mod_authz_core.html.en revision 77c77cf89621f21c8e2bbad63058b5eaa5f88d4a
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
<title>mod_authz_core - Apache HTTP Server</title>
<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<body>
<div id="page-header">
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.3</p>
<div id="path">
<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.3</a> > <a href="./">Modules</a></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_authz_core</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="/en/mod/mod_authz_core.html" title="English"> en </a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Core Authorization</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module�Identifier:</a></th><td>authz_core_module</td></tr>
<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 and later</td></tr></table>
<h3>Summary</h3>
<p>This module provides core authorization capabilities so that
authenticated users can be allowed or denied access to portions
of the web site. <code class="module"><a href="/mod/mod_authz_core.html">mod_authz_core</a></code> provides the
functionality to register various authorization providers. It is
usually used in conjunction with an authentication
provider module such as <code class="module"><a href="/mod/mod_authn_file.html">mod_authn_file</a></code> and an
authorization module such as <code class="module"><a href="/mod/mod_authz_user.html">mod_authz_user</a></code>. It
also allows for "AND" and "OR" logic to be applied to the
authorization processing.</p>
</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
</ul>
</div>
<div class="directive-section"><h2><a name="AuthzMergeRules" id="AuthzMergeRules">AuthzMergeRules</a> <a name="authzmergerules" id="authzmergerules">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set to 'on' to allow the parent's <Directory> or <Location>
authz rules to be merged into the current <Directory> or <Location>.
Set to 'off' to disable merging. If set to 'off', only the authz rules defined in
the current <Directory> or <Location> block will apply.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthMergeRules on | off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthMergeRules on</code></td></tr>
</table>
<p>By default all of the authorization rules within a <Directory>
<Location> hierarchy are merged together to form a single
logical authorization operation. If AuthzMergeRules is set to 'off', then
only the authorization rules that are contained with the current
<Directory> or <Location> block are considered. This
allows the configuration to determine exactly how authorization will
be determine without having to take into consideration the
authorization rules that may exist above it.</p>
</div>
<div class="directive-section"><h2><a name="Reject" id="Reject">Reject</a> <a name="reject" id="reject">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Rejects authenticated users or host based
requests from accessing a resource</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Reject <var>entity-name</var> [<var>entity-name</var>] ...</code></td></tr>
</table>
<p>This directive is similar to the
<code class="directive"><a href="#require">Require</a></code> directive however
it rejects which authenticated users or host based requests from accessing a resource. The
restrictions are processed by authorization modules. See the
<code class="directive"><a href="#require">Require</a></code> directive for details
about usage.</p>
<h3>See also</h3>
<ul>
and Access Control</a></li>
</ul>
</div>
<div class="directive-section"><h2><a name="Require" id="Require">Require</a> <a name="require" id="require">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Selects which authenticated users can access
a resource</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Require <var>entity-name</var> [<var>entity-name</var>] ...</code></td></tr>
</table>
<p>This directive selects which authenticated users can access a
resource. The restrictions are processed by authorization
modules. Some of the allowed syntaxes provided by
<code class="module"><a href="/mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> are:</p>
<dl>
<dt><code>Require user <var>userid</var> [<var>userid</var>]
...</code></dt>
<dd>Only the named users can access the resource.</dd>
<dt><code>Require group <var>group-name</var> [<var>group-name</var>]
...</code></dt>
<dd>Only users in the named groups can access the resource.</dd>
<dt><code>Require valid-user</code></dt>
<dd>All valid users can access the resource.</dd>
</dl>
<p>Other authorization modules that implement require options
<code class="module"><a href="/mod/mod_authz_dbm.html">mod_authz_dbm</a></code>, <code class="module"><a href="/mod/mod_authz_dbd.html">mod_authz_dbd</a></code>,
<p>For a complete authentication and authorization configuration,
<code class="directive">Require</code> must be accompanied by
<code class="directive"><a href="/mod/mod_authn_core.html#authname">AuthName</a></code>, <code class="directive"><a href="/mod/mod_authn_core.html#authtype">AuthType</a></code> and
<code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code>
directives, and directives such as
and <code class="directive"><a href="/mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> (to
define users and groups) in order to work correctly. Example:</p>
<div class="example"><p><code>
AuthType Basic<br />
AuthName "Restricted Resource"<br />
AuthBasicProvider file<br />
Require group admin
</code></p></div>
<p>Access controls which are applied in this way are effective for
<strong>all</strong> methods. <strong>This is what is normally
desired.</strong> If you wish to apply access controls only to
specific methods, while leaving other methods unprotected, then
place the <code class="directive">Require</code> statement into a
section.</p>
<h3>See also</h3>
<ul>
and Access Control</a></li>
</ul>
</div>
<div class="directive-section"><h2><a name="SatisfyAll" id="SatisfyAll"><SatisfyAll></a> <a name="satisfyall" id="satisfyall">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives that must all
be satisfied in order to grant access to a resource. This block allows
for 'AND' logic to be applied to various authorization providers.</td></tr>
... </SatisfyAll></code></td></tr>
</table>
<p><code class="directive"><SatisfyAll></code> and
<code></SatisfyAll></code> are used to enclose a group of
authorization directives that must all be satisfied in order to
grant access to a resource.</p>
<p>The <code class="directive"><a href="# <satisfyall>">
<SatisfyAll></a></code> block as well as the
<code class="directive"><a href="#<satisfyone>"><SatisfyOne></a></code> block
allow you to apply "AND" and "OR" logic to the authorization processing.
For example the following authorization block would apply the logic:</p>
<div class="example"><p><code>
# if ((user == "John") ||<br />
# ((Group == "admin")<br />
# && (ldap-group <ldap-object> contains auth'ed_user)<br />
# && ((ldap-attribute dept == "sales")<br />
# || (file-group contains auth'ed_user))))<br />
# then<br />
# auth_granted<br />
# else<br />
# auth_denied<br />
#<br />
<span class="indent">
Authname ...<br />
AuthBasicProvider ...<br />
...<br />
Require user John<br />
<SatisfyAll><br />
<span class="indent">
Require Group admins<br />
Require ldap-group cn=mygroup,o=foo<br />
<SatisfyOne><br />
<span class="indent">
Require ldap-attribute dept="sales"<br />
Require file-group<br />
</span>
</SatisfyOne><br />
</span>
</SatisfyAll><br />
</span>
</Directory>
</code></p></div>
<h3>See also</h3>
<ul>
and Access Control</a></li>
</ul>
</div>
<div class="directive-section"><h2><a name="SatisfyOne" id="SatisfyOne"><SatisfyOne></a> <a name="satisfyone" id="satisfyone">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives that must
satisfy at least one in order to grant access to a resource. This
block allows for 'OR' logic to be applied to various authorization
providers.</td></tr>
... </SatisfyOne></code></td></tr>
</table>
<p><code class="directive"><SatisfyOne></code> and
<code></SatisfyOne></code> are used to enclose a group of
authorization directives that must satisfy at least one in order to
grant access to a resource.</p>
<p>See the <code class="directive"><a href="# <satisfyall>">
<SatisfyAll></a></code> directive for a usage example.</p>
<h3>See also</h3>
<ul>
and Access Control</a></li>
</ul>
</div>
</div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="/en/mod/mod_authz_core.html" title="English"> en </a></p>
</div><div id="footer">
<p class="apache">Copyright 2006 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div>
</body></html>