mod_authz_groupfile.xml revision 6fbd2e53c97ea6976d93e0ac521adabc55e0fb73
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Copyright 2002-2004 The Apache Software Foundation
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley Licensed under the Apache License, Version 2.0 (the "License");
70e5a7403f0e0a3bd292b8287c5fed5772c15270Automatic Updater you may not use this file except in compliance with the License.
9c3531d72aeaad6c5f01efe6a1c82023e1379e4dDavid Lawrence You may obtain a copy of the License at
142784f574e0b63e8bbcccb762eb8727ac7c76feBrian Wellington Unless required by applicable law or agreed to in writing, software
6a759e38699d133302d0df120d7afcd4af721951David Lawrence distributed under the License is distributed on an "AS IS" BASIS,
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont See the License for the specific language governing permissions and
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley limitations under the License.
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley<modulesynopsis metafile="mod_authz_groupfile.xml.meta">
2c395a842ba85ddba8408445e1ed2910c37fe2e1Bob Halley<description>Group authorization using plaintext files</description>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence<identifier>authz_groupfile_module</identifier>
c11f8f20d9e76b1c9c183f0d6a4ece3d922ff365James Brister<compatibility>Available in Apache 2.1 and later</compatibility>
2c395a842ba85ddba8408445e1ed2910c37fe2e1Bob Halley <p>This module provides authorization capabilities so that
2c395a842ba85ddba8408445e1ed2910c37fe2e1Bob Halley authenticated users can be allowed or denied access to portions
2c395a842ba85ddba8408445e1ed2910c37fe2e1Bob Halley of the web site by group membership. Similar functionality is
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley<seealso><directive module="core">Require</directive></seealso>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley<seealso><directive module="core">Satisfy</directive></seealso>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley<directivesynopsis>
95bcf47ff9b8073faea99ea9bd65a7119ea4ee41Bob Halley<description>Sets the name of a text file containing the list
d386111bff0dac486bcaa37beb29a6ff8e57b068Bob Halleyof user groups for authentication</description>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley<syntax>AuthGroupFile <var>file-path</var></syntax>
6a759e38699d133302d0df120d7afcd4af721951David Lawrence<contextlist><context>directory</context><context>.htaccess</context>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley</contextlist>
95bcf47ff9b8073faea99ea9bd65a7119ea4ee41Bob Halley <p>The <directive>AuthGroupFile</directive> directive sets the
95bcf47ff9b8073faea99ea9bd65a7119ea4ee41Bob Halley name of a textual file containing the list of user groups for user
95bcf47ff9b8073faea99ea9bd65a7119ea4ee41Bob Halley authentication. <var>File-path</var> is the path to the group
95bcf47ff9b8073faea99ea9bd65a7119ea4ee41Bob Halley file. If it is not absolute, it is treated as relative to the <directive
d386111bff0dac486bcaa37beb29a6ff8e57b068Bob Halley <p>Each line of the group file contains a groupname followed by a
d386111bff0dac486bcaa37beb29a6ff8e57b068Bob Halley colon, followed by the member usernames separated by spaces.</p>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley mygroup: bob joe anne
c11f8f20d9e76b1c9c183f0d6a4ece3d922ff365James Brister <p>Note that searching large text files is <em>very</em>
d386111bff0dac486bcaa37beb29a6ff8e57b068Bob Halley >AuthDBMGroupFile</directive> provides a much better performance.</p>
b6b21d80450f81d873d7e8cd21e7b72fdf512507Mark Andrews <p>Make sure that the <directive>AuthGroupFile</directive> is
075a8494bdea31342a1e20b29917dc280d489da9Bob Halley stored outside the document tree of the web-server; do <em>not</em>
075a8494bdea31342a1e20b29917dc280d489da9Bob Halley put it in the directory that it protects. Otherwise, clients may
075a8494bdea31342a1e20b29917dc280d489da9Bob Halley be able to download the <directive>AuthGroupFile</directive>.</p>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley</directivesynopsis>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley<directivesynopsis>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley<description>Sets whether authorization will be passed on to lower level
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halleymodules</description>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley<syntax>AuthzGroupFileAuthoritative On|Off</syntax>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley<contextlist><context>directory</context><context>.htaccess</context>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley</contextlist>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley <p>Setting the <directive>AuthzGroupFileAuthoritative</directive>
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley directive explicitly to <code>Off</code> allows for
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley group authorization to be passed on to lower level modules (as defined
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley in the <code>modules.c</code> files) if there is <strong>no
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley <p>By default, control is not passed on and an unknown group
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley will result in an Authentication Required reply. Not
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley setting it thus keeps the system secure and forces an NCSA
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley compliant behaviour.</p>
ff0e32ceea3f8aaaab8c9c50c07f76a25196234bBob Halley <p>Do consider the implications of allowing a user to
95bcf47ff9b8073faea99ea9bd65a7119ea4ee41Bob Halley allow fall-through in his <code>.htaccess</code> file; and verify
95bcf47ff9b8073faea99ea9bd65a7119ea4ee41Bob Halley that this is really what you want; Generally it is easier to just
ea6ace7d0ddf7ca69b036d6fed49e26d32164b9fBob Halley secure a single <code>.htpasswd</code> file, than it is to secure
c9f9dd2dd2344e45cf7b95d064338d97f08f1fb8Bob Halley a database which might have more access interfaces.</p>
ea6ace7d0ddf7ca69b036d6fed49e26d32164b9fBob Halley</directivesynopsis>
c11f8f20d9e76b1c9c183f0d6a4ece3d922ff365James Brister</modulesynopsis>