2 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
3 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
4 <!-- $LastChangedRevision$ -->
7 Licensed to the Apache Software Foundation (ASF) under one or more
8 contributor license agreements. See the NOTICE file distributed with
9 this work for additional information regarding copyright ownership.
10 The ASF licenses this file to You under the Apache License, Version 2.0
11 (the "License"); you may not use this file except in compliance with
12 the License. You may obtain a copy of the License at
14 http://www.apache.org/licenses/LICENSE-2.0
16 Unless required by applicable law or agreed to in writing, software
17 distributed under the License is distributed on an "AS IS" BASIS,
18 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 See the License for the specific language governing permissions and
20 limitations under the License.
23 <modulesynopsis metafile="mod_authz_dbd.xml.meta">
25 <name>mod_authz_dbd</name>
26 <description>Group Authorization and Login using SQL</description>
27 <status>Extension</status>
28 <sourcefile>mod_authz_dbd.c</sourcefile>
29 <identifier>authz_dbd_module</identifier>
30 <compatibility>Available in Apache 2.4 and later</compatibility>
33 <p>This module provides authorization capabilities so that
34 authenticated users can be allowed or denied access to portions
35 of the web site by group membership. Similar functionality is
36 provided by <module>mod_authz_groupfile</module> and
37 <module>mod_authz_dbm</module>, with the exception that
38 this module queries a SQL database to determine whether a
39 user is a member of a group.</p>
40 <p>This module can also provide database-backed user login/logout
41 capabilities. These are likely to be of most value when used
42 in conjunction with <module>mod_authn_dbd</module>.</p>
43 <p>This module relies on <module>mod_dbd</module> to specify
44 the backend database driver and connection parameters, and
45 manage the database connections.</p>
48 <seealso><directive module="mod_authz_core">Require</directive></seealso>
50 <directive module="mod_authn_dbd">AuthDBDUserPWQuery</directive>
52 <seealso><directive module="mod_dbd">DBDriver</directive></seealso>
53 <seealso><directive module="mod_dbd">DBDParams</directive></seealso>
56 <title>Database Login</title>
58 In addition to the standard authorization function of checking group
59 membership, this module can also provide server-side user session
60 management via database-backed login/logout capabilities.
61 Specifically, it can update a user's session status in the database
62 whenever the user visits designated URLs (subject of course to users
63 supplying the necessary credentials).</p>
64 <p>This works by defining two special
65 <directive module="mod_authz_core">Require</directive> types:
66 <code>Require dbd-login</code> and <code>Require dbd-logout</code>.
67 For usage details, see the configuration example below.</p>
71 <title>Client Login</title>
72 <p>Some administrators may wish to implement client-side session
73 management that works in concert with the server-side login/logout
74 capabilities offered by this module, for example, by setting or unsetting
75 an HTTP cookie or other such token when a user logs in or out.
76 To support such integration, <module>mod_authz_dbd</module> exports an
77 optional hook that will be run whenever a user's status is updated in
78 the database. Other session management modules can then use the hook
79 to implement functions that start and end client-side sessions.</p>
82 <section id="example">
83 <title>Configuration example</title>
84 <highlight language="config"><pre>
85 # mod_dbd configuration
87 DBDParams "dbname=apacheauth user=apache pass=xxxxxx"
94 <Directory /usr/www/my.site/team-private/>
95 # mod_authn_core and mod_auth_basic configuration
101 # mod_authn_dbd SQL query to authenticate a logged-in user
103 "SELECT password FROM authn WHERE user = %s AND login = 'true'"
105 # mod_authz_core configuration for mod_authz_dbd
106 Require dbd-group team
108 # mod_authz_dbd configuration
109 AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"
111 # when a user fails to be authenticated or authorized,
112 # invite them to login; this page should provide a link
113 # to /team-private/login.html
114 ErrorDocument 401 /login-info.html
116 <Files login.html>
117 # don't require user to already be logged in!
119 "SELECT password FROM authn WHERE user = %s"
121 # dbd-login action executes a statement to log user in
124 "UPDATE authn SET login = 'true' WHERE user = %s"
126 # return user to referring page (if any) after
128 AuthzDBDLoginToReferer On
131 <Files logout.html>
132 # dbd-logout action executes a statement to log user out
135 "UPDATE authn SET login = 'false' WHERE user = %s"
142 <name>AuthzDBDQuery</name>
143 <description>Specify the SQL Query for the required operation</description>
144 <syntax>AuthzDBDQuery <var>query</var></syntax>
145 <contextlist><context>directory</context></contextlist>
148 <p>The <directive>AuthzDBDQuery</directive> specifies an SQL
149 query to run. The purpose of the query depends on the
150 <directive module="mod_authz_core">Require</directive> directive in
153 <li>When used with a <code>Require dbd-group</code> directive,
154 it specifies a query to look up groups for the current user. This is
155 the standard functionality of other authorization modules such as
156 <module>mod_authz_groupfile</module> and <module>mod_authz_dbm</module>.
157 The first column value of each row returned by the query statement
158 should be a string containing a group name. Zero, one, or more rows
160 <highlight language="config">
163 "SELECT group FROM groups WHERE user = %s"
166 <li>When used with a <code>Require dbd-login</code> or
167 <code>Require dbd-logout</code> directive, it will never deny access,
168 but will instead execute a SQL statement designed to log the user
169 in or out. The user must already be authenticated with
170 <module>mod_authn_dbd</module>.
171 <highlight language="config"><pre>
174 "UPDATE authn SET login = 'true' WHERE user = %s"
178 <p>In all cases, the user's ID will be passed as a single string
179 parameter when the SQL query is executed. It may be referenced within
180 the query statement using a <code>%s</code> format specifier.</p>
185 <name>AuthzDBDRedirectQuery</name>
186 <description>Specify a query to look up a login page for the user</description>
187 <syntax>AuthzDBDRedirectQuery <var>query</var></syntax>
188 <contextlist><context>directory</context></contextlist>
191 <p>Specifies an optional SQL query to use after successful login
192 (or logout) to redirect the user to a URL, which may be
193 specific to the user. The user's ID will be passed as a single string
194 parameter when the SQL query is executed. It may be referenced within
195 the query statement using a <code>%s</code> format specifier.</p>
196 <highlight language="config">
197 AuthzDBDRedirectQuery \
198 "SELECT userpage FROM userpages WHERE user = %s"
200 <p>The first column value of the first row returned by the query
201 statement should be a string containing a URL to which to redirect
202 the client. Subsequent rows will be ignored. If no rows are returned,
203 the client will not be redirected.</p>
204 <p>Note that <directive>AuthzDBDLoginToReferer</directive> takes
205 precedence if both are set.</p>
210 <name>AuthzDBDLoginToReferer</name>
211 <description>Determines whether to redirect the Client to the Referring
212 page on successful login or logout if a <code>Referer</code> request
213 header is present</description>
214 <syntax>AuthzDBDLoginToReferer On|Off</syntax>
215 <default>AuthzDBDLoginToReferer Off</default>
216 <contextlist><context>directory</context></contextlist>
219 <p>In conjunction with <code>Require dbd-login</code> or
220 <code>Require dbd-logout</code>, this provides the option to
221 redirect the client back to the Referring page (the URL in
222 the <code>Referer</code> HTTP request header, if present).
223 When there is no <code>Referer</code> header,
224 <code>AuthzDBDLoginToReferer On</code> will be ignored.</p>