manual/mod/mod_authz_groupfile.xml

	mod_authz_groupfile.xml revision 35ffb30f57f777dbf3f17c5a5ddf706559942c16
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<?xml version="1.0"?>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<modulesynopsis>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<name>mod_authz_groupfile</name>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<description>Group authorization using plaintext files</description>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd<status>Base</status>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<sourcefile>mod_authz_groupfile.c</sourcefile>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<identifier>authz_groupfile_module</identifier>
169280c7e65362d4ed444ec262c3f22a6a280166nd<compatibility>Available in Apache 2.1 and later</compatibility>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<summary>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz    <p>This module provides authorization capabilities so that
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    authenticated users can be allowed or denied access to portions
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    of the web site by group membership. Similar functionality is
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    provided by <module>mod_authz_dbm</module>.</p>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz</summary>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<seealso><directive module="core">Require</directive></seealso>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<seealso><directive module="core">Satisfy</directive></seealso>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<directivesynopsis>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<name>AuthGroupFile</name>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<description>Sets the name of a text file containing the list
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantzof user groups for authentication</description>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd<syntax>AuthGroupFile <var>file-path</var></syntax>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd<contextlist><context>directory</context><context>.htaccess</context>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz</contextlist>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<override>AuthConfig</override>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<usage>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz    <p>The <directive>AuthGroupFile</directive> directive sets the
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz    name of a textual file containing the list of user groups for user
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    authentication. <var>File-path</var> is the path to the group
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    file. If it is not absolute, it is treated as relative to the <directive
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz    module="core">ServerRoot</directive>.</p>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz    <p>Each line of the group file contains a groupname followed by a
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    colon, followed by the member usernames separated by spaces.</p>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    <example><title>Example:</title>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd      mygroup: bob joe anne
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    </example>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz    <p>Note that searching large text files is <em>very</em>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    inefficient; <directive module="mod_authz_dbm"
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    >AuthDBMGroupFile</directive> provides a much better performance.</p>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    <note type="warning"><title>Security</title>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd      <p>Make sure that the <directive>AuthGroupFile</directive> is
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd      stored outside the document tree of the web-server; do <em>not</em>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd      put it in the directory that it protects. Otherwise, clients may
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd      be able to download the <directive>AuthGroupFile</directive>.</p>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz    </note>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz</usage>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz</directivesynopsis>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<directivesynopsis>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<name>AuthzGroupFileAuthoritative</name>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd<description>Sets whether authorization will be passed on to lower level
35ffb30f57f777dbf3f17c5a5ddf706559942c16ndmodules</description>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd<syntax>AuthzGroupFileAuthoritative On|Off</syntax>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd<default>AuthzGroupFileAuthoritative On</default>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd<contextlist><context>directory</context><context>.htaccess</context>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz</contextlist>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<override>AuthConfig</override>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz<usage>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz    <p>Setting the <directive>AuthzGroupFileAuthoritative</directive>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    directive explicitly to <code>Off</code> allows for
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    group authorization to be passed on to lower level modules (as defined
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    in the <code>modules.c</code> files) if there is <strong>no
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    group</strong> matching the supplied userID.</p>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    <p>By default, control is not passed on and an unknown group
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    will result in an Authentication Required reply. Not
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz    setting it thus keeps the system secure and forces an NCSA
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz    compliant behaviour.</p>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    <note type="warning"><title>Security</title>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd      <p>Do consider the implications of allowing a user to
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd      allow fall-through in his <code>.htaccess</code> file; and verify
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd      that this is really what you want; Generally it is easier to just
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd      secure a single <code>.htpasswd</code> file, than it is to secure
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd      a database which might have more access interfaces.</p>
35ffb30f57f777dbf3f17c5a5ddf706559942c16nd    </note>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz</usage>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz</directivesynopsis>
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz
f43ed9051a7f4db461d67ed4f7ece175b3dbca7cjerenkrantz</modulesynopsis>