1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 This file is generated from xml source: DO NOT EDIT
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7 --><title>mod_authn_file - Apache HTTP Server</title><link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /><link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /><link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link href="../images/favicon.ico" rel="shortcut icon" /></head><body><div id="page-header"><p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p><p class="apache">Apache HTTP Server Version 2.0</p><img alt="" src="../images/feather.gif" /></div><div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div><div id="path"><a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs-project/">Documentation</a> > <a href="../">Version 2.0</a> > <a href="./">Modules</a></div><div id="page-content"><div id="preamble"><h1>Apache Module mod_authn_file</h1><table class="module"><tr><th><a href="module-dict.html#Description">Description:
8 </a></th><td>User authentication using text files</td></tr><tr><th><a href="module-dict.html#Status">Status:
9 </a></th><td>Base</td></tr><tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:
10 </a></th><td>authn_file_module</td></tr><tr><th><a href="module-dict.html#SourceFile">Source File:
11 </a></th><td>mod_authn_file.c</td></tr><tr><th><a href="module-dict.html#Compatibility">Compatibility:
12 </a></th><td>Available in Apache 2.0.42 and later</td></tr></table><h3>Summary</h3>
14 <p>This module provides authentication front-ends such as
15 <code class="module"><a href="../mod/mod_auth_digest.html">mod_auth_digest</a></code> and <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code>
16 to authenticate users by looking up users in plain text password files.
17 Similar functionality is provided by <code class="module"><a href="../mod/mod_authn_dbm.html">mod_authn_dbm</a></code>.</p>
19 <p>When using <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> or
20 <code class="module"><a href="../mod/mod_auth_digest.html">mod_auth_digest</a></code>, this module is invoked via the
21 <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> or
22 <code class="directive"><a href="../mod/mod_auth_digest.html#authdigestprovider">AuthDigestProvider</a></code>
23 with the 'file' value.</p>
25 </div><div id="quickview"><h3 class="directives">Directives</h3><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#authuserfile">AuthUserFile</a></li><li><img alt="" src="../images/down.gif" /> <a href="#authuserfileauthoritative">AuthUserFileAuthoritative</a></li></ul><h3>See also</h3><ul class="seealso"><li><code class="directive"><a href="../mod/core.html#authname">AuthName</a></code></li><li><code class="directive"><a href="../mod/core.html#authtype">AuthType</a></code></li><li>
26 <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code>
28 <code class="directive"><a href="../mod/mod_auth_digest.html#authdigestprovider">AuthDigestProvider</a></code>
29 </li></ul></div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="AuthUserFile" id="AuthUserFile">AuthUserFile</a> <a name="authuserfile" id="authuserfile">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
30 </a></th><td>Sets the name of a text file containing the list of users and
31 passwords for authentication</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
32 </a></th><td>AuthUserFile <em>file-path</em></td></tr><tr><th><a href="directive-dict.html#Context">Context:
33 </a></th><td>directory, .htaccess</td></tr><tr><th><a href="directive-dict.html#Override">Override:
34 </a></th><td>AuthConfig</td></tr><tr><th><a href="directive-dict.html#Status">Status:
35 </a></th><td>Base</td></tr><tr><th><a href="directive-dict.html#Module">Module:
36 </a></th><td>mod_authn_file</td></tr></table>
37 <p>The <code class="directive">AuthUserFile</code> directive sets the name
38 of a textual file containing the list of users and passwords for
39 user authentication. <em>File-path</em> is the path to the user
40 file. If it is not absolute (<em>i.e.</em>, if it doesn't begin
41 with a slash), it is treated as relative to the <code class="directive"><a href="../mod/core.html#serverroot">ServerRoot</a></code>.</p>
43 <p>Each line of the user file contains a username followed by
44 a colon, followed by the <code>crypt()</code> encrypted
45 password. The behavior of multiple occurrences of the same user is
48 <p>The utility <a href="../programs/htpasswd.html">htpasswd</a>
49 which is installed as part of the binary distribution, or which
50 can be found in <code>src/support</code>, is used to maintain
51 this password file. See the <code>man</code> page for more
52 details. In short:</p>
54 <p>Create a password file 'Filename' with 'username' as the
55 initial ID. It will prompt for the password:</p>
56 <div class="example"><p><code>htpasswd -c Filename username</code></p></div>
58 <p>Add or modify 'username2' in the password file 'Filename':</p>
59 <div class="example"><p><code>htpasswd Filename username2</code></p></div>
61 <p>Note that searching large text files is <em>very</em>
62 inefficient; <code class="directive"><a href="../mod/mod_authn_dbm.html#authdbmuserfile">AuthDBMUserFile</a></code> should be used
65 <div class="note"><h3>Security</h3>
66 <p>Make sure that the <code class="directive">AuthUserFile</code> is
67 stored outside the document tree of the web-server; do <em>not</em>
68 put it in the directory that it protects. Otherwise, clients will
69 be able to download the <code class="directive">AuthUserFile</code>.</p>
71 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="AuthUserFileAuthoritative" id="AuthUserFileAuthoritative">AuthUserFileAuthoritative</a> <a name="authuserfileauthoritative" id="authuserfileauthoritative">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
72 </a></th><td>Sets whether authorization and authentication are
73 passed to lower level modules</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
74 </a></th><td>AuthUserFileAuthoritative on|off</td></tr><tr><th><a href="directive-dict.html#Default">Default:
75 </a></th><td><code>AuthUserFileAuthoritative on</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
76 </a></th><td>directory, .htaccess</td></tr><tr><th><a href="directive-dict.html#Override">Override:
77 </a></th><td>AuthConfig</td></tr><tr><th><a href="directive-dict.html#Status">Status:
78 </a></th><td>Base</td></tr><tr><th><a href="directive-dict.html#Module">Module:
79 </a></th><td>mod_authn_file</td></tr></table>
80 <div class="note">This information has not been updated for Apache 2.0, which
81 uses a different system for module ordering.</div>
83 <p>Setting the <code class="directive">AuthAuthoritative</code> directive
84 explicitly to <strong>'off'</strong> allows for both
85 authentication and authorization to be passed on to lower level
86 modules (as defined in the <code>Configuration</code> and
87 <code>modules.c</code> files) if there is <strong>no
88 userID</strong> or <strong>rule</strong> matching the supplied
89 userID. If there is a userID and/or rule specified; the usual
90 password and access checks will be applied and a failure will give
91 an Authorization Required reply.</p>
93 <p>So if a userID appears in the database of more than one module;
94 or if a valid <code class="directive"><a href="../mod/core.html#require">Require</a></code>
95 directive applies to more than one module; then the first module
96 will verify the credentials; and no access is passed on;
97 regardless of the AuthAuthoritative setting.</p>
99 <p>By default; control is not passed on; and an unknown userID or
100 rule will result in an Authorization Required reply. Not setting
101 it thus keeps the system secure; and forces an NCSA compliant
104 <div class="note"><h3>Security</h3> Do consider the implications of
105 allowing a user to allow fall-through in his .htaccess file; and
106 verify that this is really what you want; Generally it is easier
107 to just secure a single .htpasswd file, than it is to secure a
108 database such as mSQL. Make sure that the <code class="directive"><a href="#authuserfile">AuthUserFile</a></code> and the <code class="directive"><a href="../mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> are stored outside
109 the document tree of the web-server; do <em>not</em> put them in the
110 directory that they protect. Otherwise, clients will be able to
111 download the <code class="directive"><a href="#authuserfile">AuthUserFile</a></code>
112 and the <code class="directive"><a href="../mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code>.
114 </div></div><div id="footer"><p class="apache">Maintained by the <a href="http://httpd.apache.org/docs-project/">Apache HTTP Server Documentation Project</a></p><p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div></body></html>