<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
-<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.5</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_authz_core</h1>
<div class="toplang">
-<p><span>Available Languages: </span><a href="../en/mod/mod_authz_core.html" title="English"> en </a></p>
+<p><span>Available Languages: </span><a href="../en/mod/mod_authz_core.html" title="English"> en </a> |
+<a href="../fr/mod/mod_authz_core.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Core Authorization</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
</ul>
<h3>Topics</h3>
<ul id="topics">
-<li><img alt="" src="../images/down.gif" /> <a href="#authzalias">Creating Authorization Provider Aliases</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#logic">Authorization Containers</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#requiredirectives">The Require Directives</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#authzalias">Creating Authorization Provider Aliases</a></li>
</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
-<h2><a name="authzalias" id="authzalias">Creating Authorization Provider Aliases</a></h2>
-
- <p>Extended authorization providers can be created within the configuration
- file and assigned an alias name. The alias providers can then be referenced
- through the <code class="directive"><a href="#require">Require</a></code> directive
- in the same way as a base authorization provider. Besides the ability to
- create and alias an extended provider, it also allows the same extended
- authorization provider to be reference by multiple locations.
- </p>
-
- <h3><a name="example" id="example">Example</a></h3>
- <p>The example below creates two different ldap authorization provider
- aliases based on the ldap-group authorization provider. This example
- allows a single authorization location to check group membership within
- multiple ldap hosts:
- </p>
-
- <pre class="prettyprint lang-config">
-<AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
- AuthLDAPBindDN cn=youruser,o=ctx
- AuthLDAPBindPassword yourpassword
- AuthLDAPURL ldap://ldap.host/o=ctx
-</AuthzProviderAlias>
-
-<AuthzProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>
- AuthLDAPBindDN cn=yourotheruser,o=dev
- AuthLDAPBindPassword yourotherpassword
- AuthLDAPURL ldap://other.ldap.host/o=dev?cn
-</AuthzProviderAlias>
-
-Alias /secure /webpages/secure
-<Directory /webpages/secure>
- Require all granted
-
- AuthBasicProvider file
-
- AuthType Basic
- AuthName LDAP_Protected_Place
-
- #implied OR operation
- Require ldap-group-alias1
- Require ldap-group-alias2
-</Directory>
- </pre>
-
-
-
-</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="section">
<h2><a name="logic" id="logic">Authorization Containers</a></h2>
<p>The authorization container directives
with <code>KnockKnock/2.0</code> will be allowed access, and all
others will be denied.</p>
+ <p>When the server looks up a path via an internal
+ <a class="glossarylink" href="../glossary.html#subrequest" title="see glossary">subrequest</a> such as looking
+ for a <code class="directive"><a href="../mod/mod_dir.html#directoryindex">DirectoryIndex</a></code>
+ or generating a directory listing with <code class="module"><a href="../mod/mod_autoindex.html">mod_autoindex</a></code>,
+ per-request environment variables are <em>not</em> inherited in the
+ subrequest. Additionally,
+ <code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> directives
+ are not separately evaluated in the subrequest due to the API phases
+ <code class="module"><a href="../mod/mod_setenvif.html">mod_setenvif</a></code>.</p>
+
+
+ <p>When the server looks up a path via an internal subrequest,
+ such as looking for a <code class="directive"><a href="../mod/mod_dir.html#directoryindex">DirectoryIndex</a></code> or generating a directory listing with
+ <code class="module"><a href="../mod/mod_autoindex.html">mod_autoindex</a></code>, per-request environment variables are
+ <em>not</em> inherited in the subrequest. Additionally, environment
+ <code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> directives
+ are not separately evaluated in the subrequest due to the API phases
+ <code class="module"><a href="../mod/mod_setenvif.html">mod_setenvif</a></code> takes action in.</p>
+
<h3><a name="reqall" id="reqall">Require all</a></h3>
decisions on arbitrary expressions.</p>
<pre class="prettyprint lang-config">
- Require expr %{TIME_HOUR} >= 9 && %{TIME_HOUR} <= 17
+ Require expr "%{TIME_HOUR} -ge 9 && %{TIME_HOUR} -le 17"
</pre>
<p>The syntax is described in the <a href="../expr.html">ap_expr</a>
documentation.</p>
+ <p>Normally, the expression is evaluated before authentication. However, if
+ the expression returns false and references the variable
+ <code>%{REMOTE_USER}</code>, authentication will be performed and
+ the expression will be re-evaluated.</p>
+
+</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="authzalias" id="authzalias">Creating Authorization Provider Aliases</a></h2>
+
+ <p>Extended authorization providers can be created within the configuration
+ file and assigned an alias name. The alias providers can then be referenced
+ through the <code class="directive"><a href="#require">Require</a></code> directive
+ in the same way as a base authorization provider. Besides the ability to
+ create and alias an extended provider, it also allows the same extended
+ authorization provider to be reference by multiple locations.
+ </p>
+
+ <h3><a name="example" id="example">Example</a></h3>
+ <p>The example below creates two different ldap authorization provider
+ aliases based on the ldap-group authorization provider. This example
+ allows a single authorization location to check group membership within
+ multiple ldap hosts:
+ </p>
+
+ <pre class="prettyprint lang-config">
+<AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
+ AuthLDAPBindDN cn=youruser,o=ctx
+ AuthLDAPBindPassword yourpassword
+ AuthLDAPURL ldap://ldap.host/o=ctx
+</AuthzProviderAlias>
+
+<AuthzProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>
+ AuthLDAPBindDN cn=yourotheruser,o=dev
+ AuthLDAPBindPassword yourotherpassword
+ AuthLDAPURL ldap://other.ldap.host/o=dev?cn
+</AuthzProviderAlias>
+
+Alias /secure /webpages/secure
+<Directory /webpages/secure>
+ Require all granted
+
+ AuthBasicProvider file
+
+ AuthType Basic
+ AuthName LDAP_Protected_Place
+
+ #implied OR operation
+ Require ldap-group-alias1
+ Require ldap-group-alias2
+</Directory>
+ </pre>
+
+
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthMerging" id="AuthMerging">AuthMerging</a> <a name="authmerging" id="authmerging">Directive</a></h2>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p>When authorization is enabled, it is normally inherited by each
- subsequent <a href="../sections.html#mergin">configuration section</a>,
+ subsequent <a href="../sections.html#merging">configuration section</a>,
unless a different set of authorization directives are specified.
This is the default action, which corresponds to an explicit setting
of <code>AuthMerging Off</code>.</p>
<p>When multiple <code class="directive">Require</code> directives are
used in a single
- <a href="../sections.html#mergin">configuration section</a>
+ <a href="../sections.html#merging">configuration section</a>
and are not contained in another authorization directive like
<code class="directive"><a href="#requireall"><RequireAll></a></code>,
they are implicitly contained within a
entire request, and subsequent <code class="directive">Require</code> directives
are ignored.</p>
+ <div class="warning"><h3>Security Warning</h3>
+ <p>Exercise caution when setting authorization directives in
+ <code class="directive"><a href="../mod/core.html#location">Location</a></code> sections
+ that overlap with content served out of the filesystem.
+ By default, these <a href="../sections.html#merging">configuration sections</a> overwrite authorization configuration
+ in <code class="directive"><a href="../mod/core.html#directory">Directory</a></code>,
+ and <code class="directive"><a href="../mod/core.html#files">Files</a></code> sections.</p>
+ <p>The <code class="directive"><a href="#authmerging">AuthMerging</a></code> directive
+ can be used to control how authorization configuration sections are
+ merged.</p>
+ </div>
+
<h3>See also</h3>
<ul>
-<li><a href="../howto/auth.html">Authentication, Authorization,
- and Access Control</a></li>
+<li><a href="../howto/access.html">Access Control howto</a></li>
<li><a href="#logic">Authorization Containers</a></li>
<li><code class="module"><a href="../mod/mod_authn_core.html">mod_authn_core</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code></li>
</div>
</div>
<div class="bottomlang">
-<p><span>Available Languages: </span><a href="../en/mod/mod_authz_core.html" title="English"> en </a></p>
+<p><span>Available Languages: </span><a href="../en/mod/mod_authz_core.html" title="English"> en </a> |
+<a href="../fr/mod/mod_authz_core.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
<script type="text/javascript"><!--//--><![CDATA[//><!--
var comments_shortname = 'httpd';
var s = d.createElement('script');
s.type = 'text/javascript';
s.async = true;
- s.src = 'https://c.apaste.info/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
+ s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
(d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
}
else {
}
})(window, document);
//--><!]]></script></div><div id="footer">
-<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
-<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
+<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
prettyPrint();
}