<title>mod_authz_core - Apache HTTP Server</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
-<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
+<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
+<script src="../style/scripts/prettify.js" type="text/javascript">
+</script>
+
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
-<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.5</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_authz_core</h1>
<div class="toplang">
-<p><span>Available Languages: </span><a href="../en/mod/mod_authz_core.html" title="English"> en </a></p>
+<p><span>Available Languages: </span><a href="../en/mod/mod_authz_core.html" title="English"> en </a> |
+<a href="../fr/mod/mod_authz_core.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Core Authorization</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
</ul>
<h3>Topics</h3>
<ul id="topics">
-<li><img alt="" src="../images/down.gif" /> <a href="#authzalias">Creating Authorization Provider Aliases</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#logic">Authorization Containers</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#requiredirectives">The Require Directives</a></li>
-</ul></div>
+<li><img alt="" src="../images/down.gif" /> <a href="#authzalias">Creating Authorization Provider Aliases</a></li>
+</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
-<h2><a name="authzalias" id="authzalias">Creating Authorization Provider Aliases</a></h2>
-
- <p>Extended authorization providers can be created within the configuration
- file and assigned an alias name. The alias providers can then be referenced
- through the <code class="directive"><a href="#require">Require</a></code> directive
- in the same way as a base authorization provider. Besides the ability to
- create and alias an extended provider, it also allows the same extended
- authorization provider to be reference by multiple locations.
- </p>
-
- <h3><a name="example" id="example">Example</a></h3>
- <p>The example below creates two different ldap authorization provider
- aliases based on the ldap-group authorization provider. This example
- allows a single authorization location to check group membership within
- multiple ldap hosts:
- </p>
-
- <div class="example"><h3>Example</h3><p><code>
- <AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx><br />
- <span class="indent">
- AuthLDAPBindDN cn=youruser,o=ctx<br />
- AuthLDAPBindPassword yourpassword<br />
- AuthLDAPURL ldap://ldap.host/o=ctx<br />
- </span>
- </AuthzProviderAlias><br /><br />
- <AuthzProviderAlias ldap-group ldap-group-alias2
- cn=my-other-group,o=dev><br />
- <span class="indent">
- AuthLDAPBindDN cn=yourotheruser,o=dev<br />
- AuthLDAPBindPassword yourotherpassword<br />
- AuthLDAPURL ldap://other.ldap.host/o=dev?cn<br />
- </span>
- </AuthzProviderAlias><br /><br />
-
- Alias /secure /webpages/secure<br />
- <Directory /webpages/secure><br />
- <span class="indent">
- Require all granted<br /><br />
-
- AuthBasicProvider file<br /><br />
-
- AuthType Basic<br />
- AuthName LDAP_Protected_Place<br /><br />
-
- #implied OR operation<br />
- Require ldap-group-alias1<br />
- Require ldap-group-alias2<br />
- </span> </Directory><br />
- </code></p></div>
-
-
-</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="section">
<h2><a name="logic" id="logic">Authorization Containers</a></h2>
<p>The authorization container directives
not belong to either the <code>temps</code> group or the
LDAP group <code>Temporary Employees</code>.</p>
- <div class="example"><p><code>
- <Directory /www/mydocs>
- <span class="indent">
+ <pre class="prettyprint lang-config">
+<Directory /www/mydocs>
+ <RequireAll>
+ <RequireAny>
+ Require user superadmin
<RequireAll>
- <span class="indent">
+ Require group admins
+ Require ldap-group cn=Administrators,o=Airius
<RequireAny>
- <span class="indent">
- Require user superadmin<br />
- <RequireAll>
- <span class="indent">
- Require group admins<br />
- Require ldap-group cn=Administrators,o=Airius<br />
- <RequireAny>
- <span class="indent">
- Require group sales<br />
- Require ldap-attribute dept="sales"
- </span>
- </RequireAny>
- </span>
- </RequireAll>
- </span>
- </RequireAny><br />
- <RequireNone>
- <span class="indent">
- Require group temps<br />
- Require ldap-group cn=Temporary Employees,o=Airius
- </span>
- </RequireNone>
- </span>
+ Require group sales
+ Require ldap-attribute dept="sales"
+ </RequireAny>
</RequireAll>
- </span>
- </Directory>
- </code></p></div>
+ </RequireAny>
+ <RequireNone>
+ Require group temps
+ Require ldap-group cn=Temporary Employees,o=Airius
+ </RequireNone>
+ </RequireAll>
+</Directory>
+ </pre>
+
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="requiredirectives" id="requiredirectives">The Require Directives</a></h2>
<code>User-Agent</code> (browser type), <code>Referer</code>, or
other HTTP request header fields.</p>
- <div class="example"><h3>Example:</h3><p><code>
- SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in<br />
- <Directory /docroot><br />
- <span class="indent">
- Require env let_me_in<br />
- </span>
- </Directory>
- </code></p></div>
+ <pre class="prettyprint lang-config">
+SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
+<Directory /docroot>
+ Require env let_me_in
+</Directory>
+ </pre>
+
<p>In this case, browsers with a user-agent string beginning
with <code>KnockKnock/2.0</code> will be allowed access, and all
others will be denied.</p>
+ <p>When the server looks up a path via an internal
+ <a class="glossarylink" href="../glossary.html#subrequest" title="see glossary">subrequest</a> such as looking
+ for a <code class="directive"><a href="../mod/mod_dir.html#directoryindex">DirectoryIndex</a></code>
+ or generating a directory listing with <code class="module"><a href="../mod/mod_autoindex.html">mod_autoindex</a></code>,
+ per-request environment variables are <em>not</em> inherited in the
+ subrequest. Additionally,
+ <code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> directives
+ are not separately evaluated in the subrequest due to the API phases
+ <code class="module"><a href="../mod/mod_setenvif.html">mod_setenvif</a></code>.</p>
+
+
+ <p>When the server looks up a path via an internal subrequest,
+ such as looking for a <code class="directive"><a href="../mod/mod_dir.html#directoryindex">DirectoryIndex</a></code> or generating a directory listing with
+ <code class="module"><a href="../mod/mod_autoindex.html">mod_autoindex</a></code>, per-request environment variables are
+ <em>not</em> inherited in the subrequest. Additionally, environment
+ <code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> directives
+ are not separately evaluated in the subrequest due to the API phases
+ <code class="module"><a href="../mod/mod_setenvif.html">mod_setenvif</a></code> takes action in.</p>
+
<h3><a name="reqall" id="reqall">Require all</a></h3>
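Review bot: The subrequest caveat is added twice in a row, and neither copy is clean. The first copy ends in a broken sentence ("due to the API phases mod_setenvif.") and the second has a stray "environment" before the SetEnvIf link ("Additionally, environment SetEnvIf directives"). Keep a single paragraph that reads "Additionally, SetEnvIf directives are not separately evaluated in the subrequest due to the API phases mod_setenvif takes action in." This paragraph tells readers when `Require env let_me_in` will not see the variable on DirectoryIndex and mod_autoindex lookups, so the wording needs to be unambiguous.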
'granted' or 'denied'. The following examples will grant or deny
access to all requests.</p>
- <div class="example"><p><code>
- Require all granted<br />
- </code></p></div>
+ <pre class="prettyprint lang-config">
+ Require all granted
+ </pre>
+
+
+ <pre class="prettyprint lang-config">
+ Require all denied
+ </pre>
- <div class="example"><p><code>
- Require all denied<br />
- </code></p></div>
<p>The following example will only allow GET, HEAD, POST, and OPTIONS
requests:</p>
- <div class="example"><p><code>
- Require method GET POST OPTIONS<br />
- </code></p></div>
+ <pre class="prettyprint lang-config">
+ Require method GET POST OPTIONS
+ </pre>
+
<p>The following example will allow GET, HEAD, POST, and OPTIONS
requests without authentication, and require a valid user for all other
methods:</p>
- <div class="example"><p><code>
- <RequireAny><br />
- Require method GET POST OPTIONS<br />
- Require valid-user<br />
- </RequireAny><br />
- </code></p></div>
+ <pre class="prettyprint lang-config">
+<RequireAny>
+ Require method GET POST OPTIONS
+ Require valid-user
+</RequireAny>
+ </pre>
+
<p>The <code>expr</code> provider allows to base authorization
decisions on arbitrary expressions.</p>
- <div class="example"><p><code>
- Require expr %{TIME_HOUR} >= 9 && %{TIME_HOUR} <= 17 <br />
- </code></p></div>
+ <pre class="prettyprint lang-config">
+ Require expr "%{TIME_HOUR} -ge 9 && %{TIME_HOUR} -le 17"
+ </pre>
+
<p>The syntax is described in the <a href="../expr.html">ap_expr</a>
documentation.</p>
+ <p>Normally, the expression is evaluated before authentication. However, if
+ the expression returns false and references the variable
+ <code>%{REMOTE_USER}</code>, authentication will be performed and
+ the expression will be re-evaluated.</p>
+
+</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="authzalias" id="authzalias">Creating Authorization Provider Aliases</a></h2>
+
+ <p>Extended authorization providers can be created within the configuration
+ file and assigned an alias name. The alias providers can then be referenced
+ through the <code class="directive"><a href="#require">Require</a></code> directive
+ in the same way as a base authorization provider. Besides the ability to
+ create and alias an extended provider, it also allows the same extended
+ authorization provider to be reference by multiple locations.
+ </p>
+
+ <h3><a name="example" id="example">Example</a></h3>
+ <p>The example below creates two different ldap authorization provider
+ aliases based on the ldap-group authorization provider. This example
+ allows a single authorization location to check group membership within
+ multiple ldap hosts:
+ </p>
+
+ <pre class="prettyprint lang-config">
+<AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
+ AuthLDAPBindDN cn=youruser,o=ctx
+ AuthLDAPBindPassword yourpassword
+ AuthLDAPURL ldap://ldap.host/o=ctx
+</AuthzProviderAlias>
+
+<AuthzProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>
+ AuthLDAPBindDN cn=yourotheruser,o=dev
+ AuthLDAPBindPassword yourotherpassword
+ AuthLDAPURL ldap://other.ldap.host/o=dev?cn
+</AuthzProviderAlias>
+
+Alias /secure /webpages/secure
+<Directory /webpages/secure>
+ Require all granted
+
+ AuthBasicProvider file
+
+ AuthType Basic
+ AuthName LDAP_Protected_Place
+
+ #implied OR operation
+ Require ldap-group-alias1
+ Require ldap-group-alias2
+</Directory>
+ </pre>
+
+
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthMerging" id="AuthMerging">AuthMerging</a> <a name="authmerging" id="authmerging">Directive</a></h2>
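Review bot: In the relocated alias example, `Require all granted` sits in the same <Directory /webpages/secure> block as `Require ldap-group-alias1` and `Require ldap-group-alias2`, and the block's own comment says these lines are combined with an implied OR, so the unconditional grant makes both LDAP group checks irrelevant. Since the section is being moved and reformatted anyway, drop `Require all granted` so the example actually restricts access to the two aliased groups, as the paragraph above it describes. The carried-over prose also still reads "to be reference by multiple locations", which should be "referenced".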
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p>When authorization is enabled, it is normally inherited by each
- subsequent <a href="../sections.html#mergin">configuration section</a>,
+ subsequent <a href="../sections.html#merging">configuration section</a>,
unless a different set of authorization directives are specified.
This is the default action, which corresponds to an explicit setting
of <code>AuthMerging Off</code>.</p>
preceding sections. Thus only users belong to the group
<code>gamma</code> may access <code>/www/docs/ab/gamma</code>.</div>
- <div class="example"><p><code>
- <Directory /www/docs>
- <span class="indent">
- AuthType Basic<br />
- AuthName Documents<br />
- AuthBasicProvider file<br />
- AuthUserFile /usr/local/apache/passwd/passwords<br />
- Require group alpha
- </span>
- </Directory><br />
- <br />
- <Directory /www/docs/ab>
- <span class="indent">
- AuthMerging Or<br />
- Require group beta
- </span>
- </Directory><br />
- <br />
- <Directory /www/docs/ab/gamma>
- <span class="indent">
- Require group gamma
- </span>
- </Directory>
- </code></p></div>
+ <pre class="prettyprint lang-config">
+<Directory /www/docs>
+ AuthType Basic
+ AuthName Documents
+ AuthBasicProvider file
+ AuthUserFile /usr/local/apache/passwd/passwords
+ Require group alpha
+</Directory>
+
+<Directory /www/docs/ab>
+ AuthMerging Or
+ Require group beta
+</Directory>
+
+<Directory /www/docs/ab/gamma>
+ Require group gamma
+</Directory>
+ </pre>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
and <code class="directive"><a href="../mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> (to
define users and groups) in order to work correctly. Example:</p>
- <div class="example"><p><code>
- AuthType Basic<br />
- AuthName "Restricted Resource"<br />
- AuthBasicProvider file<br />
- AuthUserFile /web/users<br />
- AuthGroupFile /web/groups<br />
- Require group admin
- </code></p></div>
+ <pre class="prettyprint lang-config">
+AuthType Basic
+AuthName "Restricted Resource"
+AuthBasicProvider file
+AuthUserFile /web/users
+AuthGroupFile /web/groups
+Require group admin
+ </pre>
+
<p>Access controls which are applied in this way are effective for
<strong>all</strong> methods. <strong>This is what is normally
and <code>beta</code> groups are authorized, except for those who
are also in the <code>reject</code> group.</p>
- <div class="example"><p><code>
- <Directory /www/docs>
- <span class="indent">
- <RequireAll>
- <span class="indent">
- Require group alpha beta<br />
- Require not group reject
- </span>
- </RequireAll>
- </span>
- </Directory>
- </code></p></div>
+ <pre class="prettyprint lang-config">
+<Directory /www/docs>
+ <RequireAll>
+ Require group alpha beta
+ Require not group reject
+ </RequireAll>
+</Directory>
+ </pre>
+
<p>When multiple <code class="directive">Require</code> directives are
used in a single
- <a href="../sections.html#mergin">configuration section</a>
+ <a href="../sections.html#merging">configuration section</a>
and are not contained in another authorization directive like
<code class="directive"><a href="#requireall"><RequireAll></a></code>,
they are implicitly contained within a
entire request, and subsequent <code class="directive">Require</code> directives
are ignored.</p>
+ <div class="warning"><h3>Security Warning</h3>
+ <p>Exercise caution when setting authorization directives in
+ <code class="directive"><a href="../mod/core.html#location">Location</a></code> sections
+ that overlap with content served out of the filesystem.
+ By default, these <a href="../sections.html#merging">configuration sections</a> overwrite authorization configuration
+ in <code class="directive"><a href="../mod/core.html#directory">Directory</a></code>,
+ and <code class="directive"><a href="../mod/core.html#files">Files</a></code> sections.</p>
+ <p>The <code class="directive"><a href="#authmerging">AuthMerging</a></code> directive
+ can be used to control how authorization configuration sections are
+ merged.</p>
+ </div>
+
<h3>See also</h3>
<ul>
-<li><a href="../howto/auth.html">Authentication, Authorization,
- and Access Control</a></li>
+<li><a href="../howto/access.html">Access Control howto</a></li>
<li><a href="#logic">Authorization Containers</a></li>
<li><code class="module"><a href="../mod/mod_authn_core.html">mod_authn_core</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code></li>
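Review bot: The new Security Warning names AuthMerging as the control but does not say which setting keeps a Directory or Files restriction in force when an overlapping Location section carries its own authorization directives, so the reader is left to work out the fix. Add a sentence or a short config example showing the overlap and the AuthMerging value to use in the Location section. Minor: the comma in "Directory, and Files sections" should be removed, since only two items are listed.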
</div>
</div>
<div class="bottomlang">
-<p><span>Available Languages: </span><a href="../en/mod/mod_authz_core.html" title="English"> en </a></p>
-</div><div id="footer">
-<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
-<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
+<p><span>Available Languages: </span><a href="../en/mod/mod_authz_core.html" title="English"> en </a> |
+<a href="../fr/mod/mod_authz_core.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
+</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
+<script type="text/javascript"><!--//--><![CDATA[//><!--
+var comments_shortname = 'httpd';
+var comments_identifier = 'http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html';
+(function(w, d) {
+ if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
+ d.write('<div id="comments_thread"><\/div>');
+ var s = d.createElement('script');
+ s.type = 'text/javascript';
+ s.async = true;
+ s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
+ (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
+ }
+ else {
+ d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
+ }
+})(window, document);
+//--><!]]></script></div><div id="footer">
+<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
+if (typeof(prettyPrint) !== 'undefined') {
+ prettyPrint();
+}
+//--><!]]></script>
</body></html>
\ No newline at end of file
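Review bot: In the added comments loader, s.src is built by plain string concatenation ('...show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier), and comments_identifier is a full URL containing ':' and '/', so the query string is sent unencoded. Wrap both values in encodeURIComponent(). The block also relies on d.write() to create the comments_thread div, which only works while the page is still being parsed. Creating the div with createElement and appending it would remove that dependency.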