1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
4 <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
10 <title>mod_authz_core - Apache HTTP Server Version 2.5</title>
11 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
12 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
13 <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
17 <link href="../images/favicon.ico" rel="shortcut icon" /></head>
19 <div id="page-header">
21 <p class="apache">Apache HTTP Server Version 2.5</p>
22 <img alt="" src="../images/feather.png" /></div>
26 <div id="page-content">
27 <div id="preamble"><h1>Apache Module mod_authz_core</h1>
32 <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Core Authorization</td></tr>
33 <tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
34 <tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>authz_core_module</td></tr>
35 <tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_authz_core.c</td></tr>
36 <tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTPD 2.3 and later</td></tr></table>
39 <p>This module provides core authorization capabilities so that
40 authenticated users can be allowed or denied access to portions
41 of the web site. <code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code> provides the
42 functionality to register various authorization providers. It is
43 usually used in conjunction with an authentication
44 provider module such as <code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code> and an
45 authorization module such as <code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code>. It
46 also allows for advanced logic to be applied to the
47 authorization processing.</p>
67 <h2><a name="logic" id="logic">Authorization Containers</a></h2>
<p>The authorization container directives
<code class="directive"><a href="#requireall"><RequireAll></a></code>,
<code class="directive"><a href="#requireany"><RequireAny></a></code>
and
<code class="directive"><a href="#requirenone"><RequireNone></a></code>
may be combined with each other and with the
<code class="directive"><a href="#require">Require</a></code>
directive to express complex authorization logic.</p>
78 <p>The example below expresses the following authorization logic.
79 In order to access the resource, the user must either be the
80 <code>superadmin</code> user, or belong to both the
81 <code>admins</code> group and the <code>Administrators</code> LDAP
82 group and either belong to the <code>sales</code> group or
83 have the LDAP <code>dept</code> attribute <code>sales</code>.
84 Furthermore, in order to access the resource, the user must
85 not belong to either the <code>temps</code> group or the
86 LDAP group <code>Temporary Employees</code>.</p>
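<pre class="prettyprint lang-config"><Directory "/www/mydocs">
    <RequireAll>
        <RequireAny>
            Require user superadmin
            <RequireAll>
                Require group admins
                Require ldap-group "cn=Administrators,o=Airius"
                <RequireAny>
                    Require group sales
                    Require ldap-attribute dept="sales"
                </RequireAny>
            </RequireAll>
        </RequireAny>
        <RequireNone>
            Require group temps
            Require ldap-group "cn=Temporary Employees,o=Airius"
        </RequireNone>
    </RequireAll>
</Directory></pre>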
</div>
109 <div class="section">
110 <h2><a name="requiredirectives" id="requiredirectives">The Require Directives</a></h2>
112 <p><code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code> provides some generic authorization
113 providers which can be used with the
114 <code class="directive"><a href="#require">Require</a></code> directive.</p>
116 <h3><a name="reqenv" id="reqenv">Require env</a></h3>
118 <p>The <code>env</code> provider allows access to the server
119 to be controlled based on the existence of an <a href="../env.html">environment variable</a>. When <code>Require
120 env <var>env-variable</var></code> is specified, then the request is
121 allowed access if the environment variable <var>env-variable</var>
122 exists. The server provides the ability to set environment
123 variables in a flexible way based on characteristics of the client
124 request using the directives provided by
125 <code class="module"><a href="../mod/mod_setenvif.html">mod_setenvif</a></code>. Therefore, this directive can be
used to allow access based on such factors as the client's
127 <code>User-Agent</code> (browser type), <code>Referer</code>, or
128 other HTTP request header fields.</p>
<pre class="prettyprint lang-config">SetEnvIf User-Agent "^KnockKnock/2\.0" let_me_in
<Directory "/docroot">
    Require env let_me_in
</Directory></pre>
136 <p>In this case, browsers with a user-agent string beginning
137 with <code>KnockKnock/2.0</code> will be allowed access, and all
138 others will be denied.</p>
140 <p>When the server looks up a path via an internal
141 <a class="glossarylink" href="../glossary.html#subrequest" title="see glossary">subrequest</a> such as looking
142 for a <code class="directive"><a href="../mod/mod_dir.html#directoryindex">DirectoryIndex</a></code>
143 or generating a directory listing with <code class="module"><a href="../mod/mod_autoindex.html">mod_autoindex</a></code>,
144 per-request environment variables are <em>not</em> inherited in the
145 subrequest. Additionally,
146 <code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> directives
147 are not separately evaluated in the subrequest due to the API phases
148 <code class="module"><a href="../mod/mod_setenvif.html">mod_setenvif</a></code> takes action in.</p>
152 <h3><a name="reqall" id="reqall">Require all</a></h3>
154 <p>The <code>all</code> provider mimics the functionality that
155 was previously provided by the 'Allow from all' and 'Deny from all'
156 directives. This provider can take one of two arguments which are
157 'granted' or 'denied'. The following examples will grant or deny
158 access to all requests.</p>
<pre class="prettyprint lang-config">Require all granted</pre>

<pre class="prettyprint lang-config">Require all denied</pre>
168 <h3><a name="reqmethod" id="reqmethod">Require method</a></h3>
170 <p>The <code>method</code> provider allows using the HTTP method in
171 authorization decisions. The GET and HEAD methods are treated as
equivalent. The TRACE method is not available to this provider;
173 use <code class="directive"><a href="../mod/core.html#traceenable">TraceEnable</a></code> instead.</p>
175 <p>The following example will only allow GET, HEAD, POST, and OPTIONS
<pre class="prettyprint lang-config">Require method GET POST OPTIONS</pre>
181 <p>The following example will allow GET, HEAD, POST, and OPTIONS
182 requests without authentication, and require a valid user for all other
<pre class="prettyprint lang-config"><RequireAny>
    Require method GET POST OPTIONS
    Require valid-user
</RequireAny></pre>
193 <h3><a name="reqexpr" id="reqexpr">Require expr</a></h3>
195 <p>The <code>expr</code> provider allows basing authorization
196 decisions on arbitrary expressions.</p>
<pre class="prettyprint lang-config">Require expr %{TIME_HOUR} -ge 9 && %{TIME_HOUR} -le 17</pre>

<pre class="prettyprint lang-config"><RequireAll>
    Require expr "!(%{QUERY_STRING} =~ /secret/)"
    Require expr "%{REQUEST_URI} in { '/example.cgi', '/other.cgi' }"
</RequireAll></pre>

<pre class="prettyprint lang-config">Require expr "!(%{QUERY_STRING} =~ /secret/) && %{REQUEST_URI} in { '/example.cgi', '/other.cgi' }"</pre>
210 <p>The syntax is described in the <a href="../expr.html">ap_expr</a>
213 <p>Normally, the expression is evaluated before authentication. However, if
214 the expression returns false and references the variable
215 <code>%{REMOTE_USER}</code>, authentication will be performed and
216 the expression will be re-evaluated.</p>
</div>
222 <div class="section">
223 <h2><a name="authzalias" id="authzalias">Creating Authorization Provider Aliases</a></h2>
225 <p>Extended authorization providers can be created within the configuration
226 file and assigned an alias name. The alias providers can then be referenced
227 through the <code class="directive"><a href="#require">Require</a></code> directive
228 in the same way as a base authorization provider. Besides the ability to
229 create and alias an extended provider, it also allows the same extended
230 authorization provider to be referenced by multiple locations.
233 <h3><a name="example" id="example">Example</a></h3>
234 <p>The example below creates two different ldap authorization provider
235 aliases based on the ldap-group authorization provider. This example
236 allows a single authorization location to check group membership within
<pre class="prettyprint lang-config"><AuthzProviderAlias ldap-group ldap-group-alias1 "cn=my-group,o=ctx">
    AuthLDAPBindDN "cn=youruser,o=ctx"
    AuthLDAPBindPassword yourpassword
    AuthLDAPURL "ldap://ldap.host/o=ctx"
</AuthzProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-alias2 "cn=my-other-group,o=dev">
    AuthLDAPBindDN "cn=yourotheruser,o=dev"
    AuthLDAPBindPassword yourotherpassword
    AuthLDAPURL "ldap://other.ldap.host/o=dev?cn"
</AuthzProviderAlias>

Alias "/secure" "/webpages/secure"
<Directory "/webpages/secure">
    AuthBasicProvider file

    AuthType Basic
    AuthName LDAP_Protected_Place

    #implied OR operation
    Require ldap-group-alias1
    Require ldap-group-alias2
</Directory></pre>
270 <div class="directive-section"><h2><a name="AuthMerging" id="AuthMerging">AuthMerging</a> <a name="authmerging" id="authmerging">Directive</a></h2>
271 <table class="directive">
272 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Controls the manner in which each configuration section's
273 authorization logic is combined with that of preceding configuration
275 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthMerging Off | And | Or</code></td></tr>
276 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthMerging Off</code></td></tr>
277 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
278 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
279 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
280 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
282 <p>When authorization is enabled, it is normally inherited by each
283 subsequent <a href="../sections.html#merging">configuration section</a>,
284 unless a different set of authorization directives is specified.
285 This is the default action, which corresponds to an explicit setting
286 of <code>AuthMerging Off</code>.</p>
288 <p>However, there may be circumstances in which it is desirable
289 for a configuration section's authorization to be combined with
290 that of its predecessor while configuration sections are being
291 merged. Two options are available for this case, <code>And</code>
292 and <code>Or</code>.</p>
294 <p>When a configuration section contains <code>AuthMerging And</code>
295 or <code>AuthMerging Or</code>,
296 its authorization logic is combined with that of the nearest
297 predecessor (according to the overall order of configuration sections)
298 which also contains authorization logic as if the two sections
299 were jointly contained within a
300 <code class="directive"><a href="#requireall"><RequireAll></a></code> or
301 <code class="directive"><a href="#requireany"><RequireAny></a></code>
302 directive, respectively.</p>
304 <div class="note">The setting of <code class="directive">AuthMerging</code> is not
305 inherited outside of the configuration section in which it appears.
306 In the following example, only users belonging to group <code>alpha</code>
307 may access <code>/www/docs</code>. Users belonging to either
308 groups <code>alpha</code> or <code>beta</code> may access
309 <code>/www/docs/ab</code>. However, the default <code>Off</code>
310 setting of <code class="directive">AuthMerging</code> applies to the
311 <code class="directive"><a href="../mod/core.html#directory"><Directory></a></code>
312 configuration section for <code>/www/docs/ab/gamma</code>, so
313 that section's authorization directives override those of the
preceding sections. Thus only users belonging to the group
315 <code>gamma</code> may access <code>/www/docs/ab/gamma</code>.</div>
<pre class="prettyprint lang-config"><Directory "/www/docs">
    AuthType Basic
    AuthName Documents
    AuthBasicProvider file
    AuthUserFile "/usr/local/apache/passwd/passwords"
    Require group alpha
</Directory>

<Directory "/www/docs/ab">
    AuthMerging Or
    Require group beta
</Directory>

<Directory "/www/docs/ab/gamma">
    Require group gamma
</Directory></pre>
337 <div class="directive-section"><h2><a name="AuthzProviderAlias" id="AuthzProviderAlias"><AuthzProviderAlias></a> <a name="authzprovideralias" id="authzprovideralias">Directive</a></h2>
338 <table class="directive">
339 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of directives that represent an
340 extension of a base authorization provider and referenced by the specified
342 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><AuthzProviderAlias <var>baseProvider Alias Require-Parameters</var>>
343 ... </AuthzProviderAlias>
345 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
346 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
347 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
349 <p><code class="directive"><AuthzProviderAlias></code> and
350 <code></AuthzProviderAlias></code> are used to enclose a group of
351 authorization directives that can be referenced by the alias name using the
352 directive <code class="directive"><a href="#require">Require</a></code>.</p>
357 <div class="directive-section"><h2><a name="AuthzSendForbiddenOnFailure" id="AuthzSendForbiddenOnFailure">AuthzSendForbiddenOnFailure</a> <a name="authzsendforbiddenonfailure" id="authzsendforbiddenonfailure">Directive</a></h2>
358 <table class="directive">
359 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Send '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if
360 authentication succeeds but authorization fails
362 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthzSendForbiddenOnFailure On|Off</code></td></tr>
363 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthzSendForbiddenOnFailure Off</code></td></tr>
364 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
365 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
366 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
367 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTPD 2.3.11 and later</td></tr>
369 <p>If authentication succeeds but authorization fails, Apache HTTPD will
370 respond with an HTTP response code of '401 UNAUTHORIZED' by default. This
371 usually causes browsers to display the password dialogue to the user
372 again, which is not wanted in all situations.
<code class="directive">AuthzSendForbiddenOnFailure</code> allows the
response code to be changed to '403 FORBIDDEN'.</p>
376 <div class="warning"><h3>Security Warning</h3>
<p>Modifying the response in case of missing authorization weakens the
security of the password, because it reveals to a possible attacker that
a guessed password was correct.</p>
384 <div class="directive-section"><h2><a name="Require" id="Require">Require</a> <a name="require" id="require">Directive</a></h2>
385 <table class="directive">
386 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Tests whether an authenticated user is authorized by
387 an authorization provider.</td></tr>
388 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Require [not] <var>entity-name</var>
389 [<var>entity-name</var>] ...</code></td></tr>
390 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
391 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
392 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
393 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
395 <p>This directive tests whether an authenticated user is authorized
396 according to a particular authorization provider and the specified
397 restrictions. <code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code> provides the following
398 generic authorization providers:</p>
401 <dt><code>Require all granted</code></dt>
402 <dd>Access is allowed unconditionally.</dd>
404 <dt><code>Require all denied</code></dt>
405 <dd>Access is denied unconditionally.</dd>
407 <dt><code>Require env <var>env-var</var> [<var>env-var</var>]
409 <dd>Access is allowed only if one of the given environment variables is
412 <dt><code>Require method <var>http-method</var> [<var>http-method</var>]
414 <dd>Access is allowed only for the given HTTP methods.</dd>
416 <dt><code>Require expr <var>expression</var> </code></dt>
417 <dd>Access is allowed if <var>expression</var> evaluates to true.</dd>
420 <p>Some of the allowed syntaxes provided by <code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code>,
421 <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code>,
422 and <code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> are:</p>
425 <dt><code>Require user <var>userid</var> [<var>userid</var>]
427 <dd>Only the named users can access the resource.</dd>
429 <dt><code>Require group <var>group-name</var> [<var>group-name</var>]
431 <dd>Only users in the named groups can access the resource.</dd>
433 <dt><code>Require valid-user</code></dt>
434 <dd>All valid users can access the resource.</dd>
436 <dt><code>Require ip 10 172.20 192.168.2</code></dt>
437 <dd>Clients in the specified IP address ranges can access the
441 <p>Other authorization modules that implement require options
442 include <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>,
443 <code class="module"><a href="../mod/mod_authz_dbm.html">mod_authz_dbm</a></code>, <code class="module"><a href="../mod/mod_authz_dbd.html">mod_authz_dbd</a></code>,
444 <code class="module"><a href="../mod/mod_authz_owner.html">mod_authz_owner</a></code> and <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>
446 <p>In most cases, for a complete authentication and authorization
447 configuration, <code class="directive">Require</code> must be accompanied by
448 <code class="directive"><a href="../mod/mod_authn_core.html#authname">AuthName</a></code>, <code class="directive"><a href="../mod/mod_authn_core.html#authtype">AuthType</a></code> and
449 <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> or
450 <code class="directive"><a href="../mod/mod_auth_digest.html#authdigestprovider">AuthDigestProvider</a></code>
451 directives, and directives such as
452 <code class="directive"><a href="../mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code>
453 and <code class="directive"><a href="../mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> (to
454 define users and groups) in order to work correctly. Example:</p>
<pre class="prettyprint lang-config">AuthType Basic
AuthName "Restricted Resource"
AuthBasicProvider file
AuthUserFile "/web/users"
AuthGroupFile "/web/groups"
Require group admin</pre>
464 <p>Access controls which are applied in this way are effective for
465 <strong>all</strong> methods. <strong>This is what is normally
466 desired.</strong> If you wish to apply access controls only to
467 specific methods, while leaving other methods unprotected, then
468 place the <code class="directive">Require</code> statement into a
469 <code class="directive"><a href="../mod/core.html#limit"><Limit></a></code>
472 <p>The result of the <code class="directive">Require</code> directive
473 may be negated through the use of the
474 <code>not</code> option. As with the other negated authorization
475 directive <code class="directive"><RequireNone></code>,
476 when the <code class="directive">Require</code> directive is negated it can
477 only fail or return a neutral result, and therefore may never
478 independently authorize a request.</p>
480 <p>In the following example, all users in the <code>alpha</code>
481 and <code>beta</code> groups are authorized, except for those who
482 are also in the <code>reject</code> group.</p>
<pre class="prettyprint lang-config"><Directory "/www/docs">
    <RequireAll>
        Require group alpha beta
        Require not group reject
    </RequireAll>
</Directory></pre>
492 <p>When multiple <code class="directive">Require</code> directives are
494 <a href="../sections.html#merging">configuration section</a>
495 and are not contained in another authorization directive like
496 <code class="directive"><a href="#requireall"><RequireAll></a></code>,
497 they are implicitly contained within a
498 <code class="directive"><a href="#requireany"><RequireAny></a></code>
499 directive. Thus the first one to authorize a user authorizes the
500 entire request, and subsequent <code class="directive">Require</code> directives
503 <div class="warning"><h3>Security Warning</h3>
504 <p>Exercise caution when setting authorization directives in
505 <code class="directive"><a href="../mod/core.html#location">Location</a></code> sections
506 that overlap with content served out of the filesystem.
507 By default, these <a href="../sections.html#merging">configuration sections</a> overwrite authorization configuration
508 in <code class="directive"><a href="../mod/core.html#directory">Directory</a></code>,
509 and <code class="directive"><a href="../mod/core.html#files">Files</a></code> sections.</p>
510 <p>The <code class="directive"><a href="#authmerging">AuthMerging</a></code> directive
511 can be used to control how authorization configuration sections are
517 <li><a href="../howto/access.html">Access Control howto</a></li>
518 <li><a href="#logic">Authorization Containers</a></li>
519 <li><code class="module"><a href="../mod/mod_authn_core.html">mod_authn_core</a></code></li>
520 <li><code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code></li>
524 <div class="directive-section"><h2><a name="RequireAll" id="RequireAll"><RequireAll></a> <a name="requireall" id="requireall">Directive</a></h2>
525 <table class="directive">
526 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives of which none
527 must fail and at least one must succeed for the enclosing directive to
529 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><RequireAll> ... </RequireAll></code></td></tr>
530 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
531 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
532 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
533 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
535 <p><code class="directive"><RequireAll></code> and
536 <code></RequireAll></code> are used to enclose a group of
537 authorization directives of which none must fail and at least one
538 must succeed in order for
539 the <code class="directive"><RequireAll></code> directive to
542 <p>If none of the directives contained within the
543 <code class="directive"><RequireAll></code> directive fails,
544 and at least one succeeds, then the
545 <code class="directive"><RequireAll></code> directive
546 succeeds. If none succeed and none fail, then it returns a
547 neutral result. In all other cases, it fails.</p>
551 <li><a href="#logic">Authorization Containers</a></li>
552 <li><a href="../howto/auth.html">Authentication, Authorization,
553 and Access Control</a></li>
557 <div class="directive-section"><h2><a name="RequireAny" id="RequireAny"><RequireAny></a> <a name="requireany" id="requireany">Directive</a></h2>
558 <table class="directive">
559 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives of which one
560 must succeed for the enclosing directive to succeed.</td></tr>
561 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><RequireAny> ... </RequireAny></code></td></tr>
562 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
563 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
564 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
565 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
567 <p><code class="directive"><RequireAny></code> and
568 <code></RequireAny></code> are used to enclose a group of
569 authorization directives of which one must succeed in order for
570 the <code class="directive"><RequireAny></code> directive to
573 <p>If one or more of the directives contained within the
574 <code class="directive"><RequireAny></code> directive succeed,
575 then the <code class="directive"><RequireAny></code> directive
576 succeeds. If none succeed and none fail, then it returns a
577 neutral result. In all other cases, it fails.</p>
579 <div class="note">Because negated authorization directives are unable to
580 return a successful result, they can not significantly influence
581 the result of a <code class="directive"><RequireAny></code>
582 directive. (At most they could cause the directive to fail in
583 the case where they failed and all other directives returned a
584 neutral value.) Therefore negated authorization directives
585 are not permitted within a <code class="directive"><RequireAny></code>
590 <li><a href="#logic">Authorization Containers</a></li>
591 <li><a href="../howto/auth.html">Authentication, Authorization,
592 and Access Control</a></li>
596 <div class="directive-section"><h2><a name="RequireNone" id="RequireNone"><RequireNone></a> <a name="requirenone" id="requirenone">Directive</a></h2>
597 <table class="directive">
598 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives of which none
599 must succeed for the enclosing directive to not fail.</td></tr>
600 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><RequireNone> ... </RequireNone></code></td></tr>
601 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
602 <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
603 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
604 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
606 <p><code class="directive"><RequireNone></code> and
607 <code></RequireNone></code> are used to enclose a group of
608 authorization directives of which none must succeed
610 <code class="directive"><RequireNone></code> directive to
613 <p>If one or more of the directives contained within the
614 <code class="directive"><RequireNone></code> directive succeed,
615 then the <code class="directive"><RequireNone></code> directive
616 fails. In all other cases, it returns a neutral result. Thus as with
617 the other negated authorization directive <code>Require not</code>,
618 it can never independently
619 authorize a request because it can never return a successful result.
620 It can be used, however, to restrict the set of users who are
621 authorized to access a resource.</p>
623 <div class="note">Because negated authorization directives are unable to
624 return a successful result, they can not significantly influence
625 the result of a <code class="directive"><RequireNone></code>
626 directive. Therefore negated authorization directives
627 are not permitted within a
628 <code class="directive"><RequireNone></code> directive.</div>
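<p>The success, failure and neutral results described for <code>Require not</code>, the three container directives and <code>AuthMerging</code> can be modelled in Python, as in the added example below, which is an illustration and not httpd code. The function names, the user dictionaries and the rule that a non-matching plain <code>Require</code> counts as a failure are assumptions; the <code>/www/mydocs</code> tree is built from the prose description of that example.</p>

```python
from enum import Enum


class Result(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NEUTRAL = "neutral"


def require(provider, value, negate=False):
    """Leaf `Require [not] <provider> <value>`, checked against a user dict."""
    def check(user):
        matched = value in user.get(provider, ())
        if negate:
            # A negated Require can only fail or stay neutral, never grant.
            return Result.DENIED if matched else Result.NEUTRAL
        # Assumption: a plain Require that does not match is a failure.
        return Result.GRANTED if matched else Result.DENIED
    check.negated = negate
    return check


def _container(name, decide, children, negated=False, allow_negated=True):
    if not allow_negated and any(child.negated for child in children):
        raise ValueError(f"negated directive not permitted in <{name}>")

    def check(user):
        return decide([child(user) for child in children])
    check.negated = negated
    return check


def require_all(*children):
    """Fails on any failure, succeeds on at least one success, else neutral."""
    def decide(results):
        if Result.DENIED in results:
            return Result.DENIED
        return Result.GRANTED if Result.GRANTED in results else Result.NEUTRAL
    return _container("RequireAll", decide, children)


def require_any(*children):
    """Succeeds on any success; without one, any failure fails it."""
    def decide(results):
        if Result.GRANTED in results:
            return Result.GRANTED
        return Result.DENIED if Result.DENIED in results else Result.NEUTRAL
    return _container("RequireAny", decide, children, allow_negated=False)


def require_none(*children):
    """Fails if any child succeeds, otherwise neutral; it never grants."""
    def decide(results):
        return Result.DENIED if Result.GRANTED in results else Result.NEUTRAL
    return _container("RequireNone", decide, children,
                      negated=True, allow_negated=False)


def merge(parent, child, auth_merging="Off"):
    """Combine a section's rule with its predecessor's, per AuthMerging."""
    if auth_merging == "And":
        return require_all(parent, child)
    if auth_merging == "Or":
        return require_any(parent, child)
    return child  # Off: the section's own directives replace the predecessor's


def authorized(rule, user):
    # Assumption: only an overall GRANTED result admits the request.
    return rule(user) is Result.GRANTED


# The /www/mydocs logic, built from the prose description of that example.
MYDOCS = require_all(
    require_any(
        require("user", "superadmin"),
        require_all(
            require("group", "admins"),
            require("ldap-group", "cn=Administrators,o=Airius"),
            require_any(
                require("group", "sales"),
                require("ldap-attribute", "dept=sales"),
            ),
        ),
    ),
    require_none(
        require("group", "temps"),
        require("ldap-group", "cn=Temporary Employees,o=Airius"),
    ),
)

# The AuthMerging example: /www/docs, /www/docs/ab (Or), .../ab/gamma (Off).
DOCS = require("group", "alpha")
DOCS_AB = merge(DOCS, require("group", "beta"), "Or")
DOCS_AB_GAMMA = merge(DOCS_AB, require("group", "gamma"))

if __name__ == "__main__":
    temp_admin = {"user": ["superadmin"], "group": ["temps"]}  # constructed
    print("superadmin who is also a temp:", MYDOCS(temp_admin).value)
```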
632 <li><a href="#logic">Authorization Containers</a></li>
633 <li><a href="../howto/auth.html">Authentication, Authorization,
634 and Access Control</a></li>
<div id="footer">
659 <p class="apache">Copyright 2016 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
</div>