequireAll&gt;</a></code>
and
<code class="directive"><a href="/mod/mod_authz_core.html#requireany">&lt;RequireAny&gt;</a></code>
allow logic to be applied so that the order in which authorization
is handled can be completely controlled through the configuration.
See <a href="/mod/mod_authz_core.html#logic">Authorization
Containers</a> for an example of how they may be applied.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="beyond" id="beyond">Beyond just authorization</a></h2>
<p>The way that authorization can be applied is now much more flexible
than just a single check against a single data store. Ordering, logic
and choosing how authorization will be done are now possible.</p>
<h3><a name="authandororder" id="authandororder">Applying logic and ordering</a></h3>
<p>Controlling how and in what order authorization will be applied
has been a bit of a mystery in the past. In Apache 2.2 a provider-based
authentication mechanism was introduced to decouple the actual
authentication process from authorization and supporting functionality.
One of the side benefits was that authentication providers could be
configured and called in a specific order which didn't depend on the
load order of the auth module itself. This same provider based mechanism
has been brought forward into authorization as well. What this means is
that the <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directive
not only specifies which authorization methods should be used, it also
specifies the order in which they are called. Multiple authorization
methods are called in the same order in which the
<code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directives
appear in the configuration.</p>
<p>With the introduction of authorization container directives
such as
<code class="directive"><a href="/mod/mod_authz_core.html#requireall">&lt;RequireAll&gt;</a></code>
and
<code class="directive"><a href="/mod/mod_authz_core.html#requireany">&lt;RequireAny&gt;</a></code>,
the configuration also has control over when the
authorization methods are called and what criteria determines when
access is granted. See
<a href="/mod/mod_authz_core.html#logic">Authorization Containers</a>
for an example of how they may be used to express complex
authorization logic.</p>
<p>By default all
<code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code>
directives are handled as though contained within a
<code class="directive"><a href="/mod/mod_authz_core.html#requireany">&lt;RequireAny&gt;</a></code>
container directive. In other words, if
any of the specified authorization methods succeed, then authorization
is granted.</p>
<h3><a name="reqaccessctrl" id="reqaccessctrl">Using authorization providers for access control</a></h3>
<p>Authentication by username and password is only part of the
story. Frequently you want to let people in based on something
other than who they are. Something such as where they are
coming from.</p>
<p>The authorization providers <code class="directive"><a href="/mod/mod_authz_host.html#all">all</a></code>,
<code class="directive"><a href="/mod/mod_authz_host.html#env">env</a></code>,
<code class="directive"><a href="/mod/mod_authz_host.html#host">host</a></code> and
<code class="directive"><a href="/mod/mod_authz_host.html#ip">ip</a></code> let you allow or deny access based on other host-based
criteria such as the host name or IP address of the machine requesting
a document.</p>
<p>The usage of these providers is specified through the
<code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directive.
This directive registers the authorization providers
that will be called during the authorization stage of the request
processing. For example:</p>
<pre class="prettyprint lang-config">Require ip <var>address</var></pre>
<p>where <var>address</var> is an IP address (or a partial IP
address) or:</p>
<pre class="prettyprint lang-config">Require host <var>domain_name</var></pre>
<p>where <var>domain_name</var> is a fully qualified domain name
(or a partial domain name); you may provide multiple addresses or
domain names, if desired.</p>
<p>For example, if you have someone spamming your message
board, and you want to keep them out, you could do the
following:</p>
<pre class="prettyprint lang-config">
&lt;RequireAll&gt;
Require all granted
Require not ip 10.252.46.165
&lt;/RequireAll&gt;
</pre>
<p>Visitors coming from that address will not be able to see
the content covered by this directive. If, instead, you have a
machine name, rather than an IP address, you can use that.</p>
<pre class="prettyprint lang-config">
&lt;RequireAll&gt;
Require all granted
Require not host <var>host.example.com</var>
&lt;/RequireAll&gt;
</pre>
<p>And, if you'd like to block access from an entire domain,
you can specify just part of an address or domain name:</p>
<pre class="prettyprint lang-config">
&lt;RequireAll&gt;
Require all granted
&lt;RequireNone&gt;
Require ip 192.168.205
Require host phishers.example.com moreidiots.example
Require host ke
&lt;/RequireNone&gt;
&lt;/RequireAll&gt;
</pre>
<p>The above example uses the <code class="directive"><a href="/mod/mod_authz_core.html#requirenone">&lt;RequireNone&gt;</a></code> directive
to make sure that none of the
<code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directives
contained within it
match their parameters before granting access.</p>
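<p>The following is an added example in Python, not part of the Apache documentation or of httpd. It transcribes the three configurations above into a small evaluator that applies the three-valued result model documented for <code class="module">mod_authz_core</code>: every <code>Require</code> line yields granted, denied or neutral; <code>Require not</code> can only deny (a non-match becomes neutral, which is why the examples pair it with <code>Require all granted</code> inside <code>&lt;RequireAll&gt;</code>); <code>&lt;RequireAll&gt;</code> fails on any denial and succeeds only if something granted; <code>&lt;RequireAny&gt;</code> succeeds on any grant; <code>&lt;RequireNone&gt;</code> fails on any grant and never succeeds; bare <code>Require</code> lines behave as one implicit <code>&lt;RequireAny&gt;</code>, and only an explicit grant admits the request. Partial IP and partial host name matching follow the rules described above (a partial address matches on whole octets; a partial domain must start at a label boundary, so <code>ke</code> matches <code>mail.co.ke</code> but not <code>fake.example</code>). The client addresses and host names are constructed; in httpd the host name comes from a reverse DNS lookup of the client address.</p>

```python
import ipaddress
from enum import Enum


class Authz(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NEUTRAL = "neutral"   # neither granted nor denied; on its own it admits nobody


class Client:
    """Constructed request context (httpd derives host via reverse DNS)."""
    def __init__(self, ip: str, host: str = ""):
        self.ip = ipaddress.ip_address(ip)
        self.host = host.lower()


def ip_matches(spec: str, client: Client) -> bool:
    """Full address, CIDR block, or partial dotted prefix such as 192.168.205."""
    if "/" in spec:
        return client.ip in ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) < 4 and all(o.isdigit() for o in octets):
        return str(client.ip).split(".")[: len(octets)] == octets
    return client.ip == ipaddress.ip_address(spec)


def host_matches(spec: str, client: Client) -> bool:
    """Exact name, or a trailing domain that must begin at a label boundary."""
    spec, host = spec.lower(), client.host
    if not host or not host.endswith(spec):
        return False
    return len(host) == len(spec) or spec.startswith(".") or host[-len(spec) - 1] == "."


class Require:
    """One Require line: provider, its arguments, and an optional 'not'."""
    def __init__(self, provider: str, *args: str, negate: bool = False):
        self.provider, self.args, self.negate = provider, args, negate

    def evaluate(self, client: Client) -> Authz:
        if self.provider == "all":
            result = Authz.GRANTED if self.args == ("granted",) else Authz.DENIED
        elif self.provider == "ip":
            result = Authz.GRANTED if any(ip_matches(a, client) for a in self.args) else Authz.DENIED
        elif self.provider == "host":
            result = Authz.GRANTED if any(host_matches(a, client) for a in self.args) else Authz.DENIED
        else:
            raise ValueError("provider not modelled in this example: " + self.provider)
        if self.negate:
            # 'Require not' can only deny: a match denies, a non-match is neutral
            return Authz.DENIED if result is Authz.GRANTED else Authz.NEUTRAL
        return result


class Container:
    """<RequireAll>, <RequireAny> or <RequireNone> with mod_authz_core's combining rules."""
    def __init__(self, kind: str, *children):
        self.kind, self.children = kind, children

    def evaluate(self, client: Client) -> Authz:
        results = [c.evaluate(client) for c in self.children]
        granted, denied = Authz.GRANTED in results, Authz.DENIED in results
        if self.kind == "all":
            if denied:
                return Authz.DENIED
            return Authz.GRANTED if granted else Authz.NEUTRAL
        if self.kind == "any":
            if granted:
                return Authz.GRANTED
            return Authz.DENIED if denied else Authz.NEUTRAL
        if self.kind == "none":
            return Authz.DENIED if granted else Authz.NEUTRAL
        raise ValueError(self.kind)


def access_allowed(rules, client: Client) -> bool:
    """Top level: bare Require lines form an implicit <RequireAny>; only GRANTED admits."""
    return Container("any", *rules).evaluate(client) is Authz.GRANTED


# The three configurations from this section, transcribed into the model.
BLOCK_ONE_IP = Container("all",
    Require("all", "granted"),
    Require("ip", "10.252.46.165", negate=True))

BLOCK_ONE_HOST = Container("all",
    Require("all", "granted"),
    Require("host", "host.example.com", negate=True))

BLOCK_RANGES = Container("all",
    Require("all", "granted"),
    Container("none",
        Require("ip", "192.168.205"),
        Require("host", "phishers.example.com", "moreidiots.example"),
        Require("host", "ke")))
```

<p>One check worth running against any such configuration is a bare <code>Require not ip</code> on its own: the evaluator returns neutral for every client that does not match, so nobody is admitted, which is exactly why the page's examples wrap the negated line in <code>&lt;RequireAll&gt;</code> together with <code>Require all granted</code>.</p>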
<h3><a name="filesystem" id="filesystem">Access Control backwards compatibility</a></h3>
<p>One of the side effects of adopting a provider based mechanism for
authentication is that the need for the previous access control directives
<code class="directive"><a href="/mod/mod_access_compat.html#order">Order</a></code>,
<code class="directive"><a href="/mod/mod_access_compat.html#allow">Allow</a></code>,
<code class="directive"><a href="/mod/mod_access_compat.html#deny">Deny</a></code> and
<code class="directive"><a href="/mod/mod_access_compat.html#satisfy">Satisfy</a></code> are no longer needed.
However to provide backwards compatibility for older configurations, these
directives have been moved to the <code class="module"><a href="/mod/mod_access_compat.html">mod_access_compat</a></code> module.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="socache" id="socache">Authentication Caching</a></h2>
<p>There may be times when authentication puts an unacceptable load
on a provider or on your network. This is most likely to affect users
of <code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code> (or third-party/custom providers).
To deal with this, HTTPD 2.3/2.4 introduces a new caching provider
<code class="module"><a href="/mod/mod_authn_socache.html">mod_authn_socache</a></code> to cache credentials and reduce
the load on the origin provider(s).</p>
<p>This may offer a substantial performance boost to some users.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="moreinformation" id="moreinformation">More information</a></h2>
<p>You should also read the documentation for
<code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code> and <code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code> which
contain some more information about how this all works.
The directive <code class="directive"><a href="/mod/mod_authn_core.html#&lt;authnprovideralias&gt;">&lt;AuthnProviderAlias&gt;</a></code>
can also help in simplifying certain authentication configurations.</p>
<p>The various ciphers supported by Apache for authentication data are
explained in <a href="/misc/password_encryptions.html">Password
Encryptions</a>.</p>
<p>And you may want to look at the <a href="access.html">Access
Control</a> howto, which discusses a number of related topics.</p>
</div></div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="/en/howto/auth.html" title="English">&nbsp;en&nbsp;</a> |
<a href="/fr/howto/auth.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a> |
<a href="/ja/howto/auth.html" hreflang="ja" rel="alternate" title="Japanese">&nbsp;ja&nbsp;</a> |
<a href="/ko/howto/auth.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
<a href="/tr/howto/auth.html" hreflang="tr" rel="alternate" title="Türkçe">&nbsp;tr&nbsp;</a></p>
</div><div id="footer">
<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
</div><script type="text/javascript">
if (typeof prettyPrint !== 'undefined') {
prettyPrint();
}
</script>
</body></html>