2 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
3 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
4 <!-- $Revision: 1.9 $ -->
7 Copyright 2002-2004 The Apache Software Foundation
9 Licensed under the Apache License, Version 2.0 (the "License");
10 you may not use this file except in compliance with the License.
11 You may obtain a copy of the License at
13 http://www.apache.org/licenses/LICENSE-2.0
15 Unless required by applicable law or agreed to in writing, software
16 distributed under the License is distributed on an "AS IS" BASIS,
17 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 See the License for the specific language governing permissions and
19 limitations under the License.
22 <modulesynopsis metafile="mod_authn_file.xml.meta">
24 <name>mod_authn_file</name>
25 <description>User authentication using text files</description>
27 <sourcefile>mod_authn_file.c</sourcefile>
28 <identifier>authn_file_module</identifier>
29 <compatibility>Available in Apache 2.1 and later</compatibility>
32 <p>This module provides authentication front-ends such as
33 <module>mod_auth_digest</module> and <module>mod_auth_basic</module>
34 to authenticate users by looking up users in plain text password files.
35 Similar functionality is provided by <module>mod_authn_dbm</module>.</p>
37 <p>When using <module>mod_auth_basic</module> or
38 <module>mod_auth_digest</module>, this module is invoked via the
39 <directive module="mod_auth_basic">AuthBasicProvider</directive> or
40 <directive module="mod_auth_digest">AuthDigestProvider</directive>
41 with the <code>file</code> value.</p>
44 <directive module="mod_auth_basic">AuthBasicProvider</directive>
47 <directive module="mod_auth_digest">AuthDigestProvider</directive>
49 <seealso><a href="../programs/htpasswd.html">htpasswd</a></seealso>
50 <seealso><a href="../programs/htdigest.html">htdigest</a></seealso>
53 <name>AuthUserFile</name>
54 <description>Sets the name of a text file containing the list of users and
55 passwords for authentication</description>
56 <syntax>AuthUserFile <var>file-path</var></syntax>
57 <contextlist><context>directory</context><context>.htaccess</context>
59 <override>AuthConfig</override>
62 <p>The <directive>AuthUserFile</directive> directive sets the name
63 of a textual file containing the list of users and passwords for
64 user authentication. <var>File-path</var> is the path to the user
65 file. If it is not absolute, it is treated as relative to the
66 <directive module="core">ServerRoot</directive>.</p>
68 <p>Each line of the user file contains a username followed by
69 a colon, followed by the encrypted password. If the same user
70 ID is defined multiple times, <module>mod_authn_file</module> will
71 use the first occurrence to verify the password.</p>
73 <p>The utility <a href="../programs/htpasswd.html">htpasswd</a>
74 which is installed as part of the binary distribution, or which
75 can be found in <code>src/support</code>, is used to maintain
76 the password file for <em>HTTP Basic Authentication</em>. See the
77 <a href="../programs/htpasswd.html">man page</a> for more details.
80 <p>Create a password file <code>Filename</code> with
81 <code>username</code> as the initial ID. It will prompt for
85 htpasswd -c Filename username
88 <p>Add or modify <code>username2</code> in the password file
89 <code>Filename</code>:</p>
92 htpasswd Filename username2
95 <p>Note that searching large text files is <em>very</em>
96 inefficient; <directive
97 module="mod_authn_dbm">AuthDBMUserFile</directive> should be used
100 <p>If you are using <em>HTTP Digest Authentication</em>, the <a
101 href="../programs/htpasswd.html">htpasswd</a> tool is not sufficient.
102 You have to use <a href="../programs/htdigest.html">htdigest</a>
103 instead. Note that you cannot mix user data for Digest Authentication
104 and Basic Authentication within the same file.</p>
106 <note type="warning"><title>Security</title>
107 <p>Make sure that the <directive>AuthUserFile</directive> is
108 stored outside the document tree of the web-server. Do
109 <strong>not</strong> put it in the directory that it protects.
110 Otherwise, clients may be able to download the
111 <directive>AuthUserFile</directive>.</p>