<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
+<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
+<!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
-<title>mod_authnz_fcgi - Apache HTTP Server</title>
+<title>mod_authnz_fcgi - Apache HTTP Server Version 2.5</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
-<script src="../style/scripts/prettify.js" type="text/javascript">
+<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.5</p>
-<img alt="" src="../images/feather.gif" /></div>
+<img alt="" src="../images/feather.png" /></div>
<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.5</a> > <a href="./">Modules</a></div>
httpd authentication and authorization</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>authnz_fcgi_module</td></tr>
-<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_authnz_fcgi.c</td></tr></table>
+<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_authnz_fcgi.c</td></tr>
+<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.4.10 and later</td></tr></table>
<h3>Summary</h3>
<p>This module allows FastCGI authorizer applications to
authenticators and authorizors which participate in one or both
phases.</p>
- <p>FastCGI authorizers can authenticate using user id and password,
+ <p>FastCGI authorizers can authenticate using user id and password,
such as for Basic authentication, or can authenticate using arbitrary
mechanisms.</p>
</div>
-<div id="quickview"><h3 class="directives">Directives</h3>
-<ul id="toc">
-<li><img alt="" src="../images/down.gif" /> <a href="#authnzfcgicheckauthnprovider">AuthnzFcgiCheckAuthnProvider</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#authnzfcgidefineprovider">AuthnzFcgiDefineProvider</a></li>
-</ul>
-<h3>Topics</h3>
+<div id="quickview"><h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="../images/down.gif" /> <a href="#invocations">Invocation modes</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#examples">Additional examples</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#limitations">Limitations</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#logging">Logging</a></li>
-</ul><h3>See also</h3>
+</ul><h3 class="directives">Directives</h3>
+<ul id="toc">
+<li><img alt="" src="../images/down.gif" /> <a href="#authnzfcgicheckauthnprovider">AuthnzFcgiCheckAuthnProvider</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#authnzfcgidefineprovider">AuthnzFcgiDefineProvider</a></li>
+</ul>
+<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&list_id=144532&product=Apache%20httpd-2&query_format=specific&order=changeddate%20DESC%2Cpriority%2Cbug_severity&component=mod_authnz_fcgi">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&component=mod_authnz_fcgi">Report a bug</a></li></ul><h3>See also</h3>
<ul class="seealso">
<li><a href="../howto/auth.html">Authentication, Authorization,
and Access Control</a></li>
<li><code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code></li>
<li><code class="program"><a href="../programs/fcgistarter.html">fcgistarter</a></code></li>
-</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
+<li><code class="module"><a href="../mod/mod_proxy_fcgi.html">mod_proxy_fcgi</a></code></li>
+<li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="invocations" id="invocations">Invocation modes</a></h2>
- <p>The invocation modes for FastCGI authorizers supported by this
+ <p>The invocation modes for FastCGI authorizers supported by this
module are distinguished by two characteristics, <em>type</em> and
auth <em>mechanism</em>.</p>
<dt><em>Type</em> <code>authn</code>, <em>mechanism</em>
<code>AuthBasicProvider</code></dt>
- <dd>In this mode,
+ <dd>In this mode,
<code>FCGI_ROLE</code> is set to <code>AUTHORIZER</code> and
<code>FCGI_APACHE_ROLE</code> is set to <code>AUTHENTICATOR</code>.
The application must be defined as provider type <em>authn</em>
- using <code class="directive"><a href="# authnzfcgidefineprovider">
+ using <code class="directive"><a href="#authnzfcgidefineprovider">
AuthnzFcgiDefineProvider</a></code> and enabled with
<code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code>.
When invoked, the application is
expected to authenticate the client using the provided user id and
password. Example application:
-<pre class="prettyprint lang-perl">
-#!/usr/bin/perl
+<pre class="prettyprint lang-perl">#!/usr/bin/perl
use FCGI;
-while (FCGI::accept >= 0) {
+my $request = FCGI::Request();
+while ($request->Accept() >= 0) {
die if $ENV{'FCGI_APACHE_ROLE'} ne "AUTHENTICATOR";
die if $ENV{'FCGI_ROLE'} ne "AUTHORIZER";
die if !$ENV{'REMOTE_PASSWD'};
else {
print "Status: 401\n\n";
}
-}
-</pre>
+}</pre>
Example configuration:
-<pre class="prettyprint lang-config">
-AuthnzFcgiDefineProvider authn FooAuthn fcgi://localhost:10102/
-<Location /protected/>
+<pre class="prettyprint lang-config">AuthnzFcgiDefineProvider authn FooAuthn fcgi://localhost:10102/
+<Location "/protected/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider FooAuthn
Require ...
-</Location>
-</pre>
+</Location></pre>
</dd>
<dd>In this mode, <code>FCGI_ROLE</code> is set to <code>
AUTHORIZER</code> and <code>FCGI_APACHE_ROLE</code> is set to
<code>AUTHORIZER</code>. The application must be defined as
- provider type <em>authz</em> using <code class="directive"><a href="# authnzfcgidefineprovider">
- AuthnzFcgiDefineProvider</a></code>. When invoked, the application
+ provider type <em>authz</em> using <code class="directive"><a href="#authnzfcgidefineprovider">
+ AuthnzFcgiDefineProvider</a></code>. When invoked, the application
is expected to authorize the client using the provided user id and other
request data. Example application:
-<pre class="prettyprint lang-perl">
-#!/usr/bin/perl
+<pre class="prettyprint lang-perl">#!/usr/bin/perl
use FCGI;
-while (FCGI::accept >= 0) {
+my $request = FCGI::Request();
+while ($request->Accept() >= 0) {
die if $ENV{'FCGI_APACHE_ROLE'} ne "AUTHORIZER";
die if $ENV{'FCGI_ROLE'} ne "AUTHORIZER";
die if $ENV{'REMOTE_PASSWD'};
else {
print "Status: 403\n\n";
}
-}
-</pre>
+}</pre>
Example configuration:
-<pre class="prettyprint lang-config">
-AuthnzFcgiDefineProvider authz FooAuthz fcgi://localhost:10103/
-<Location /protected/>
+<pre class="prettyprint lang-config">AuthnzFcgiDefineProvider authz FooAuthz fcgi://localhost:10103/
+<Location "/protected/">
AuthType ...
AuthName ...
AuthBasicProvider ...
Require FooAuthz
-</Location>
-</pre>
+</Location></pre>
</dd>
<code>AUTHORIZER</code> protocol, <code>FCGI_ROLE</code> is set to
<code>AUTHORIZER</code> and <code>FCGI_APACHE_ROLE</code> is not set.
The application must be defined as provider type <em>authnz</em>
- using <code class="directive"><a href="# authnzfcgidefineprovider">
+ using <code class="directive"><a href="#authnzfcgidefineprovider">
AuthnzFcgiDefineProvider</a></code>. The application is expected to
handle both authentication and authorization in the same invocation
- using the user id, password, and other request data. The invocation
- occurs during the Apache httpd API authentication phase. If the
+ using the user id, password, and other request data. The invocation
+ occurs during the Apache httpd API authentication phase. If the
application returns 200 and the same provider is invoked during the
authorization phase (via <code class="directive">Require</code>), mod_authnz_fcgi
will return success for the authorization phase without invoking the
application. Example application:
-<pre class="prettyprint lang-perl">
-#!/usr/bin/perl
+<pre class="prettyprint lang-perl">#!/usr/bin/perl
use FCGI;
-while (FCGI::accept >= 0) {
+my $request = FCGI::Request();
+while ($request->Accept() >= 0) {
die if $ENV{'FCGI_APACHE_ROLE'};
die if $ENV{'FCGI_ROLE'} ne "AUTHORIZER";
die if !$ENV{'REMOTE_PASSWD'};
else {
print "Status: 401\n\n";
}
-}
-</pre>
+}</pre>
Example configuration:
-<pre class="prettyprint lang-config">
-AuthnzFcgiDefineProvider authnz FooAuthnz fcgi://localhost:10103/
-<Location /protected/>
+<pre class="prettyprint lang-config">AuthnzFcgiDefineProvider authnz FooAuthnz fcgi://localhost:10103/
+<Location "/protected/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider FooAuthnz
Require FooAuthnz
-</Location>
-</pre>
+</Location></pre>
</dd>
<dd>In this mode, <code>FCGI_ROLE</code> is set to <code>
AUTHORIZER</code> and <code>FCGI_APACHE_ROLE</code> is set to
<code>AUTHENTICATOR</code>. The application must be defined as
- provider type <em>authn</em> using <code class="directive"><a href="# authnzfcgidefineprovider">
+ provider type <em>authn</em> using <code class="directive"><a href="#authnzfcgidefineprovider">
AuthnzFcgiDefineProvider</a></code>. <code class="directive"><a href="#authnzfcgicheckauthnprovider">AuthnzFcgiCheckAuthnProvider</a></code>
specifies when it is called. Example application:
-<pre class="prettyprint lang-perl">
-#!/usr/bin/perl
+<pre class="prettyprint lang-perl">#!/usr/bin/perl
use FCGI;
-while (FCGI::accept >= 0) {
+my $request = FCGI::Request();
+while ($request->Accept() >= 0) {
die if $ENV{'FCGI_APACHE_ROLE'} ne "AUTHENTICATOR";
die if $ENV{'FCGI_ROLE'} ne "AUTHORIZER";
- # This authorizer assumes that the RequireBasicAuth option of
+ # This authorizer assumes that the RequireBasicAuth option of
# AuthnzFcgiCheckAuthnProvider is On:
die if !$ENV{'REMOTE_PASSWD'};
die if !$ENV{'REMOTE_USER'};
# If a response body is written here, it will be returned to
# the client.
}
-}
-</pre>
+}</pre>
Example configuration:
-<pre class="prettyprint lang-config">
-AuthnzFcgiDefineProvider authn FooAuthn fcgi://localhost:10103/
-<Location /protected/>
+<pre class="prettyprint lang-config">AuthnzFcgiDefineProvider authn FooAuthn fcgi://localhost:10103/
+<Location "/protected/">
AuthType ...
AuthName ...
AuthnzFcgiCheckAuthnProvider FooAuthn \
RequireBasicAuth Off \
UserExpr "%{reqenv:REMOTE_USER}"
Require ...
-</Location>
-</pre>
+</Location></pre>
</dd>
</dl>
-
+
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="examples" id="examples">Additional examples</a></h2>
<ol>
<li>If your application supports the separate authentication and
- authorization roles (<code>AUTHENTICATOR</code> and <code>AUTHORIZER</code>), define
+ authorization roles (<code>AUTHENTICATOR</code> and <code>AUTHORIZER</code>), define
separate providers as follows, even if they map to the same
application:
-<pre class="prettyprint lang-config">
-AuthnzFcgiDefineProvider authn FooAuthn fcgi://localhost:10102/
-AuthnzFcgiDefineProvider authz FooAuthz fcgi://localhost:10102/
-</pre>
+<pre class="prettyprint lang-config">AuthnzFcgiDefineProvider authn FooAuthn fcgi://localhost:10102/
+AuthnzFcgiDefineProvider authz FooAuthz fcgi://localhost:10102/</pre>
- Specify the authn provider on
+ Specify the authn provider on
<code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code>
and the authz provider on
<code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code>:
-<pre class="prettyprint lang-config">
-AuthType Basic
+<pre class="prettyprint lang-config">AuthType Basic
AuthName "Restricted"
AuthBasicProvider FooAuthn
-Require FooAuthz
-</pre>
+Require FooAuthz</pre>
</li>
- <li>If your application supports the generic <code>AUTHORIZER</code> role
+ <li>If your application supports the generic <code>AUTHORIZER</code> role
(authentication and authorizer in one invocation), define a
single provider as follows:
-<pre class="prettyprint lang-config">
-AuthnzFcgiDefineProvider authnz FooAuthnz fcgi://localhost:10103/
-</pre>
+<pre class="prettyprint lang-config">AuthnzFcgiDefineProvider authnz FooAuthnz fcgi://localhost:10103/</pre>
Specify the authnz provider on both <code class="directive">AuthBasicProvider</code>
and <code class="directive">Require</code>:
-<pre class="prettyprint lang-config">
-AuthType Basic
+<pre class="prettyprint lang-config">AuthType Basic
AuthName "Restricted"
AuthBasicProvider FooAuthnz
-Require FooAuthnz
-</pre>
+Require FooAuthnz</pre>
</li>
</ol>
<dt>Apache httpd access checker</dt>
<dd>The Apache httpd API <em>access check</em> phase is a separate
phase from authentication and authorization. Some other FastCGI
- implementations implement this phase, which is denoted by the
+ implementations implement this phase, which is denoted by the
setting of <code>FCGI_APACHE_ROLE</code> to <code>ACCESS_CHECKER</code>.</dd>
<dt>Local (Unix) sockets or pipes</dt>
start them.</dd>
<dt>AP_AUTH_INTERNAL_PER_URI</dt>
- <dd>All providers are currently registered as
+ <dd>All providers are currently registered as
AP_AUTH_INTERNAL_PER_CONF, which means that checks are not
performed again for internal subrequests with the same
access control configuration as the initial request.</dd>
<li>General messages for debugging are logged at log level
<code>debug</code>.</li>
<li>Environment variables passed to the application are
- logged at log level <code>trace2</code>. The value of the
+ logged at log level <code>trace2</code>. The value of the
<code>REMOTE_PASSWD</code> variable will be obscured,
- but <strong>any other sensitive data will be visible in the
+ but <strong>any other sensitive data will be visible in the
log</strong>.</li>
<li>All I/O between the module and the FastCGI application,
including all environment variables, will be logged in printable
to configure a log level specific to mod_authnz_fcgi. For
example:</p>
-<pre class="prettyprint lang-config">
-LogLevel info authnz_fcgi:trace8
-</pre>
+<pre class="prettyprint lang-config">LogLevel info authnz_fcgi:trace8</pre>
</div>
<em>option</em> ...</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory</td></tr>
+<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>FileInfo</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authnz_fcgi</td></tr>
</table>
<dt><em>option</em></dt>
<dd>The following options are supported:
-
+
<dl>
<dt>Authoritative On|Off (default On)</dt>
<dd>This controls whether or not other modules are allowed
evaluated after calling the authorizer, determines the
user. The expression follows <a href="../expr.html">
ap_expr syntax</a> and must resolve to a string. A typical
- use is to reference a <code>Variable-<em>XXX</em></code>
+ use is to reference a <code>Variable-<em>XXX</em></code>
setting returned by the authorizer using an option like
<code>UserExpr "%{reqenv:<em>XXX</em>}"</code>. If
this option is specified and the user id can't be retrieved
<dl>
<dt><em>type</em></dt>
<dd>This must be set to <em>authn</em> for authentication,
- <em>authz</em> for authentication, or <em>authnz</em> for
+ <em>authz</em> for authorization, or <em>authnz</em> for
a generic FastCGI authorizer which performs both checks.</dd>
<dt><em>provider-name</em></dt>
<dd>This is used to assign a name to the provider which is
- used in other directives such as
+ used in other directives such as
<code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code>
- and
+ and
<code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code>.</dd>
<dt><em>backend-address</em></dt>
}
})(window, document);
//--><!]]></script></div><div id="footer">
-<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="apache">Copyright 2017 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
prettyPrint();