2 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
3 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
4 <!-- $LastChangedRevision$ -->
7 Licensed to the Apache Software Foundation (ASF) under one or more
8 contributor license agreements. See the NOTICE file distributed with
9 this work for additional information regarding copyright ownership.
10 The ASF licenses this file to You under the Apache License, Version 2.0
11 (the "License"); you may not use this file except in compliance with
12 the License. You may obtain a copy of the License at
14 http://www.apache.org/licenses/LICENSE-2.0
16 Unless required by applicable law or agreed to in writing, software
17 distributed under the License is distributed on an "AS IS" BASIS,
18 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 See the License for the specific language governing permissions and
20 limitations under the License.
23 <modulesynopsis metafile="mod_authn_core.xml.meta">
25 <name>mod_authn_core</name>
26 <description>Core Authentication</description>
28 <sourcefile>mod_authn_core.c</sourcefile>
29 <identifier>authn_core_module</identifier>
30 <compatibility>Available in Apache 2.3 and later</compatibility>
33 <p>This module provides core authentication capabilities to
34 allow or deny access to portions of the web site.
35 <module>mod_authn_core</module> provides directives that are
36 common to all authentication providers.</p>
39 <section id="authnalias"><title>Creating Authentication Provider Aliases</title>
41 <p>Extended authentication providers can be created
42 within the configuration file and assigned an alias name. The alias
43 providers can then be referenced through the directives
44 <directive module="mod_auth_basic">AuthBasicProvider</directive> or
45 <directive module="mod_auth_digest">AuthDigestProvider</directive> in
46 the same way as a base authentication provider. Besides the ability
47 to create and alias an extended provider, it also allows the same
48 extended authentication provider to be reference by multiple
51 <section id="example"><title>Examples</title>
53 <p>This example checks for passwords in two different text
56 <example><title>Checking multiple text password files</title>
57 <highlight language="config">
59 <AuthnProviderAlias file file1>
60 AuthUserFile "/www/conf/passwords1"
61 </AuthnProviderAlias>
64 <AuthnProviderAlias file file2>
65 AuthUserFile "/www/conf/passwords2"
66 </AuthnProviderAlias>
68 <Directory "/var/web/pages/secure">
69 AuthBasicProvider file1 file2
72 AuthName "Protected Area"
78 <p>The example below creates two different ldap authentication
79 provider aliases based on the ldap provider. This allows
80 a single authenticated location to be serviced by multiple ldap
83 <example><title>Checking multiple LDAP servers</title>
84 <highlight language="config">
85 <AuthnProviderAlias ldap ldap-alias1>
86 AuthLDAPBindDN "cn=youruser,o=ctx"
87 AuthLDAPBindPassword yourpassword
88 AuthLDAPURL "ldap://ldap.host/o=ctx"
89 </AuthnProviderAlias>
90 <AuthnProviderAlias ldap ldap-other-alias>
91 AuthLDAPBindDN "cn=yourotheruser,o=dev"
92 AuthLDAPBindPassword yourotherpassword
93 AuthLDAPURL "ldap://other.ldap.host/o=dev?cn"
94 </AuthnProviderAlias>
96 Alias "/secure" "/webpages/secure"
97 <Directory "/webpages/secure">
98 AuthBasicProvider ldap-other-alias ldap-alias1
101 AuthName "LDAP Protected Place"
103 # Note that Require ldap-* would not work here, since the
104 # AuthnProviderAlias does not provide the config to authorization providers
105 # that are implemented in the same module as the authentication provider.
115 <name>AuthName</name>
116 <description>Authorization realm for use in HTTP
117 authentication</description>
118 <syntax>AuthName <var>auth-domain</var></syntax>
119 <contextlist><context>directory</context><context>.htaccess</context>
121 <override>AuthConfig</override>
124 <p>This directive sets the name of the authorization realm for a
125 directory. This realm is given to the client so that the user
126 knows which username and password to send.
127 <directive>AuthName</directive> takes a single argument; if the
128 realm name contains spaces, it must be enclosed in quotation
129 marks. It must be accompanied by <directive
130 module="mod_authn_core">AuthType</directive> and <directive
131 module="mod_authz_core">Require</directive> directives, and directives such
132 as <directive module="mod_authn_file">AuthUserFile</directive> and
133 <directive module="mod_authz_groupfile">AuthGroupFile</directive> to
138 <highlight language="config">
139 AuthName "Top Secret"
142 <p>The string provided for the <code>AuthName</code> is what will
143 appear in the password dialog provided by most browsers.</p>
145 <p>From 2.4.13, <a href="../expr.html">expression syntax</a> can be
146 used inside the directive to produce the name dynamically.</p>
150 <highlight language="config">
151 AuthName "%{HTTP_HOST}"
156 href="../howto/auth.html">Authentication, Authorization, and
157 Access Control</a></seealso>
158 <seealso><module>mod_authz_core</module></seealso>
162 <name>AuthType</name>
163 <description>Type of user authentication</description>
164 <syntax>AuthType None|Basic|Digest|Form</syntax>
165 <contextlist><context>directory</context><context>.htaccess</context>
167 <override>AuthConfig</override>
170 <p>This directive selects the type of user authentication for a
171 directory. The authentication types available are <code>None</code>,
172 <code>Basic</code> (implemented by
173 <module>mod_auth_basic</module>), <code>Digest</code>
174 (implemented by <module>mod_auth_digest</module>), and
175 <code>Form</code> (implemented by <module>mod_auth_form</module>).</p>
177 <p>To implement authentication, you must also use the <directive
178 module="mod_authn_core">AuthName</directive> and <directive
179 module="mod_authz_core">Require</directive> directives. In addition, the
180 server must have an authentication-provider module such as
181 <module>mod_authn_file</module> and an authorization module such
182 as <module>mod_authz_user</module>.</p>
184 <p>The authentication type <code>None</code> disables authentication.
185 When authentication is enabled, it is normally inherited by each
186 subsequent <a href="../sections.html#mergin">configuration section</a>,
187 unless a different authentication type is specified. If no
188 authentication is desired for a subsection of an authenticated
189 section, the authentication type <code>None</code> may be used;
190 in the following example, clients may access the
191 <code>/www/docs/public</code> directory without authenticating:</p>
193 <highlight language="config">
194 <Directory "/www/docs">
197 AuthBasicProvider file
198 AuthUserFile "/usr/local/apache/passwd/passwords"
202 <Directory "/www/docs/public">
208 <p>From 2.4.13, <a href="../expr.html">expression syntax</a> can be
209 used inside the directive to specify the type dynamically.</p>
211 <note>When disabling authentication, note that clients which have
212 already authenticated against another portion of the server's document
213 tree will typically continue to send authentication HTTP headers
214 or cookies with each request, regardless of whether the server
215 actually requires authentication for every resource.</note>
218 <seealso><a href="../howto/auth.html">Authentication, Authorization,
219 and Access Control</a></seealso>
222 <directivesynopsis type="section">
223 <name>AuthnProviderAlias</name>
224 <description>Enclose a group of directives that represent an
225 extension of a base authentication provider and referenced by
226 the specified alias</description>
227 <syntax><AuthnProviderAlias <var>baseProvider Alias</var>>
228 ... </AuthnProviderAlias></syntax>
229 <contextlist><context>server config</context>
233 <p><code><AuthnProviderAlias></code> and
234 <code></AuthnProviderAlias></code> are used to enclose a group of
235 authentication directives that can be referenced by the alias name
236 using one of the directives <directive module="mod_auth_basic">
237 AuthBasicProvider</directive> or <directive module="mod_auth_digest">
238 AuthDigestProvider</directive>.</p>
240 <note>This directive has no affect on authorization, even for modules that
241 provide both authentication and authorization.</note>