<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>Authentication and Authorization - Apache HTTP Server</title>
<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
<script src="/style/scripts/prettify.min.js" type="text/javascript">
</script>

<link href="/images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.4</p>
<img alt="" src="/images/feather.gif" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="/images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.4</a> &gt; <a href="./">How-To / Tutorials</a></div><div id="page-content"><div id="preamble"><h1>Authentication and Authorization</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="/en/howto/auth.html" title="English"> en </a> |
<a href="/fr/howto/auth.html" hreflang="fr" rel="alternate" title="Fran&ccedil;ais"> fr </a> |
<a href="/ja/howto/auth.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> |
<a href="/ko/howto/auth.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> |
<a href="/tr/howto/auth.html" hreflang="tr" rel="alternate" title="T&uuml;rk&ccedil;e"> tr </a></p>
</div>

    <p>Authentication is any process by which you verify that
    someone is who they claim they are. Authorization is any
    process by which someone is allowed to be where they want to
    go, or to have information that they want to have.</p>

    <p>For general access control, see the <a href="access.html">Access
    Control How-To</a>.</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#related">Related Modules and Directives</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#introduction">Introduction</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#theprerequisites">The Prerequisites</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#gettingitworking">Getting it working</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#lettingmorethanonepersonin">Letting more than one
person in</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#possibleproblems">Possible problems</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#dbmdbd">Alternate password storage</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#multprovider">Using multiple providers</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#beyond">Beyond just authorization</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#socache">Authentication Caching</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#moreinformation">More information</a></li>
</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img
alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="related" id="related">Related Modules and Directives</a></h2>

<p>There are three types of modules involved in the authentication and
authorization process. You will usually need to choose at least one
module from each group.</p>

<ul>
  <li>Authentication type (see the
      <code class="directive"><a href="/mod/mod_authn_core.html#authtype">AuthType</a></code> directive)
    <ul>
      <li><code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code></li>
      <li><code class="module"><a href="/mod/mod_auth_digest.html">mod_auth_digest</a></code></li>
    </ul>
  </li>
  <li>Authentication provider (see the
  <code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> and
  <code class="directive"><a href="/mod/mod_auth_digest.html#authdigestprovider">AuthDigestProvider</a></code> directives)

    <ul>
      <li><code class="module"><a href="/mod/mod_authn_anon.html">mod_authn_anon</a></code></li>
      <li><code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code></li>
      <li><code class="module"><a href="/mod/mod_authn_dbm.html">mod_authn_dbm</a></code></li>
      <li><code class="module"><a href="/mod/mod_authn_file.html">mod_authn_file</a></code></li>
      <li><code class="module"><a href="/mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code></li>
      <li><code class="module"><a href="/mod/mod_authn_socache.html">mod_authn_socache</a></code></li>
    </ul>
  </li>
  <li>Authorization (see the
      <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directive)
    <ul>
      <li><code class="module"><a href="/mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code></li>
      <li><code class="module"><a href="/mod/mod_authz_dbd.html">mod_authz_dbd</a></code></li>
      <li><code class="module"><a href="/mod/mod_authz_dbm.html">mod_authz_dbm</a></code></li>
      <li><code class="module"><a href="/mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code></li>
      <li><code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code></li>
      <li><code class="module"><a href="/mod/mod_authz_owner.html">mod_authz_owner</a></code></li>
      <li><code class="module"><a href="/mod/mod_authz_user.html">mod_authz_user</a></code></li>
    </ul>
  </li>
</ul>

  <p>In addition to these modules, there are also
  <code class="module"><a href="/mod/mod_authn_core.html">mod_authn_core</a></code> and
  <code class="module"><a href="/mod/mod_authz_core.html">mod_authz_core</a></code>. These modules implement the core
  directives that are common to all auth modules.</p>

  <p>The module <code class="module"><a href="/mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> is both an
  authentication and authorization provider. The module
  <code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code> provides authorization
  and access control based on hostname, IP address or characteristics
  of the request, but is not part of the authentication provider
  system. For backwards compatibility with mod_access, there is
  a new module <code class="module"><a href="/mod/mod_access_compat.html">mod_access_compat</a></code>.</p>

  <p>You probably also want to take a look at the <a href="access.html">Access Control</a> howto, which discusses the
  various ways to control access to your server.</p>

</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="introduction" id="introduction">Introduction</a></h2>
    <p>If you have information on your web site that is sensitive
    or intended for only a small group of people, the techniques in
    this article will help you make sure that the people that see
    those pages are the people that you wanted to see them.</p>

    <p>This article covers the "standard" way of protecting parts
    of your web site that most of you are going to use.</p>

    <div class="note"><h3>Note:</h3>
      <p>If your data really needs to be secure, consider using
      <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> in addition to any authentication.</p>
    </div>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="theprerequisites" id="theprerequisites">The Prerequisites</a></h2>
    <p>The directives discussed in this article will need to go
    either in your main server configuration file (typically in a
    <code class="directive"><a href="/mod/core.html#directory">&lt;Directory&gt;</a></code> section), or
    in per-directory configuration files (<code>.htaccess</code> files).</p>

    <p>If you plan to use <code>.htaccess</code> files, you will
    need to have a server configuration that permits putting
    authentication directives in these files.
This is done with the
    <code class="directive"><a href="/mod/core.html#allowoverride">AllowOverride</a></code> directive, which
    specifies which directives, if any, may be put in per-directory
    configuration files.</p>

    <p>Since we're talking here about authentication, you will need
    an <code class="directive"><a href="/mod/core.html#allowoverride">AllowOverride</a></code> directive like the
    following:</p>

    <pre class="prettyprint lang-config">AllowOverride AuthConfig</pre>


    <p>Or, if you are just going to put the directives directly in
    your main server configuration file, you will of course need to
    have write permission to that file.</p>

    <p>And you'll need to know a little bit about the directory
    structure of your server, in order to know where some files are
    kept. This should not be terribly difficult, and I'll try to
    make this clear when we come to that point.</p>

    <p>You will also need to make sure that the modules
    <code class="module"><a href="/mod/mod_authn_core.html">mod_authn_core</a></code> and <code class="module"><a href="/mod/mod_authz_core.html">mod_authz_core</a></code>
    have either been built into the httpd binary or loaded by the
    httpd.conf configuration file. Both of these modules provide core
    directives and functionality that are critical to the configuration
    and use of authentication and authorization in the web server.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="gettingitworking" id="gettingitworking">Getting it working</a></h2>
    <p>Here are the basics of password protecting a directory on your
    server.</p>

    <p>First, you need to create a password file. Exactly how you do
    this will vary depending on what authentication provider you have
    chosen. More on that later. To start with, we'll use a text password
    file.</p>

    <p>This file should be
    placed somewhere not accessible from the web. This is so that
    folks cannot download the password file. For example, if your
    documents are served out of <code>/usr/local/apache/htdocs</code> you
    might want to put the password file(s) in
    <code>/usr/local/apache/passwd</code>.</p>

    <p>To create the file, use the <code class="program"><a href="/programs/htpasswd.html">htpasswd</a></code> utility that
    came with Apache. This will be located in the <code>bin</code> directory
    of wherever you installed Apache. If you have installed Apache from
    a third-party package, it may be in your execution path.</p>

    <p>To create the file, type:</p>

    <div class="example"><p><code>
      htpasswd -c /usr/local/apache/passwd/passwords rbowen
    </code></p></div>

    <p><code class="program"><a href="/programs/htpasswd.html">htpasswd</a></code> will ask you for the password, and
    then ask you to type it again to confirm it:</p>

    <div class="example"><p><code>
      # htpasswd -c /usr/local/apache/passwd/passwords rbowen<br />
      New password: mypassword<br />
      Re-type new password: mypassword<br />
      Adding password for user rbowen
    </code></p></div>

    <p>If <code class="program"><a href="/programs/htpasswd.html">htpasswd</a></code> is not in your path, of course
    you'll have to type the full path to the file to get it to run.
    With a default installation, it's located at
    <code>/usr/local/apache2/bin/htpasswd</code>.</p>

    <p>Next, you'll need to configure the server to request a
    password and tell the server which users are allowed access.
    You can do this either by editing the <code>httpd.conf</code>
    file or using an <code>.htaccess</code> file.
For example, if
    you wish to protect the directory
    <code>/usr/local/apache/htdocs/secret</code>, you can use the
    following directives, either placed in the file
    <code>/usr/local/apache/htdocs/secret/.htaccess</code>, or
    placed in <code>httpd.conf</code> inside a &lt;Directory
    /usr/local/apache/htdocs/secret&gt; section.</p>

    <pre class="prettyprint lang-config">AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user rbowen</pre>


    <p>Let's examine each of those directives individually. The <code class="directive"><a href="/mod/mod_authn_core.html#authtype">AuthType</a></code> directive selects
    the method used to authenticate the user. The most
    common method is <code>Basic</code>, and this is the method
    implemented by <code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code>. It is important to be aware,
    however, that Basic authentication sends the password from the client to
    the server unencrypted. This method should therefore not be used for
    highly sensitive data, unless accompanied by <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code>.
    Apache supports one other authentication method:
    <code>AuthType Digest</code>. This method is implemented by <code class="module"><a href="/mod/mod_auth_digest.html">mod_auth_digest</a></code> and was intended to be more secure. This is no
    longer the case and the connection should be encrypted with <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> instead.</p>

    <p>The <code class="directive"><a href="/mod/mod_authn_core.html#authname">AuthName</a></code> directive sets
    the <dfn>Realm</dfn> to be used in the authentication. The realm serves
    two major functions. First, the client often presents this information to
    the user as part of the password dialog box. Second, it is used by the
    client to determine what password to send for a given authenticated
    area.</p>

    <p>So, for example, once a client has authenticated in the
    <code>"Restricted Files"</code> area, it will automatically
    retry the same password for any area on the same server that is
    marked with the <code>"Restricted Files"</code> Realm.
    Therefore, you can prevent a user from being prompted more than
    once for a password by letting multiple restricted areas share
    the same realm. Of course, for security reasons, the client
    will always need to ask again for the password whenever the
    hostname of the server changes.</p>

    <p>The <code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> is,
    in this case, optional, since <code>file</code> is the default value
    for this directive. You'll need to use this directive if you are
    choosing a different source for authentication, such as
    <code class="module"><a href="/mod/mod_authn_dbm.html">mod_authn_dbm</a></code> or <code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code>.</p>

    <p>The <code class="directive"><a href="/mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code>
    directive sets the path to the password file that we just
    created with <code class="program"><a href="/programs/htpasswd.html">htpasswd</a></code>. If you have a large number
    of users, it can be quite slow to search through a plain text
    file to authenticate the user on each request. Apache also has
    the ability to store user information in fast database files.
    The <code class="module"><a href="/mod/mod_authn_dbm.html">mod_authn_dbm</a></code> module provides the <code class="directive"><a href="/mod/mod_authn_dbm.html#authdbmuserfile">AuthDBMUserFile</a></code> directive.
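</p>
<p>Added example, not code from the httpd project or from this page: a small Python model of what the Basic authentication step described above amounts to on the server side. It decodes the <code>Authorization: Basic</code> header (the credentials are only base64-encoded, not encrypted, which is why the text pairs Basic with <code>mod_ssl</code>), parses an <code>AuthUserFile</code>, and verifies the password against a <code>$apr1$</code> entry with the MD5-based routine that <code>htpasswd</code> writes by default, following the steps of APR's <code>apr_md5_encode</code>. The function names, the fixed salts and the sample file contents are constructed for the example; real <code>htpasswd</code> picks a random salt per entry.</p>

```python
import base64
import hashlib
import hmac

APR1_MAGIC = b"$apr1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """APR's to64(): emit `count` base-64-ish characters, low bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5(password: str, salt: str) -> str:
    """Hypothetical helper: the "$apr1$salt$hash" scheme htpasswd uses by
    default, written to follow APR's apr_md5_encode step by step."""
    pw = password.encode()
    sb = salt.encode()[:8]                      # APR keeps at most 8 salt bytes
    ctx = hashlib.md5(pw + APR1_MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()    # MD5(pw, salt, pw)
    plen = len(pw)
    while plen > 0:                             # as many bytes of alt as pw has
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(pw)                                 # "something really weird": APR
    while i:                                    # has zeroed its buffer here, so
        ctx.update(b"\0" if i & 1 else pw[:1])  # odd bits feed a NUL byte
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                       # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in order)
    enc += _to64(final[11], 2)
    return (APR1_MAGIC + sb + b"$" + enc).decode()


def parse_htpasswd(text: str) -> dict:
    """AuthUserFile contents: one 'user:hash' per line, '#' lines ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users


def verify_apr1(password: str, stored: str) -> bool:
    """Recompute with the salt embedded in the stored string; compare in
    constant time. Only the $apr1$ format is modelled here."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_md5(password, salt), stored)


def make_basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_header(header: str):
    """(user, password) from 'Basic <b64>'. Anyone who can read the request
    can do the same, hence the page's advice to add mod_ssl."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def authenticate(header: str, htpasswd_text: str):
    """What the file provider does per request: decode, look up, verify.
    Returns the user name on success, None otherwise."""
    creds = decode_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    users = parse_htpasswd(htpasswd_text)
    if user in users and verify_apr1(password, users[user]):
        return user
    return None


# Constructed sample data: the page's user rbowen plus one more entry.
SAMPLE_HTPASSWD = ("rbowen:" + apr1_md5("mypassword", "x1y2z3w4") + "\n"
                   + "dpitts:" + apr1_md5("another", "abcdefgh") + "\n")
SAMPLE_HEADER = make_basic_header("rbowen", "mypassword")
```

<p>Run <code>authenticate(SAMPLE_HEADER, SAMPLE_HTPASSWD)</code> to see the request accepted as <code>rbowen</code>; a wrong password or an unknown user yields <code>None</code>. The same decode step is all a network observer needs on a plain-HTTP connection, which is the practical reason the note above insists on TLS.</p>
<p>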
These
    files can be created and manipulated with the <code class="program"><a href="/programs/dbmmanage.html">dbmmanage</a></code> and <code class="program"><a href="/programs/htdbm.html">htdbm</a></code> programs. Many
    other types of authentication options are available from third
    party modules in the <a href="http://modules.apache.org/">Apache Modules
    Database</a>.</p>

    <p>Finally, the <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code>
    directive provides the authorization part of the process by
    setting the user that is allowed to access this region of the
    server. In the next section, we discuss various ways to use the
    <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directive.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="lettingmorethanonepersonin" id="lettingmorethanonepersonin">Letting more than one
person in</a></h2>
    <p>The directives above only let one person (specifically
    someone with a username of <code>rbowen</code>) into the
    directory. In most cases, you'll want to let more than one
    person in. This is where the <code class="directive"><a href="/mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> comes in.</p>

    <p>If you want to let more than one person in, you'll need to
    create a group file that associates group names with a list of
    users in that group. The format of this file is pretty simple,
    and you can create it with your favorite editor. The contents
    of the file will look like this:</p>

    <div class="example"><p><code>
      GroupName: rbowen dpitts sungo rshersey
    </code></p></div>

    <p>That's just a list of the members of the group in a long
    line separated by spaces.</p>

    <p>To add a user to your already existing password file,
    type:</p>

    <div class="example"><p><code>
      htpasswd /usr/local/apache/passwd/passwords dpitts
    </code></p></div>

    <p>You'll get the same response as before, but it will be
    appended to the existing file, rather than creating a new file.
    (It's the <code>-c</code> that makes it create a new password
    file.)</p>

    <p>Now, you need to modify your <code>.htaccess</code> file or
    <code class="directive"><a href="/mod/core.html#directory">&lt;Directory&gt;</a></code> block
    to look like the following:</p>

    <pre class="prettyprint lang-config">AuthType Basic
AuthName "By Invitation Only"
# Optional line:
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
AuthGroupFile /usr/local/apache/passwd/groups
Require group GroupName</pre>


    <p>Now, anyone that is listed in the group <code>GroupName</code>,
    and has an entry in the <code>password</code> file, will be let in, if
    they type the correct password.</p>

    <p>There's another way to let multiple users in that is less
    specific. Rather than creating a group file, you can just use
    the following directive:</p>

    <pre class="prettyprint lang-config">Require valid-user</pre>


    <p>Using that rather than the <code>Require user rbowen</code>
    line will allow anyone in that is listed in the password file,
    and who correctly enters their password.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="possibleproblems" id="possibleproblems">Possible problems</a></h2>
    <p>Because of the way that Basic authentication is specified,
    your username and password must be verified every time you
    request a document from the server. This is even if you're
    reloading the same page, and for every image on the page (if
    they come from a protected directory). As you can imagine, this
    slows things down a little. The amount that it slows things
    down is proportional to the size of the password file, because
    it has to open up that file, and go down the list of users
    until it gets to your name. And it has to do this every time a
    page is loaded.</p>

    <p>A consequence of this is that there's a practical limit to
    how many users you can put in one password file.
This limit
    will vary depending on the performance of your particular
    server machine, but you can expect to see slowdowns once you
    get above a few hundred entries, and may wish to consider a
    different authentication method at that time.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="dbmdbd" id="dbmdbd">Alternate password storage</a></h2>

    <p>Because storing passwords in plain text files has the above
    problems, you may wish to store your passwords somewhere else, such
    as in a database.</p>

    <p><code class="module"><a href="/mod/mod_authn_dbm.html">mod_authn_dbm</a></code> and <code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code> are two
    modules which make this possible. Rather than selecting <code><code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> file</code>, instead
    you can choose <code>dbm</code> or <code>dbd</code> as your storage
    format.</p>

    <p>To select a dbm file rather than a text file, for example:</p>

    <pre class="prettyprint lang-config">&lt;Directory /www/docs/private&gt;
    AuthName "Private"
    AuthType Basic
    AuthBasicProvider dbm
    AuthDBMUserFile /www/passwords/passwd.dbm
    Require valid-user
&lt;/Directory&gt;</pre>


    <p>Other options are available. Consult the
    <code class="module"><a href="/mod/mod_authn_dbm.html">mod_authn_dbm</a></code> documentation for more details.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="multprovider" id="multprovider">Using multiple providers</a></h2>

    <p>With the introduction of the new provider based authentication and
    authorization architecture, you are no longer locked into a single
    authentication or authorization method. In fact any number of the
    providers can be mixed and matched to provide you with exactly the
    scheme that meets your needs. In the following example, both the
    file and LDAP based authentication providers are being used.</p>

    <pre class="prettyprint lang-config">&lt;Directory /www/docs/private&gt;
    AuthName "Private"
    AuthType Basic
    AuthBasicProvider file ldap
    AuthUserFile /usr/local/apache/passwd/passwords
    AuthLDAPURL ldap://ldaphost/o=yourorg
    Require valid-user
&lt;/Directory&gt;</pre>


    <p>In this example the file provider will attempt to authenticate
    the user first. If it is unable to authenticate the user, the LDAP
    provider will be called. This allows the scope of authentication
    to be broadened if your organization implements more than
    one type of authentication store. Other authentication and authorization
    scenarios may include mixing one type of authentication with a
    different type of authorization. For example, you might authenticate against
    a password file yet authorize against an LDAP directory.</p>

    <p>Just as multiple authentication providers can be implemented, multiple
    authorization methods can also be used. In this example both file-group
    authorization and LDAP-group authorization are being used.</p>

    <pre class="prettyprint lang-config">&lt;Directory /www/docs/private&gt;
    AuthName "Private"
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile /usr/local/apache/passwd/passwords
    AuthLDAPURL ldap://ldaphost/o=yourorg
    AuthGroupFile /usr/local/apache/passwd/groups
    Require group GroupName
    Require ldap-group cn=mygroup,o=yourorg
&lt;/Directory&gt;</pre>


    <p>To take authorization a little further, authorization container
    directives such as
    <code class="directive"><a href="/mod/mod_authz_core.html#requireall">&lt;RequireAll&gt;</a></code>
    and
    <code class="directive"><a href="/mod/mod_authz_core.html#requireany">&lt;RequireAny&gt;</a></code>
    allow logic to be applied so that the order in which authorization
    is handled can be completely controlled through the configuration.
    See <a href="/mod/mod_authz_core.html#logic">Authorization
    Containers</a> for an example of how they may be applied.</p>

</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="beyond" id="beyond">Beyond just authorization</a></h2>

    <p>The way that authorization can be applied is now much more flexible
    than just a single check against a single data store. Ordering, logic
    and choosing how authorization will be done is now possible.</p>

    <h3><a name="authandororder" id="authandororder">Applying logic and ordering</a></h3>
    <p>Controlling how and in what order authorization will be applied
    has been a bit of a mystery in the past. In Apache 2.2 a provider-based
    authentication mechanism was introduced to decouple the actual
    authentication process from authorization and supporting functionality.
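</p>
<p>Added example, not code from the httpd project: a Python model of how <code>mod_auth_basic</code> walks the providers listed in <code>AuthBasicProvider file ldap</code> (the configuration shown in the "Using multiple providers" section above). Providers are consulted in the configured order, and the chain advances only when a provider reports the user as unknown; a wrong password for a user the file provider does know ends the attempt as a failure, and the LDAP provider is never asked. The <code>DictProvider</code> class, the <code>run_provider_chain</code> and <code>make_chain</code> names, and the accounts they hold are constructed for the example and stand in for the real file and LDAP backends.</p>

```python
import hmac

USER_NOT_FOUND, DENIED, GRANTED = "user-not-found", "denied", "granted"


class DictProvider:
    """Constructed stand-in for an authentication provider (file, dbm, ldap
    ...). Real providers verify a stored hash; this one holds plaintext
    passwords so the example stays about chaining rather than hashing."""

    def __init__(self, name, accounts):
        self.name = name
        self.accounts = accounts
        self.calls = 0  # how often this backend was actually consulted

    def check_password(self, user, password):
        self.calls += 1
        if user not in self.accounts:
            return USER_NOT_FOUND
        if hmac.compare_digest(self.accounts[user].encode(), password.encode()):
            return GRANTED
        return DENIED


def run_provider_chain(providers, user, password):
    """Walk the providers in AuthBasicProvider order. Only USER_NOT_FOUND
    lets the chain continue; GRANTED or DENIED from any provider is final.
    Returns (final result, [(provider name, its result), ...])."""
    trail = []
    result = USER_NOT_FOUND
    for provider in providers:
        result = provider.check_password(user, password)
        trail.append((provider.name, result))
        if result != USER_NOT_FOUND:
            break
    return result, trail


def make_chain():
    """file first, then ldap, as in the page's example. rbowen is present in
    both stores with different passwords on purpose (constructed data)."""
    file_provider = DictProvider("file", {"rbowen": "mypassword"})
    ldap_provider = DictProvider("ldap", {"rbowen": "ldap-secret", "sungo": "s3cret"})
    return [file_provider, ldap_provider]


def ldap_consulted(user, password):
    """True if the second (ldap) provider was asked at all for this attempt."""
    chain = make_chain()
    run_provider_chain(chain, user, password)
    return chain[1].calls > 0
```

<p>The instructive case is <code>run_provider_chain(make_chain(), "rbowen", "ldap-secret")</code>: the password is valid in the directory, but the file provider knows <code>rbowen</code> and rejects it, so the result is a denial and <code>ldap_consulted</code> reports <code>False</code>. Keeping an account in two stores with different passwords therefore does not give the user two ways in, and an entry left behind in the password file can lock a directory user out of a resource until it is removed.</p>
<p>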
    One of the side benefits was that authentication providers could be
    configured and called in a specific order which didn't depend on the
    load order of the auth module itself. This same provider based mechanism
    has been brought forward into authorization as well. What this means is
    that the <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directive
    not only specifies which authorization methods should be used, it also
    specifies the order in which they are called. Multiple authorization
    methods are called in the same order in which the
    <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directives
    appear in the configuration.</p>

    <p>With the introduction of authorization container directives
    such as
    <code class="directive"><a href="/mod/mod_authz_core.html#requireall">&lt;RequireAll&gt;</a></code>
    and
    <code class="directive"><a href="/mod/mod_authz_core.html#requireany">&lt;RequireAny&gt;</a></code>,
    the configuration also has control over when the
    authorization methods are called and what criteria determine when
    access is granted. See
    <a href="/mod/mod_authz_core.html#logic">Authorization Containers</a>
    for an example of how they may be used to express complex
    authorization logic.</p>

    <p>By default all
    <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code>
    directives are handled as though contained within a
    <code class="directive"><a href="/mod/mod_authz_core.html#requireany">&lt;RequireAny&gt;</a></code>
    container directive. In other words, if
    any of the specified authorization methods succeed, then authorization
    is granted.</p>



    <h3><a name="reqaccessctrl" id="reqaccessctrl">Using authorization providers for access control</a></h3>
    <p>Authentication by username and password is only part of the
    story. Frequently you want to let people in based on something
    other than who they are, such as where they are
    coming from.</p>

    <p>The authorization providers <code>all</code>,
    <code>env</code>, <code>host</code> and <code>ip</code> let you
    allow or deny access based on host-based criteria such as the
    host name or IP address of the machine requesting a
    document.</p>

    <p>The usage of these providers is specified through the
    <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directive.
    This directive registers the authorization providers
    that will be called during the authorization stage of the request
    processing. For example:</p>

    <pre class="prettyprint lang-config">Require ip <var>address</var></pre>


    <p>where <var>address</var> is an IP address (or a partial IP
    address) or:</p>

    <pre class="prettyprint lang-config">Require host <var>domain_name</var></pre>


    <p>where <var>domain_name</var> is a fully qualified domain name
    (or a partial domain name); you may provide multiple addresses or
    domain names, if desired.</p>

    <p>For example, if you have someone spamming your message
    board, and you want to keep them out, you could do the
    following:</p>

    <pre class="prettyprint lang-config">&lt;RequireAll&gt;
    Require all granted
    Require not ip 10.252.46.165
&lt;/RequireAll&gt;</pre>


    <p>Visitors coming from that address will not be able to see
    the content covered by this directive. If, instead, you have a
    machine name, rather than an IP address, you can use that.</p>

    <pre class="prettyprint lang-config">&lt;RequireAll&gt;
    Require all granted
    Require not host host.example.com
&lt;/RequireAll&gt;</pre>


    <p>And, if you'd like to block access from an entire domain,
    you can specify just part of an address or domain name:</p>

    <pre class="prettyprint lang-config">&lt;RequireAll&gt;
    Require all granted
    Require not ip 192.168.205
    Require not host phishers.example.com moreidiots.example
    Require not host ke
&lt;/RequireAll&gt;</pre>


    <p>Using <code class="directive"><a href="/mod/mod_authz_core.html#requireall">&lt;RequireAll&gt;</a></code>
    with multiple <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directives, each negated with <code>not</code>,
    will only allow access if all of the negated conditions are true. In other words,
    access will be blocked if any of the negated conditions fails.</p>



    <h3><a name="filesystem" id="filesystem">Access Control backwards compatibility</a></h3>
    <p>One of the side effects of adopting a provider based mechanism for
    authentication is that the previous access control directives
    <code class="directive"><a href="/mod/mod_access_compat.html#order">Order</a></code>,
    <code class="directive"><a href="/mod/mod_access_compat.html#allow">Allow</a></code>,
    <code class="directive"><a href="/mod/mod_access_compat.html#deny">Deny</a></code> and
    <code class="directive"><a href="/mod/mod_access_compat.html#satisfy">Satisfy</a></code> are no longer needed.
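</p>
<p>Added example, not part of the original page: a Python evaluator for the <code>Require</code> rules used in the access-control examples just above and in the group-file section earlier. It models the documented outcomes (a negated <code>Require</code> never grants, it only denies on a match or stays neutral; bare <code>Require</code> lines behave like <code>&lt;RequireAny&gt;</code>; <code>&lt;RequireAll&gt;</code> fails on any failure; a neutral overall result is still a denial), the partial-address matching of the <code>ip</code> provider (<code>192.168.205</code> means <code>192.168.205.0/24</code>), the label-boundary matching of the <code>host</code> provider, and the <code>AuthGroupFile</code> format. The <code>Request</code> class, the encoding of containers as <code>('all'|'any', rules)</code> tuples, and the sample group file are constructed for the example. Apache applies <code>host</code> rules to the name it obtains from a double-reverse DNS lookup of the client; the model takes that resolved name as an input rather than performing the lookup.</p>

```python
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


class Request:
    """Constructed stand-in for what the authz stage sees: the user the
    authentication stage established (None if none), the client address,
    and the client's resolved name (None if no usable reverse lookup)."""

    def __init__(self, user=None, ip="0.0.0.0", host=None):
        self.user = user
        self.ip = ipaddress.ip_address(ip)
        self.host = host


def parse_group_file(text):
    """AuthGroupFile format: one 'GroupName: user1 user2 ...' line per group."""
    groups = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


def ip_matches(addr, spec):
    """'Require ip': full address, CIDR, or partial dotted quad."""
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    parts = spec.split(".")
    if len(parts) < 4 and all(p.isdigit() for p in parts):
        padded = ".".join(parts + ["0"] * (4 - len(parts)))
        net = ipaddress.ip_network("%s/%d" % (padded, 8 * len(parts)), strict=False)
        return addr in net
    return addr == ipaddress.ip_address(spec)


def host_matches(host, spec):
    """'Require host': the whole name, or a trailing domain on a label
    boundary, so 'example.com' matches 'www.example.com' but not
    'badexample.com' (this is mod_authz_host's in_domain rule)."""
    if host is None:
        return False
    host, spec = host.lower(), spec.lower()
    if host == spec:
        return True
    return host.endswith(spec) and (spec.startswith(".") or host[-len(spec) - 1] == ".")


def evaluate_require(req, line, groups):
    """One 'Require [not] provider args...' line. A negated line never
    grants: it denies when the provider matched and is neutral otherwise."""
    words = line.split()
    negate = words[1] == "not"
    provider, args = (words[2], words[3:]) if negate else (words[1], words[2:])
    if provider == "all":
        matched = args[0] == "granted"
    elif provider == "valid-user":
        matched = req.user is not None
    elif provider == "user":
        matched = req.user in args
    elif provider == "group":
        matched = any(req.user in groups.get(g, ()) for g in args)
    elif provider == "ip":
        matched = any(ip_matches(req.ip, a) for a in args)
    elif provider == "host":
        matched = any(host_matches(req.host, a) for a in args)
    else:
        raise ValueError("provider not modelled: " + provider)
    if negate:
        return DENIED if matched else NEUTRAL
    return GRANTED if matched else DENIED


def evaluate_block(req, rules, groups=None, mode="any"):
    """rules: Require lines and nested ('all'|'any', rules) containers.
    all: any failure fails, else any success succeeds, else neutral.
    any: any success succeeds, else any failure fails, else neutral."""
    groups = groups or {}
    outcomes = [evaluate_block(req, r[1], groups, r[0]) if isinstance(r, tuple)
                else evaluate_require(req, r, groups) for r in rules]
    if mode == "all":
        if DENIED in outcomes:
            return DENIED
        return GRANTED if GRANTED in outcomes else NEUTRAL
    if GRANTED in outcomes:
        return GRANTED
    return DENIED if DENIED in outcomes else NEUTRAL


def access_allowed(req, rules, groups=None):
    """Bare Require lines act like <RequireAny>; only an explicit grant
    lets the request through, a neutral result is still a 403."""
    return evaluate_block(req, rules, groups, "any") == GRANTED


# The page's own rule sets, plus a constructed group file.
SAMPLE_GROUPS = parse_group_file("GroupName: rbowen dpitts sungo rshersey\n")
GROUP_RULES = ["Require group GroupName"]
SPAM_BLOCK = ("all", ["Require all granted", "Require not ip 10.252.46.165"])
DOMAIN_BLOCK = ("all", ["Require all granted",
                        "Require not ip 192.168.205",
                        "Require not host phishers.example.com moreidiots.example",
                        "Require not host ke"])
```

<p>Two checks worth running: <code>evaluate_block(Request(ip="203.0.113.5"), ["Require not ip 10.0.0.1"])</code> is neutral, not granted, which is why every block above pairs its <code>Require not</code> lines with <code>Require all granted</code> inside <code>&lt;RequireAll&gt;</code>; and a host of <code>nairobi.co.ke</code> is caught by <code>Require not host ke</code> while <code>fake</code> is not, because the match has to end on a label boundary. Since <code>host</code> rules depend on reverse DNS that the client's network operator controls, prefer <code>ip</code> rules where the addresses are known.</p>
<p>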
    However, to provide backwards compatibility for older configurations, these
    directives have been moved to the <code class="module"><a href="/mod/mod_access_compat.html">mod_access_compat</a></code> module.</p>


</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="socache" id="socache">Authentication Caching</a></h2>
    <p>There may be times when authentication puts an unacceptable load
    on a provider or on your network. This is most likely to affect users
    of <code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code> (or third-party/custom providers).
    To deal with this, HTTPD 2.3/2.4 introduces a new caching provider
    <code class="module"><a href="/mod/mod_authn_socache.html">mod_authn_socache</a></code> to cache credentials and reduce
    the load on the origin provider(s).</p>
    <p>This may offer a substantial performance boost to some users.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="moreinformation" id="moreinformation">More information</a></h2>
    <p>You should also read the documentation for
    <code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code> and <code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code>
    which contain some more information about how this all works. The
    directive <code class="directive"><a href="/mod/mod_authn_core.html#authnprovideralias">&lt;AuthnProviderAlias&gt;</a></code> can also help
    in simplifying certain authentication configurations.</p>

    <p>The various ciphers supported by Apache for authentication data are
    explained in <a href="/misc/password_encryptions.html">Password
    Encryptions</a>.</p>

    <p>And you may want to look at the <a href="access.html">Access
    Control</a> howto, which discusses a number of related topics.</p>

</div></div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="/en/howto/auth.html" title="English"> en </a> |
<a href="/fr/howto/auth.html" hreflang="fr" rel="alternate" title="Fran&ccedil;ais"> fr </a> |
<a href="/ja/howto/auth.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> |
<a href="/ko/howto/auth.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> |
<a href="/tr/howto/auth.html" hreflang="tr" rel="alternate" title="T&uuml;rk&ccedil;e"> tr </a></p>
</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
<script type="text/javascript"><!--//--><![CDATA[//><!--
var comments_shortname = 'httpd';
var comments_identifier = 'http://httpd.apache.org/docs/2.4/howto/auth.html';
(function(w, d) {
    if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
        d.write('<div id="comments_thread"><\/div>');
        var s = d.createElement('script');
        s.type = 'text/javascript';
        s.async = true;
        s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
        (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
    }
    else {
        d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
    }
})(window, document);
//--><!]]></script></div><div id="footer">
<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
    prettyPrint();
}
//--><!]]></script>
</body></html>