mod_authz_groupfile.xml revision f43ed9051a7f4db461d67ed4f7ece175b3dbca7c
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
<modulesynopsis>

<name>mod_authz_groupfile</name>
<description>Group authorization using plaintext files</description>
<status>Extension</status>
<sourcefile>mod_authz_groupfile.c</sourcefile>
<identifier>authz_groupfile_module</identifier>
<compatibility>Available in Apache 2.0.42 and later</compatibility>

<summary>
    <p>This module provides authorization capabilities so that
    authenticated users can be allowed or denied access to portions
    of the web site by group membership. Similar functionality is
    provided by <module>mod_authz_dbm</module>.</p>
</summary>

<seealso><directive module="core">Require</directive></seealso>
<seealso><directive module="core">Satisfy</directive></seealso>

<directivesynopsis>
<name>AuthGroupFile</name>
<description>Sets the name of a text file containing the list
of user groups for authentication</description>
<syntax>AuthGroupFile <em>file-path</em></syntax>
<contextlist>
    <context>directory</context>
    <context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>

<usage>
    <p>The <directive>AuthGroupFile</directive> directive sets the
    name of a textual file containing the list of user groups for user
    authentication. <em>File-path</em> is the path to the group
    file. If it is not absolute (<em>i.e.</em>, if it doesn't begin
    with a slash), it is treated as relative to the <directive
    module="core">ServerRoot</directive>.</p>

    <p>Each line of the group file contains a groupname followed by a
    colon, followed by the member usernames separated by spaces.
    Example:</p>

    <example>mygroup: bob joe anne</example>

    <p>Note that searching large text files is <em>very</em>
    inefficient; <directive
    module="mod_authz_dbm">AuthDBMGroupFile</directive> should be used
    instead.</p>

    <note><title>Security</title>
    <p>Make sure that the <directive>AuthGroupFile</directive> is
    stored outside the document tree of the web-server; do <em>not</em>
    put it in the directory that it protects. Otherwise, clients will
    be able to download the <directive>AuthGroupFile</directive>.</p>
    </note>
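    <p>As an added illustration (example code, not part of the httpd
    documentation or of mod_authz_groupfile itself), the following Python
    reproduces what the paragraphs above describe: it parses group-file
    lines in the <code>groupname: user user ...</code> format, answers the
    membership question a <code>Require group</code> line asks, applies the
    <directive module="core">ServerRoot</directive> rule for relative paths,
    and checks that the resolved file lies outside the document tree as the
    Security note demands. The sample file, the assumed
    <code>ServerRoot</code> of <code>/usr/local/apache2</code>, and the
    treatment of blank and <code>#</code> lines as ignorable are assumptions
    of this example.</p>

```python
# Added example, not part of httpd or mod_authz_groupfile: a parser for the
# AuthGroupFile format plus the membership and placement checks an
# administrator wants.
import posixpath

# Constructed sample group file in the "groupname: user user ..." format.
# Treating blank lines and lines starting with '#' as ignorable is this
# parser's own convention.
SAMPLE_GROUP_FILE = """\
# staff groups (constructed sample)
mygroup: bob joe anne
admins: anne

empty:
"""

# ServerRoot default assumed for this example.
ASSUMED_SERVER_ROOT = "/usr/local/apache2"


def parse_group_file(text):
    """Return {groupname: set(members)} from AuthGroupFile-style text."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("malformed group line: %r" % raw)
        name, _, members = line.partition(":")
        # A group may appear on several lines; merge its members.
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def user_in_groups(groups, user, required):
    """True if the authenticated user is a member of any group named in
    a 'Require group ...' line (required is that list of group names)."""
    return any(user in groups.get(g, ()) for g in required)


def resolve_group_file(file_path, server_root=ASSUMED_SERVER_ROOT):
    """Apply the ServerRoot rule: a path not starting with a slash is
    relative to ServerRoot."""
    if not file_path.startswith("/"):
        file_path = posixpath.join(server_root, file_path)
    return posixpath.normpath(file_path)


def is_outside_document_tree(file_path, document_root,
                             server_root=ASSUMED_SERVER_ROOT):
    """The Security note as a check: the resolved group file must not lie
    under DocumentRoot, or clients could download it."""
    path = resolve_group_file(file_path, server_root)
    root = posixpath.normpath(document_root)
    return path != root and not path.startswith(root.rstrip("/") + "/")


if __name__ == "__main__":
    groups = parse_group_file(SAMPLE_GROUP_FILE)
    print(groups)
    print("bob in mygroup:", user_in_groups(groups, "bob", ["mygroup"]))
    print("conf/groups outside /var/www/html:",
          is_outside_document_tree("conf/groups", "/var/www/html"))
```

    <p>The placement check normalises the path first, so a group file
    referenced through <code>..</code> components is still recognised as
    sitting inside the document tree.</p>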
</usage>
</directivesynopsis>

<directivesynopsis>
<name>AuthzGroupFileAuthoritative</name>
<description>Sets whether authorization will be passed on to lower level modules</description>
<syntax>AuthzGroupFileAuthoritative on|off</syntax>
<default>AuthzGroupFileAuthoritative on</default>
<contextlist>
    <context>directory</context>
    <context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>

<usage>

    <p>Setting the <directive>AuthzGroupFileAuthoritative</directive>
    directive explicitly to <strong>'off'</strong> allows
    authorization to be passed on to lower level modules (as defined in
    the <code>Configuration</code> and <code>modules.c</code> files) if
    there is <strong>no userID</strong> or <strong>rule</strong> matching
    the supplied userID. If there is a userID and/or rule specified, the
    usual password and access checks will be applied, and a failure will
    give an Authorization Required reply.</p>

    <p>So if a valid <directive module="core">Require</directive>
    directive applies to more than one module, then the first module
    will verify the credentials and no access is passed on,
    regardless of the <directive>AuthzGroupFileAuthoritative</directive>
    setting.</p>

    <p>By default, control is not passed on and an unknown userID
    or rule will result in an Authorization Required reply. Leaving
    it at the default thus keeps the system secure and forces
    NCSA-compliant behaviour.</p>

    <p>Security: Do consider the implications of allowing a user to
    allow fall-through in his .htaccess file, and verify that this
    is really what you want. Generally it is easier to just secure
    a single .htpasswd file than it is to secure a database which
    might have more access interfaces.</p>
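    <p>The following Python is an added model of the decision described
    above; it is example code, not code from httpd or this module. It runs
    the group-file check first and hands the request to a hypothetical
    lower-level provider only when that check returns DECLINED, which with
    the default <code>on</code> setting never happens. The group data, the
    lower-level provider (which honours <code>Require valid-user</code>),
    and the return-value names are assumptions of this example.</p>

```python
# Added example, not httpd code: a model of how AuthzGroupFileAuthoritative
# steers the authorization decision. The group-file check runs first; a
# hypothetical lower-level provider runs only when it DECLINES.
OK = "OK"
DECLINED = "DECLINED"
HTTP_UNAUTHORIZED = "HTTP_UNAUTHORIZED"   # the "Authorization Required" reply

# Constructed group data standing in for the parsed AuthGroupFile.
GROUPS = {"mygroup": {"bob", "joe", "anne"}}


def groupfile_check(user, require_lines, authoritative, groups=GROUPS):
    """Decision of the group-file module for the 'Require' lines in scope.

    Each entry of require_lines is the text after 'Require', e.g.
    'group mygroup' or 'valid-user'."""
    for line in require_lines:
        words = line.split()
        if not words or words[0] != "group":
            continue                    # not a rule this module understands
        if any(user in groups.get(g, ()) for g in words[1:]):
            return OK                   # matching rule: decision made here
    if authoritative:
        return HTTP_UNAUTHORIZED        # on: unknown user/rule is rejected
    return DECLINED                     # off: pass on to lower-level modules


def lower_level_check(user, require_lines):
    """Hypothetical next provider in the chain; it only honours
    'Require valid-user' (any authenticated user)."""
    if user and any(line.split()[:1] == ["valid-user"] for line in require_lines):
        return OK
    return HTTP_UNAUTHORIZED


def authorize(user, require_lines, authoritative):
    """Run the chain in order; the first result other than DECLINED wins."""
    result = groupfile_check(user, require_lines, authoritative)
    if result == DECLINED:
        result = lower_level_check(user, require_lines)
    return result


if __name__ == "__main__":
    for auth in (True, False):
        print("authoritative", "on " if auth else "off",
              "mallory + valid-user:",
              authorize("mallory", ["group mygroup", "valid-user"], auth))
```

    <p>With the directive left at <code>on</code>, a user outside every
    named group gets the Authorization Required reply even when a later
    provider would have accepted the request; only the explicit
    <code>off</code> setting opens that fall-through, which is the risk the
    paragraph above asks you to weigh for .htaccess files.</p>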
</usage>
</directivesynopsis>

</modulesynopsis>