1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
4 <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
10 <title>mod_authz_core - Apache HTTP Server Version 2.5</title>
11 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
12 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
13 <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
14 <script src="../style/scripts/prettify.min.js" type="text/javascript">
17 <link href="../images/favicon.ico" rel="shortcut icon" /></head>
19 <div id="page-header">
20 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
21 <p class="apache">Apache HTTP Server Version 2.5</p>
22 <img alt="" src="../images/feather.png" /></div>
26 <div id="page-content">
27 <div id="preamble"><h1>Apache Module mod_authz_core</h1>
29 <p><span>Available Languages: </span><a href="../en/mod/mod_authz_core.html" title="English"> en </a> |
30 <a href="../fr/mod/mod_authz_core.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
32 <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Core Authorization</td></tr>
33 <tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
34 <tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>authz_core_module</td></tr>
35 <tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_authz_core.c</td></tr>
36 <tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTPD 2.3 and later</td></tr></table>
39 <p>This module provides core authorization capabilities so that
40 authenticated users can be allowed or denied access to portions
41 of the web site. <code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code> provides the
42 functionality to register various authorization providers. It is
43 usually used in conjunction with an authentication
44 provider module such as <code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code> and an
45 authorization module such as <code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code>. It
46 also allows for advanced logic to be applied to the
47 authorization processing.</p>
49 <div id="quickview"><h3>Topics</h3>
51 <li><img alt="" src="../images/down.gif" /> <a href="#logic">Authorization Containers</a></li>
52 <li><img alt="" src="../images/down.gif" /> <a href="#requiredirectives">The Require Directives</a></li>
53 <li><img alt="" src="../images/down.gif" /> <a href="#authzalias">Creating Authorization Provider Aliases</a></li>
54 </ul><h3 class="directives">Directives</h3>
56 <li><img alt="" src="../images/down.gif" /> <a href="#authmerging">AuthMerging</a></li>
57 <li><img alt="" src="../images/down.gif" /> <a href="#authzprovideralias"><AuthzProviderAlias></a></li>
58 <li><img alt="" src="../images/down.gif" /> <a href="#authzsendforbiddenonfailure">AuthzSendForbiddenOnFailure</a></li>
59 <li><img alt="" src="../images/down.gif" /> <a href="#require">Require</a></li>
60 <li><img alt="" src="../images/down.gif" /> <a href="#requireall"><RequireAll></a></li>
61 <li><img alt="" src="../images/down.gif" /> <a href="#requireany"><RequireAny></a></li>
62 <li><img alt="" src="../images/down.gif" /> <a href="#requirenone"><RequireNone></a></li>
<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&list_id=144532&product=Apache%20httpd-2&query_format=specific&order=changeddate%20DESC%2Cpriority%2Cbug_severity&component=mod_authz_core">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&component=mod_authz_core">Report a bug</a></li></ul>
</div>
69 <h2><a name="logic" id="logic">Authorization Containers</a></h2>
71 <p>The authorization container directives
72 <code class="directive"><a href="#requireall"><RequireAll></a></code>,
73 <code class="directive"><a href="#requireany"><RequireAny></a></code>
75 <code class="directive"><a href="#requirenone"><RequireNone></a></code>
76 may be combined with each other and with the
77 <code class="directive"><a href="#require">Require</a></code>
78 directive to express complex authorization logic.</p>
80 <p>The example below expresses the following authorization logic.
81 In order to access the resource, the user must either be the
82 <code>superadmin</code> user, or belong to both the
83 <code>admins</code> group and the <code>Administrators</code> LDAP
84 group and either belong to the <code>sales</code> group or
85 have the LDAP <code>dept</code> attribute <code>sales</code>.
86 Furthermore, in order to access the resource, the user must
87 not belong to either the <code>temps</code> group or the
88 LDAP group <code>Temporary Employees</code>.</p>
90 <pre class="prettyprint lang-config"><Directory "/www/mydocs">
93 Require user superadmin
96 Require ldap-group "cn=Administrators,o=Airius"
99 Require ldap-attribute dept="sales"
105 Require ldap-group "cn=Temporary Employees,o=Airius"
108 </Directory></pre>
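<p>The logic described above, modelled in Python as an added example (not code from the Apache HTTP Server project): <code>NESTED</code> is the container nesting written out from that description, <code>FLAT</code> is a constructed contrast with the containers left out, and each is evaluated with the success, failure and neutral rules this page gives for <code>RequireAll</code>, <code>RequireAny</code>, <code>RequireNone</code> and negated <code>Require</code>. The <code>facts</code> dictionary, one value per <code>Require</code> line, and treating a non-matching <code>Require</code> as a failure are assumptions of the model.</p>

```python
import re
from enum import Enum

class Result(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NEUTRAL = "neutral"

# Constructed sample: the container nesting that the paragraph describes in words.
NESTED = """
<RequireAll>
    <RequireAny>
        Require user superadmin
        <RequireAll>
            Require group admins
            Require ldap-group "cn=Administrators,o=Airius"
            <RequireAny>
                Require group sales
                Require ldap-attribute dept="sales"
            </RequireAny>
        </RequireAll>
    </RequireAny>
    <RequireNone>
        Require group temps
        Require ldap-group "cn=Temporary Employees,o=Airius"
    </RequireNone>
</RequireAll>
"""

# Constructed contrast: Require lines with no containers around them.
FLAT = """
Require user superadmin
Require ldap-group "cn=Administrators,o=Airius"
Require ldap-attribute dept="sales"
Require ldap-group "cn=Temporary Employees,o=Airius"
"""

def parse(text):
    """Build a tree of (container, children) and ("Require", negated, provider, value)."""
    root = ("RequireAny", [])  # top-level Require lines sit in an implicit RequireAny
    stack = [root]
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        tag = re.fullmatch(r"<(/?)(RequireAll|RequireAny|RequireNone)>", line)
        req = re.fullmatch(r"Require\s+(not\s+)?(\S+)\s+(.+)", line)
        if tag and not tag.group(1):
            stack[-1][1].append((tag.group(2), []))
            stack.append(stack[-1][1][-1])
        elif tag and len(stack) > 1 and stack[-1][0] == tag.group(2):
            stack.pop()
        elif req and not (req.group(1) and stack[-1][0] != "RequireAll"):
            value = req.group(3).replace('"', "")
            stack[-1][1].append(("Require", bool(req.group(1)), req.group(2), value))
        else:
            # Also rejects negation inside RequireAny/RequireNone, which the page forbids.
            raise ValueError(f"not permitted here: {line}")
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1][0]}>")
    return root

def evaluate(node, facts):
    """Three-valued result of a tree node for a subject described by facts."""
    if node[0] == "Require":
        _, negated, provider, value = node
        hit = value == "granted" if provider == "all" else value in facts.get(provider, ())
        if negated:  # a negated Require can only fail or stay neutral
            return Result.DENIED if hit else Result.NEUTRAL
        return Result.GRANTED if hit else Result.DENIED  # assumption: a miss fails
    results = [evaluate(child, facts) for child in node[1]]
    succeeded, failed = Result.GRANTED in results, Result.DENIED in results
    if node[0] == "RequireNone":
        return Result.DENIED if succeeded else Result.NEUTRAL
    if node[0] == "RequireAny":
        if succeeded:
            return Result.GRANTED
        return Result.DENIED if failed else Result.NEUTRAL
    if failed:  # RequireAll: any failure fails the whole container
        return Result.DENIED
    return Result.GRANTED if succeeded else Result.NEUTRAL

def decide(config, facts):
    """Result for the whole section; only GRANTED authorizes the request."""
    return evaluate(parse(config), facts)

if __name__ == "__main__":
    temp = {"ldap-group": {"cn=Temporary Employees,o=Airius"}}
    for name, config in (("nested", NESTED), ("flat", FLAT)):
        print(name, decide(config, temp).value)
```

<p>The same temporary employee is denied by <code>NESTED</code> and granted by <code>FLAT</code>, because <code>Require</code> lines without a container are implicitly joined by <code>RequireAny</code>.</p>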
</div>
111 <div class="section">
112 <h2><a name="requiredirectives" id="requiredirectives">The Require Directives</a></h2>
114 <p><code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code> provides some generic authorization
115 providers which can be used with the
116 <code class="directive"><a href="#require">Require</a></code> directive.</p>
118 <h3><a name="reqenv" id="reqenv">Require env</a></h3>
120 <p>The <code>env</code> provider allows access to the server
121 to be controlled based on the existence of an <a href="../env.html">environment variable</a>. When <code>Require
122 env <var>env-variable</var></code> is specified, then the request is
123 allowed access if the environment variable <var>env-variable</var>
124 exists. The server provides the ability to set environment
125 variables in a flexible way based on characteristics of the client
126 request using the directives provided by
127 <code class="module"><a href="../mod/mod_setenvif.html">mod_setenvif</a></code>. Therefore, this directive can be
used to allow access based on such factors as the client's
129 <code>User-Agent</code> (browser type), <code>Referer</code>, or
130 other HTTP request header fields.</p>
<pre class="prettyprint lang-config">SetEnvIf User-Agent "^KnockKnock/2\.0" let_me_in
<Directory "/docroot">
    Require env let_me_in
</Directory></pre>
138 <p>In this case, browsers with a user-agent string beginning
139 with <code>KnockKnock/2.0</code> will be allowed access, and all
140 others will be denied.</p>
142 <p>When the server looks up a path via an internal
143 <a class="glossarylink" href="../glossary.html#subrequest" title="see glossary">subrequest</a> such as looking
144 for a <code class="directive"><a href="../mod/mod_dir.html#directoryindex">DirectoryIndex</a></code>
145 or generating a directory listing with <code class="module"><a href="../mod/mod_autoindex.html">mod_autoindex</a></code>,
146 per-request environment variables are <em>not</em> inherited in the
147 subrequest. Additionally,
148 <code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> directives
149 are not separately evaluated in the subrequest due to the API phases
150 <code class="module"><a href="../mod/mod_setenvif.html">mod_setenvif</a></code> takes action in.</p>
154 <h3><a name="reqall" id="reqall">Require all</a></h3>
156 <p>The <code>all</code> provider mimics the functionality that
157 was previously provided by the 'Allow from all' and 'Deny from all'
158 directives. This provider can take one of two arguments which are
159 'granted' or 'denied'. The following examples will grant or deny
160 access to all requests.</p>
162 <pre class="prettyprint lang-config">Require all granted</pre>
165 <pre class="prettyprint lang-config">Require all denied</pre>
170 <h3><a name="reqmethod" id="reqmethod">Require method</a></h3>
172 <p>The <code>method</code> provider allows using the HTTP method in
173 authorization decisions. The GET and HEAD methods are treated as
174 equivalent. The TRACE method is not available to this provider,
175 use <code class="directive"><a href="../mod/core.html#traceenable">TraceEnable</a></code> instead.</p>
177 <p>The following example will only allow GET, HEAD, POST, and OPTIONS
180 <pre class="prettyprint lang-config">Require method GET POST OPTIONS</pre>
183 <p>The following example will allow GET, HEAD, POST, and OPTIONS
184 requests without authentication, and require a valid user for all other
<pre class="prettyprint lang-config"><RequireAny>
    Require method GET POST OPTIONS
    Require valid-user
</RequireAny></pre>
195 <h3><a name="reqexpr" id="reqexpr">Require expr</a></h3>
197 <p>The <code>expr</code> provider allows basing authorization
198 decisions on arbitrary expressions.</p>
200 <pre class="prettyprint lang-config">Require expr %{TIME_HOUR} -ge 9 && %{TIME_HOUR} -le 17</pre>
<pre class="prettyprint lang-config"><RequireAll>
    Require expr "!(%{QUERY_STRING} =~ /secret/)"
    Require expr "%{REQUEST_URI} in { '/example.cgi', '/other.cgi' }"
</RequireAll></pre>
209 <pre class="prettyprint lang-config">Require expr "!(%{QUERY_STRING} =~ /secret/) && %{REQUEST_URI} in { '/example.cgi', '/other.cgi' }"</pre>
212 <p>The syntax is described in the <a href="../expr.html">ap_expr</a>
215 <p>Normally, the expression is evaluated before authentication. However, if
216 the expression returns false and references the variable
217 <code>%{REMOTE_USER}</code>, authentication will be performed and
218 the expression will be re-evaluated.</p>
</div>
224 <div class="section">
225 <h2><a name="authzalias" id="authzalias">Creating Authorization Provider Aliases</a></h2>
227 <p>Extended authorization providers can be created within the configuration
228 file and assigned an alias name. The alias providers can then be referenced
229 through the <code class="directive"><a href="#require">Require</a></code> directive
230 in the same way as a base authorization provider. Besides the ability to
231 create and alias an extended provider, it also allows the same extended
232 authorization provider to be referenced by multiple locations.
235 <h3><a name="example" id="example">Example</a></h3>
236 <p>The example below creates two different ldap authorization provider
237 aliases based on the ldap-group authorization provider. This example
238 allows a single authorization location to check group membership within
<pre class="prettyprint lang-config"><AuthzProviderAlias ldap-group ldap-group-alias1 "cn=my-group,o=ctx">
    AuthLDAPBindDN "cn=youruser,o=ctx"
    AuthLDAPBindPassword yourpassword
    AuthLDAPURL "ldap://ldap.host/o=ctx"
</AuthzProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-alias2 "cn=my-other-group,o=dev">
    AuthLDAPBindDN "cn=yourotheruser,o=dev"
    AuthLDAPBindPassword yourotherpassword
    AuthLDAPURL "ldap://other.ldap.host/o=dev?cn"
</AuthzProviderAlias>

Alias "/secure" "/webpages/secure"
<Directory "/webpages/secure">
    AuthBasicProvider file
    AuthType Basic
    AuthName LDAP_Protected_Place

    # implied OR operation
    Require ldap-group-alias1
    Require ldap-group-alias2
</Directory></pre>
272 <div class="directive-section"><h2><a name="AuthMerging" id="AuthMerging">AuthMerging</a> <a name="authmerging" id="authmerging">Directive</a></h2>
273 <table class="directive">
274 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Controls the manner in which each configuration section's
275 authorization logic is combined with that of preceding configuration
277 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthMerging Off | And | Or</code></td></tr>
278 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthMerging Off</code></td></tr>
279 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
280 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
281 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
282 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
284 <p>When authorization is enabled, it is normally inherited by each
285 subsequent <a href="../sections.html#merging">configuration section</a>,
286 unless a different set of authorization directives is specified.
287 This is the default action, which corresponds to an explicit setting
288 of <code>AuthMerging Off</code>.</p>
290 <p>However, there may be circumstances in which it is desirable
291 for a configuration section's authorization to be combined with
292 that of its predecessor while configuration sections are being
293 merged. Two options are available for this case, <code>And</code>
294 and <code>Or</code>.</p>
296 <p>When a configuration section contains <code>AuthMerging And</code>
297 or <code>AuthMerging Or</code>,
298 its authorization logic is combined with that of the nearest
299 predecessor (according to the overall order of configuration sections)
300 which also contains authorization logic as if the two sections
301 were jointly contained within a
302 <code class="directive"><a href="#requireall"><RequireAll></a></code> or
303 <code class="directive"><a href="#requireany"><RequireAny></a></code>
304 directive, respectively.</p>
306 <div class="note">The setting of <code class="directive">AuthMerging</code> is not
307 inherited outside of the configuration section in which it appears.
308 In the following example, only users belonging to group <code>alpha</code>
309 may access <code>/www/docs</code>. Users belonging to either
310 groups <code>alpha</code> or <code>beta</code> may access
311 <code>/www/docs/ab</code>. However, the default <code>Off</code>
312 setting of <code class="directive">AuthMerging</code> applies to the
313 <code class="directive"><a href="../mod/core.html#directory"><Directory></a></code>
314 configuration section for <code>/www/docs/ab/gamma</code>, so
315 that section's authorization directives override those of the
preceding sections. Thus only users belonging to the group
317 <code>gamma</code> may access <code>/www/docs/ab/gamma</code>.</div>
<pre class="prettyprint lang-config"><Directory "/www/docs">
    AuthBasicProvider file
    AuthUserFile "/usr/local/apache/passwd/passwords"
    Require group alpha
</Directory>
<Directory "/www/docs/ab">
    AuthMerging Or
    Require group beta
</Directory>
<Directory "/www/docs/ab/gamma">
    Require group gamma
</Directory></pre>
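<p>The merging rules above, worked through in Python as an added example (not code from the Apache HTTP Server project): it folds the sections that apply to a path into one policy and lists the sections where the default <code>Off</code> discards an enclosing section's requirement, which is the case to look for when reviewing a configuration. The section tuples, the function names, shortest-directory-first ordering and the reduction of each section to a single required group (so results are plain true or false) are assumptions of the model.</p>

```python
# Constructed from the note's example: (directory, AuthMerging setting, required group).
SECTIONS = [
    ("/www/docs", "Off", "alpha"),
    ("/www/docs/ab", "Or", "beta"),
    ("/www/docs/ab/gamma", "Off", "gamma"),  # no AuthMerging line, so the default Off
]


def applicable(sections, path):
    """Sections whose directory contains path, shortest directory first."""
    hits = [s for s in sections if path == s[0] or path.startswith(s[0].rstrip("/") + "/")]
    return sorted(hits, key=lambda s: len(s[0]))


def effective_policy(sections, path):
    """Merged authorization for path as a nested ("group"|"all"|"any", ...) tuple."""
    policy = None  # merged result of the sections handled so far
    for _directory, merging, group in applicable(sections, path):
        if merging not in ("Off", "And", "Or"):
            raise ValueError(f"unknown AuthMerging value: {merging}")
        own = ("group", group)
        if policy is None or merging == "Off":
            policy = own  # Off: this section's logic replaces what preceded it
        else:
            # And: as if jointly inside RequireAll; Or: as if inside RequireAny
            policy = ("all" if merging == "And" else "any", policy, own)
    return policy


def allowed(policy, groups):
    """True if a user with these groups satisfies the merged policy."""
    if policy is None:
        raise ValueError("no authorization section applies to this path")
    if policy[0] == "group":
        return policy[1] in groups
    combine = all if policy[0] == "all" else any
    return combine(allowed(part, groups) for part in policy[1:])


def replaced_policies(sections):
    """(section, nearest enclosing section) pairs where Off discards the outer logic."""
    found = []
    for directory, merging, _group in sections:
        outer = applicable(sections, directory)[:-1]
        if merging == "Off" and outer:
            found.append((directory, outer[-1][0]))
    return found


if __name__ == "__main__":
    for path in ("/www/docs/a.html", "/www/docs/ab/b.html", "/www/docs/ab/gamma/c.html"):
        print(path, effective_policy(SECTIONS, path))
    print("review:", replaced_policies(SECTIONS))
```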
339 <div class="directive-section"><h2><a name="AuthzProviderAlias" id="AuthzProviderAlias"><AuthzProviderAlias></a> <a name="authzprovideralias" id="authzprovideralias">Directive</a></h2>
340 <table class="directive">
341 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of directives that represent an
342 extension of a base authorization provider and referenced by the specified
344 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><AuthzProviderAlias <var>baseProvider Alias Require-Parameters</var>>
345 ... </AuthzProviderAlias>
347 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
348 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
349 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
351 <p><code class="directive"><AuthzProviderAlias></code> and
352 <code></AuthzProviderAlias></code> are used to enclose a group of
353 authorization directives that can be referenced by the alias name using the
354 directive <code class="directive"><a href="#require">Require</a></code>.</p>
359 <div class="directive-section"><h2><a name="AuthzSendForbiddenOnFailure" id="AuthzSendForbiddenOnFailure">AuthzSendForbiddenOnFailure</a> <a name="authzsendforbiddenonfailure" id="authzsendforbiddenonfailure">Directive</a></h2>
360 <table class="directive">
361 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Send '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if
362 authentication succeeds but authorization fails
364 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthzSendForbiddenOnFailure On|Off</code></td></tr>
365 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthzSendForbiddenOnFailure Off</code></td></tr>
366 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
367 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
368 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
369 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
370 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTPD 2.3.11 and later</td></tr>
372 <p>If authentication succeeds but authorization fails, Apache HTTPD will
373 respond with an HTTP response code of '401 UNAUTHORIZED' by default. This
374 usually causes browsers to display the password dialogue to the user
375 again, which is not wanted in all situations.
<code class="directive">AuthzSendForbiddenOnFailure</code> allows the
response code to be changed to '403 FORBIDDEN'.</p>
379 <div class="warning"><h3>Security Warning</h3>
380 <p>Modifying the response in case of missing authorization weakens the
security of the password, because it reveals to a possible attacker that
the guessed password was right.</p>
387 <div class="directive-section"><h2><a name="Require" id="Require">Require</a> <a name="require" id="require">Directive</a></h2>
388 <table class="directive">
389 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Tests whether an authenticated user is authorized by
390 an authorization provider.</td></tr>
391 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Require [not] <var>entity-name</var>
392 [<var>entity-name</var>] ...</code></td></tr>
393 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
394 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
395 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
396 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
398 <p>This directive tests whether an authenticated user is authorized
399 according to a particular authorization provider and the specified
400 restrictions. <code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code> provides the following
401 generic authorization providers:</p>
404 <dt><code>Require all granted</code></dt>
405 <dd>Access is allowed unconditionally.</dd>
407 <dt><code>Require all denied</code></dt>
408 <dd>Access is denied unconditionally.</dd>
410 <dt><code>Require env <var>env-var</var> [<var>env-var</var>]
412 <dd>Access is allowed only if one of the given environment variables is
415 <dt><code>Require method <var>http-method</var> [<var>http-method</var>]
417 <dd>Access is allowed only for the given HTTP methods.</dd>
419 <dt><code>Require expr <var>expression</var> </code></dt>
420 <dd>Access is allowed if <var>expression</var> evaluates to true.</dd>
423 <p>Some of the allowed syntaxes provided by <code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code>,
424 <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code>,
425 and <code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> are:</p>
428 <dt><code>Require user <var>userid</var> [<var>userid</var>]
430 <dd>Only the named users can access the resource.</dd>
432 <dt><code>Require group <var>group-name</var> [<var>group-name</var>]
434 <dd>Only users in the named groups can access the resource.</dd>
436 <dt><code>Require valid-user</code></dt>
437 <dd>All valid users can access the resource.</dd>
439 <dt><code>Require ip 10 172.20 192.168.2</code></dt>
440 <dd>Clients in the specified IP address ranges can access the
444 <p>Other authorization modules that implement require options
445 include <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>,
446 <code class="module"><a href="../mod/mod_authz_dbm.html">mod_authz_dbm</a></code>, <code class="module"><a href="../mod/mod_authz_dbd.html">mod_authz_dbd</a></code>,
447 <code class="module"><a href="../mod/mod_authz_owner.html">mod_authz_owner</a></code> and <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>
449 <p>In most cases, for a complete authentication and authorization
450 configuration, <code class="directive">Require</code> must be accompanied by
451 <code class="directive"><a href="../mod/mod_authn_core.html#authname">AuthName</a></code>, <code class="directive"><a href="../mod/mod_authn_core.html#authtype">AuthType</a></code> and
452 <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> or
453 <code class="directive"><a href="../mod/mod_auth_digest.html#authdigestprovider">AuthDigestProvider</a></code>
454 directives, and directives such as
455 <code class="directive"><a href="../mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code>
456 and <code class="directive"><a href="../mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> (to
457 define users and groups) in order to work correctly. Example:</p>
<pre class="prettyprint lang-config">AuthType Basic
AuthName "Restricted Resource"
AuthBasicProvider file
AuthUserFile "/web/users"
AuthGroupFile "/web/groups"
Require group admin</pre>
467 <p>Access controls which are applied in this way are effective for
468 <strong>all</strong> methods. <strong>This is what is normally
469 desired.</strong> If you wish to apply access controls only to
470 specific methods, while leaving other methods unprotected, then
471 place the <code class="directive">Require</code> statement into a
472 <code class="directive"><a href="../mod/core.html#limit"><Limit></a></code>
475 <p>The result of the <code class="directive">Require</code> directive
476 may be negated through the use of the
477 <code>not</code> option. As with the other negated authorization
478 directive <code class="directive"><RequireNone></code>,
479 when the <code class="directive">Require</code> directive is negated it can
480 only fail or return a neutral result, and therefore may never
481 independently authorize a request.</p>
483 <p>In the following example, all users in the <code>alpha</code>
484 and <code>beta</code> groups are authorized, except for those who
485 are also in the <code>reject</code> group.</p>
<pre class="prettyprint lang-config"><Directory "/www/docs">
    <RequireAll>
        Require group alpha beta
        Require not group reject
    </RequireAll>
</Directory></pre>
495 <p>When multiple <code class="directive">Require</code> directives are
497 <a href="../sections.html#merging">configuration section</a>
498 and are not contained in another authorization directive like
499 <code class="directive"><a href="#requireall"><RequireAll></a></code>,
500 they are implicitly contained within a
501 <code class="directive"><a href="#requireany"><RequireAny></a></code>
502 directive. Thus the first one to authorize a user authorizes the
503 entire request, and subsequent <code class="directive">Require</code> directives
506 <div class="warning"><h3>Security Warning</h3>
507 <p>Exercise caution when setting authorization directives in
508 <code class="directive"><a href="../mod/core.html#location">Location</a></code> sections
509 that overlap with content served out of the filesystem.
510 By default, these <a href="../sections.html#merging">configuration sections</a> overwrite authorization configuration
511 in <code class="directive"><a href="../mod/core.html#directory">Directory</a></code>,
512 and <code class="directive"><a href="../mod/core.html#files">Files</a></code> sections.</p>
513 <p>The <code class="directive"><a href="#authmerging">AuthMerging</a></code> directive
514 can be used to control how authorization configuration sections are
520 <li><a href="../howto/access.html">Access Control howto</a></li>
521 <li><a href="#logic">Authorization Containers</a></li>
522 <li><code class="module"><a href="../mod/mod_authn_core.html">mod_authn_core</a></code></li>
523 <li><code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code></li>
527 <div class="directive-section"><h2><a name="RequireAll" id="RequireAll"><RequireAll></a> <a name="requireall" id="requireall">Directive</a></h2>
528 <table class="directive">
529 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives of which none
530 must fail and at least one must succeed for the enclosing directive to
532 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><RequireAll> ... </RequireAll></code></td></tr>
533 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
534 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
535 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
536 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
538 <p><code class="directive"><RequireAll></code> and
539 <code></RequireAll></code> are used to enclose a group of
540 authorization directives of which none must fail and at least one
541 must succeed in order for
542 the <code class="directive"><RequireAll></code> directive to
545 <p>If none of the directives contained within the
546 <code class="directive"><RequireAll></code> directive fails,
547 and at least one succeeds, then the
548 <code class="directive"><RequireAll></code> directive
549 succeeds. If none succeed and none fail, then it returns a
550 neutral result. In all other cases, it fails.</p>
554 <li><a href="#logic">Authorization Containers</a></li>
555 <li><a href="../howto/auth.html">Authentication, Authorization,
556 and Access Control</a></li>
560 <div class="directive-section"><h2><a name="RequireAny" id="RequireAny"><RequireAny></a> <a name="requireany" id="requireany">Directive</a></h2>
561 <table class="directive">
562 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives of which one
563 must succeed for the enclosing directive to succeed.</td></tr>
564 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><RequireAny> ... </RequireAny></code></td></tr>
565 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
566 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
567 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
568 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
570 <p><code class="directive"><RequireAny></code> and
571 <code></RequireAny></code> are used to enclose a group of
572 authorization directives of which one must succeed in order for
573 the <code class="directive"><RequireAny></code> directive to
576 <p>If one or more of the directives contained within the
577 <code class="directive"><RequireAny></code> directive succeed,
578 then the <code class="directive"><RequireAny></code> directive
579 succeeds. If none succeed and none fail, then it returns a
580 neutral result. In all other cases, it fails.</p>
582 <div class="note">Because negated authorization directives are unable to
583 return a successful result, they can not significantly influence
584 the result of a <code class="directive"><RequireAny></code>
585 directive. (At most they could cause the directive to fail in
586 the case where they failed and all other directives returned a
587 neutral value.) Therefore negated authorization directives
588 are not permitted within a <code class="directive"><RequireAny></code>
593 <li><a href="#logic">Authorization Containers</a></li>
594 <li><a href="../howto/auth.html">Authentication, Authorization,
595 and Access Control</a></li>
599 <div class="directive-section"><h2><a name="RequireNone" id="RequireNone"><RequireNone></a> <a name="requirenone" id="requirenone">Directive</a></h2>
600 <table class="directive">
601 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives of which none
602 must succeed for the enclosing directive to not fail.</td></tr>
603 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><RequireNone> ... </RequireNone></code></td></tr>
604 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
605 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
606 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
607 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
609 <p><code class="directive"><RequireNone></code> and
610 <code></RequireNone></code> are used to enclose a group of
611 authorization directives of which none must succeed
613 <code class="directive"><RequireNone></code> directive to
616 <p>If one or more of the directives contained within the
617 <code class="directive"><RequireNone></code> directive succeed,
618 then the <code class="directive"><RequireNone></code> directive
619 fails. In all other cases, it returns a neutral result. Thus as with
620 the other negated authorization directive <code>Require not</code>,
621 it can never independently
622 authorize a request because it can never return a successful result.
623 It can be used, however, to restrict the set of users who are
624 authorized to access a resource.</p>
626 <div class="note">Because negated authorization directives are unable to
627 return a successful result, they can not significantly influence
628 the result of a <code class="directive"><RequireNone></code>
629 directive. Therefore negated authorization directives
630 are not permitted within a
631 <code class="directive"><RequireNone></code> directive.</div>
635 <li><a href="#logic">Authorization Containers</a></li>
636 <li><a href="../howto/auth.html">Authentication, Authorization,
637 and Access Control</a></li>
<div id="footer">
662 <p class="apache">Copyright 2017 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
</div><script type="text/javascript"><!--//--><![CDATA[//><!--
664 if (typeof(prettyPrint) !== 'undefined') {