From 90dd2bc53f0c85889ab09b8f80e86863f9d167ee Mon Sep 17 00:00:00 2001 From: Chris Darroch Date: Tue, 25 Mar 2008 19:25:02 +0000 Subject: [PATCH] Add AuthzMergeRules to example configuration, and avoid use of ISO SQL:1999 Booleans in example SQL. Revise some introductory text. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@640951 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_authz_dbd.xml | 65 ++++++++++++++++++++----------- 1 file changed, 42 insertions(+), 23 deletions(-) diff --git a/docs/manual/mod/mod_authz_dbd.xml b/docs/manual/mod/mod_authz_dbd.xml index f3e4bf03a8..901913cac7 100644 --- a/docs/manual/mod/mod_authz_dbd.xml +++ b/docs/manual/mod/mod_authz_dbd.xml @@ -32,22 +32,38 @@

This module provides authorization capabilities so that authenticated users can be allowed or denied access to portions - of the web site by group membership. It also provides - database/backend login/logout in conjunction with - mod_authn_dbd.

+ of the web site by group membership. Similar functionality is + provided by mod_authz_groupfile and + mod_authz_dbm, with the exception that + this module queries a SQL database to determine whether a + user is a member of a group.

+

This module can also provide database-backed user login/logout + capabilities. These are likely to be of most value when used + in conjunction with mod_authn_dbd.

+

This module relies on mod_dbd to specify + the backend database driver and connection parameters, and + manage the database connections.

Require + + AuthzMergeRules + + + AuthDBDUserPWQuery + DBDriver DBDParams
Database Login -

In addition to the standard authz function of checking group -membership, this module provides database Login/Logout capability. -Specifically, we can maintain a logged in/logged out status in -the database, and control the status via designated URLs (subject -of course to users supplying the necessary credentials).

+

+In addition to the standard authorization function of checking group +membership, this module can also provide server-side user session +management via database-backed login/logout capabilities. +Specifically, it can update a user's session status in the database +whenever the user visits designated URLs (subject of course to users +supplying the necessary credentials).

This works by defining two special Require types: Require dbd-login and Require dbd-logout. @@ -56,15 +72,14 @@ For usage details, see the configuration example below.

Client Login -

In conjunction with server login/logout, we may wish to implement -clientside login/out, for example by setting and unsetting a cookie -or other such token. Although this is not the business of an authz -module, client session management software should be able to tie its -operation in to database login/logout. To support this, -mod_authz_dbd exports an optional hook that will -be run whenever a user successfully logs into or out of the database. -Session management modules can use the hook to implement functions -to start and end a client session.

+

Some administrators may wish to implement client-side session +management that works in concert with the server-side login/logout +capabilities offered by this module, for example, by setting or unsetting +an HTTP cookie or other such token when a user logs in or out. +To support such integration, mod_authz_dbd exports an +optional hook that will be run whenever a user's status is updated in +the database. Other session management modules can then use the hook +to implement functions that start and end client-side sessions.

@@ -88,17 +103,19 @@ DBDExptime 300 # mod_authn_dbd SQL query to authenticate a logged-in user AuthDBDUserPWQuery \ - "SELECT password FROM authn WHERE user = %s AND login = true" + "SELECT password FROM authn WHERE user = %s AND login = 'true'" # mod_authz_core configuration for mod_authz_dbd + AuthzMergeRules Off Require dbd-group team # mod_authz_dbd configuration AuthzDBDQuery "SELECT group FROM authz WHERE user = %s" # when a user fails to be authenticated or authorized, - # invite them to login - ErrorDocument 401 /team-private/login-form.html + # invite them to login; this page should provide a link + # to /team-private/login.html + ErrorDocument 401 /login-info.html <Files login.html> # don't require user to already be logged in! @@ -106,9 +123,10 @@ DBDExptime 300 "SELECT password FROM authn WHERE user = %s" # dbd-login action executes a statement to log user in + AuthzMergeRules Off Require dbd-login AuthzDBDQuery \ - "UPDATE authn SET login = true WHERE user = %s" + "UPDATE authn SET login = 'true' WHERE user = %s" # return user to referring page (if any) after # successful login @@ -117,9 +135,10 @@ DBDExptime 300 <Files logout.html> # dbd-logout action executes a statement to log user out + AuthzMergeRules Off Require dbd-logout AuthzDBDQuery \ - "UPDATE authn SET login = false WHERE user = %s" + "UPDATE authn SET login = 'false' WHERE user = %s" </Files> </Directory> @@ -158,7 +177,7 @@ AuthzDBDQuery \ Example
 Require dbd-login
 AuthzDBDQuery \
-  "UPDATE authn SET login = true WHERE user = %s"
+  "UPDATE authn SET login = 'true' WHERE user = %s"
 
-- 2.40.0
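Review bot: In the Database Login paragraph of the first hunk (@@ -32,22 +32,38 @@), "server-side user session management" promises more than the example configuration delivers. The dbd-login and dbd-logout statements shown later in the patch set one `login` value per row `WHERE user = %s`, so the status is tracked per user, not per client or browser. Consider wording such as "can track a user's logged-in status in the database", and state that a logout from one client applies to every client using that account.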
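Review bot: The rewritten Client Login paragraph (@@ -56,15 +72,14 @@) still refers to "an optional hook" without naming it, so a module author cannot locate it from this page; please name the hook and say what it is passed. The trigger wording also changed from "whenever a user successfully logs into or out of the database" to "whenever a user's status is updated in the database". If the hook runs only after a successful dbd-login or dbd-logout, keep "successfully" so readers do not assume it fires on failed attempts.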
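Review bot: In the @@ -88,17 +103,19 @@ hunk, the new `ErrorDocument 401 /login-info.html` moves the error page out of /team-private/, but the comment does not say why. The old target, /team-private/login-form.html, appears to sit under the protected path, so the comment should state that the 401 page has to be readable without authentication, in addition to saying that it links to /team-private/login.html.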
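Review bot: `AuthzMergeRules Off` is added in the login.html block (@@ -106,9 +123,10 @@), and in the two other places it appears, with no comment explaining it. The block's own comment says "don't require user to already be logged in!". If the intent is that the enclosing `Require dbd-group team` must not be combined with `Require dbd-login`, a one-line comment saying so would tell readers what breaks if they drop the directive.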
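Review bot: In the AuthzDBDQuery directive example (@@ -158,7 +177,7 @@), and in the three example queries changed earlier in the patch, `login = 'true'` now compares against a string, so the `login` column must be a character type or the database must coerce the literal. The page never shows the `authn` table definition, so add the assumed column definition or a sentence saying the value is stored as a string. If portability is the goal, note also that the column names `user` and `group` used in these queries are SQL reserved words and need quoting or renaming on several databases.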