308N/A<
description>User authentication using text files</
description>
308N/A<
identifier>auth_module</
identifier>
308N/A <
p>This module allows the use of HTTP Basic Authentication to
308N/A restrict access by looking up users in plain text password and
308N/A group files. Similar functionality and greater scalability is
308N/A provided by <
module>mod_auth_dbm</
module>. HTTP Digest
308N/A Authentication is provided by
308N/A <
module>mod_auth_digest</
module>.</
p>
308N/A<
seealso><
directive module="core">Require</
directive></
seealso>
1938N/A<
seealso><
directive module="core">Satisfy</
directive></
seealso>
308N/A<
seealso><
directive module="core">AuthName</
directive></
seealso>
308N/A<
seealso><
directive module="core">AuthType</
directive></
seealso>
308N/A<
name>AuthGroupFile</
name>
815N/A<
description>Sets the name of a text file containing the list
618N/Aof user groups for authentication</
description>
308N/A<
syntax>AuthGroupFile <
em>file-path</
em></
syntax>
308N/A<
contextlist><
context>directory</
context><
context>.htaccess</
context>
844N/A<
override>AuthConfig</
override>
308N/A <
p>The <
directive>AuthGroupFile</
directive> directive sets the
308N/A name of a textual file containing the list of user groups for user
308N/A authentication. <
em>File-path</
em> is the path to the group
308N/A file. If it is not absolute (<
em>
i.e.</
em>, if it doesn't begin
308N/A with a slash), it is treated as relative to the <
directive 308N/A module="core">ServerRoot</
directive>.</
p>
308N/A <
p>Each line of the group file contains a groupname followed by a
308N/A colon, followed by the member usernames separated by spaces.
308N/A<
example>mygroup: bob joe anne</
example>
308N/A <
p>Note that searching large text files is <
em>very</
em>
308N/A inefficient; <
directive 308N/A module="mod_auth_dbm">AuthDBMGroupFile</
directive> should be used
308N/A<
note><
title>Security</
title>
308N/A <
p>Make sure that the AuthGroupFile is stored outside
308N/A the document tree of the web-server; do <
em>not</
em> put it in
the directory that it protects. Otherwise, clients will be able
to download the AuthGroupFile.</
p>
<
name>AuthUserFile</
name>
<
description>Sets the name of a text file containing the list of users and
passwords for authentication</
description>
<
syntax>AuthUserFile <
em>file-path</
em></
syntax>
<
contextlist><
context>directory</
context><
context>.htaccess</
context>
<
override>AuthConfig</
override>
<
p>The <
directive>AuthUserFile</
directive> directive sets the name
of a textual file containing the list of users and passwords for
user authentication. <
em>File-path</
em> is the path to the user
file. If it is not absolute (<
em>
i.e.</
em>, if it doesn't begin
with a slash), it is treated as relative to the <
directive module="core">ServerRoot</
directive>.</
p>
<
p>Each line of the user file file contains a username followed by
a colon, followed by the <
code>crypt()</
code> encrypted
password. The behavior of multiple occurrences of the same user is
which is installed as part of the binary distribution, or which
can be found in <
code>
src/
support</
code>, is used to maintain
this password file. See the <
code>man</
code> page for more
<
p>Create a password file 'Filename' with 'username' as the
initial ID. It will prompt for the password:</
p>
<
example>htpasswd -c Filename username</
example>
<
p>Adds or modifies in password file 'Filename' the 'username':</
p>
<
example>htpasswd Filename username2</
example>
<
p>Note that searching large text files is <
em>very</
em>
module="mod_auth_dbm">AuthDBMUserFile</
directive> should be used
<
note><
title>Security</
title><
p>Make sure that the AuthUserFile is
stored outside the document tree of the web-server; do <
em>not</
em>
put it in the directory that it protects. Otherwise, clients will be
able to download the AuthUserFile.</
p></
note>
<
name>AuthAuthoritative</
name>
<
description>Sets whether authorization and authentication are
passed to lower level modules</
description>
<
syntax>AuthAuthoritative on|off</
syntax>
<
default>AuthAuthoritative on</
default>
<
contextlist><
context>directory</
context><
context>.htaccess</
context>
<
override>AuthConfig</
override>
<
note>This information has not been updated for Apache 2.0, which
uses a different system for module ordering.</
note>
<
p>Setting the <
directive>AuthAuthoritative</
directive> directive
explicitly to <
strong>'off'</
strong> allows for both
authentication and authorization to be passed on to lower level
modules (as defined in the <
code>Configuration</
code> and
<
code>
modules.c</
code> files) if there is <
strong>no
userID</
strong> or <
strong>rule</
strong> matching the supplied
userID. If there is a userID
and/
or rule specified; the usual
password and access checks will be applied and a failure will give
an Authorization Required reply.</
p>
<
p>So if a userID appears in the database of more than one module;
or if a valid <
directive module="core">Require</
directive>
directive applies to more than one module; then the first module
will verify the credentials; and no access is passed on;
regardless of the AuthAuthoritative setting.</
p>
<
p>A common use for this is in conjunction with one of the
database modules; such as <
module>auth_dbm</
module>,
<
code>mod_auth_msql</
code>, and <
module>mod_auth_anon</
module>.
These modules supply the bulk of the user credential checking; but
a few (administrator) related accesses fall through to a lower
level with a well protected <
directive module="mod_auth">AuthUserFile</
directive>.</
p>
<
p>By default; control is not passed on; and an unknown userID or
rule will result in an Authorization Required reply. Not setting
it thus keeps the system secure; and forces an NCSA compliant
<
note><
title>Security</
title> Do consider the implications of
allowing a user to allow fall-through in his .htaccess file; and
verify that this is really what you want; Generally it is easier
to just secure a single .htpasswd file, than it is to secure a
database such as mSQL. Make sure that the <
directive module="mod_auth">AuthUserFile</
directive> is stored outside the
document tree of the web-server; do <
em>not</
em> put it in the
directory that it protects. Otherwise, clients will be able to
download the <
directive module="mod_auth">AuthUserFile</
directive>.