Apache HTTP Server Version 2.3
Available Languages: en
Description: | Core Authorization |
---|---|
Status: | Base |
Module Identifier: | authz_core_module |
Source File: | mod_authz_core.c |
Compatibility: | Available in Apache 2.3 and later |
This module provides core authorization capabilities so that
authenticated users can be allowed or denied access to portions
of the web site. mod_authz_core
provides the
functionality to register various authorization providers. It is
usually used in conjunction with an authentication
provider module such as mod_authn_file
and an
authorization module such as mod_authz_user
. It
also allows for "AND" and "OR" logic to be applied to the
authorization processing.
Extended authorization providers can be created within the configuration
file and assigned an alias name. The alias providers can then be referenced
through the Require
directive
in the same way as a base authorization provider. Besides the ability to
create and alias an extended provider, it also allows the same extended
authorization provider to be reference by multiple locations.
The example below creates two different ldap authorization provider aliases based on the ldap-group authorization provider. This example allows a single authorization location to check group membership within multiple ldap hosts:
<RequireAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
AuthLDAPBindDN cn=youruser,o=ctx
AuthLDAPBindPassword yourpassword
AuthLDAPURL ldap://ldap.host/o=ctx
</RequireAlias>
<AuthnProviderAlias ldap-group ldap-group-alias2
cn=my-other-group,o=dev>
AuthLDAPBindDN cn=yourotheruser,o=dev
AuthLDAPBindPassword yourotherpassword
AuthLDAPURL ldap://other.ldap.host/o=dev?cn
</RequireAlias>
Alias /secure /webpages/secure
<Directory /webpages/secure>
Order deny,allow
Allow from all
AuthBasicProvider file
AuthType Basic
AuthName LDAP_Protected_Place
#implied OR operation
Require alias1-ldap-group
Require alias2-ldap-group
</Directory>
Description: | Set to 'on' to allow the parent's <Directory> or <Location> authz rules to be merged into the current <Directory> or <Location>. Set to 'off' to disable merging. If set to 'off', only the authz rules defined in the current <Directory> or <Location> block will apply. |
---|---|
Syntax: | AuthMergeRules on | off |
Default: | AuthMergeRules on |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_authz_core |
By default all of the authorization rules within a <Directory> <Location> hierarchy are merged together to form a single logical authorization operation. If AuthzMergeRules is set to 'off', then only the authorization rules that are contained with the current <Directory> or <Location> block are considered. This allows the configuration to determine exactly how authorization will be determine without having to take into consideration the authorization rules that may exist above it.
Description: | Rejects authenticated users or host based requests from accessing a resource |
---|---|
Syntax: | Reject entity-name [entity-name] ... |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_authz_core |
This directive is similar to the
Require
directive however
it rejects which authenticated users or host based requests from accessing a resource. The
restrictions are processed by authorization modules. See the
Require
directive for details
about usage.
Description: | Selects which authenticated users can access a resource |
---|---|
Syntax: | Require entity-name [entity-name] ... |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_authz_core |
This directive selects which authenticated users can access a
resource. The restrictions are processed by authorization
modules. Some of the allowed syntaxes provided by
mod_authz_user
and
mod_authz_groupfile
are:
Require user userid [userid]
...
Require group group-name [group-name]
...
Require valid-user
Other authorization modules that implement require options
include mod_authnz_ldap
,
mod_authz_dbm
, mod_authz_dbd
,
mod_authz_host
, and
mod_authz_owner
.
For a complete authentication and authorization configuration,
Require
must be accompanied by
AuthName
, AuthType
and
AuthBasicProvider
directives, and directives such as
AuthUserFile
and AuthGroupFile
(to
define users and groups) in order to work correctly. Example:
AuthType Basic
AuthName "Restricted Resource"
AuthBasicProvider file
AuthUserFile /web/users
AuthGroupFile /web/groups
Require group admin
Access controls which are applied in this way are effective for
all methods. This is what is normally
desired. If you wish to apply access controls only to
specific methods, while leaving other methods unprotected, then
place the Require
statement into a
<Limit>
section.
Description: | Enclose a group of directives that represent an extension of a base authorization provider and referenced by the specified alias |
---|---|
Syntax: | <RequireAlias baseProvider Alias Require-Parameters>
... </RequireAlias>
|
Context: | server config |
Status: | Base |
Module: | mod_authz_core |
<RequireAlias>
and
</RequireAlias>
are used to enclose a group of
authorization directives that can be referenced by the alias name using the
directive Require
.
Description: | Enclose a group of authorization directives that must all be satisfied in order to grant access to a resource. This block allows for 'AND' logic to be applied to various authorization providers. |
---|---|
Syntax: | <SatisfyAll>
... </SatisfyAll> |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_authz_core |
<SatisfyAll>
and
</SatisfyAll>
are used to enclose a group of
authorization directives that must all be satisfied in order to
grant access to a resource.
The
<SatisfyAll>
block as well as the
<SatisfyOne>
block
allow you to apply "AND" and "OR" logic to the authorization processing.
For example the following authorization block would apply the logic:
# if ((user == "John") ||
# ((Group == "admin")
# && (ldap-group <ldap-object> contains auth'ed_user)
# && ((ldap-attribute dept == "sales")
# || (file-group contains auth'ed_user))))
# then
# auth_granted
# else
# auth_denied
#
<Directory /www/mydocs>
Authname ...
AuthBasicProvider ...
...
Require user John
<SatisfyAll>
Require Group admins
Require ldap-group cn=mygroup,o=foo
<SatisfyOne>
Require ldap-attribute dept="sales"
Require file-group
</SatisfyOne>
</SatisfyAll>
</Directory>
Description: | Enclose a group of authorization directives that must satisfy at least one in order to grant access to a resource. This block allows for 'OR' logic to be applied to various authorization providers. |
---|---|
Syntax: | <SatisfyOne>
... </SatisfyOne> |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_authz_core |
<SatisfyOne>
and
</SatisfyOne>
are used to enclose a group of
authorization directives that must satisfy at least one in order to
grant access to a resource.
See the
<SatisfyAll>
directive for a usage example.
Available Languages: en