<compatibility>Available in Apache 2.1 and later</compatibility>
<summary>
-
<p>This module allows the use of HTTP Basic Authentication to
restrict access by looking up users in the given providers.
HTTP Digest Authentication is provided by
<module>mod_auth_digest</module>.</p>
-
</summary>
<seealso><directive module="core">AuthName</directive></seealso>
<seealso><directive module="core">AuthType</directive></seealso>
<directivesynopsis>
<name>AuthBasicProvider</name>
<description>Sets the authentication provider(s) for this location</description>
-<syntax>AuthBasicProvider <em>provider-name</em></syntax>
-<contextlist>
- <context>directory</context>
- <context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
+<syntax>AuthBasicProvider On|Off|<var>provider-name</var>
+[<var>provider-name</var>] ...</syntax>
+<default>AuthBasicProvider On</default>
+<contextlist><context>directory</context></contextlist>
<usage>
<p>The <directive>AuthBasicProvider</directive> directive sets
- which provider is used to authenticate the users for this location.</p>
+ which provider is used to authenticate the users for this location.
+ Setting the value to <code>On</code> will choose the default provider
+ (<code>file</code>). Since the <code>file</code> provider is implemented
+ by the <module>mod_authn_file</module> module, you have to make sure,
+ that the module is present in the server.</p>
+
+ <example><title>Example</title>
+ <Location /secure><br />
+ <indent>
+ AuthBasicProvider dbm<br />
+ AuthDBMType SDBM<br />
+ AuthDBMUserFile /www/etc/dbmpasswd<br />
+ Require valid-user<br />
+ </indent>
+ </Location>
+ </example>
- <p>See <module>mod_authn_dbm</module>, <module>mod_authn_file</module>
+ <p>See <module>mod_authn_dbm</module> and <module>mod_authn_file</module>
for providers.</p>
+ <p>The value <code>Off</code> clears the provider list and sets it back
+ to the default.</p>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>AuthBasicAuthoritative</name>
-<description>Sets whether authorization and authentication are
-passed to lower level modules</description>
-<syntax>AuthBasicAuthoritative on|off</syntax>
-<default>AuthBasicAuthoritative on</default>
-<contextlist>
- <context>directory</context>
- <context>.htaccess</context>
+<description>Sets whether authorization and authentication are passed to
+lower level modules</description>
+<syntax>AuthBasicAuthoritative On|Off</syntax>
+<default>AuthBasicAuthoritative On</default>
+<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<usage>
<p>Setting the <directive>AuthBasicAuthoritative</directive> directive
- explicitly to <strong>'off'</strong> allows for both
+ explicitly to <code>Off</code> allows for both
authentication and authorization to be passed on to lower level
- modules (as defined in the <code>Configuration</code> and
- <code>modules.c</code> files) if there is <strong>no
- userID</strong> or <strong>rule</strong> matching the supplied
- userID. If there is a userID and/or rule specified; the usual
+ modules (as defined in the <code>modules.c</code> files) if there is
+ <strong>no userID</strong> or <strong>rule</strong> matching the
+ supplied userID. If there is a userID and/or rule specified, the usual
password and access checks will be applied and a failure will give
an Authorization Required reply.</p>
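Review bot: In the AuthBasicProvider usage text, `On` and `Off` end up described as the same thing: `On` "will choose the default provider (file)" and `Off` "clears the provider list and sets it back to the default". State what actually differs between them, and since the new `<syntax>` accepts several provider names, say in which order they are consulted (the paragraph still reads "which provider is used", singular). Separately, the `<contextlist>` loses `.htaccess` and `<override>AuthConfig</override>` is dropped while AuthBasicAuthoritative below keeps both; please confirm that narrowing is intended.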
will verify the credentials; and no access is passed on;
regardless of the AuthAuthoritative setting.</p>
- <p>By default; control is not passed on; and an unknown userID or
+ <p>By default control is not passed on and an unknown userID or
rule will result in an Authorization Required reply. Not setting
- it thus keeps the system secure; and forces an NCSA compliant
+ it thus keeps the system secure and forces an NCSA compliant
behaviour.</p>
-
</usage>
</directivesynopsis>
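Review bot: The untouched sentence at the top of this hunk still says "regardless of the AuthAuthoritative setting", which does not match the directive documented here, `AuthBasicAuthoritative`, and it keeps the stray semicolons ("will verify the credentials; and no access is passed on;") that the lines below are being cleaned of. Fix both in the same change so the paragraph is consistent.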
<identifier>auth_digest_module</identifier>
<summary>
- <p>This module implements HTTP Digest Authentication. However, it
+ <p>This module implements HTTP Digest Authentication. However, it
has not been extensively tested and is therefore marked
experimental.</p>
</summary>
<section id="using"><title>Using Digest Authentication</title>
<p>Using MD5 Digest authentication is very simple. Simply set
- up authentication normally, using "AuthType Digest" and
- "AuthDigestFile" instead of the normal "AuthType Basic" and
- "AuthUserFile"; also, replace any "AuthGroupFile" with
- "AuthDigestGroupFile". Then add a "AuthDigestDomain" directive
- containing at least the root URI(s) for this protection space.
- Example:</p>
-
- <example>
+ up authentication normally, using <code>AuthType Digest</code> and
+ <directive module="mod_auth_digest">AuthDigestProvider</directive>
+ instead of the normal <code>AuthType Basic</code> and
+ <directive module="mod_auth_basic">AuthBasicProvider</directive>.
+ Then add a <directive module="mod_auth_digest"
+ >AuthDigestDomain</directive> directive containing at least the root
+ URI(s) for this protection space.</p>
+
+ <p>Appropriate user (text) files can be created using the
+ <a href="../programs/htdigest.html">htdigest</a> tool.</p>
+
+ <example><title>Example:</title>
<Location /private/><br />
<indent>
AuthType Digest<br />
AuthName "private area"<br />
AuthDigestDomain /private/ http://mirror.my.dom/private2/<br />
- AuthDigestFile /web/auth/.digest_pw<br />
+ <br />
+ AuthDigestProvider file<br />
+ AuthUserFile /web/auth/.digest_pw<br />
Require valid-user<br />
</indent>
</Location>
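Review bot: The rewritten introduction removes the instruction to replace "AuthGroupFile" with "AuthDigestGroupFile" and puts nothing in its place, so the section no longer says how group-based restrictions are configured with Digest authentication. Add a sentence naming the directive that takes over, or state that group files are unchanged.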
<note><title>Note</title>
<p>Digest authentication provides a more secure password system
than Basic authentication, but only works with supporting
- browsers. As of July 2002, the major browsers that support digest
+ browsers. As of November 2002, the major browsers that support digest
authentication are <a href="http://www.opera.com/">Opera</a>, <a
href="http://www.microsoft.com/windows/ie/">MS Internet
Explorer</a> (fails when used with a query string), <a
- href="http://www.w3.org/Amaya/">Amaya</a> and <a
- href="http://www.mozilla.org">Mozilla</a>. Since digest
+ href="http://www.w3.org/Amaya/">Amaya</a>, <a
+ href="http://www.mozilla.org">Mozilla</a> and <a
+ href="http://channels.netscape.com/ns/browsers/download.jsp"
+ >Netscape</a> since version 7. Since digest
authentication is not as widely implemented as basic
- authentication, you should use it only in controlled settings.</p>
+ authentication, you should use it only in controlled environments.</p>
</note>
</section>
<directivesynopsis>
-<name>AuthDigestFile</name>
-<description>Location of the text file containing the list
-of users and encoded passwords for digest authentication</description>
-<syntax>AuthDigestFile <var>file-path</var></syntax>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
+<name>AuthDigestProvider</name>
+<description>Sets the authentication provider(s) for this location</description>
+<syntax>AuthDigestProvider On|Off|<var>provider-name</var>
+[<var>provider-name</var>] ...</syntax>
+<default>AuthBasicProvider On</default>
+<contextlist><context>directory</context></contextlist>
<usage>
- <p>The <directive>AuthDigestFile</directive> directive sets the
- name of a textual file containing the list of users and encoded
- passwords for digest authentication. <var>File-path</var> is the
- absolute path to the user file.</p>
-
- <p>The digest file uses a special format. Files in this format
- can be created using the <a
- href="../programs/htdigest.html">htdigest</a> utility found in
- the support/ subdirectory of the Apache distribution.</p>
-</usage>
-</directivesynopsis>
-
-<directivesynopsis>
-<name>AuthDigestGroupFile</name>
-<description>Name of the text file containing the list of groups
-for digest authentication</description>
-<syntax>AuthDigestGroupFile <var>file-path</var></syntax>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>The <directive>AuthDigestGroupFile</directive> directive sets
- the name of a textual file containing the list of groups and their
- members (user names). <var>File-path</var> is the absolute path to
- the group file.</p>
-
- <p>Each line of the group file contains a groupname followed by
- a colon, followed by the member usernames separated by spaces.
- Example:</p>
-
- <example>mygroup: bob joe anne</example>
-
- <p>Note that searching large text files is <em>very</em>
- inefficient.</p>
-
- <p>Security: make sure that the AuthGroupFile is stored outside
- the document tree of the web-server; do <em>not</em> put it in
- the directory that it protects. Otherwise, clients will be able
- to download the AuthGroupFile.</p>
+ <p>The <directive>AuthDigestProvider</directive> directive sets
+ which provider is used to authenticate the users for this location.
+ Setting the value to <code>On</code> will choose the default provider
+ (<code>file</code>). Since the <code>file</code> provider is implemented
+ by the <module>mod_authn_file</module> module, you have to make sure,
+ that the module is present in the server.</p>
+
+ <p>See <module>mod_authn_dbm</module> and <module>mod_authn_file</module>
+ for providers.</p>
+
+ <p>The value <code>Off</code> clears the provider list and sets it back
+ to the default.</p>
</usage>
</directivesynopsis>
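Review bot: The `<default>` line of the new AuthDigestProvider synopsis reads `AuthBasicProvider On`, evidently carried over from mod_auth_basic; it should be `AuthDigestProvider On`. The usage paragraph is also a verbatim copy, including "you have to make sure, that the module is present" (drop the comma), and as with AuthBasicProvider the `.htaccess` context and `<override>AuthConfig</override>` of the removed AuthDigestFile are gone, which deserves a mention if intentional.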
<usage>
<p>The <directive>AuthDigestQop</directive> directive determines
- the quality-of-protection to use. <code>auth</code> will only do
- authentication (username/password); <code>auth-int</code> is
+ the <dfn>quality-of-protection</dfn> to use. <code>auth</code> will
+ only do authentication (username/password); <code>auth-int</code> is
authentication plus integrity checking (an MD5 hash of the entity
is also computed and checked); <code>none</code> will cause the module
to use the old RFC-2069 digest algorithm (which does not include
greater than 0 then it specifies the amount of time for which the
nonce is valid; this should probably never be set to less than 10
seconds. If <var>seconds</var> is less than 0 then the nonce never
- expires. <!-- Not implemented yet If <var>seconds</var> is 0 then
+ expires. <!-- Not implemented yet: If <var>seconds</var> is 0 then
the nonce may be used exactly once by the client. Note that while
one-time-nonces provide higher security against replay attacks,
they also have significant performance implications, as the
<override>AuthConfig</override>
<usage>
- <p><strong>Not implemented yet.</strong> <!--
- <P>The AuthDigestNonceFormat directive determines how the nonce is
- generated.
- -->
- </p>
+ <note>Not implemented yet.</note>
+ <!-- The AuthDigestNonceFormat directive determines how the nonce is
+ generated. -->
</usage>
</directivesynopsis>
Not implemented yet.
</note>
<!--
- <P>The AuthDigestNcCheck directive enables or disables the checking of the
- nonce-count sent by the server.
-
- <P>While recommended from a security standpoint, turning this directive
- On has one important performance implication. To check the nonce-count
- *all* requests (which have an Authorization header, irrespective of
- whether they require digest authentication) must be serialized through
- a critical section. If the server is handling a large number of
- requests which contain the Authorization header then this may noticeably
- impact performance.
+ <p>The AuthDigestNcCheck directive enables or disables the checking of the
+ nonce-count sent by the server.</p>
+
+ <p>While recommended from a security standpoint, turning this directive
+ On has one important performance implication. To check the nonce-count
+ *all* requests (which have an Authorization header, irrespective of
+ whether they require digest authentication) must be serialized through
+ a critical section. If the server is handling a large number of
+ requests which contain the Authorization header then this may noticeably
+ impact performance.</p>
-->
</usage>
</directivesynopsis>
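Review bot: The commented-out AuthDigestNcCheck text re-added here says the nonce-count is "sent by the server", but the next paragraph describes checking it on requests that carry an Authorization header, so it is the client that sends it. Since these lines are being rewritten anyway, change "server" to "client" so the text is right when the comment is eventually enabled.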
<code>MD5-sess</code> is not correctly implemented yet.
</note>
<!--
- <P>To use <EM>MD5-sess</EM> you must first code up the
- <VAR>get_userpw_hash()</VAR> function in <VAR>mod_auth_digest.c</VAR> .
+ <p>To use <code>MD5-sess</code> you must first code up the
+ <code>get_userpw_hash()</code> function in
+ <code>mod_auth_digest.c</code>.</p>
-->
</usage>
</directivesynopsis>
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>AuthDigestShmemSize</name>
+<description>The amount of shared memory to allocate for keeping track
+of clients</description>
+<syntax>AuthDigestShmemSize <var>size</var></syntax>
+<default>AuthDigestShmemSize 1000</default>
+<contextlist><context>server config</context></contextlist>
+
+<usage>
+ <p>The <directive>AuthDigestShmemSize</directive> directive defines
+ the amount of shared memory, that will be allocated at the server
+ startup for keeping track of clients. Note that the shared memory
+ segment cannot be set less than the space that is neccessary for
+ tracking at least <em>one</em> client. This value is dependant on your
+ system. If you want to find out the exact value, you may simply
+ set <directive>AuthDigestShmemSize</directive> to the value of
+ <code>0</code> and read the error message after trying to start the
+ server.</p>
+
+ <p>The <var>size</var> is normally expressed in Bytes, but you
+ may let the number follow a <code>K</code> or an <code>M</code> to
+ express your value as KBytes or MBytes. For example, the following
+ directives are all equivalent:</p>
+
+ <example>
+ AuthDigestShmemSize 1048576<br />
+ AuthDigestShmemSize 1024K<br />
+ AuthDigestShmemSize 1M<br />
+ </example>
+</usage>
+</directivesynopsis>
+
</modulesynopsis>
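Review bot: Two spelling errors in the new AuthDigestShmemSize usage text: "neccessary" should be "necessary" and "dependant" should be "dependent". The comma in "shared memory, that will be allocated" should go as well, and "cannot be set less than" reads better as "cannot be set to less than".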
<compatibility>Available in Apache 2.1 and later</compatibility>
<summary>
- <p>This module does access control in a manner similar to
- anonymous-ftp sites; <em>i.e.</em> have a 'magic' user id
+ <p>This module provides authentication front-ends such as
+ <module>mod_auth_basic</module> to authenticate users similar
+ to anonymous-ftp sites, <em>i.e.</em> have a 'magic' user id
'anonymous' and the email address as a password. These email
addresses can be logged.</p>
tracking is that, unlike magic-cookies and funny URL
pre/postfixes, it is completely browser independent and it
allows users to share URLs.</p>
-</summary>
-<section><title>Example</title>
+ <p>When using <module>mod_auth_basic</module>, this module is invoked
+ via the <directive module="mod_auth_basic">AuthBasicProvider</directive>
+ directive with the <code>anon</code> value.</p>
+</summary>
- <p>The example below (when combined with the Auth directives of a
- htpasswd-file based (or GDM, mSQL <em>etc.</em>) base access
- control system allows users in as 'guests' with the following
- properties:</p>
+<section id="example"><title>Example</title>
+ <p>The example below is combined with "normal" htpasswd-file based
+ authentication and allows users in additionally as 'guests' with the
+ following properties:</p>
<ul>
<li>It insists that the user enters a userId.
- (<code>Anonymous_NoUserId</code>)</li>
+ (<directive module="mod_authn_anon"
+ >Anonymous_NoUserId</directive>)</li>
<li>It insists that the user enters a password.
- (<code>Anonymous_MustGiveEmail</code>)</li>
+ (<directive module="mod_authn_anon"
+ >Anonymous_MustGiveEmail</directive>)</li>
- <li>The password entered must be a valid email address, ie.
+ <li>The password entered must be a valid email address, <em>i.e.</em>
contain at least one '@' and a '.'.
- (<code>Anonymous_VerifyEmail</code>)</li>
+ (<directive module="mod_authn_anon"
+ >Anonymous_VerifyEmail</directive>)</li>
<li>The userID must be one of <code>anonymous guest www test
welcome</code> and comparison is <strong>not</strong> case
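Review bot: The new cross-reference is written `Anonymous_NoUserId`, but the directive is declared further down as `<name>Anonymous_NoUserID</name>`. Now that this is a `<directive>` reference rather than `<code>`, use the declared spelling here so the names match throughout the page.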
<li>And the Email addresses entered in the passwd field are
logged to the error log file
- (<code>Anonymous_LogEmail</code>)</li>
+ (<directive module="mod_authn_anon"
+ >Anonymous_LogEmail</directive>)</li>
</ul>
- <p>Excerpt of httpd.conf:</p>
-
-<example>
- Anonymous_NoUserId off<br />
- Anonymous_MustGiveEmail on<br />
- Anonymous_VerifyEmail on<br />
- Anonymous_LogEmail on<br />
- Anonymous anonymous guest www test welcome<br />
-<br />
- AuthName "Use 'anonymous' & Email address for
- guest entry"<br />
- AuthType basic<br />
-<br />
- # An
- AuthUserFile/AuthDBMUserFile<br />
- # directive must be specified, or use<br />
- # Anonymous_Authoritative for public access.<br />
- # In the .htaccess for the public directory, add:<br />
- <Files *><br />
- Order Deny,Allow<br />
- Allow from all<br />
-<br />
- Require valid-user<br />
- </Files><br />
-</example>
+ <example><title>Example</title>
+ <Directory /foo>
+ <indent>
+ AuthName "Use 'anonymous' & Email address for guest entry"<br />
+ AuthType Basic<br />
+ AuthBasicProvider file anon<br />
+ AuthUserFile /path/to/your/.htpasswd<br />
+ <br />
+ Anonymous_NoUserId off<br />
+ Anonymous_MustGiveEmail on<br />
+ Anonymous_VerifyEmail on<br />
+ Anonymous_LogEmail on<br />
+ Anonymous anonymous guest www test welcome<br />
+ <br />
+ Order Deny,Allow<br />
+ Allow from all<br />
+ <br />
+ Require valid-user<br />
+ </indent>
+ </Directory>
+ </example>
</section>
<directivesynopsis>
<name>Anonymous</name>
<description>Specifies userIDs that areallowed access without
password verification</description>
-<syntax>Anonymous <em>user</em> [<em>user</em>] ...</syntax>
+<syntax>Anonymous <var>user</var> [<var>user</var>] ...</syntax>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
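Review bot: In the new example the opening `<Directory /foo>` line has no `<br />`, unlike the `<Location /secure><br />` and `<Location /private/><br />` openers elsewhere in this patch, so it will run into the `<indent>` block when rendered. The `<description>` of Anonymous just below still contains "areallowed"; worth fixing while the neighbouring `<syntax>` line is being touched.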
<p>Please note that the comparison is
<strong>case-IN-sensitive</strong>.<br />
- I strongly suggest that the magic username
+ It's strongly recommended that the magic username
'<code>anonymous</code>' is always one of the allowed
userIDs.</p>
- <p>Example:</p>
-<example>Anonymous anonymous "Not Registered" 'I don\'t know'</example>
+ <example><title>Example:</title>
+ Anonymous anonymous "Not Registered" "I don't know"
+ </example>
<p>This would allow the user to enter without password
- verification by using the userId's 'anonymous',
- 'AnonyMous','Not Registered' and 'I Don't Know'.</p>
-</usage>
-</directivesynopsis>
-
-<directivesynopsis>
-<name>Anonymous_Authoritative</name>
-<description>Configures if authorization will fall-through
-to other methods</description>
-<syntax>Anonymous_Authoritative on|off</syntax>
-<default>Anonymous_Authoritative off</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>When set 'on', there is no fall-through to other authorization
- methods. So if a userID does not match the values specified in the
- <directive module="mod_authn_anon">Anonymous</directive> directive,
- access is denied.</p>
-
- <p>Be sure you know what you are doing when you decide to
- switch it on. And remember that it is the linking order of the
- modules (in the Configuration / Make file) which details the
- order in which the Authorization modules are queried.</p>
+ verification by using the userIDs "anonymous",
+ "AnonyMous", "Not Registered" and "I Don't Know".</p>
</usage>
</directivesynopsis>
<name>Anonymous_LogEmail</name>
<description>Sets whether the password entered will be logged in the
error log</description>
-<syntax>Anonymous_LogEmail on|off</syntax>
-<default>Anonymous_LogEmail on</default>
+<syntax>Anonymous_LogEmail On|Off</syntax>
+<default>Anonymous_LogEmail On</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<usage>
- <p>When set <code>on</code>, the default, the 'password' entered
+ <p>When set <code>On</code>, the default, the 'password' entered
(which hopefully contains a sensible email address) is logged in
the error log.</p>
</usage>
<directivesynopsis>
<name>Anonymous_MustGiveEmail</name>
<description>Specifies whether blank passwords are allowed</description>
-<syntax>Anonymous_MustGiveEmail on|off</syntax>
-<default>Anonymous_MustGiveEmail on</default>
+<syntax>Anonymous_MustGiveEmail On|Off</syntax>
+<default>Anonymous_MustGiveEmail On</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<directivesynopsis>
<name>Anonymous_NoUserID</name>
<description>Sets whether the userID field may be empty</description>
-<syntax>Anonymous_NoUserID on|off</syntax>
-<default>Anonymous_NoUserID off</default>
+<syntax>Anonymous_NoUserID On|Off</syntax>
+<default>Anonymous_NoUserID Off</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<usage>
- <p>When set <code>on</code>, users can leave the userID (and
+ <p>When set <code>On</code>, users can leave the userID (and
perhaps the password field) empty. This can be very convenient for
MS-Explorer users who can just hit return or click directly on the
OK button; which seems a natural reaction.</p>
<name>Anonymous_VerifyEmail</name>
<description>Sets whether to check the password field for a correctly
formatted email address</description>
-<syntax>Anonymous_VerifyEmail on|off</syntax>
-<default>Anonymous_VerifyEmail off</default>
+<syntax>Anonymous_VerifyEmail On|Off</syntax>
+<default>Anonymous_VerifyEmail Off</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<usage>
- <p>When set <code>on</code> the 'password' entered is checked for
+ <p>When set <code>On</code> the 'password' entered is checked for
at least one '@' and a '.' to encourage users to enter valid email
addresses (see the above <directive
- module="mod_authn_anon">Auth_LogEmail</directive>).</p>
+ module="mod_authn_anon">Anonymous_LogEmail</directive>).</p>
</usage>
</directivesynopsis>
<summary>
<p>This module provides authentication front-ends such as
<module>mod_auth_digest</module> and <module>mod_auth_basic</module>
- to authenticate users by looking up users in plain text password files.
- Similar functionality is provided by <module>mod_authn_file</module>.</p>
+ to authenticate users by looking up users in <dfn>dbm</dfn> password
+ files. Similar functionality is provided by
+ <module>mod_authn_file</module>.</p>
<p>When using <module>mod_auth_basic</module> or
<module>mod_auth_digest</module>, this module is invoked via the
<directive module="mod_auth_basic">AuthBasicProvider</directive> or
<directive module="mod_auth_digest">AuthDigestProvider</directive>
- with the 'dbm' value.</p>
+ with the <code>dbm</code> value.</p>
</summary>
<seealso><directive module="core">AuthName</directive></seealso>
<name>AuthDBMUserFile</name>
<description>Sets the name of a database file containing the list of users and
passwords for authentication</description>
-<syntax>AuthDBMUserFile <em>file-path</em></syntax>
-<contextlist>
- <context>directory</context>
- <context>.htaccess</context>
+<syntax>AuthDBMUserFile <var>file-path</var></syntax>
+<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<usage>
<p>The <directive>AuthDBMUserFile</directive> directive sets the
name of a DBM file containing the list of users and passwords for
- user authentication. <em>File-path</em> is the absolute path to
+ user authentication. <var>File-path</var> is the absolute path to
the user file.</p>
<p>The user file is keyed on the username. The value for a user is
download the <directive>AuthDBMUserFile</directive>.</p>
<p>Important compatibility note: The implementation of
- "dbmopen" in the apache modules reads the string length of the
- hashed values from the DBM data structures, rather than relying
+ <code>dbmopen</code> in the apache modules reads the string length of
+ the hashed values from the DBM data structures, rather than relying
upon the string being NULL-appended. Some applications, such as
the Netscape web server, rely upon the string being
NULL-appended, so if you are having trouble using DBM files
store passwords</description>
<syntax>AuthDBMType default|SDBM|GDBM|NDBM|DB</syntax>
<default>AuthDBMType default</default>
-<contextlist>
- <context>directory</context>
- <context>.htaccess</context>
+<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
-<compatibility>Available in version 2.0.30 and later.</compatibility>
<usage>
+ <p>Sets the type of database file that is used to store the passwords.
+ The default database type is determined at compile time. The
+ availability of other types of database files also depends on
+ <a href="../install.html#dbm">compile-time settings</a>.</p>
-<p>Sets the type of database file that is used to store the passwords.
-The default database type is determined at compile time. The
-availability of other types of database files also depends on
-<a href="../install.html#dbm">compile-time settings</a>.</p>
-
-<p>It is crucial that whatever program you use to create your password
-files is configured to use the same type of database.</p>
+ <p>It is crucial that whatever program you use to create your password
+ files is configured to use the same type of database.</p>
</usage>
</directivesynopsis>
--- /dev/null
+<?xml version="1.0"?>
+<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<modulesynopsis>
+
+<name>mod_authn_default</name>
+<description>Authentication fallback module</description>
+<status>Base</status>
+<sourcefile>mod_authn_default.c</sourcefile>
+<identifier>authn_default_module</identifier>
+<compatibility>Available in Apache 2.1 and later</compatibility>
+
+<summary>
+ <p>This module is designed to be the fallback module, if you don't
+ have configured an authentication module like
+ <module>mod_auth_basic</module>. It simply rejects any
+ credentials supplied by the user.</p>
+</summary>
+
+<directivesynopsis>
+<name>AuthDefaultAuthoritative</name>
+<description>Sets whether authentication is passed to lower level
+modules</description>
+<syntax>AuthDefaultAuthoritative On|Off</syntax>
+<default>AuthDefaultAuthoritative On</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>Setting the <directive>AuthDefaultAuthoritative</directive> directive
+ explicitly to <code>Off</code> allows for authentication to be passed on
+ to lower level modules (as defined in the <code>modules.c</code>
+ files).</p>
+
+ <note><title>Note</title>
+ <p>Normally there are no lower level modules, since
+ <module>mod_authn_default</module> is defined to be already on
+ a <em>very low</em> level. Therefore you should leave the value of
+ <directive>AuthDefaultAuthoritative</directive> as default
+ (<code>On</code>).</p>
+ </note>
+</usage>
+</directivesynopsis>
+
+</modulesynopsis>
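Review bot: The summary's "if you don't have configured an authentication module" is ungrammatical; "if you have not configured an authentication module" says the same thing. In the AuthDefaultAuthoritative usage, "(as defined in the modules.c files)" gives the reader no way to tell what the lower level modules are; either explain the ordering or drop the parenthesis, given the note right after says there normally are none.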
<compatibility>Available in Apache 2.1 and later</compatibility>
<summary>
-
<p>This module provides authentication front-ends such as
<module>mod_auth_digest</module> and <module>mod_auth_basic</module>
to authenticate users by looking up users in plain text password files.
<module>mod_auth_digest</module>, this module is invoked via the
<directive module="mod_auth_basic">AuthBasicProvider</directive> or
<directive module="mod_auth_digest">AuthDigestProvider</directive>
- with the 'file' value.</p>
-
+ with the <code>file</code> value.</p>
</summary>
-<seealso><directive module="core">AuthName</directive></seealso>
-<seealso><directive module="core">AuthType</directive></seealso>
<seealso>
<directive module="mod_auth_basic">AuthBasicProvider</directive>
</seealso>
<seealso>
<directive module="mod_auth_digest">AuthDigestProvider</directive>
</seealso>
+<seealso><a href="../programs/htpasswd.html">htpasswd</a></seealso>
+<seealso><a href="../programs/htdigest.html">htdigest</a></seealso>
<directivesynopsis>
<name>AuthUserFile</name>
<description>Sets the name of a text file containing the list of users and
passwords for authentication</description>
-<syntax>AuthUserFile <em>file-path</em></syntax>
-<contextlist>
- <context>directory</context>
- <context>.htaccess</context>
+<syntax>AuthUserFile <var>file-path</var></syntax>
+<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<usage>
<p>The <directive>AuthUserFile</directive> directive sets the name
of a textual file containing the list of users and passwords for
- user authentication. <em>File-path</em> is the path to the user
- file. If it is not absolute (<em>i.e.</em>, if it doesn't begin
- with a slash), it is treated as relative to the <directive
- module="core">ServerRoot</directive>.</p>
+ user authentication. <var>File-path</var> is the path to the user
+ file. If it is not absolute, it is treated as relative to the
+ <directive module="core">ServerRoot</directive>.</p>
<p>Each line of the user file contains a username followed by
- a colon, followed by the <code>crypt()</code> encrypted
- password. The behavior of multiple occurrences of the same user is
- undefined.</p>
+ a colon, followed by the encrypted password. If the same user
+ ID is defined multiple times, <module>mod_authn_file</module> will
+ use the first occurrence to verify the password.</p>
<p>The utility <a href="../programs/htpasswd.html">htpasswd</a>
which is installed as part of the binary distribution, or which
can be found in <code>src/support</code>, is used to maintain
- this password file. See the <code>man</code> page for more
- details. In short:</p>
+ the password file for <em>HTTP Basic Authentication</em>. See the
+ <a href="../programs/htpasswd.html">man page</a> for more details.
+ In short:</p>
+
+ <p>Create a password file <code>Filename</code> with
+ <code>username</code> as the initial ID. It will prompt for
+ the password:</p>
- <p>Create a password file 'Filename' with 'username' as the
- initial ID. It will prompt for the password:</p>
- <example>htpasswd -c Filename username</example>
+ <example>
+ htpasswd -c Filename username
+ </example>
- <p>Add or modify 'username2' in the password file 'Filename':</p>
- <example>htpasswd Filename username2</example>
+ <p>Add or modify <code>username2</code> in the password file
+ <code>Filename</code>:</p>
+
+ <example>
+ htpasswd Filename username2
+ </example>
<p>Note that searching large text files is <em>very</em>
inefficient; <directive
module="mod_authn_dbm">AuthDBMUserFile</directive> should be used
instead.</p>
- <note><title>Security</title>
- <p>Make sure that the <directive>AuthUserFile</directive> is
- stored outside the document tree of the web-server; do <em>not</em>
- put it in the directory that it protects. Otherwise, clients will
- be able to download the <directive>AuthUserFile</directive>.</p>
+ <p>If you are using <em>HTTP Digest Authentication</em>, the <a
+ href="../programs/htpasswd.html">htpasswd</a> tool is not sufficient.
+ You have to use <a href="../programs/htdigest.html">htdigest</a>
+ instead. Note that you cannot mix user data for Digest Authentication
+ and Basic Authentication within the same file.</p>
+
+ <note type="warning"><title>Security</title>
+ <p>Make sure that the <directive>AuthUserFile</directive> is
+ stored outside the document tree of the web-server. Do
+ <strong>not</strong> put it in the directory that it protects.
+ Otherwise, clients may be able to download the
+ <directive>AuthUserFile</directive>.</p>
</note>
</usage>
</directivesynopsis>
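Review bot: `Filename`, `username` and `username2` in the htpasswd paragraphs are placeholders, not literals, so they should be marked up with `<var>`, as `<var>file-path</var>` is in the `<syntax>` line of this same hunk, rather than `<code>`. The new link labelled "man page" points at the same htpasswd.html target as the htpasswd link a few lines earlier; one of the two is enough.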
<name>AuthDBMGroupFile</name>
<description>Sets the name of the database file containing the list
of user groups for authentication</description>
-<syntax>AuthDBMGroupFile <em>file-path</em></syntax>
+<syntax>AuthDBMGroupFile <var>file-path</var></syntax>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<usage>
<p>The <directive>AuthDBMGroupFile</directive> directive sets the
name of a DBM file containing the list of user groups for user
- authentication. <em>File-path</em> is the absolute path to the
+ authentication. <var>File-path</var> is the absolute path to the
group file.</p>
<p>The group file is keyed on the username. The value for a
belongs. There must be no whitespace within the value, and it
must never contain any colons.</p>
- <p>Security: make sure that the
- <directive>AuthDBMGroupFile</directive> is stored outside the
- document tree of the web-server; do <em>not</em> put it in the
- directory that it protects. Otherwise, clients will be able to
- download the <directive>AuthDBMGroupFile</directive> unless
- otherwise protected.</p>
+ <note type="warning"><title>Security</title>
+ <p>Make sure that the <directive>AuthDBMGroupFile</directive> is
+ stored outside the document tree of the web-server. Do
+ <strong>not</strong> put it in the directory that it protects.
+ Otherwise, clients will be able to download the
+ <directive>AuthDBMGroupFile</directive> unless otherwise
+ protected.</p>
+ </note>
<p>Combining Group and Password DBM files: In some cases it is
easier to manage a single database which contains both the
accomplished by first setting the group and password files to
point to the same DBM:</p>
-<example>
-AuthDBMGroupFile /www/userbase<br />
-AuthDBMUserFile /www/userbase
-</example>
+ <example>
+ AuthDBMGroupFile /www/userbase<br />
+ AuthDBMUserFile /www/userbase
+ </example>
<p>The key for the single DBM is the username. The value consists
of</p>
-<example>Unix Crypt-ed Password : List of Groups [ : (ignored)
- ]</example>
+ <example>
+ Encrypted Password : List of Groups [ : (ignored) ]
+ </example>
- <p>The password section contains the Unix <code>crypt()</code>
+ <p>The password section contains the encrypted
password as before. This is followed by a colon and the comma
separated list of groups. Other data may optionally be left in the
DBM file after another colon; it is ignored by the authentication
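Review bot: Replacing "Unix Crypt-ed Password" and "the Unix crypt() password" with "Encrypted Password" and "the encrypted password" in the combined-DBM description removes the only statement of the expected password format and puts nothing in its place. crypt() output is a one-way hash, not ciphertext, so "hashed password" would be more accurate, ideally with a pointer to where the accepted formats are documented. The "as before" in the following context line then needs a referent too.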
store passwords</description>
<syntax>AuthzDBMType default|SDBM|GDBM|NDBM|DB</syntax>
<default>AuthzDBMType default</default>
-<contextlist>
- <context>directory</context>
- <context>.htaccess</context>
+<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
-<compatibility>Available in version 2.0.30 and later.</compatibility>
<usage>
+ <p>Sets the type of database file that is used to store the passwords.
+ The default database type is determined at compile time. The
+ availability of other types of database files also depends on
+ <a href="../install.html#dbm">compile-time settings</a>.</p>
-<p>Sets the type of database file that is used to store the passwords.
-The default database type is determined at compile time. The
-availability of other types of database files also depends on
-<a href="../install.html#dbm">compile-time settings</a>.</p>
-
-<p>It is crucial that whatever program you use to create your password
-files is configured to use the same type of database.</p>
+ <p>It is crucial that whatever program you use to create your password
+ files is configured to use the same type of database.</p>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>AuthzDBMAuthoritative</name>
-<description>Sets whether authorization will be passed on to lower level modules</description>
-<syntax>AuthzDBMAuthoritative on|off</syntax>
-<default>AuthzDBMAuthoritative on</default>
-<contextlist>
- <context>directory</context>
- <context>.htaccess</context>
+<description>Sets whether authorization will be passed on to lower level
+modules</description>
+<syntax>AuthzDBMAuthoritative On|Off</syntax>
+<default>AuthzDBMAuthoritative On</default>
+<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<usage>
-
<p>Setting the <directive>AuthzDBMAuthoritative</directive>
- directive explicitly to <strong>'off'</strong> allows for both
- authentication and authorization to be passed on to lower level
- modules (as defined in the <code>Configuration</code> and
- <code>modules.c</code> file if there is <strong>no userID</strong>
- or <strong>rule</strong> matching the supplied userID. If there is
- a userID and/or rule specified; the usual password and access
- checks will be applied and a failure will give an Authorization
- Required reply.</p>
+ directive explicitly to <code>Off</code> allows group authorization
+ to be passed on to lower level modules (as defined in the
+ <code>modules.c</code> file) if there is no group found
+ for the the supplied userID. If there are any groups
+ specified, the usual checks will be applied and a failure will
+ give an Authentication Required reply.</p>
<p>So if a userID appears in the database of more than one module;
or if a valid <directive module="core">Require</directive>
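Review bot: In the new AuthzDBMAuthoritative paragraph, "for the the supplied userID" has a duplicated "the". The re-indented AuthzDBMType text in the same hunk also still says the database is "used to store the passwords" and refers to "your password files", which reads as carried over from the password-file wording; for an authorization directive it should describe the group database, or say explicitly that it applies to the combined user and group DBM.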
regardless of the <directive>AuthAuthoritative</directive> setting.</p>
<p>A common use for this is in conjunction with one of the
- auth providers; such as <module>mod_authn_file</module>. Whereas this
- DBM module supplies the bulk of the user credential checking; a
- few (administrator) related accesses fall through to a lower
- level with a well protected .htpasswd file.</p>
-
- <p>By default, control is not passed on and an unknown userID
- or rule will result in an Authorization Required reply. Not
+ auth providers; such as <module>mod_authn_dbm</module> or
+ <module>mod_authn_file</module>. Whereas this DBM module supplies
+ the bulk of the user credential checking; a few (administrator) related
+ accesses fall through to a lower level with a well protected
+ <code>.htpasswd</code> file.</p>
+
+ <p>By default, control is not passed on and an unknown group
+ will result in an Authentication Required reply. Not
setting it thus keeps the system secure and forces an NCSA
compliant behaviour.</p>
- <p>Security: Do consider the implications of allowing a user to
- allow fall-through in his .htaccess file; and verify that this
- is really what you want; Generally it is easier to just secure
- a single .htpasswd file, than it is to secure a database which
- might have more access interfaces.</p>
+ <note type="warning"><title>Security</title>
+ <p>Do consider the implications of allowing a user to
+ allow fall-through in his .htaccess file; and verify that this
+ is really what you want; Generally it is easier to just secure
+ a single <code>.htpasswd</code> file, than it is to secure a
+ database which might have more access interfaces.</p>
+ </note>
</usage>
</directivesynopsis>
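Review bot: The first paragraph now limits AuthzDBMAuthoritative to group authorization, but the "common use" paragraph and the Security warning still describe authentication: "this DBM module supplies the bulk of the user credential checking", a fall-through to "a well protected .htpasswd file", and the leading context line still names AuthAuthoritative. Suggest rewriting these in terms of group lookups and the directive's own name, so the text does not imply that Off affects password checking. Minor: ".htaccess" in the new warning is not wrapped in <code> although ".htpasswd" is.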
--- /dev/null
+<?xml version="1.0"?>
+<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<modulesynopsis>
+
+<name>mod_authz_default</name>
+<description>Authorization fallback module</description>
+<status>Base</status>
+<sourcefile>mod_authz_default.c</sourcefile>
+<identifier>authz_default_module</identifier>
+<compatibility>Available in Apache 2.1 and later</compatibility>
+
+<summary>
+ <p>This module is designed to be the fallback module, if you don't
+ have configured an authorization module like
+ <module>mod_authz_user</module> or <module>mod_authz_groupfile</module>.
+ It simply rejects any authorization request.</p>
+</summary>
+
+<directivesynopsis>
+<name>AuthzDefaultAuthoritative</name>
+<description>Sets whether authorization is passed to lower level
+modules</description>
+<syntax>AuthzDefaultAuthoritative On|Off</syntax>
+<default>AuthzDefaultAuthoritative On</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>Setting the <directive>AuthzDefaultAuthoritative</directive> directive
+ explicitly to <code>Off</code> allows for authorization to be passed on
+ to lower level modules (as defined in the <code>modules.c</code>
+ files).</p>
+
+ <note><title>Note</title>
+ <p>Normally there are no lower level modules, since
+ <module>mod_authz_default</module> is defined to be already on
+ a <em>very low</em> level. Therefore you should leave the value of
+ <directive>AuthzDefaultAuthoritative</directive> as default
+ (<code>On</code>).</p>
+ </note>
+</usage>
+</directivesynopsis>
+
+</modulesynopsis>
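Review bot: The usage text for AuthzDefaultAuthoritative never states what a request gets when the directive is Off and, as the Note itself says is the normal case, no lower level module exists. Because the summary describes this module as the one that "simply rejects any authorization request", the page should say explicitly whether Off then grants or denies access, so nobody disables the fallback without knowing the result. Wording nits: "if you don't have configured" should read "if you have not configured", and "the modules.c files" should be singular, as in the AuthzDBMAuthoritative text.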
<name>mod_authz_groupfile</name>
<description>Group authorization using plaintext files</description>
-<status>Extension</status>
+<status>Base</status>
<sourcefile>mod_authz_groupfile.c</sourcefile>
<identifier>authz_groupfile_module</identifier>
<compatibility>Available in Apache 2.1 and later</compatibility>
<summary>
<p>This module provides authorization capabilities so that
- authenticated users can be allowed or denied access to portions
- of the web site by group membership. Similar functionality is
- provided by <module>mod_authz_dbm</module>.</p>
+ authenticated users can be allowed or denied access to portions
+ of the web site by group membership. Similar functionality is
+ provided by <module>mod_authz_dbm</module>.</p>
</summary>
<seealso><directive module="core">Require</directive></seealso>
<name>AuthGroupFile</name>
<description>Sets the name of a text file containing the list
of user groups for authentication</description>
-<syntax>AuthGroupFile <em>file-path</em></syntax>
-<contextlist>
- <context>directory</context>
- <context>.htaccess</context>
+<syntax>AuthGroupFile <var>file-path</var></syntax>
+<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<usage>
<p>The <directive>AuthGroupFile</directive> directive sets the
name of a textual file containing the list of user groups for user
- authentication. <em>File-path</em> is the path to the group
- file. If it is not absolute (<em>i.e.</em>, if it doesn't begin
- with a slash), it is treated as relative to the <directive
+ authentication. <var>File-path</var> is the path to the group
+ file. If it is not absolute, it is treated as relative to the <directive
module="core">ServerRoot</directive>.</p>
<p>Each line of the group file contains a groupname followed by a
- colon, followed by the member usernames separated by spaces.
- Example:</p>
+ colon, followed by the member usernames separated by spaces.</p>
- <example>mygroup: bob joe anne</example>
+ <example><title>Example:</title>
+ mygroup: bob joe anne
+ </example>
<p>Note that searching large text files is <em>very</em>
- inefficient; <directive
- module="mod_authz_dbm">AuthDBMGroupFile</directive> should be used
- instead.</p>
-
- <note><title>Security</title>
- <p>Make sure that the <directive>AuthGroupFile</directive> is
- stored outside the document tree of the web-server; do <em>not</em>
- put it in the directory that it protects. Otherwise, clients will
- be able to download the <directive>AuthGroupFile</directive>.</p>
+ inefficient; <directive module="mod_authz_dbm"
+ >AuthDBMGroupFile</directive> provides a much better performance.</p>
+
+ <note type="warning"><title>Security</title>
+ <p>Make sure that the <directive>AuthGroupFile</directive> is
+ stored outside the document tree of the web-server; do <em>not</em>
+ put it in the directory that it protects. Otherwise, clients may
+ be able to download the <directive>AuthGroupFile</directive>.</p>
</note>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>AuthzGroupFileAuthoritative</name>
-<description>Sets whether authorization will be passed on to lower level modules</description>
-<syntax>AuthzGroupFileAuthoritative on|off</syntax>
-<default>AuthzGroupFileAuthoritative on</default>
-<contextlist>
- <context>directory</context>
- <context>.htaccess</context>
+<description>Sets whether authorization will be passed on to lower level
+modules</description>
+<syntax>AuthzGroupFileAuthoritative On|Off</syntax>
+<default>AuthzGroupFileAuthoritative On</default>
+<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<usage>
-
<p>Setting the <directive>AuthzGroupFileAuthoritative</directive>
- directive explicitly to <strong>'off'</strong> allows for
- authorization to be passed on to lower level modules (as defined in
- the <code>Configuration</code> and <code>modules.c</code> file if
- there is <strong>no userID</strong> or <strong>rule</strong> matching
- the supplied userID. If there is a userID and/or rule specified; the
- usual password and access checks will be applied and a failure will
- give an Authorization Required reply.</p>
+ directive explicitly to <code>Off</code> allows for
+ group authorization to be passed on to lower level modules (as defined
+ in the <code>modules.c</code> files) if there is <strong>no
+ group</strong> matching the supplied userID.</p>
- <p>So if a valid <directive module="core">Require</directive>
- directive applies to more than one module; then the first module
- will verify the credentials; and no access is passed on;
- regardless of the <directive>AuthzGroupFileAuthoritative</directive>
- setting.</p>
-
- <p>By default, control is not passed on and an unknown userID
- or rule will result in an Authorization Required reply. Not
+ <p>By default, control is not passed on and an unknown group
+ will result in an Authentication Required reply. Not
setting it thus keeps the system secure and forces an NCSA
compliant behaviour.</p>
- <p>Security: Do consider the implications of allowing a user to
- allow fall-through in his .htaccess file; and verify that this
- is really what you want; Generally it is easier to just secure
- a single .htpasswd file, than it is to secure a database which
- might have more access interfaces.</p>
+ <note type="warning"><title>Security</title>
+ <p>Do consider the implications of allowing a user to
+ allow fall-through in his <code>.htaccess</code> file; and verify
+ that this is really what you want; Generally it is easier to just
+ secure a single <code>.htpasswd</code> file, than it is to secure
+ a database which might have more access interfaces.</p>
+ </note>
</usage>
</directivesynopsis>
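Review bot: In AuthzGroupFileAuthoritative the sentence "Not setting it thus keeps the system secure" is left unchanged, and after the rewrite "it" has no clear referent, since the preceding paragraph is about setting the directive to Off. The new mod_authz_user.xml text in this patch spells it out as "Not setting it to <code>Off</code>"; suggest the same wording here and in AuthzDBMAuthoritative. Minor: the AuthGroupFile warning keeps "; do <em>not</em>" where the AuthUserFile and AuthDBMGroupFile warnings were changed to ". Do <strong>not</strong>".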
<modulesynopsis>
<name>mod_authz_host</name>
-
<description>Group authorizations based on host (name or IP
address)</description>
-
<status>Base</status>
<sourcefile>mod_authz_host.c</sourcefile>
<identifier>authz_host_module</identifier>
<directivesynopsis>
<name>Allow</name>
-
<description>Controls which hosts can access an area of the
server</description>
-<syntax> Allow from
- all|<em>host</em>|env=<em>env-variable</em>
- [<em>host</em>|env=<em>env-variable</em>] ...</syntax>
+<syntax> Allow from all|<var>host</var>|env=<var>env-variable</var>
+[<var>host</var>|env=<var>env-variable</var>] ...</syntax>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>Limit</override>
<usage>
-
<p>The <directive>Allow</directive> directive affects which hosts can
access an area of the server. Access can be controlled by
hostname, IP Address, IP Address range, or by other
<dl>
<dt>A (partial) domain-name</dt>
- <dd>Example: <code>Allow from apache.org</code><br />
- Hosts whose names match, or end in, this string are allowed
+ <dd>
+ <example><title>Example:</title>
+ Allow from apache.org
+ </example>
+ <p>Hosts whose names match, or end in, this string are allowed
access. Only complete components are matched, so the above
example will match <code>foo.apache.org</code> but it will
not match <code>fooapache.org</code>. This configuration will
cause the server to perform a reverse DNS lookup on the
client IP address, regardless of the setting of the <directive
module="core">HostnameLookups</directive>
- directive.</dd>
+ directive.</p></dd>
<dt>A full IP address</dt>
- <dd>Example: <code>Allow from 10.1.2.3</code><br />
- An IP address of a host allowed access</dd>
+ <dd>
+ <example><title>Example:</title>
+ Allow from 10.1.2.3
+ </example>
+ <p>An IP address of a host allowed access</p></dd>
<dt>A partial IP address</dt>
- <dd>Example: <code>Allow from 10.1</code><br />
- The first 1 to 3 bytes of an IP address, for subnet
- restriction.</dd>
+ <dd>
+ <example><title>Example:</title>
+ Allow from 10.1
+ </example>
+ <p>The first 1 to 3 bytes of an IP address, for subnet
+ restriction.</p></dd>
<dt>A network/netmask pair</dt>
- <dd>Example: <code>Allow from
- 10.1.0.0/255.255.0.0</code><br />
- A network a.b.c.d, and a netmask w.x.y.z. For more
- fine-grained subnet restriction.</dd>
+ <dd>
+ <example><title>Example:</title>
+ Allow from 10.1.0.0/255.255.0.0
+ </example>
+ <p>A network a.b.c.d, and a netmask w.x.y.z. For more
+ fine-grained subnet restriction.</p></dd>
<dt>A network/nnn CIDR specification</dt>
- <dd>Example: <code>Allow from 10.1.0.0/16</code><br />
- Similar to the previous case, except the netmask consists of
- nnn high-order 1 bits.</dd>
+ <dd>
+ <example><title>Example:</title>
+ Allow from 10.1.0.0/16
+ </example>
+ <p>Similar to the previous case, except the netmask consists of
+ nnn high-order 1 bits.</p></dd>
</dl>
<p>Note that the last three examples above match exactly the
<directive>Allow</directive> directive allows access to the server
to be controlled based on the existence of an <a
href="../env.html">environment variable</a>. When <code>Allow from
- env=</code><em>env-variable</em> is specified, then the request is
- allowed access if the environment variable <em>env-variable</em>
+ env=<var>env-variable</var></code> is specified, then the request is
+ allowed access if the environment variable <var>env-variable</var>
exists. The server provides the ability to set environment
variables in a flexible way based on characteristics of the client
request using the directives provided by
- <module>mod_setenvif</module>. Therefore, this directive can be
+ <module>mod_setenvif</module>. Therefore, this directive can be
used to allow access based on such factors as the clients
<code>User-Agent</code> (browser type), <code>Referer</code>, or
other HTTP request header fields.</p>
-<example>
-<title>Example:</title>
-SetEnvIf User-Agent ^KnockKnock/2.0 let_me_in<br />
-<Directory /docroot><br />
- Order Deny,Allow<br />
- Deny from all<br />
- Allow from env=let_me_in<br />
-</Directory>
-</example>
+ <example><title>Example:</title>
+ SetEnvIf User-Agent ^KnockKnock/2.0 let_me_in<br />
+ <Directory /docroot><br />
+ <indent>
+ Order Deny,Allow<br />
+ Deny from all<br />
+ Allow from env=let_me_in<br />
+ </indent>
+ </Directory>
+ </example>
<p>In this case, browsers with a user-agent string beginning
with <code>KnockKnock/2.0</code> will be allowed access, and all
others will be denied.</p>
</usage>
-
</directivesynopsis>
<directivesynopsis>
-
<name>Deny</name>
-
<description>Controls which hosts are denied access to the
server</description>
-
-<syntax> Deny from
- all|<em>host</em>|env=<em>env-variable</em>
- [<em>host</em>|env=<em>env-variable</em>] ...</syntax>
+<syntax> Deny from all|<var>host</var>|env=<var>env-variable</var>
+[<var>host</var>|env=<var>env-variable</var>] ...</syntax>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>Limit</override>
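Review bot: The reformatted "Allow from env=let_me_in" example gates /docroot on a User-Agent prefix, and the surrounding text presents User-Agent and Referer as factors to allow access on, with no caveat. These are request headers chosen by the client, so the section should say that env-based rules built on them are a convenience filter and not a substitute for authentication. Since the paragraph is being touched anyway, "the clients User-Agent" should be "the client's User-Agent".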
identical to the arguments for the <directive
module="mod_authz_host">Allow</directive> directive.</p>
</usage>
-
</directivesynopsis>
<directivesynopsis>
-
<name>Order</name>
-
<description>Controls the default access state and the order in which
<directive>Allow</directive> and <directive>Deny</directive> are
evaluated.</description>
-
-<syntax> Order <em>ordering</em></syntax>
+<syntax> Order <var>ordering</var></syntax>
<default>Order Deny,Allow</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>Limit</override>
<usage>
-
<p>The <directive>Order</directive> directive controls the default
access state and the order in which <directive
module="mod_authz_host">Allow</directive> and <directive
module="mod_authz_host">Deny</directive> directives are evaluated.
- <em>Ordering</em> is one of</p>
+ <var>Ordering</var> is one of</p>
<dl>
- <dt>Deny,Allow</dt>
+ <dt><code>Deny,Allow</code></dt>
<dd>The <directive module="mod_authz_host">Deny</directive> directives
are evaluated before the <directive
module="mod_authz_host">Allow</directive> directives. Access is
- allowed by default. Any client which does not match a
+ allowed by default. Any client which does not match a
<directive module="mod_authz_host">Deny</directive> directive or does
match an <directive module="mod_authz_host">Allow</directive>
directive will be allowed access to the server.</dd>
- <dt>Allow,Deny</dt>
+ <dt><code>Allow,Deny</code></dt>
<dd>The <directive module="mod_authz_host">Allow</directive>
directives are evaluated before the <directive
<directive module="mod_authz_host">Deny</directive> directive will be
denied access to the server.</dd>
- <dt>Mutual-failure</dt>
+ <dt><code>Mutual-failure</code></dt>
<dd>Only those hosts which appear on the <directive
module="mod_authz_host">Allow</directive> list and do not appear on
configuration.</dd>
</dl>
- <p>Keywords may only be separated by a comma; no whitespace is
+ <p>Keywords may only be separated by a comma; <em>no whitespace</em> is
allowed between them. Note that in all cases every <directive
module="mod_authz_host">Allow</directive> and <directive
module="mod_authz_host">Deny</directive> statement is evaluated.</p>
<p>In the following example, all hosts in the apache.org domain
are allowed access; all other hosts are denied access.</p>
-<example>
+ <example>
Order Deny,Allow<br />
Deny from all<br />
- Allow from apache.org<br />
-</example>
+ Allow from apache.org
+ </example>
<p>In the next example, all hosts in the apache.org domain are
allowed access, except for the hosts which are in the
in the apache.org domain are denied access because the default
state is to deny access to the server.</p>
-<example>
- Order Allow,Deny<br />
- Allow from apache.org<br />
- Deny from foo.apache.org<br />
-</example>
+ <example>
+ Order Allow,Deny<br />
+ Allow from apache.org<br />
+ Deny from foo.apache.org
+ </example>
<p>On the other hand, if the <directive>Order</directive> in the last
example is changed to <code>Deny,Allow</code>, all hosts will
access to a part of the server even in the absence of accompanying
<directive module="mod_authz_host">Allow</directive> and <directive
module="mod_authz_host">Deny</directive> directives because of its effect
- on the default access state. For example,</p>
+ on the default access state. For example,</p>
-<example>
+ <example>
<Directory /www><br />
- Order Allow,Deny<br />
+ <indent>
+ Order Allow,Deny<br />
+ </indent>
</Directory>
-</example>
+ </example>
<p>will deny all access to the <code>/www</code> directory
because the default access state will be set to
href="../sections.html">How Directory, Location and Files sections
work</a>.</p>
</usage>
-
</directivesynopsis>
</modulesynopsis>
--- /dev/null
+<?xml version="1.0"?>
+<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<modulesynopsis>
+
+<name>mod_authz_user</name>
+<description>User Authorization</description>
+<status>Base</status>
+<sourcefile>mod_authz_user.c</sourcefile>
+<identifier>authz_user_module</identifier>
+<compatibility>Available in Apache 2.1 and later</compatibility>
+
+<summary>
+ <p>This module provides authorization capabilities so that
+ authenticated users can be allowed or denied access to portions
+ of the web site. <module>mod_authz_user</module> grants
+ access if the authenticated user is listed in a <code>Require user</code>
+ directive. Alternatively <code>require valid-user</code> can be used to
+ grant access to all successfully authenticated users.</p>
+</summary>
+<seealso><directive module="core">Require</directive></seealso>
+<seealso><directive module="core">Satisfy</directive></seealso>
+
+<directivesynopsis>
+<name>AuthzUserAuthoritative</name>
+<description>Sets whether authorization will be passed on to lower level
+modules</description>
+<syntax>AuthzUserAuthoritative On|Off</syntax>
+<default>AuthzUserAuthoritative On</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+ <p>Setting the <directive>AuthzUserAuthoritative</directive>
+ directive explicitly to <code>Off</code> allows for
+ user authorization to be passed on to lower level modules (as defined
+ in the <code>modules.c</code> files) if there is <strong>no
+ user</strong> matching the supplied userID.</p>
+
+ <p>By default, control is not passed on and an unknown user
+ will result in an Authentication Required reply. Not
+ setting it to <code>Off</code> thus keeps the system secure and forces
+ an NCSA compliant behaviour.</p>
+</usage>
+</directivesynopsis>
+
+</modulesynopsis>
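Review bot: "if there is no user matching the supplied userID" in the AuthzUserAuthoritative usage does not say what the userID is matched against (presumably the names listed in a Require user directive), and it leaves open how Off interacts with valid-user. Please state both. The summary also mixes "Require user" and "require valid-user"; use one capitalisation.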
<modulefile>mod_authn_anon.xml</modulefile>
<modulefile>mod_authn_dbm.xml</modulefile>
<modulefile>mod_authn_file.xml</modulefile>
+ <modulefile>mod_authn_default.xml</modulefile>
<modulefile>mod_authz_dbm.xml</modulefile>
+ <modulefile>mod_authz_default.xml</modulefile>
<modulefile>mod_authz_groupfile.xml</modulefile>
<modulefile>mod_authz_host.xml</modulefile>
+ <modulefile>mod_authz_user.xml</modulefile>
<modulefile>mod_auth_ldap.xml</modulefile>
<modulefile>mod_autoindex.xml</modulefile>
<modulefile>mod_cache.xml</modulefile>
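Review bot: mod_authn_default.xml is inserted after mod_authn_file.xml, which breaks the alphabetical run of the visible mod_authn_* entries (anon, dbm, file), whereas mod_authz_default.xml is placed in order after mod_authz_dbm.xml. If the list is meant to be sorted, move the new entry between mod_authn_dbm.xml and mod_authn_file.xml.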