ffb88a4885747797937e30a5ac8b1606da3cb4adnd<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
ffb88a4885747797937e30a5ac8b1606da3cb4adnd<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd<!-- $LastChangedRevision$ -->
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding Licensed to the Apache Software Foundation (ASF) under one or more
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding contributor license agreements. See the NOTICE file distributed with
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding this work for additional information regarding copyright ownership.
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding The ASF licenses this file to You under the Apache License, Version 2.0
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding (the "License"); you may not use this file except in compliance with
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding the License. You may obtain a copy of the License at
ffb88a4885747797937e30a5ac8b1606da3cb4adnd Unless required by applicable law or agreed to in writing, software
ffb88a4885747797937e30a5ac8b1606da3cb4adnd distributed under the License is distributed on an "AS IS" BASIS,
ffb88a4885747797937e30a5ac8b1606da3cb4adnd WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
ffb88a4885747797937e30a5ac8b1606da3cb4adnd See the License for the specific language governing permissions and
ffb88a4885747797937e30a5ac8b1606da3cb4adnd limitations under the License.
ffb88a4885747797937e30a5ac8b1606da3cb4adnd<compatibility>Available in Apache 2.3 and later</compatibility>
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim <p>This module provides core authentication capabilities to
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim allow or deny access to portions of the web site.
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim <module>mod_authn_core</module> provides directives that are
ffb88a4885747797937e30a5ac8b1606da3cb4adnd common to all authentication providers.</p>
8fd572cca68670bef3948b603518523d2d9ab01abnicholes<section id="authnalias"><title>Creating Authentication Provider Aliases</title>
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim <p>Extended authentication providers can be created
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim within the configuration file and assigned an alias name. The alias
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim providers can then be referenced through the directives
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim <directive module="mod_auth_basic">AuthBasicProvider</directive> or
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholes <directive module="mod_auth_digest">AuthDigestProvider</directive> in
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholes the same way as a base authentication provider. Besides the ability
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim to create and alias an extended provider, it also allows the same
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim extended authentication provider to be reference by multiple
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholes locations.</p>
bb37893866942b9e73f6a842311eb1b61fa8bdcarbowen <p>This example checks for passwords in two different text
bb37893866942b9e73f6a842311eb1b61fa8bdcarbowen <example><title>Checking multiple text password files</title>
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh# Check here first
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh<AuthnProviderAlias file file1>
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh</AuthnProviderAlias>
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh# Then check here
a99c5d4cc3cab6a62b04d52000dbc22ce1fa2d94coar<AuthnProviderAlias file file2>
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh</AuthnProviderAlias>
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh AuthBasicProvider file1 file2
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh AuthType Basic
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh AuthName "Protected Area"
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh Require valid-user
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh</Directory>
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh </highlight>
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim <p>The example below creates two different ldap authentication
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholes provider aliases based on the ldap provider. This allows
8fd572cca68670bef3948b603518523d2d9ab01abnicholes a single authenticated location to be serviced by multiple ldap
bb37893866942b9e73f6a842311eb1b61fa8bdcarbowen <example><title>Checking multiple LDAP servers</title>
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh<AuthnProviderAlias ldap ldap-alias1>
3658293f56f1683ca41e3bc5b70d98b203d8004bcoar AuthLDAPBindDN "cn=youruser,o=ctx"
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh AuthLDAPBindPassword yourpassword
3658293f56f1683ca41e3bc5b70d98b203d8004bcoar AuthLDAPURL "ldap://ldap.host/o=ctx"
1116ef1b391cabf18f2b6e310a035096f2d86740humbedooh</AuthnProviderAlias>
1116ef1b391cabf18f2b6e310a035096f2d86740humbedooh<AuthnProviderAlias ldap ldap-other-alias>
3658293f56f1683ca41e3bc5b70d98b203d8004bcoar AuthLDAPBindDN "cn=yourotheruser,o=dev"
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh AuthLDAPBindPassword yourotherpassword
3658293f56f1683ca41e3bc5b70d98b203d8004bcoar AuthLDAPURL "ldap://other.ldap.host/o=dev?cn"
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh</AuthnProviderAlias>
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh AuthBasicProvider ldap-other-alias ldap-alias1
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh AuthType Basic
1116ef1b391cabf18f2b6e310a035096f2d86740humbedooh AuthName "LDAP Protected Place"
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh Require valid-user
a99c5d4cc3cab6a62b04d52000dbc22ce1fa2d94coar # Note that Require ldap-* would not work here, since the
be5569b0e4d790c51d8523e5920fd5060ffde6eecovener # AuthnProviderAlias does not provide the config to authorization providers
be5569b0e4d790c51d8523e5920fd5060ffde6eecovener # that are implemented in the same module as the authentication provider.
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh</Directory>
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh </highlight>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd<directivesynopsis>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd<description>Authorization realm for use in HTTP
ffb88a4885747797937e30a5ac8b1606da3cb4adndauthentication</description>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd<contextlist><context>directory</context><context>.htaccess</context>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd</contextlist>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd <p>This directive sets the name of the authorization realm for a
ffb88a4885747797937e30a5ac8b1606da3cb4adnd directory. This realm is given to the client so that the user
ffb88a4885747797937e30a5ac8b1606da3cb4adnd knows which username and password to send.
ffb88a4885747797937e30a5ac8b1606da3cb4adnd <directive>AuthName</directive> takes a single argument; if the
ffb88a4885747797937e30a5ac8b1606da3cb4adnd realm name contains spaces, it must be enclosed in quotation
ffb88a4885747797937e30a5ac8b1606da3cb4adnd marks. It must be accompanied by <directive
ffb88a4885747797937e30a5ac8b1606da3cb4adnd module="mod_authn_core">AuthType</directive> and <directive
ffb88a4885747797937e30a5ac8b1606da3cb4adnd module="mod_authz_core">Require</directive> directives, and directives such
ffb88a4885747797937e30a5ac8b1606da3cb4adnd as <directive module="mod_authn_file">AuthUserFile</directive> and
ffb88a4885747797937e30a5ac8b1606da3cb4adnd <directive module="mod_authz_groupfile">AuthGroupFile</directive> to
ffb88a4885747797937e30a5ac8b1606da3cb4adnd AuthName "Top Secret"
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh </highlight>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd <p>The string provided for the <code>AuthName</code> is what will
ffb88a4885747797937e30a5ac8b1606da3cb4adnd appear in the password dialog provided by most browsers.</p>
d58a848a016d401b965111e50ef829e1641f7834minfrin <p>From 2.4.13, <a href="/expr.html">expression syntax</a> can be
d58a848a016d401b965111e50ef829e1641f7834minfrin used inside the directive to produce the name dynamically.</p>
d58a848a016d401b965111e50ef829e1641f7834minfrin AuthName "%{HTTP_HOST}"
d58a848a016d401b965111e50ef829e1641f7834minfrin </highlight>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd href="/howto/auth.html">Authentication, Authorization, and
ffb88a4885747797937e30a5ac8b1606da3cb4adnd</directivesynopsis>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd<directivesynopsis>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd<contextlist><context>directory</context><context>.htaccess</context>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd</contextlist>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd <p>This directive selects the type of user authentication for a
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd directory. The authentication types available are <code>None</code>,
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd <module>mod_auth_basic</module>), <code>Digest</code>
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd (implemented by <module>mod_auth_digest</module>), and
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd <code>Form</code> (implemented by <module>mod_auth_form</module>).</p>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd <p>To implement authentication, you must also use the <directive
ffb88a4885747797937e30a5ac8b1606da3cb4adnd module="mod_authn_core">AuthName</directive> and <directive
ffb88a4885747797937e30a5ac8b1606da3cb4adnd module="mod_authz_core">Require</directive> directives. In addition, the
ffb88a4885747797937e30a5ac8b1606da3cb4adnd server must have an authentication-provider module such as
ffb88a4885747797937e30a5ac8b1606da3cb4adnd <module>mod_authn_file</module> and an authorization module such
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd <p>The authentication type <code>None</code> disables authentication.
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd When authentication is enabled, it is normally inherited by each
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd subsequent <a href="/sections.html#mergin">configuration section</a>,
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd unless a different authentication type is specified. If no
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd authentication is desired for a subsection of an authenticated
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd section, the authentication type <code>None</code> may be used;
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd in the following example, clients may access the
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd <code>/www/docs/public</code> directory without authenticating:</p>
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh AuthType Basic
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh AuthName Documents
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh AuthBasicProvider file
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh Require valid-user
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh</Directory>
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh AuthType None
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh Require all granted
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh</Directory>
6f10385908fbdfd4849e4bc50e690ee54c62f2cdhumbedooh </highlight>
d58a848a016d401b965111e50ef829e1641f7834minfrin <p>From 2.4.13, <a href="/expr.html">expression syntax</a> can be
d58a848a016d401b965111e50ef829e1641f7834minfrin used inside the directive to specify the type dynamically.</p>
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd <note>When disabling authentication, note that clients which have
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd already authenticated against another portion of the server's document
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd tree will typically continue to send authentication HTTP headers
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd or cookies with each request, regardless of whether the server
ce6098001014d149e90e56ab0e89c1b4aab30136chrisd actually requires authentication for every resource.</note>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd<seealso><a href="/howto/auth.html">Authentication, Authorization,
ffb88a4885747797937e30a5ac8b1606da3cb4adnd</directivesynopsis>
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholes<description>Enclose a group of directives that represent an
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholesextension of a base authentication provider and referenced by
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholesthe specified alias</description>
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholes<syntax><AuthnProviderAlias <var>baseProvider Alias</var>>
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholes... </AuthnProviderAlias></syntax>
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholes</contextlist>
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholes <code></AuthnProviderAlias></code> are used to enclose a group of
860b4efe27e7c1c9a2bf5c872b29c90f76849b51jim authentication directives that can be referenced by the alias name
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholes using one of the directives <directive module="mod_auth_basic">
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholes AuthBasicProvider</directive> or <directive module="mod_auth_digest">
811cb87626640c454e98542d7c6b3738f0556840covener <note>This directive has no affect on authorization, even for modules that
811cb87626640c454e98542d7c6b3738f0556840covener provide both authentication and authorization.</note>
eb5dc86f8a44b4571adfb11b831dd09a2721f159bnicholes</directivesynopsis>
ffb88a4885747797937e30a5ac8b1606da3cb4adnd</modulesynopsis>