mod_auth.html revision d030d579df50673f566f5dbcd1904fd59cd310e0
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>Apache module mod_auth</TITLE>
</HEAD>

<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY
 BGCOLOR="#FFFFFF"
 TEXT="#000000"
 LINK="#0000FF"
 VLINK="#000080"
 ALINK="#FF0000"
>
<!--#include virtual="header.html" -->

<H1 ALIGN="CENTER">Module mod_auth</H1>

This module is contained in the <CODE>mod_auth.c</CODE> file, and
is compiled in by default. It provides for user authentication using
textual files.


<MENU>
<LI><A HREF="#authgroupfile">AuthGroupFile</A>
<LI><A HREF="#authuserfile">AuthUserFile</A>
<LI><A HREF="#authauthoritative">AuthAuthoritative</A>
</MENU>
<HR>

<H2><A NAME="authgroupfile">AuthGroupFile</A></H2>
<!--%plaintext &lt;?INDEX {\tt AuthGroupFile} directive&gt; -->
<A
 HREF="directive-dict.html#Syntax"
 REL="Help"
><STRONG>Syntax:</STRONG></A> AuthGroupFile <EM>filename</EM><BR>
<A
 HREF="directive-dict.html#Context"
 REL="Help"
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
<A
 HREF="directive-dict.html#Override"
 REL="Help"
><STRONG>Override:</STRONG></A> AuthConfig<BR>
<A
 HREF="directive-dict.html#Status"
 REL="Help"
><STRONG>Status:</STRONG></A> Base<BR>
<A
 HREF="directive-dict.html#Module"
 REL="Help"
><STRONG>Module:</STRONG></A> mod_auth<P>

The AuthGroupFile directive sets the name of a textual file containing the list
of user groups for user authentication. <EM>Filename</EM> is the path
to the group file. If it is not absolute (<EM>i.e.</EM>, if it
doesn't begin with a slash), it is treated as relative to the ServerRoot.
<P>
Each line of the group file contains a groupname followed by a colon, followed
by the member usernames separated by spaces. Example:
<BLOCKQUOTE><CODE>mygroup: bob joe anne</CODE></BLOCKQUOTE>
Note that searching large text files is <EM>very</EM> inefficient;
<A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A> should
be used instead.<P>

Security: make sure that the AuthGroupFile is stored outside the
document tree of the web-server; do <EM>not</EM> put it in the directory that
it protects. Otherwise, clients will be able to download the AuthGroupFile.<P>

See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authuserfile">AuthUserFile</A>.<P><HR>

<H2><A NAME="authuserfile">AuthUserFile</A></H2>
<!--%plaintext &lt;?INDEX {\tt AuthUserFile} directive&gt; -->
<A
 HREF="directive-dict.html#Syntax"
 REL="Help"
><STRONG>Syntax:</STRONG></A> AuthUserFile <EM>filename</EM><BR>
<A
 HREF="directive-dict.html#Context"
 REL="Help"
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
<A
 HREF="directive-dict.html#Override"
 REL="Help"
><STRONG>Override:</STRONG></A> AuthConfig<BR>
<A
 HREF="directive-dict.html#Status"
 REL="Help"
><STRONG>Status:</STRONG></A> Base<BR>
<A
 HREF="directive-dict.html#Module"
 REL="Help"
><STRONG>Module:</STRONG></A> mod_auth<P>

The AuthUserFile directive sets the name of a textual file containing
the list of users and passwords for user
authentication. <EM>Filename</EM> is the path to the user
file. If it is not absolute (<EM>i.e.</EM>, if it doesn't begin with a
slash), it is treated as relative to the ServerRoot.
<P> Each line of the user file contains a username followed
by a colon, followed by the crypt() encrypted password. The behavior
of multiple occurrences of the same user is undefined.
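The group-file and user-file formats described above, as a small lint (an added example, not Apache's own parser). The sample files and hash placeholders are constructed, the function names are hypothetical, and skipping blank and # lines is an assumption of this example.

```python
# Constructed sample files; the hash strings are placeholders, not crypt() output.
SAMPLE_USERS = """\
bob:PLACEHOLDERHASH1
joe:PLACEHOLDERHASH2
bob:PLACEHOLDERHASH3
anne
"""
SAMPLE_GROUPS = """\
mygroup: bob joe anne
admins: carol
"""

def parse_user_file(text):
    """Return (users, duplicate names, line numbers that are not 'name:hash')."""
    users, duplicates, malformed = {}, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # assumption of this example: blank and comment lines are skipped
        name, sep, hashed = line.partition(":")
        if not sep or not name or not hashed:
            malformed.append(lineno)
        elif name in users:
            # Behaviour for a repeated user is undefined, so report it
            # instead of guessing which entry the server would use.
            duplicates.append(name)
        else:
            users[name] = hashed
    return users, duplicates, malformed

def parse_group_file(text):
    """Return {groupname: set of member usernames}."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep and name.strip():
            groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def unknown_members(groups, users):
    """Group members with no usable entry in the user file."""
    known = set(users)
    return {g: sorted(m - known) for g, m in groups.items() if m - known}
```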
<P> Note that
searching large text files is <EM>very</EM> inefficient;
<A HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A> should be
used instead.
<P>

Security: make sure that the AuthUserFile is stored outside the
document tree of the web-server; do <EM>not</EM> put it in the directory that
it protects. Otherwise, clients will be able to download the AuthUserFile.<P>
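The placement rule in the two Security notes above (for AuthUserFile here and for AuthGroupFile earlier), as a check that can be run over a configuration. This is an added example, not part of the Apache documentation or code: the sample configuration, its paths and the function name audit_auth_files are constructed for illustration, and the check does not follow symlinks, Alias mappings or .htaccess files.

```python
import posixpath

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """\
ServerRoot /usr/local/apache
DocumentRoot /usr/local/apache/htdocs
<Directory /usr/local/apache/htdocs/private>
AuthType Basic
AuthName "Staff"
AuthUserFile htdocs/private/.htpasswd
AuthGroupFile /usr/local/apache/auth/groups
require group mygroup
</Directory>
"""

def audit_auth_files(conf_text):
    """Return (directive, resolved path) pairs that lie inside DocumentRoot."""
    server_root, doc_root, auth_files = "/", None, []  # "/" is an assumed fallback
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith(("#", "<")):
            continue  # comments, section tags, bare words
        name, value = parts[0].lower(), parts[1].strip().strip('"')
        if name == "serverroot":
            server_root = value
        elif name == "documentroot":
            doc_root = value
        elif name in ("authuserfile", "authgroupfile"):
            auth_files.append((parts[0], value))
    if doc_root is None:
        return []
    root = posixpath.normpath(doc_root).rstrip("/") + "/"
    findings = []
    for directive, path in auth_files:
        # A filename that does not begin with a slash is relative to ServerRoot.
        if not path.startswith("/"):
            path = posixpath.join(server_root, path)
        path = posixpath.normpath(path)  # collapses "." and ".." components
        if (path + "/").startswith(root):
            findings.append((directive, path))
    return findings
```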

See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authgroupfile">AuthGroupFile</A>.<P>
<HR>
<H2><A NAME="authauthoritative">AuthAuthoritative</A></H2>
<!--%plaintext &lt;?INDEX {\tt AuthAuthoritative} directive&gt; -->
<A
 HREF="directive-dict.html#Syntax"
 REL="Help"
><STRONG>Syntax:</STRONG></A> AuthAuthoritative &lt;
 <STRONG> on</STRONG>(default) | off &gt; <BR>
<A
 HREF="directive-dict.html#Context"
 REL="Help"
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
<A
 HREF="directive-dict.html#Override"
 REL="Help"
><STRONG>Override:</STRONG></A> AuthConfig<BR>
<A
 HREF="directive-dict.html#Status"
 REL="Help"
><STRONG>Status:</STRONG></A> Base<BR>
<A
 HREF="directive-dict.html#Module"
 REL="Help"
><STRONG>Module:</STRONG></A> mod_auth<P>

Setting the AuthAuthoritative directive explicitly to <STRONG>'off'</STRONG>
allows for both authentication and authorization to be passed on to
lower level modules (as defined in the <CODE>Configuration</CODE> and
<CODE>modules.c</CODE> files) if there is <STRONG>no userID</STRONG> or
<STRONG>rule</STRONG> matching the supplied userID. If there is a userID and/or
rule specified, the usual password and access checks will be applied
and a failure will give an Authorization Required reply.

<P>

So if a userID appears in the database of more than one module, or if
a valid require directive applies to more than one module, then the
first module will verify the credentials, and no access is passed on,
regardless of the AuthAuthoritative setting.

<P>

A common use for this is in conjunction with one of the database
modules, such as <A
HREF="mod_auth_db.html"><CODE>mod_auth_db.c</CODE></A>, <A
HREF="mod_auth_dbm.html"><CODE>mod_auth_dbm.c</CODE></A>,
<CODE>mod_auth_msql.c</CODE>, and <A
HREF="mod_auth_anon.html"><CODE>mod_auth_anon.c</CODE></A>. These modules
supply the bulk of the user credential checking, but a few
(administrator-related) accesses fall through to a lower level with a
well-protected AuthUserFile.
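The fall-through rule described above, as a small model (an added example, not Apache's implementation). The module chain, users and dictionary layout are constructed; the result names DECLINED, OK and AUTH_REQUIRED follow Apache's handler return codes, and plain string equality stands in for the crypt() comparison.

```python
DECLINED, OK, AUTH_REQUIRED = "DECLINED", "OK", "AUTH_REQUIRED"

# Constructed module chain, highest level first. The database module has
# AuthAuthoritative off; the text-file module keeps the default (on).
CHAIN = [
    {"name": "mod_auth_dbm", "authoritative": False,
     "users": {"alice": "alice-secret", "shared": "dbm-shared-secret"}},
    {"name": "mod_auth", "authoritative": True,
     "users": {"root": "file-root-secret", "shared": "file-shared-secret"}},
]

def check_user(module, user, password):
    """One module's decision for the supplied credentials."""
    stored = module["users"].get(user)
    if stored is None:
        # Unknown userID: only a module set to 'off' passes the request on.
        return AUTH_REQUIRED if module["authoritative"] else DECLINED
    # Known userID: the usual password check applies, whatever the setting.
    return OK if stored == password else AUTH_REQUIRED

def authenticate(chain, user, password):
    """Return (name of the deciding module, result)."""
    for module in chain:
        result = check_user(module, user, password)
        if result != DECLINED:
            return module["name"], result
    # Every module declined; the page does not describe this case.
    return None, DECLINED
```

A userID known to the first module never reaches the second one, so "shared" with the text-file password is rejected by mod_auth_dbm, while "root" falls through and is checked against the AuthUserFile.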

<P>

<A
 HREF="directive-dict.html#Default"
 REL="Help"
><STRONG>Default:</STRONG></A> By default, control is not passed on, and an
 unknown
userID or rule will result in an Authorization Required reply. Not
setting it thus keeps the system secure and forces NCSA-compliant
behaviour.

<P>

Security: consider the implications of allowing a user to enable
fall-through in their .htaccess file, and verify that this is really
what you want. Generally it is easier to just secure a single
.htpasswd file than it is to secure a database such as mSQL. Make
sure that the AuthUserFile is stored outside the document tree of the
web-server; do <EM>not</EM> put it in the directory that it
protects. Otherwise, clients will be able to download the
AuthUserFile.

<P>
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authgroupfile">AuthGroupFile</A>.<P>

<!--#include virtual="footer.html" -->
</BODY>
</HTML>