From a533ec8bb5f8ea9c285950bc747e05169ca12833 Mon Sep 17 00:00:00 2001 
From: Chris Darroch Date: Sun, 2 Nov 2008 04:33:23 +0000 Subject: [PATCH] update transformations, and remove variations of mod_authn_default.xml and mod_authz_default.xml removed in r709841 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@709842 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/howto/auth.html.en | 163 +++--- docs/manual/howto/auth.xml.ja | 2 +- docs/manual/howto/auth.xml.ko | 2 +- docs/manual/mod/allmodules.xml | 2 - docs/manual/mod/allmodules.xml.de | 2 - docs/manual/mod/allmodules.xml.es | 2 - docs/manual/mod/allmodules.xml.ja | 2 - docs/manual/mod/allmodules.xml.ko | 2 - docs/manual/mod/allmodules.xml.tr | 2 - docs/manual/mod/directives.html.en | 16 +- docs/manual/mod/index.html.en | 2 - docs/manual/mod/mod_access_compat.html.en | 4 +- docs/manual/mod/mod_access_compat.xml.ja | 2 +- docs/manual/mod/mod_access_compat.xml.meta | 2 +- docs/manual/mod/mod_auth_basic.html.en | 5 +- docs/manual/mod/mod_auth_basic.xml.ja | 2 +- docs/manual/mod/mod_auth_basic.xml.ko | 2 +- docs/manual/mod/mod_auth_basic.xml.meta | 2 +- docs/manual/mod/mod_auth_digest.html.en | 1 + docs/manual/mod/mod_auth_digest.xml.ko | 2 +- docs/manual/mod/mod_auth_form.html.en | 5 +- docs/manual/mod/mod_authn_default.html | 13 - docs/manual/mod/mod_authn_default.html.en | 80 --- .../manual/mod/mod_authn_default.html.ja.utf8 | 81 --- .../mod/mod_authn_default.html.ko.euc-kr | 76 --- docs/manual/mod/mod_authn_default.xml.ja | 65 --- docs/manual/mod/mod_authn_default.xml.ko | 61 -- docs/manual/mod/mod_authn_default.xml.meta | 14 - docs/manual/mod/mod_authz_core.html.en | 526 +++++++++++++----- docs/manual/mod/mod_authz_dbd.html.en | 6 - docs/manual/mod/mod_authz_default.html | 13 - docs/manual/mod/mod_authz_default.html.en | 80 --- .../manual/mod/mod_authz_default.html.ja.utf8 | 80 --- .../mod/mod_authz_default.html.ko.euc-kr | 78 --- docs/manual/mod/mod_authz_default.xml.ja | 64 --- docs/manual/mod/mod_authz_default.xml.ko | 63 --- 
docs/manual/mod/mod_authz_default.xml.meta | 14 - docs/manual/mod/mod_authz_host.html.en | 6 +- docs/manual/mod/quickreference.html.en | 211 +++---- docs/manual/new_features_2_4.html.en | 20 +- docs/manual/sitemap.html.en | 2 - 41 files changed, 583 insertions(+), 1194 deletions(-) delete mode 100644 docs/manual/mod/mod_authn_default.html delete mode 100644 docs/manual/mod/mod_authn_default.html.en delete mode 100644 docs/manual/mod/mod_authn_default.html.ja.utf8 delete mode 100644 docs/manual/mod/mod_authn_default.html.ko.euc-kr delete mode 100644 docs/manual/mod/mod_authn_default.xml.ja delete mode 100644 docs/manual/mod/mod_authn_default.xml.ko delete mode 100644 docs/manual/mod/mod_authn_default.xml.meta delete mode 100644 docs/manual/mod/mod_authz_default.html delete mode 100644 docs/manual/mod/mod_authz_default.html.en delete mode 100644 docs/manual/mod/mod_authz_default.html.ja.utf8 delete mode 100644 docs/manual/mod/mod_authz_default.html.ko.euc-kr delete mode 100644 docs/manual/mod/mod_authz_default.xml.ja delete mode 100644 docs/manual/mod/mod_authz_default.xml.ko delete mode 100644 docs/manual/mod/mod_authz_default.xml.meta diff --git a/docs/manual/howto/auth.html.en b/docs/manual/howto/auth.html.en index 9f49df9ef8..e15a74e94e 100644 --- a/docs/manual/howto/auth.html.en +++ b/docs/manual/howto/auth.html.en @@ -64,7 +64,6 @@ module from each group.

  • mod_authn_anon
  • mod_authn_dbd
  • mod_authn_dbm
  • -
  • mod_authn_default
  • mod_authn_file
  • mod_authnz_ldap
  • @@ -75,7 +74,6 @@ module from each group.

  • mod_authnz_ldap
  • mod_authz_dbd
  • mod_authz_dbm
  • -
  • mod_authz_default
  • mod_authz_groupfile
  • mod_authz_host
  • mod_authz_owner
  • @@ -431,12 +429,14 @@ person in </Directory>

    -

    To take authorization a little further, the directives - <SatisfyAll> and - <SatisfyOne> allow - AND/OR logic to be applied so that the order in which authorization - is handled can be completely controled through the configuration. See - these directives for a complete example on they can be applied.

    +

    To take authorization a little further, authorization container + directives such as + <MatchAll> and + <MatchAny> + allow logic to be applied so that the order in which authorization + is handled can be completely controled through the configuration. + See Authorization + Containers for an example of they may be applied.

    top
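Review bot: The added sentence at the end of this paragraph, "See Authorization Containers for an example of they may be applied", is missing a word and should read "an example of how they may be applied". The rewritten paragraph also still carries "completely controled" from the old text; since these lines are being replaced anyway, correct it to "controlled" here.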
    @@ -446,75 +446,61 @@ person in than just a single check against a single data store. Ordering, logic and choosing how authorization will be done is now possible.

    -

    Applying AND/OR logic and ordering

    +

    Applying logic and ordering

    Controling how and in what order authorization will be applied - has been a bit of a mystery in the past. In Apache 2.2 a provider based + has been a bit of a mystery in the past. In Apache 2.2 a provider-based authentication mechanism was introduced to decouple the actual authentication process from authorization and supporting functionality. One of the side benefits was that authentication providers could be configured and called in a specific order which didn't depend on the load order of the auth module itself. This same provider based mechanism has been brought forward into authorization as well. What this means is - that the Require directive - not only specifies which authorization methods should be used, it also + that the Require and + Match directives + not only specify which authorization methods should be used, they also specifies the order in which they are called. Multiple authorization methods are called in the same order in which the - Require directives appear - in the configuration.

    - -

    With the introduction of the directives - <SatisfyAll> and - <SatisfyOne>, the - configuration also has control over when the + Require + or Match directives + appear in the configuration.

    + +

    With the introduction of authorization container directives + such as + <MatchAll> + and + <MatchAny>, + the configuration also has control over when the authorization methods are called and what criteria determines when - access is granted. For example the following authorization block would - apply the logic:

    - -

    - # if ((user == "John") ||
    - #    ((Group == "admins")
    - #     && (ldap-group <ldap-object> contains auth'ed_user)
    - #     && ((ldap-attribute dept == "sales")
    - #         || (file-group contains auth'ed_user))))
    - # then
    - #   auth_granted
    - # else
    - #   auth_denied
    - #
    - <Directory /www/mydocs>
    - - Authname ...
    - AuthBasicProvider ...
    - ...
    - Require user John
    - <SatisfyAll>
    - - Require Group admins
    - Require ldap-group cn=mygroup,o=foo
    - <SatisfyOne>
    - - Require ldap-attribute dept="sales"
    - Require file-group
    -
    - </SatisfyOne>
    -
    - </SatisfyAll>
    -
    - </Directory> -

    - -

    By default all Require - directives are handled through an OR operation. In other words, if + access is granted. See + Authorization Containers + for an example of how they may be used to express complex + authorization logic.

    + +

    By default all + Require + directives are handled as though contained within a + <MatchAny> + container directive. In other words, if any of the specified authorization methods succeed, then authorization - is granted. By enclosing a set of - Require directives within - a <SatisfyAll> block, - the processing switches to an AND operation which requires all authorization - methods to succeed before authorization is granted.

    + is granted.

    + +

    In contrast, by default all + Match directives + are handled as though contained within a + <MatchAll> + container directive (unless they are explicitly contained within + a different authorization container directive). + This permits + Match directives + to be usefully mixed with negated + Match not directives. To authorize the request, + none of the negated directives can match their parameters, + while all of the positive directives must match their + parameters (or else return a neutral result).

    -

    Using 'Require' or 'Reject' for access control

    +

    Using authorization providers for access control
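Review bot: In the rewritten sentence about the Require and Match directives, the subject became plural but the second verb was not updated: "not only specify which authorization methods should be used, they also specifies the order" should read "they also specify the order". The hyphenation fix to "provider-based" was applied to only one of the two occurrences in this paragraph; "This same provider based mechanism" a few lines later is left as it was.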

    Authentication by username and password is only part of the story. Frequently you want to let people in based on something other than who they are. Something such as where they are @@ -527,10 +513,10 @@ person in ip let you allow or deny access based other host based criteria such as host name or ip address of the machine requesting a document.

    - +

    The usage of these providers is specified through the Require and - Reject directives. + Match directives. These directives register the authorization providers that will be called during the authorization stage of the request processing. For example:
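Review bot: The changed sentence "specified through the Require and Match directives" presents the two directives side by side, but the mod_authz_core text added later in this patch states that Match directives may not be combined with the Require directive. Say so here, or link to the Match documentation, so that readers of the how-to do not mix the two in one configuration section.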

    @@ -555,7 +541,7 @@ person in following:

    - Reject ip 10.252.46.165 + Match not ip 10.252.46.165

    Visitors coming from that address will not be able to see @@ -563,30 +549,30 @@ person in machine name, rather than an IP address, you can use that.

    - Reject host host.example.com + Match not host host.example.com

    And, if you'd like to block access from an entire domain, you can specify just part of an address or domain name:

    - <SatisfyAll>
    + Match all granted
    + <MatchNotAny> - Reject ip 192.168.205
    - Reject host phishers.example.com moreidiots.example
    Reject host ke
    + Match ip 192.168.205
    + Match host phishers.example.com moreidiots.example
    + Match host ke
    - </SatisfyAll> + </MatchNotAny>

    -

    Using the Reject directive - inside of a <SatisfyAll> - block, will let you be sure that you are actually restricting things to - only the group that you want to let in.

    - -

    The above example uses the - <SatisfyAll> block to make sure that all of the - Reject directives are - satisfied before granting access.

    +

    The above example uses the <MatchNotAny> container directive + to make sure that none of the + Match directives + match their parameters before granting access. Note that + the Match all granted directive and the + <MatchNotAny> are implicitly contained + within a <MatchAll> directive.
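Review bot: The new paragraph after the <MatchNotAny> example does not explain why the added "Match all granted" line is needed. According to the <MatchNotAny> and <MatchAll> descriptions added elsewhere in this patch, a negated container can only fail or return a neutral result, and <MatchAll> needs at least one directive to succeed, so "Match all granted" is what supplies the successful result. State that explicitly, so that nobody adapting this block list drops the line and ends up with a section that never authorizes anyone.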

    @@ -599,23 +585,6 @@ person in Satisfy are no longer needed. However to provide backwards compatibility for older configurations, these directives have been moved to the mod_access_compat module.

    - -

    One of the problems with these directives was that the line between - authorization and access control was very fuzzy. The - Satisfy directive - tried to tie these two stages together by hooking itself into the - request processing itself. Now that these directive have been moved to the - mod_access_compat, mixing the new authorization directives - with the older access control directives becomes difficult. To address this - issue, the mod_authz_default module becomes very important and must - be loaded. The main purpose of the mod_authz_default module is - to handle any authorization requests that could not be handled by the - authorization providers. But when the older access control directives are used, - it also links access control with authorization and determines if access - should be granted based on the outcome of each stage. Therefore if the - older directives do not seem to be working properly, it might be because the - mod_authz_default module has not been loaded.

    -
    top
    diff --git a/docs/manual/howto/auth.xml.ja b/docs/manual/howto/auth.xml.ja index e8c0cd03f2..e060a5cdaf 100644 --- a/docs/manual/howto/auth.xml.ja +++ b/docs/manual/howto/auth.xml.ja @@ -1,7 +1,7 @@ - + + + + + + -mod_authn_default - Apache HTTP Server - - - - - - -
    <-
    -
    -Apache > HTTP Server > Documentation > Version 2.3 > Modules
    -
    -

    Apache Module mod_authn_default

    -
    -

    Available Languages:  en  | - ja  | - ko 

    -
    - - - - -
    Description:Authentication fallback module
    Status:Base
    Module Identifier:authn_default_module
    Source File:mod_authn_default.c
    Compatibility:Available in Apache 2.1 and later
    -

    Summary

    - -

    This module is designed to be the fallback module, if you don't - have configured an authentication module like - mod_auth_basic. It simply rejects any - credentials supplied by the user.

    -
    -

    Directives

    - -
    - -
    top
    -

    AuthDefaultAuthoritative Directive

    - - - - - - - - -
    Description:Sets whether authentication is passed to lower level -modules
    Syntax:AuthDefaultAuthoritative On|Off
    Default:AuthDefaultAuthoritative On
    Context:directory, .htaccess
    Override:AuthConfig
    Status:Base
    Module:mod_authn_default
    -

    Setting the AuthDefaultAuthoritative directive - explicitly to Off allows for authentication to be passed on - to lower level modules (as defined in the modules.c - files).

    - -

    Note

    -

    Normally there are no lower level modules, since - mod_authn_default is defined to be already on - a very low level. Therefore you should leave the value of - AuthDefaultAuthoritative as default - (On).

    -
    - -
    -
    -
    -

    Available Languages:  en  | - ja  | - ko 

    -
    - \ No newline at end of file diff --git a/docs/manual/mod/mod_authn_default.html.ja.utf8 b/docs/manual/mod/mod_authn_default.html.ja.utf8 deleted file mode 100644 index 22fb91b77e..0000000000 --- a/docs/manual/mod/mod_authn_default.html.ja.utf8 +++ /dev/null @@ -1,81 +0,0 @@ - - - -mod_authn_default - Apache HTTP サーバ - - - - - - -
    <-
    -
    -Apache > HTTP サーバ > ドキュメンテーション > バージョン - 2.3 > モジュール
    -
    -

    Apache モジュール mod_authn_default

    -
    -

    言語:  en  | - ja  | - ko 

    -
    - - - - -
    説明:認証フォールバックモジュール
    ステータス:Base
    モジュール識別子:authn_default_module
    ソースファイル:mod_authn_default.c
    互換性:Apache 2.1 以降
    -

    概要

    - -

    mod_auth_basic のような認証モジュールを - 設定しなかった場合は、本モジュールがフォールバックとなります。 - ユーザから提示されたどんな証書も単に拒否します。

    -
    -

    ディレクティブ

    - -
    - -
    top
    -

    AuthDefaultAuthoritative ディレクティブ

    - - - - - - - - -
    説明:次の低次レベルの認証モジュールに制御を渡すかどうかを -設定します
    構文:AuthDefaultAuthoritative On|Off
    デフォルト:AuthDefaultAuthoritative On
    コンテキスト:ディレクトリ, .htaccess
    上書き:AuthConfig
    ステータス:Base
    モジュール:mod_authn_default
    -

    AuthDefaultAuthoritative ディレクティブを - 明示的に Off に設定すると、 - 認証を次の (modules.c ファイルで定義されている) - 低次レベルのモジュールに渡します。 -

    - -

    注意

    -

    mod_authn_default 自体がとても低い - レベルとして定義されていますので、通常はこれよりも低次の - モジュールは存在しません。ですから - AuthDefaultAuthoritative はデフォルト - (On) のままにしたほうが良いでしょう。

    -
    - -
    -
    -
    -

    言語:  en  | - ja  | - ko 

    -
    - \ No newline at end of file diff --git a/docs/manual/mod/mod_authn_default.html.ko.euc-kr b/docs/manual/mod/mod_authn_default.html.ko.euc-kr deleted file mode 100644 index ac9650e6d7..0000000000 --- a/docs/manual/mod/mod_authn_default.html.ko.euc-kr +++ /dev/null @@ -1,76 +0,0 @@ - - - -mod_authn_default - Apache HTTP Server - - - - - - -
    <-
    -
    -Apache > HTTP Server > Documentation > Version 2.3 > ¸ðµâ
    -
    -

    ¾ÆÆÄÄ¡ ¸ðµâ mod_authn_default

    -
    -

    °¡´ÉÇÑ ¾ð¾î:  en  | - ja  | - ko 

    -
    - - - - -
    ¼³¸í:ÃÖÈÄ ÀÎÁõ¸ðµâ
    »óÅÂ:Base
    ¸ðµâ¸í:authn_default_module
    ¼Ò½ºÆÄÀÏ:mod_authn_default.c
    Áö¿ø:¾ÆÆÄÄ¡ 2.1 ÀÌÈĺÎÅÍ
    -

    ¿ä¾à

    - -

    ÀÌ ¸ðµâÀº mod_auth_basic°ú °°Àº ÀÎÁõ¸ðµâÀ» - ¼³Á¤ÇÏÁö¾ÊÀº ÃÖÈÄÀÇ °æ¿ì ´ë½Å »ç¿ëÇÑ´Ù. ÀÌ ¸ðµâÀº »ç¿ëÀÚ°¡ - Á¦°øÇÑ ¾î¶°ÇÑ Á¤º¸µµ °ÅºÎÇÑ´Ù.

    -
    -

    Áö½Ã¾îµé

    - -
    - -
    top
    -

    AuthDefaultAuthoritative Áö½Ã¾î

    - - - - - - - - -
    ¼³¸í:ÀÎÁõÀ» Àú¼öÁØ ¸ðµâ·Î ³Ñ°ÜÁÙÁö ¿©ºÎ
    ¹®¹ý:AuthDefaultAuthoritative On|Off
    ±âº»°ª:AuthDefaultAuthoritative On
    »ç¿ëÀå¼Ò:directory, .htaccess
    Override ¿É¼Ç:AuthConfig
    »óÅÂ:Base
    ¸ðµâ:mod_authn_default
    -

    AuthDefaultAuthoritative Áö½Ã¾î¸¦ - Á÷Á¢ Off·Î ¼³Á¤Çϸé (modules.c - ÆÄÀÏ¿¡¼­ Á¤ÀÇÇÑ) Àú¼öÁØ ¸ðµâ·Î ÀÎÁõÀ» ³Ñ°ÜÁØ´Ù.

    - -

    ÁÖÀÇ

    -

    mod_authn_default°¡ ÀÌ¹Ì ¸Å¿ì - Àú¼öÁØÀ¸·Î Á¤ÀǵÇÀֱ⠶§¹®¿¡ º¸Åë ´õ ³·Àº ¸ðµâÀÌ ¾ø´Ù. - ±×·¯¹Ç·Î AuthDefaultAuthoritative¸¦ - ±âº»°ª(On)À¸·Î ³²°ÜµÖ¾ß ÇÑ´Ù.

    -
    - -
    -
    -
    -

    °¡´ÉÇÑ ¾ð¾î:  en  | - ja  | - ko 

    -
    - \ No newline at end of file diff --git a/docs/manual/mod/mod_authn_default.xml.ja b/docs/manual/mod/mod_authn_default.xml.ja deleted file mode 100644 index 0c38b78cfe..0000000000 --- a/docs/manual/mod/mod_authn_default.xml.ja +++ /dev/null @@ -1,65 +0,0 @@ - - - - - - - - - -mod_authn_default -認証フォールバックモジュール -Base -mod_authn_default.c -authn_default_module -Apache 2.1 以降 - - -

    mod_auth_basic のような認証モジュールを - 設定しなかった場合は、本モジュールがフォールバックとなります。 - ユーザから提示されたどんな証書も単に拒否します。

    -
    - - -AuthDefaultAuthoritative -次の低次レベルの認証モジュールに制御を渡すかどうかを -設定します -AuthDefaultAuthoritative On|Off -AuthDefaultAuthoritative On -directory.htaccess - -AuthConfig - - -

    AuthDefaultAuthoritative ディレクティブを - 明示的に Off に設定すると、 - 認証を次の (modules.c ファイルで定義されている) - 低次レベルのモジュールに渡します。 -

    - - 注意 -

    mod_authn_default 自体がとても低い - レベルとして定義されていますので、通常はこれよりも低次の - モジュールは存在しません。ですから - AuthDefaultAuthoritative はデフォルト - (On) のままにしたほうが良いでしょう。

    -
    -
    -
    - -
    diff --git a/docs/manual/mod/mod_authn_default.xml.ko b/docs/manual/mod/mod_authn_default.xml.ko deleted file mode 100644 index 166d969fe0..0000000000 --- a/docs/manual/mod/mod_authn_default.xml.ko +++ /dev/null @@ -1,61 +0,0 @@ - - - - - - - - - -mod_authn_default -ÃÖÈÄ ÀÎÁõ¸ðµâ -Base -mod_authn_default.c -authn_default_module -¾ÆÆÄÄ¡ 2.1 ÀÌÈĺÎÅÍ - - -

    ÀÌ ¸ðµâÀº mod_auth_basic°ú °°Àº ÀÎÁõ¸ðµâÀ» - ¼³Á¤ÇÏÁö¾ÊÀº ÃÖÈÄÀÇ °æ¿ì ´ë½Å »ç¿ëÇÑ´Ù. ÀÌ ¸ðµâÀº »ç¿ëÀÚ°¡ - Á¦°øÇÑ ¾î¶°ÇÑ Á¤º¸µµ °ÅºÎÇÑ´Ù.

    -
    - - -AuthDefaultAuthoritative -ÀÎÁõÀ» Àú¼öÁØ ¸ðµâ·Î ³Ñ°ÜÁÙÁö ¿©ºÎ -AuthDefaultAuthoritative On|Off -AuthDefaultAuthoritative On -directory.htaccess - -AuthConfig - - -

    AuthDefaultAuthoritative Áö½Ã¾î¸¦ - Á÷Á¢ Off·Î ¼³Á¤Çϸé (modules.c - ÆÄÀÏ¿¡¼­ Á¤ÀÇÇÑ) Àú¼öÁØ ¸ðµâ·Î ÀÎÁõÀ» ³Ñ°ÜÁØ´Ù.

    - - ÁÖÀÇ -

    mod_authn_default°¡ ÀÌ¹Ì ¸Å¿ì - Àú¼öÁØÀ¸·Î Á¤ÀǵÇÀֱ⠶§¹®¿¡ º¸Åë ´õ ³·Àº ¸ðµâÀÌ ¾ø´Ù. - ±×·¯¹Ç·Î AuthDefaultAuthoritative¸¦ - ±âº»°ª(On)À¸·Î ³²°ÜµÖ¾ß ÇÑ´Ù.

    -
    -
    -
    - -
    diff --git a/docs/manual/mod/mod_authn_default.xml.meta b/docs/manual/mod/mod_authn_default.xml.meta deleted file mode 100644 index 59f0bea63d..0000000000 --- a/docs/manual/mod/mod_authn_default.xml.meta +++ /dev/null @@ -1,14 +0,0 @@ - - - - - mod_authn_default - /mod/ - .. - - - en - ja - ko - - diff --git a/docs/manual/mod/mod_authz_core.html.en b/docs/manual/mod/mod_authz_core.html.en index ba3aca0c3b..efed2d320d 100644 --- a/docs/manual/mod/mod_authz_core.html.en +++ b/docs/manual/mod/mod_authz_core.html.en @@ -37,21 +37,24 @@ usually used in conjunction with an authentication provider module such as mod_authn_file and an authorization module such as mod_authz_user. It - also allows for "AND" and "OR" logic to be applied to the + also allows for advanced logic to be applied to the authorization processing.

    Directives

    Topics

    top
    @@ -59,7 +62,8 @@

    Extended authorization providers can be created within the configuration file and assigned an alias name. The alias providers can then be referenced - through the Require directive + through the Require and + Match directives in the same way as a base authorization provider. Besides the ability to create and alias an extended provider, it also allows the same extended authorization provider to be reference by multiple locations. @@ -73,13 +77,13 @@

    Example

    - <RequireAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
    + <AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
    AuthLDAPBindDN cn=youruser,o=ctx
    AuthLDAPBindPassword yourpassword
    AuthLDAPURL ldap://ldap.host/o=ctx
    - </RequireAlias>

    + </AuthzProviderAlias>

    <AuthnProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>
    @@ -87,7 +91,7 @@ AuthLDAPBindPassword yourotherpassword
    AuthLDAPURL ldap://other.ldap.host/o=dev?cn
    - </RequireAlias>

    + </AuthzProviderAlias>

    Alias /secure /webpages/secure
    <Directory /webpages/secure>
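Review bot: The second alias block in this example ends up with mismatched tags: its closing tag is changed to </AuthzProviderAlias>, but its opening line, left as unchanged context, is still "<AuthnProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>". Change the opening tag to <AuthzProviderAlias> in the same patch so the container opens and closes with the same directive, as the first block now does.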
    @@ -107,70 +111,385 @@

    +
    top
    +
    +

    Authorization Containers

    + +

    The authorization container directives + <MatchAll>, + <MatchAny>, + <MatchNotAll> + and + <MatchNotAny> + may be combined with each other and with the + Match + directive to express complex authorization logic.

    + +

    The example below expresses the following authorization logic. + In order to access the resource, the user must either be the + superadmin user, or belong to both the + admins group and the Administrators LDAP + group and either belong to the sales group or + have the LDAP dept attribute sales. + Furthermore, in order to access the resource, the user must + not belong to either the temps group or the + LDAP group Temporary Employees.

    + +

    + <Directory /www/mydocs> + + <MatchAny> + + Match user superadmin
    + <MatchAll> + + Match group admins
    + Match ldap-group cn=Administrators,o=Airius
    + <MatchAny> + + Match group sales
    + Match ldap-attribute dept="sales" +
    + </MatchAny> +
    + </MatchAll> +
    + </MatchAny>
    + <MatchNotAny> + + Match group temps
    + Match ldap-group cn=Temporary Employees,o=Airius +
    + </MatchNotAny> +
    + </Directory> +

    +
    +
    top
    +

    <AuthzProviderAlias> Directive

    + + + + + + +
    Description:Enclose a group of directives that represent an +extension of a base authorization provider and referenced by the specified +alias
    Syntax:<AuthzProviderAlias baseProvider Alias Require-Parameters> +... </AuthzProviderAlias> +
    Context:server config
    Status:Base
    Module:mod_authz_core
    +

    <AuthzProviderAlias> and + </AuthzProviderAlias> are used to enclose a group of + authorization directives that can be referenced by the alias name using the + directive Require.

    + +
    top
    -

    AuthzMergeRules Directive

    +

    Match Directive

    - - - + +
    Description:Set to 'on' to allow the parent's <Directory> or <Location> -authz rules to be merged into the current <Directory> or <Location>. -Set to 'off' to disable merging. If set to 'off', only the authz rules defined in -the current <Directory> or <Location> block will apply.
    Syntax:AuthzMergeRules on | off
    Default:AuthzMergeRules on
    Description:Tests whether an authenticated user is authorized by +an authorization provider.
    Syntax:Match [not] entity-name +[entity-name] ...
    Context:directory, .htaccess
    Override:AuthConfig
    Status:Base
    Module:mod_authz_core
    -

    By default all of the authorization rules within a <Directory> - <Location> hierarchy are merged together to form a single - logical authorization operation. If AuthzMergeRules is set to 'off', then - only the authorization rules that are contained with the current - <Directory> or <Location> block are considered. This - allows the configuration to determine exactly how authorization will - be determined without having to take into consideration the - authorization rules that may exist above it.

    +

    This directive is similar to the + Require directive; + it tests whether an authenticated user is authorized according to + a particular authorization provider and the specified restrictions.

    + +

    Unlike the Require + directive, it may be used with and inside authorization container + directives such as + <MatchAll>.

    + +

    Furthermore, its result may be negated through the use of the + not option. As with other negated authorization directives, + in this case the Match directive may only + either fail or return a neutral result, and can therefore never + independently authorize a request.

    + +

    In the following example, all users in the alpha + and beta groups are authorized, except for those who + are also in the reject group.

    + +

    + <Directory /www/docs> + + Match group alpha beta
    + Match not group reject +
    + </Directory> +

    + +

    When multiple Match directives are + used in a single + configuration section + and are not contained in another authorization directive like + <MatchAny>, + they are implicitly contained within a + <MatchAll> + directive. Thus for the user to be authorized, all such + Match directives must not fail, and + at least one must be successful.

    +
    Match directives may not be combined + with the Require + directive.
    + +

    See also

    +
    top
    -

    Reject Directive

    +

    <MatchAll> Directive

    - - + +
    Description:Rejects authenticated users or host based -requests from accessing a resource
    Syntax:Reject entity-name [entity-name] ...
    Description:Enclose a group of authorization directives of which none +must fail and at least one must succeed for the enclosing directive to +succeed.
    Syntax:<MatchAll> +... </MatchAll>
    Context:directory, .htaccess
    Override:AuthConfig
    Status:Base
    Module:mod_authz_core
    -

    This directive is similar to the - Require directive however - it rejects which authenticated users or host based requests from accessing a resource. The - restrictions are processed by authorization modules. See the - Require directive for details - about usage.

    +

    <MatchAll> and + </MatchAll> are used to enclose a group of + authorization directives of which none must fail and at least one + must succeed in order for + the <MatchAll> directive to + succeed.

    + +

    If none of the directives contained within the + <MatchAll> directive fails, + and at least one succeeds, then the + <MatchAll> directive + succeeds. If none succeed and none fail, then it returns a + neutral result. In all other cases, it fails.

    See also

    +
    +
    top
    +

    <MatchAny> Directive

    + + + + + + + +
    Description:Enclose a group of authorization directives of which one +must succeed for the enclosing directive to succeed.
    Syntax:<MatchAny> +... </MatchAny>
    Context:directory, .htaccess
    Override:AuthConfig
    Status:Base
    Module:mod_authz_core
    +

    <MatchAny> and + </MatchAny> are used to enclose a group of + authorization directives of which one must succeed in order for + the <MatchAny> directive to + succeed.

    + +

    If one or more of the directives contained within the + <MatchAny> directive succeed, + then the <MatchAny> directive + succeeds. If none succeed and none fail, then it returns a + neutral result. In all other cases, it fails.

    + +
    Because negated authorization directives are unable to + return a successful result, they can not significantly influence + the result of a <MatchAny> + directive. (At most they could cause the directive to fail in + the case where they failed and all other directives returned a + neutral value.) Therefore negated authorization directives + are not permitted within a <MatchAny> + directive.
    + +

    See also

    + +
    +
    top
    +

    <MatchNotAll> Directive

    + + + + + + + +
    Description:Enclose a group of authorization directives of which some +must fail or none must succeed for the enclosing directive to +not fail.
    Syntax:<MatchNotAll> +... </MatchNotAll>
    Context:directory, .htaccess
    Override:AuthConfig
    Status:Base
    Module:mod_authz_core
    +

    <MatchNotAll> and + </MatchNotAll> are used to enclose a group of + authorization directives of which some must fail or none must succeed + in order for the + <MatchNotAll> directive to + not fail.

    + +

    If none of the directives contained within the + <MatchNotAll> directive + fail, and one or more succeed, then the + <MatchNotAll> directive fails. + In all other cases, it returns a neutral result. Thus as with + the other negated authorization directives, it can never independently + authorize a request because it can never return a successful result. + It can be used, however, to restrict the set of users who are + authorized to access a resource.

    + +

    See also

    + +
    +
    top
    +

    <MatchNotAny> Directive

    + + + + + + + +
    Description:Enclose a group of authorization directives of which none +none must succeed for the enclosing directive to not fail.
    Syntax:<MatchNotAny> +... </MatchNotAny>
    Context:directory, .htaccess
    Override:AuthConfig
    Status:Base
    Module:mod_authz_core
    +

    <MatchNotAny> and + </MatchNotAny> are used to enclose a group of + authorization directives of which none must succeed + in order for the + <MatchNotAny> directive to + not fail.

    + +

    If one or more of the directives contained within the + <MatchNotAny> directive succeed, + then the <MatchNotAny> directive + fails. In all other cases, it returns a neutral result. Thus as with + the other negated authorization directives, it can never independently + authorize a request because it can never return a successful result. + It can be used, however, to restrict the set of users who are + authorized to access a resource.

    + +
    Because negated authorization directives are unable to + return a successful result, they can not significantly influence + the result of a <MatchNotAny> + directive. Therefore negated authorization directives + are not permitted within a + <MatchNotAny> directive.
    + +

    See also

    + +
    +
    top
    +

    MergeAuthz Directive

    + + + + + + + + +
    Description:Controls the manner in which each configuration section's +authorization logic is combined with that of preceding configuration +sections.
    Syntax:MergeAuthz Off | MatchAll | MatchAny
    Default:MergeAuthz Off
    Context:directory, .htaccess
    Override:AuthConfig
    Status:Base
    Module:mod_authz_core
    +

    When authorization is enabled, it is normally inherited by each + subsequent configuration section, + unless a different set of authorization directives are specified. + This is the default action, which corresponds to an explicit setting + of MergeAuthz Off.

    + +

    However, there may be circumstances in which is it desirable + for a configuration section's authorization to be combined with + that of its predecessor while configuration sections are being + merged. Two options are available for this case, MatchAll + and MatchAny.

    + +

    When a configuration section contains AuthzMerge MatchAll + or AuthzMerge MatchAny, + its authorization logic is combined with that of the nearest + predecessor (according to the overall order of configuration sections) + which also contains authorization logic as if the two sections + were jointly contained within a + <MatchAll> or + <MatchAny> + directive, respectively.

    + +
    The setting of AuthzMerge is not + inherited outside of the configuration section in which it appears. + In the following example, only users belonging to group alpha + may access /www/docs. Users belonging to either + groups alpha or beta may access + /www/docs/ab. However, the default Off + setting of AuthzMerge applies to the + <Directory> + configuration section for /www/docs/ab/gamma, so + that section's authorization directives override those of the + preceding sections. Thus only users belong to the group + gamma may access /www/docs/ab/gamma.
    + +

    + <Directory /www/docs> + + AuthType Basic
    + AuthName Documents
    + AuthBasicProvider file
    + AuthUserFile /usr/local/apache/passwd/passwords
    + Match group alpha +
    + </Directory>
    +
    + <Directory /www/docs/ab> + + AuthzMerge MatchAny
    + Match group beta +
    + </Directory>
    +
    + <Directory /www/docs/ab/gamma> + + Match group gamma + + </Directory> +

    +
    top

    Require Directive

    - +
    Description:Selects which authenticated users can access -a resource
    Description:Tests whether an authenticated user is authorized by +an authorization provider.
    Syntax:Require entity-name [entity-name] ...
    Context:directory, .htaccess
    Override:AuthConfig
    Status:Base
    Module:mod_authz_core
    -

    This directive selects which authenticated users can access a - resource. The restrictions are processed by authorization - modules. Some of the allowed syntaxes provided by +

    This directive tests whether an authenticated user is authorized + according to a particular authorization provider and the specified + restrictions. Some of the allowed syntaxes provided by mod_authz_user and mod_authz_groupfile are:
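Review bot: The directive name is inconsistent in the added merging text. The first paragraph calls the default "an explicit setting of MergeAuthz Off", but the paragraphs after it and the /www/docs/ab example use AuthzMerge ("AuthzMerge MatchAll", "AuthzMerge MatchAny", "The setting of AuthzMerge"). The quick reference updated in this same patch lists the directive as MergeAuthz. This section decides whether a child section replaces or combines its parent's authorization, so a reader copying the example needs to know which spelling the server accepts. Settle on one name in the XML source and regenerate. Two wording slips in the same paragraphs can be fixed at the same time: "in which is it desirable" and "Thus only users belong to the group gamma".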

    @@ -218,125 +537,26 @@ a resource place the Require statement into a <Limit> section.

    - - -

    See also

    - -
    -
    top
    -

    <RequireAlias> Directive

    - - - - - - -
    Description:Enclose a group of directives that represent an -extension of a base authorization provider and referenced by the specified -alias
    Syntax:<RequireAlias baseProvider Alias Require-Parameters> -... </RequireAlias> -
    Context:server config
    Status:Base
    Module:mod_authz_core
    -

    <RequireAlias> and - </RequireAlias> are used to enclose a group of - authorization directives that can be referenced by the alias name using the - directive Require.

    - -
    -
    top
    -

    <SatisfyAll> Directive

    - - - - - - - -
    Description:Enclose a group of authorization directives that must all -be satisfied in order to grant access to a resource. This block allows -for 'AND' logic to be applied to various authorization providers.
    Syntax:<SatisfyAll> -... </SatisfyAll>
    Context:directory, .htaccess
    Override:AuthConfig
    Status:Base
    Module:mod_authz_core
    -

    <SatisfyAll> and - </SatisfyAll> are used to enclose a group of - authorization directives that must all be satisfied in order to - grant access to a resource.

    - -

    The - <SatisfyAll> block as well as the - <SatisfyOne> block - allow you to apply "AND" and "OR" logic to the authorization processing. - For example the following authorization block would apply the logic:

    - -

    - # if ((user == "John") ||
    - #    ((Group == "admin")
    - #     && (ldap-group <ldap-object> contains auth'ed_user)
    - #     && ((ldap-attribute dept == "sales")
    - #         || (file-group contains auth'ed_user))))
    - # then
    - #   auth_granted
    - # else
    - #   auth_denied
    - #
    - <Directory /www/mydocs>
    - - Authname ...
    - AuthBasicProvider ...
    - ...
    - Require user John
    - <SatisfyAll>
    - - Require Group admins
    - Require ldap-group cn=mygroup,o=foo
    - <SatisfyOne>
    - - Require ldap-attribute dept="sales"
    - Require file-group
    -
    - </SatisfyOne>
    -
    - </SatisfyAll>
    -
    - </Directory> -

    - -

    See also

    - -
    -
    top
    -

    <SatisfyOne> Directive

    - - - - - - - -
    Description:Enclose a group of authorization directives that must -satisfy at least one in order to grant access to a resource. This -block allows for 'OR' logic to be applied to various authorization -providers.
    Syntax:<SatisfyOne> -... </SatisfyOne>
    Context:directory, .htaccess
    Override:AuthConfig
    Status:Base
    Module:mod_authz_core
    -

    <SatisfyOne> and - </SatisfyOne> are used to enclose a group of - authorization directives that must satisfy at least one in order to - grant access to a resource.

    - -

    See the - <SatisfyAll> directive for a usage example.

    +

    When multiple Require directives are + used in a single + configuration section, + the first one to authorize a user authorizes the entire request, + and subsequent Require directives are + ignored. In other words, all Require directives + are enclosed in an implied <MatchAny> directive.

    +
    Require directives may not be combined + with the Match directive + or any authorization container directives, such as + <MatchAll>.

    See also
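Review bot: The added paragraph saying that Require directives "may not be combined with the Match directive or any authorization container directives" does not state what happens when they are combined, for example whether the configuration is rejected or one set of directives is ignored. For access control documentation that outcome should be spelled out. The same hunk removes the SatisfyAll section together with its worked AND/OR example for /www/mydocs, so the new text about the implied MatchAny container would also benefit from a pointer to where the equivalent container example now lives.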

    diff --git a/docs/manual/mod/mod_authz_dbd.html.en b/docs/manual/mod/mod_authz_dbd.html.en index 524cb0f9d8..d860b977e7 100644 --- a/docs/manual/mod/mod_authz_dbd.html.en +++ b/docs/manual/mod/mod_authz_dbd.html.en @@ -58,9 +58,6 @@

    See also

    top

    The Require Directives

    Apache's Require and - Reject directives are + Match directives are used during the authorization phase to ensure that a user is allowed or denied access to a resource. mod_authz_host extends the authorization types with env, ip, diff --git a/docs/manual/mod/quickreference.html.en b/docs/manual/mod/quickreference.html.en index eccc926811..b008452acf 100644 --- a/docs/manual/mod/quickreference.html.en +++ b/docs/manual/mod/quickreference.html.en 
@@ -145,84 +145,81 @@ of user groups for authorization store passwords AuthDBMUserFile file-pathdhESets the name of a database file containing the list of users and passwords for authentication -AuthDefaultAuthoritative On|Off On dhBSets whether authentication is passed to lower level -modules -AuthDigestAlgorithm MD5|MD5-sess MD5 dhESelects the algorithm used to calculate the challenge and +AuthDigestAlgorithm MD5|MD5-sess MD5 dhESelects the algorithm used to calculate the challenge and response hashes in digest authentication -AuthDigestDomain URI [URI] ...dhEURIs that are in the same protection space for digest +AuthDigestDomain URI [URI] ...dhEURIs that are in the same protection space for digest authentication -AuthDigestNcCheck On|Off Off sEEnables or disables checking of the nonce-count sent by the +AuthDigestNcCheck On|Off Off sEEnables or disables checking of the nonce-count sent by the server -AuthDigestNonceFormat formatdhEDetermines how the nonce is generated -AuthDigestNonceLifetime seconds 300 dhEHow long the server nonce is valid -AuthDigestProvider provider-name -[provider-name] ... file dhESets the authentication provider(s) for this location -AuthDigestQop none|auth|auth-int [auth|auth-int] auth dhEDetermines the quality-of-protection to use in digest +AuthDigestNonceFormat formatdhEDetermines how the nonce is generated +AuthDigestNonceLifetime seconds 300 dhEHow long the server nonce is valid +AuthDigestProvider provider-name +[provider-name] ... 
file dhESets the authentication provider(s) for this location +AuthDigestQop none|auth|auth-int [auth|auth-int] auth dhEDetermines the quality-of-protection to use in digest authentication -AuthDigestShmemSize size 1000 sEThe amount of shared memory to allocate for keeping track +AuthDigestShmemSize size 1000 sEThe amount of shared memory to allocate for keeping track of clients -AuthFormAuthoritative On|Off On dhBSets whether authorization and authentication are passed to +AuthFormAuthoritative On|Off On dhBSets whether authorization and authentication are passed to lower level modules -AuthFormBody fieldnamedBThe name of a form field carrying the body of the request to attempt on successful login -AuthFormDisableNoStore On|Off Off dBDisable the CacheControl no-store header on the login page -AuthFormFakeBasicAuth On|Off Off dBFake a Basic Authentication header -AuthFormLocation fieldnamedBThe name of a form field carrying a URL to redirect to on successful login -AuthFormLoginRequiredLocation urldBThe URL of the page to be redirected to should login be required -AuthFormLoginSuccessLocation urldBThe URL of the page to be redirected to should login be successful -AuthFormLogoutLocation uridBThe URL to redirect to after a user has logged out -AuthFormMethod fieldnamedBThe name of a form field carrying the method of the request to attempt on successful login -AuthFormMimetype fieldnamedBThe name of a form field carrying the mimetype of the body of the request to attempt on successful login -AuthFormPassword fieldnamedBThe name of a form field carrying the login password -AuthFormProvider provider-name -[provider-name] ... 
file dhBSets the authentication provider(s) for this location -AuthFormSitePassphrase secretdBBypass authentication checks for high traffic sites -AuthFormBody sizedBThe largest size of the form in bytes that will be parsed for the login details -AuthFormUsername fieldnamedBThe name of a form field carrying the login username -AuthGroupFile file-pathdhBSets the name of a text file containing the list +AuthFormBody fieldnamedBThe name of a form field carrying the body of the request to attempt on successful login +AuthFormDisableNoStore On|Off Off dBDisable the CacheControl no-store header on the login page +AuthFormFakeBasicAuth On|Off Off dBFake a Basic Authentication header +AuthFormLocation fieldnamedBThe name of a form field carrying a URL to redirect to on successful login +AuthFormLoginRequiredLocation urldBThe URL of the page to be redirected to should login be required +AuthFormLoginSuccessLocation urldBThe URL of the page to be redirected to should login be successful +AuthFormLogoutLocation uridBThe URL to redirect to after a user has logged out +AuthFormMethod fieldnamedBThe name of a form field carrying the method of the request to attempt on successful login +AuthFormMimetype fieldnamedBThe name of a form field carrying the mimetype of the body of the request to attempt on successful login +AuthFormPassword fieldnamedBThe name of a form field carrying the login password +AuthFormProvider provider-name +[provider-name] ... 
file dhBSets the authentication provider(s) for this location +AuthFormSitePassphrase secretdBBypass authentication checks for high traffic sites +AuthFormBody sizedBThe largest size of the form in bytes that will be parsed for the login details +AuthFormUsername fieldnamedBThe name of a form field carrying the login username +AuthGroupFile file-pathdhBSets the name of a text file containing the list of user groups for authorization -AuthLDAPBindDN distinguished-namedhEOptional DN to use in binding to the LDAP server -AuthLDAPBindPassword passworddhEPassword used in conjuction with the bind DN -AuthLDAPCharsetConfig file-pathsELanguage to charset conversion configuration file -AuthLDAPCompareDNOnServer on|off on dhEUse the LDAP server to compare the DNs -AuthLDAPDereferenceAliases never|searching|finding|always always dhEWhen will the module de-reference aliases -AuthLDAPGroupAttribute attributedhELDAP attributes used to identify the user members of +AuthLDAPBindDN distinguished-namedhEOptional DN to use in binding to the LDAP server +AuthLDAPBindPassword passworddhEPassword used in conjuction with the bind DN +AuthLDAPCharsetConfig file-pathsELanguage to charset conversion configuration file +AuthLDAPCompareDNOnServer on|off on dhEUse the LDAP server to compare the DNs +AuthLDAPDereferenceAliases never|searching|finding|always always dhEWhen will the module de-reference aliases +AuthLDAPGroupAttribute attributedhELDAP attributes used to identify the user members of groups. -AuthLDAPGroupAttributeIsDN on|off on dhEUse the DN of the client username when checking for +AuthLDAPGroupAttributeIsDN on|off on dhEUse the DN of the client username when checking for group membership -AuthLDAPMaxSubGroupDepth Number 10 dhESpecifies the maximum sub-group nesting depth that will be +AuthLDAPMaxSubGroupDepth Number 10 dhESpecifies the maximum sub-group nesting depth that will be evaluated before the user search is discontinued. 
-AuthLDAPRemoteUserAttribute uiddhEUse the value of the attribute returned during the user +AuthLDAPRemoteUserAttribute uiddhEUse the value of the attribute returned during the user query to set the REMOTE_USER environment variable -AuthLDAPRemoteUserIsDN on|off off dhEUse the DN of the client username to set the REMOTE_USER +AuthLDAPRemoteUserIsDN on|off off dhEUse the DN of the client username to set the REMOTE_USER environment variable -AuthLDAPSubGroupAttribute attributedhESpecifies the attribute labels, one value per +AuthLDAPSubGroupAttribute attributedhESpecifies the attribute labels, one value per directive line, used to distinguish the members of the current group that are groups. -AuthLDAPSubGroupClass LdapObjectClassdhESpecifies which LDAP objectClass values identify directory +AuthLDAPSubGroupClass LdapObjectClassdhESpecifies which LDAP objectClass values identify directory objects that are groups during sub-group processing. -AuthLDAPUrl url [NONE|SSL|TLS|STARTTLS]dhEURL specifying the LDAP search parameters -AuthName auth-domaindhBAuthorization realm for use in HTTP +AuthLDAPUrl url [NONE|SSL|TLS|STARTTLS]dhEURL specifying the LDAP search parameters +AuthName auth-domaindhBAuthorization realm for use in HTTP authentication -<AuthnProviderAlias baseProvider Alias> -... </AuthnProviderAlias>sBEnclose a group of directives that represent an +<AuthnProviderAlias baseProvider Alias> +... 
</AuthnProviderAlias>sBEnclose a group of directives that represent an extension of a base authentication provider and referenced by the specified alias -AuthType None|Basic|Digest|FormdhBType of user authentication -AuthUserFile file-pathdhBSets the name of a text file containing the list of users and +AuthType None|Basic|Digest|FormdhBType of user authentication +AuthUserFile file-pathdhBSets the name of a text file containing the list of users and passwords for authentication -AuthzDBDLoginToReferer On|Off Off dEDetermines whether to redirect the Client to the Referring +AuthzDBDLoginToReferer On|Off Off dEDetermines whether to redirect the Client to the Referring page on successful login or logout if a Referer request header is present -AuthzDBDQuery querydESpecify the SQL Query for the required operation -AuthzDBDRedirectQuery querydESpecify a query to look up a login page for the user -AuthzDBMType default|SDBM|GDBM|NDBM|DB default dhESets the type of database file that is used to +AuthzDBDQuery querydESpecify the SQL Query for the required operation +AuthzDBDRedirectQuery querydESpecify a query to look up a login page for the user +AuthzDBMType default|SDBM|GDBM|NDBM|DB default dhESets the type of database file that is used to store list of user groups -AuthzDefaultAuthoritative On|Off On dhBSets whether authorization is passed to lower level -modules -AuthzMergeRules on | off on dhBSet to 'on' to allow the parent's <Directory> or <Location> -authz rules to be merged into the current <Directory> or <Location>. -Set to 'off' to disable merging. If set to 'off', only the authz rules defined in -the current <Directory> or <Location> block will apply. +<AuthzProviderAlias baseProvider Alias Require-Parameters> +... 
</AuthzProviderAlias> +sBEnclose a group of directives that represent an +extension of a base authorization provider and referenced by the specified +alias BalancerMember url [key=value [key=value ...]]dEAdd a member to a load balancing group BrowserMatch regex [!]env-variable[=value] [[!]env-variable[=value]] ...svdhBSets environment variables conditional on HTTP User-Agent 
@@ -479,32 +476,52 @@ matching URLs LogFormat format|nickname [nickname] "%h %l %u %t \"%r\" +svBDescribes a format for use in a log file LogLevel level warn svCControls the verbosity of the ErrorLog -MaxClients numbersMMaximum number of connections that will be processed +Match [not] entity-name +[entity-name] ...dhBTests whether an authenticated user is authorized by +an authorization provider. +<MatchAll> +... </MatchAll>dhBEnclose a group of authorization directives of which none +must fail and at least one must succeed for the enclosing directive to +succeed. +<MatchAny> +... </MatchAny>dhBEnclose a group of authorization directives of which one +must succeed for the enclosing directive to succeed. +<MatchNotAll> +... </MatchNotAll>dhBEnclose a group of authorization directives of which some +must fail or none must succeed for the enclosing directive to +not fail. +<MatchNotAny> +... </MatchNotAny>dhBEnclose a group of authorization directives of which none +none must succeed for the enclosing directive to not fail. 
+MaxClients numbersMMaximum number of connections that will be processed simultaneously -MaxKeepAliveRequests number 100 svCNumber of requests allowed on a persistent +MaxKeepAliveRequests number 100 svCNumber of requests allowed on a persistent connection -MaxMemFree KBytes 0 sMMaximum amount of memory that the main allocator is allowed +MaxMemFree KBytes 0 sMMaximum amount of memory that the main allocator is allowed to hold without calling free() -MaxRequestsPerChild number 10000 sMLimit on the number of requests that an individual child server +MaxRequestsPerChild number 10000 sMLimit on the number of requests that an individual child server will handle during its life -MaxRequestsPerThread number 0 sMLimit on the number of requests that an individual thread +MaxRequestsPerThread number 0 sMLimit on the number of requests that an individual thread will handle during its life -MaxSpareServers number 10 sMMaximum number of idle child server processes -MaxSpareThreads numbersMMaximum number of idle threads -MaxThreads number 2048 sMSet the maximum number of worker threads -MaxThreadsPerChild number 64 sMMaximum number of threads per child process -MCacheMaxObjectCount value 1009 sEThe maximum number of objects allowed to be placed in the +MaxSpareServers number 10 sMMaximum number of idle child server processes +MaxSpareThreads numbersMMaximum number of idle threads +MaxThreads number 2048 sMSet the maximum number of worker threads +MaxThreadsPerChild number 64 sMMaximum number of threads per child process +MCacheMaxObjectCount value 1009 sEThe maximum number of objects allowed to be placed in the cache -MCacheMaxObjectSize bytes 10000 sEThe maximum size (in bytes) of a document allowed in the +MCacheMaxObjectSize bytes 10000 sEThe maximum size (in bytes) of a document allowed in the cache -MCacheMaxStreamingBuffer size_in_bytes the smaller of 1000 +sEMaximum amount of a streamed response to buffer in memory +MCacheMaxStreamingBuffer size_in_bytes the smaller of 
1000 +sEMaximum amount of a streamed response to buffer in memory before declaring the response uncacheable -MCacheMinObjectSize bytes 1 sEThe minimum size (in bytes) of a document to be allowed in the +MCacheMinObjectSize bytes 1 sEThe minimum size (in bytes) of a document to be allowed in the cache -MCacheRemovalAlgorithm LRU|GDSF GDSF sEThe algorithm used to select documents for removal from the +MCacheRemovalAlgorithm LRU|GDSF GDSF sEThe algorithm used to select documents for removal from the cache -MCacheSize KBytes 100 sEThe maximum amount of memory used by the cache in +MCacheSize KBytes 100 sEThe maximum amount of memory used by the cache in KBytes +MergeAuthz Off | MatchAll | MatchAny Off dhBControls the manner in which each configuration section's +authorization logic is combined with that of preceding configuration +sections. MetaDir directory .web svdhEName of the directory to find CERN-style meta information files MetaFiles on|off off svdhEActivates CERN meta-file processing 
@@ -594,38 +611,31 @@ of the current URL a different URL RedirectTemp URL-path URLsvdhBSends an external temporary redirect asking the client to fetch a different URL -Reject entity-name [entity-name] ...dhBRejects authenticated users or host based -requests from accessing a resource -RemoveCharset extension [extension] -...vdhBRemoves any character set associations for a set of file +RemoveCharset extension [extension] +...vdhBRemoves any character set associations for a set of file extensions -RemoveEncoding extension [extension] -...vdhBRemoves any content encoding associations for a set of file +RemoveEncoding extension [extension] +...vdhBRemoves any content encoding associations for a set of file extensions -RemoveHandler extension [extension] -...vdhBRemoves any handler associations for a set of file +RemoveHandler extension [extension] +...vdhBRemoves any handler associations for a set of file extensions -RemoveInputFilter extension [extension] -...vdhBRemoves any input filter associations for a set of file +RemoveInputFilter extension [extension] +...vdhBRemoves any input filter associations for a set of file extensions -RemoveLanguage extension [extension] -...vdhBRemoves any language associations for a set of file +RemoveLanguage extension [extension] +...vdhBRemoves any language associations for a set of file extensions -RemoveOutputFilter extension [extension] -...vdhBRemoves any output filter associations for a set of file +RemoveOutputFilter extension [extension] +...vdhBRemoves any output filter associations for a set of file extensions -RemoveType extension [extension] -...vdhBRemoves any content type associations for a set of file +RemoveType extension [extension] +...vdhBRemoves any content type associations for a set of file extensions -RequestHeader set|append|merge|add|unset|edit header -[value] [replacement] [early|env=[!]variable]svdhEConfigure HTTP request headers -Require entity-name [entity-name] ...dhBSelects which authenticated users 
can access -a resource -<RequireAlias baseProvider Alias Require-Parameters> -... </RequireAlias> -sBEnclose a group of directives that represent an -extension of a base authorization provider and referenced by the specified -alias +RequestHeader set|append|merge|add|unset|edit header +[value] [replacement] [early|env=[!]variable]svdhEConfigure HTTP request headers +Require entity-name [entity-name] ...dhBTests whether an authenticated user is authorized by +an authorization provider. RewriteBase URL-pathdhESets the base URL for per-directory rewrites RewriteCond TestString CondPatternsvdhEDefines a condition under which rewriting will take place @@ -650,15 +660,6 @@ by Apache children processes launched by Apache children Satisfy Any|All All dhEInteraction between host-level access control and user authentication -<SatisfyAll> -... </SatisfyAll>dhBEnclose a group of authorization directives that must all -be satisfied in order to grant access to a resource. This block allows -for 'AND' logic to be applied to various authorization providers. -<SatisfyOne> -... </SatisfyOne>dhBEnclose a group of authorization directives that must -satisfy at least one in order to grant access to a resource. This -block allows for 'OR' logic to be applied to various authorization -providers. ScoreBoardFile file-path logs/apache_status sMLocation of the file used to store coordination data for the child processes Script method cgi-scriptsvdBActivates a CGI script for a particular request diff --git a/docs/manual/new_features_2_4.html.en b/docs/manual/new_features_2_4.html.en index fcb681fa66..f0c2323ed3 100644 --- a/docs/manual/new_features_2_4.html.en +++ b/docs/manual/new_features_2_4.html.en @@ -64,11 +64,21 @@ console. The user can thus be alerted to misconfiguration problems before the core open_logs hook function redirects console output to the error log. -

    Expression Parser Added
    -
    We now have a general-purpose expression parser, whose API is - exposed in ap_expr.h. This is adapted from the - expression parser previously implemented in - mod_include.
    + +
    Expression Parser Added
    + +
    We now have a general-purpose expression parser, whose API is + exposed in ap_expr.h. This is adapted from the + expression parser previously implemented in + mod_include.
    + +
    Authorization Logic Containers
    + +
    Advanced authorization logic may now be specified using the + Match directive + and the related container directives, such as + <MatchAll>, all + provided by the mod_authz_core module.
    diff --git a/docs/manual/sitemap.html.en b/docs/manual/sitemap.html.en index f7fa8e55f9..9e9108e6c4 100644 --- a/docs/manual/sitemap.html.en +++ b/docs/manual/sitemap.html.en @@ -181,13 +181,11 @@ Server on HPUX
  • Apache Module mod_authn_core
  • Apache Module mod_authn_dbd
  • Apache Module mod_authn_dbm
  • -
  • Apache Module mod_authn_default
  • Apache Module mod_authn_file
  • Apache Module mod_authnz_ldap
  • Apache Module mod_authz_core
  • Apache Module mod_authz_dbd
  • Apache Module mod_authz_dbm
  • -
  • Apache Module mod_authz_default
  • Apache Module mod_authz_groupfile
  • Apache Module mod_authz_host
  • Apache Module mod_authz_owner
  • -- 2.50.1
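Review bot: In the quickreference.html.en hunk, the added MatchNotAny description repeats a word across the line break: "of which none" is followed by "none must succeed for the enclosing directive to not fail". Remove the duplicate in the directive's source description so the regenerated quick reference reads correctly. The neighbouring MatchNotAll summary, "of which some must fail or none must succeed for the enclosing directive to not fail", is also hard to parse next to the MatchAll wording ("none must fail and at least one must succeed"). Since these one-line summaries describe access control outcomes, consider rephrasing both negated containers in the same terms as MatchAll and MatchAny.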