mod_auth.html revision 39f9a4276c8e03639d26c1be99e966468e30b774
97a9a944b5887e91042b019776c41d5dd74557aferikabele<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
b1ced323143ade589985456a78f3f64d6a6580c5yoshiki<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
0c4abc32c00611fe1d52c9661f5cc79a3f74c6d4nd BGCOLOR="#FFFFFF"
96ad5d81ee4a2cc66a4ae19893efc8aa6d06fae7jailletc TEXT="#000000"
0c4abc32c00611fe1d52c9661f5cc79a3f74c6d4nd LINK="#0000FF"
0c4abc32c00611fe1d52c9661f5cc79a3f74c6d4nd VLINK="#000080"
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen ALINK="#FF0000"
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen<!--#include virtual="header.html" -->
0c4abc32c00611fe1d52c9661f5cc79a3f74c6d4ndThis module is contained in the <code>mod_auth.c</code> file, and
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowenis compiled in by default. It provides for user authentication using
3f08db06526d6901aa08c110b5bc7dde6bc39905ndtextual files.
0c4abc32c00611fe1d52c9661f5cc79a3f74c6d4nd<!--%plaintext <?INDEX {\tt AuthGroupFile} directive> -->
0c4abc32c00611fe1d52c9661f5cc79a3f74c6d4nd<strong>Syntax:</strong> AuthGroupFile <em>filename</em><br>
f19fa851b976a05691dea05be46586aa5aadeba2rbowenThe AuthGroupFile directive sets the name of a textual file containing the list
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsfof user groups for user authentication. <em>Filename</em> is the path
f6445f3ad1c82f9398dc8edd77093cd3e20b806cnoirinto the group file. If it is not absolute (<EM>i.e.</EM>, if it
f6445f3ad1c82f9398dc8edd77093cd3e20b806cnoirindoesn't begin with a slash), it is treated as relative to the ServerRoot.
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsfEach line of the group file contains a groupname followed by a colon, followed
f6445f3ad1c82f9398dc8edd77093cd3e20b806cnoirinby the member usernames separated by spaces. Example:
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf<blockquote><code>mygroup: bob joe anne</code></blockquote>
f6445f3ad1c82f9398dc8edd77093cd3e20b806cnoirinNote that searching large text files is <em>very</em> inefficient;
f6445f3ad1c82f9398dc8edd77093cd3e20b806cnoirin<A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A> should
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsfbe used instead.<p>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsfSecurity: make sure that the AuthGroupFile is stored outside the
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsfdocument tree of the web-server; do <em>not</em> put it in the directory that
f6445f3ad1c82f9398dc8edd77093cd3e20b806cnoirinit protects. Otherwise, clients will be able to download the AuthGroupFile.<p>
c44eeebd065e2c8cd028016b45c58afb480aaf8fdruggeri<!--%plaintext <?INDEX {\tt AuthUserFile} directive> -->
c44eeebd065e2c8cd028016b45c58afb480aaf8fdruggeri<strong>Syntax:</strong> AuthUserFile <em>filename</em><br>
117c1f888a14e73cdd821dc6c23eb0411144a41cndThe AuthUserFile directive sets the name of a textual file containing
117c1f888a14e73cdd821dc6c23eb0411144a41cndthe list of users and passwords for user
c44eeebd065e2c8cd028016b45c58afb480aaf8fdruggerifile. If it is not absolute (<EM>i.e.</EM>, if it doesn't begin with a
b41a0dbe6310c576e96b7ea6910051fd84fb06f5sfslash), it is treated as relative to the ServerRoot.
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<p> Each line of the user file file contains a username followed
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarby a colon, followed by the crypt() encrypted password. The behavior
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarof multiple occurrences of the same user is undefined.
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<p> Note that
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarsearching large text files is <EM>very</EM> inefficient;
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<A HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A> should be
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarused instead.
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarSecurity: make sure that the AuthUserFile is stored outside the
1f1b6bf13313fdd14a45e52e553d3ff28689b717coardocument tree of the web-server; do <em>not</em> put it in the directory that
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarit protects. Otherwise, clients will be able to download the AuthUserFile.<p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<A name="authauthoritative"><h2>AuthAuthoritative</h2></A>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<!--%plaintext <?INDEX {\tt AuthAuthoritative} directive> -->
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<strong>Syntax:</strong> AuthAuthoritative < <strong> on</strong>(default) | off > <br>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarSetting the AuthAuthoritative directive explicitly to <b>'off'</b>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarallows for both authentication and authorization to be passed on to
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarlower level modules (as defined in the <code>Configuration</code> and
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<code>modules.c</code> files) if there is <b>no userID</b> or
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<b>rule</b> matching the supplied userID. If there is a userID and/or
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarrule specified; the usual password and access checks will be applied
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarand a failure will give an Authorization Required reply.
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarSo if a userID appears in the database of more than one module; or if
0c4abc32c00611fe1d52c9661f5cc79a3f74c6d4nda valid require directive applies to more than one module; then the
0c4abc32c00611fe1d52c9661f5cc79a3f74c6d4ndfirst module will verify the credentials; and no access is passed on;
0c4abc32c00611fe1d52c9661f5cc79a3f74c6d4ndregardless of the AuthAuthoritative setting.
0c4abc32c00611fe1d52c9661f5cc79a3f74c6d4ndA common use for this is in conjunction with one of the database
0c4abc32c00611fe1d52c9661f5cc79a3f74c6d4ndmodules; such as <a
0c4abc32c00611fe1d52c9661f5cc79a3f74c6d4ndhref="mod_auth_db.html"><code>mod_auth_db.c</code></a>, <a
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coarhref="mod_auth_anon.html"><code>mod_auth_anon.c</code></a>. These modules
06f0540592b1d6fc148e1ec9afc95ce48162db18covenersupply the bulk of the user credential checking; but a few
06f0540592b1d6fc148e1ec9afc95ce48162db18covener(administrator) related accesses fall through to a lower level with a
06f0540592b1d6fc148e1ec9afc95ce48162db18covenerwell protected AuthUserFile.
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coar<b>Default:</b> By default; control is not passed on; and an unknown
06f0540592b1d6fc148e1ec9afc95ce48162db18coveneruserID or rule will result in an Authorization Required reply. Not
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coarsetting it thus keeps the system secure; and forces an NSCA compliant
06f0540592b1d6fc148e1ec9afc95ce48162db18covenerSecurity: Do consider the implications of allowing a user to allow
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coarfall-through in his .htaccess file; and verify that this is really
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coarwhat you want; Generally it is easier to just secure a single
172025a566937b5a0492a7060e4ba52f121047f4covener.htpasswd file, than it is to secure a database such as mSQL. Make
172025a566937b5a0492a7060e4ba52f121047f4covenersure that the AuthUserFile is stored outside the document tree of the
06f0540592b1d6fc148e1ec9afc95ce48162db18covenerweb-server; do <em>not</em> put it in the directory that it
635de20c16ef862bfc5b0d5f9ceb40ebeaddfdf3noirinprotects. Otherwise, clients will be able to download the
06f0540592b1d6fc148e1ec9afc95ce48162db18covenerAuthUserFile.
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<!--#include virtual="footer.html" -->