<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>mod_authz_core - Apache HTTP Server</title>
<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
<script src="/style/scripts/prettify.min.js" type="text/javascript">
</script>

<link href="/images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
<p class="apache">Apache HTTP Server Version 2.4</p>
</div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_authz_core</h1>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Core Authorization</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>authz_core_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_authz_core.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTPD 2.3 and later</td></tr></table>
<h3>Summary</h3>

    <p>This module provides core authorization capabilities so that
    authenticated users can be allowed or denied access to portions
    of the web site. <code class="module"><a href="/mod/mod_authz_core.html">mod_authz_core</a></code> provides the
    functionality to register various authorization providers. It is
    usually used in conjunction with an authentication
    provider module such as <code class="module"><a href="/mod/mod_authn_file.html">mod_authn_file</a></code> and an
    authorization module such as <code class="module"><a href="/mod/mod_authz_user.html">mod_authz_user</a></code>.
    It also allows for advanced logic to be applied to the
    authorization processing.</p>
</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="/images/down.gif" /> <a href="#authmerging">AuthMerging</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#authzprovideralias">&lt;AuthzProviderAlias&gt;</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#authzsendforbiddenonfailure">AuthzSendForbiddenOnFailure</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#require">Require</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#requireall">&lt;RequireAll&gt;</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#requireany">&lt;RequireAny&gt;</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#requirenone">&lt;RequireNone&gt;</a></li>
</ul>
<h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="/images/down.gif" /> <a href="#authzalias">Creating Authorization Provider Aliases</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#logic">Authorization Containers</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#requiredirectives">The Require Directives</a></li>
</ul></div>
<div class="section">
<h2><a name="authzalias" id="authzalias">Creating Authorization Provider Aliases</a></h2>

    <p>Extended authorization providers can be created within the configuration
    file and assigned an alias name. The alias providers can then be referenced
    through the <code class="directive"><a href="#require">Require</a></code> directive
    in the same way as a base authorization provider. Besides the ability to
    create and alias an extended provider, it also allows the same extended
    authorization provider to be referenced by multiple locations.
    </p>

    <h3><a name="example" id="example">Example</a></h3>
        <p>The example below creates two different ldap authorization provider
        aliases based on the ldap-group authorization provider. This example
        allows a single authorization location to check group membership within
        multiple ldap hosts:
        </p>

        <pre class="prettyprint lang-config">&lt;AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx&gt;
    AuthLDAPBindDN cn=youruser,o=ctx
    AuthLDAPBindPassword yourpassword
    AuthLDAPURL ldap://ldap.host/o=ctx
&lt;/AuthzProviderAlias&gt;

&lt;AuthzProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev&gt;
    AuthLDAPBindDN cn=yourotheruser,o=dev
    AuthLDAPBindPassword yourotherpassword
    AuthLDAPURL ldap://other.ldap.host/o=dev?cn
&lt;/AuthzProviderAlias&gt;

Alias /secure /webpages/secure
&lt;Directory /webpages/secure&gt;
    AuthBasicProvider file

    AuthType Basic
    AuthName LDAP_Protected_Place

    # implied OR operation: membership in either aliased group authorizes.
    # No "Require all granted" here, since it would authorize every request
    # under the same implied OR.
    Require ldap-group-alias1
    Require ldap-group-alias2
&lt;/Directory&gt;</pre>



</div>
<div class="section">
<h2><a name="logic" id="logic">Authorization Containers</a></h2>

    <p>The authorization container directives
    <code class="directive"><a href="#requireall">&lt;RequireAll&gt;</a></code>,
    <code class="directive"><a href="#requireany">&lt;RequireAny&gt;</a></code>
    and
    <code class="directive"><a href="#requirenone">&lt;RequireNone&gt;</a></code>
    may be combined with each other and with the
    <code class="directive"><a href="#require">Require</a></code>
    directive to express complex authorization logic.</p>

    <p>The example below expresses the following authorization logic.
    In order to access the resource, the user must either be the
    <code>superadmin</code> user, or belong to both the
    <code>admins</code> group and the <code>Administrators</code> LDAP
    group and either belong to the <code>sales</code> group or
    have the LDAP <code>dept</code> attribute <code>sales</code>.
    Furthermore, in order to access the resource, the user must
    not belong to either the <code>temps</code> group or the
    LDAP group <code>Temporary Employees</code>.</p>

    <pre class="prettyprint lang-config">&lt;Directory /www/mydocs&gt;
    &lt;RequireAll&gt;
        &lt;RequireAny&gt;
            Require user superadmin
            &lt;RequireAll&gt;
                Require group admins
                Require ldap-group cn=Administrators,o=Airius
                &lt;RequireAny&gt;
                    Require group sales
                    Require ldap-attribute dept="sales"
                &lt;/RequireAny&gt;
            &lt;/RequireAll&gt;
        &lt;/RequireAny&gt;
        &lt;RequireNone&gt;
            Require group temps
            Require ldap-group cn=Temporary Employees,o=Airius
        &lt;/RequireNone&gt;
    &lt;/RequireAll&gt;
&lt;/Directory&gt;</pre>

</div>
<div class="section">
<h2><a name="requiredirectives" id="requiredirectives">The Require Directives</a></h2>

  <p><code class="module"><a href="/mod/mod_authz_core.html">mod_authz_core</a></code> provides some generic authorization
  providers which can be used with the
  <code class="directive"><a href="#require">Require</a></code> directive.</p>

  <h3><a name="reqenv" id="reqenv">Require env</a></h3>

    <p>The <code>env</code> provider allows access to the server
    to be controlled based on the existence of an <a href="/env.html">environment variable</a>. When <code>Require
    env <var>env-variable</var></code> is specified, then the request is
    allowed access if the environment variable <var>env-variable</var>
    exists.
    The server provides the ability to set environment
    variables in a flexible way based on characteristics of the client
    request using the directives provided by
    <code class="module"><a href="/mod/mod_setenvif.html">mod_setenvif</a></code>. Therefore, this directive can be
    used to allow access based on such factors as the client's
    <code>User-Agent</code> (browser type), <code>Referer</code>, or
    other HTTP request header fields.</p>

    <pre class="prettyprint lang-config">SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
&lt;Directory /docroot&gt;
    Require env let_me_in
&lt;/Directory&gt;</pre>


    <p>In this case, browsers with a user-agent string beginning
    with <code>KnockKnock/2.0</code> will be allowed access, and all
    others will be denied.</p>

    <p>When the server looks up a path via an internal
    <a class="glossarylink" href="/glossary.html#subrequest" title="see glossary">subrequest</a>, such as looking
    for a <code class="directive"><a href="/mod/mod_dir.html#directoryindex">DirectoryIndex</a></code>
    or generating a directory listing with <code class="module"><a href="/mod/mod_autoindex.html">mod_autoindex</a></code>,
    per-request environment variables are <em>not</em> inherited in the
    subrequest. Additionally,
    <code class="directive"><a href="/mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> directives
    are not separately evaluated in the subrequest due to the API phases
    <code class="module"><a href="/mod/mod_setenvif.html">mod_setenvif</a></code> takes action in.</p>



  <h3><a name="reqall" id="reqall">Require all</a></h3>

    <p>The <code>all</code> provider mimics the functionality that
    was previously provided by the 'Allow from all' and 'Deny from all'
    directives. This provider can take one of two arguments which are
    'granted' or 'denied'. The following examples will grant or deny
    access to all requests.</p>

    <pre class="prettyprint lang-config">Require all granted</pre>


    <pre class="prettyprint lang-config">Require all denied</pre>




  <h3><a name="reqmethod" id="reqmethod">Require method</a></h3>

    <p>The <code>method</code> provider allows the HTTP method to be used in
    authorization decisions. The GET and HEAD methods are treated as
    equivalent.
    The TRACE method is not available to this provider;
    use <code class="directive"><a href="/mod/core.html#traceenable">TraceEnable</a></code> instead.</p>

    <p>The following example will only allow GET, HEAD, POST, and OPTIONS
    requests:</p>

    <pre class="prettyprint lang-config">Require method GET POST OPTIONS</pre>


    <p>The following example will allow GET, HEAD, POST, and OPTIONS
    requests without authentication, and require a valid user for all other
    methods:</p>

    <pre class="prettyprint lang-config">&lt;RequireAny&gt;
    Require method GET POST OPTIONS
    Require valid-user
&lt;/RequireAny&gt;</pre>




  <h3><a name="reqexpr" id="reqexpr">Require expr</a></h3>

  <p>The <code>expr</code> provider allows authorization
  decisions to be based on arbitrary expressions.</p>

    <pre class="prettyprint lang-config">Require expr "%{TIME_HOUR} -ge 9 &amp;&amp; %{TIME_HOUR} -le 17"</pre>


  <p>The syntax is described in the <a href="/expr.html">ap_expr</a>
  documentation.</p>

  <p>Normally, the expression is evaluated before authentication.
  However, if
  the expression returns false and references the variable
  <code>%{REMOTE_USER}</code>, authentication will be performed and
  the expression will be re-evaluated.</p>




</div>
<div class="directive-section"><h2><a name="AuthMerging" id="AuthMerging">AuthMerging</a> <a name="authmerging" id="authmerging">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Controls the manner in which each configuration section's
authorization logic is combined with that of preceding configuration
sections.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthMerging Off | And | Or</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthMerging Off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
    <p>When authorization is enabled, it is normally inherited by each
    subsequent <a href="/sections.html#merging">configuration section</a>,
    unless a different set of authorization directives is specified.
    This is the default action, which corresponds to an explicit setting
    of <code>AuthMerging Off</code>.</p>

    <p>However, there may be circumstances in which it is desirable
    for a configuration section's authorization to be combined with
    that of its predecessor while configuration sections are being
    merged.
    Two options are available for this case, <code>And</code>
    and <code>Or</code>.</p>

    <p>When a configuration section contains <code>AuthMerging And</code>
    or <code>AuthMerging Or</code>,
    its authorization logic is combined with that of the nearest
    predecessor (according to the overall order of configuration sections)
    which also contains authorization logic as if the two sections
    were jointly contained within a
    <code class="directive"><a href="#requireall">&lt;RequireAll&gt;</a></code> or
    <code class="directive"><a href="#requireany">&lt;RequireAny&gt;</a></code>
    directive, respectively.</p>

    <div class="note">The setting of <code class="directive">AuthMerging</code> is not
    inherited outside of the configuration section in which it appears.
    In the following example, only users belonging to group <code>alpha</code>
    may access <code>/www/docs</code>. Users belonging to either
    group <code>alpha</code> or <code>beta</code> may access
    <code>/www/docs/ab</code>. However, the default <code>Off</code>
    setting of <code class="directive">AuthMerging</code> applies to the
    <code class="directive"><a href="/mod/core.html#directory">&lt;Directory&gt;</a></code>
    configuration section for <code>/www/docs/ab/gamma</code>, so
    that section's authorization directives override those of the
    preceding sections.
    Thus only users belonging to the group
    <code>gamma</code> may access <code>/www/docs/ab/gamma</code>.</div>

    <pre class="prettyprint lang-config">&lt;Directory /www/docs&gt;
    AuthType Basic
    AuthName Documents
    AuthBasicProvider file
    AuthUserFile /usr/local/apache/passwd/passwords
    Require group alpha
&lt;/Directory&gt;

&lt;Directory /www/docs/ab&gt;
    AuthMerging Or
    Require group beta
&lt;/Directory&gt;

&lt;Directory /www/docs/ab/gamma&gt;
    Require group gamma
&lt;/Directory&gt;</pre>


</div>
<div class="directive-section"><h2><a name="AuthzProviderAlias" id="AuthzProviderAlias">&lt;AuthzProviderAlias&gt;</a> <a name="authzprovideralias" id="authzprovideralias">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of directives that represent an
extension of a base authorization provider and referenced by the specified
alias</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>&lt;AuthzProviderAlias <var>baseProvider Alias Require-Parameters</var>&gt;
...
&lt;/AuthzProviderAlias&gt;
</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
    <p><code class="directive">&lt;AuthzProviderAlias&gt;</code> and
    <code>&lt;/AuthzProviderAlias&gt;</code> are used to enclose a group of
    authorization directives that can be referenced by the alias name using the
    directive <code class="directive"><a href="#require">Require</a></code>.</p>


</div>
<div class="directive-section"><h2><a name="AuthzSendForbiddenOnFailure" id="AuthzSendForbiddenOnFailure">AuthzSendForbiddenOnFailure</a> <a name="authzsendforbiddenonfailure" id="authzsendforbiddenonfailure">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Send '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if
authentication succeeds but authorization fails
</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthzSendForbiddenOnFailure On|Off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthzSendForbiddenOnFailure Off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTPD 2.3.11 and later</td></tr>
</table>
    <p>If authentication succeeds but authorization fails, Apache HTTPD will
    respond with an HTTP response code of '401 UNAUTHORIZED'
    by default. This
    usually causes browsers to display the password dialogue to the user
    again, which is not wanted in all situations.
    <code class="directive">AuthzSendForbiddenOnFailure</code> allows the
    response code to be changed to '403 FORBIDDEN'.</p>

    <div class="warning"><h3>Security Warning</h3>
    <p>Modifying the response in case of missing authorization weakens the
    security of the password, because it reveals to a possible attacker that
    the guessed password was right.</p>
    </div>

</div>
<div class="directive-section"><h2><a name="Require" id="Require">Require</a> <a name="require" id="require">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Tests whether an authenticated user is authorized by
an authorization provider.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Require [not] <var>entity-name</var>
    [<var>entity-name</var>] ...</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
    <p>This directive tests whether an authenticated user is authorized
    according to a particular authorization provider and the specified
    restrictions.
    <code class="module"><a href="/mod/mod_authz_core.html">mod_authz_core</a></code> provides the following
    generic authorization providers:</p>

    <dl>
      <dt><code>Require all granted</code></dt>
      <dd>Access is allowed unconditionally.</dd>

      <dt><code>Require all denied</code></dt>
      <dd>Access is denied unconditionally.</dd>

      <dt><code>Require env <var>env-var</var> [<var>env-var</var>]
      ...</code></dt>
      <dd>Access is allowed only if one of the given environment variables is
          set.</dd>

      <dt><code>Require method <var>http-method</var> [<var>http-method</var>]
      ...</code></dt>
      <dd>Access is allowed only for the given HTTP methods.</dd>

      <dt><code>Require expr <var>expression</var> </code></dt>
      <dd>Access is allowed if <var>expression</var> evaluates to true.</dd>
    </dl>

    <p>Some of the allowed syntaxes provided by <code class="module"><a href="/mod/mod_authz_user.html">mod_authz_user</a></code>,
       <code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code>,
       and <code class="module"><a href="/mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> are:</p>

    <dl>
      <dt><code>Require user <var>userid</var> [<var>userid</var>]
      ...</code></dt>
      <dd>Only the named users can access the resource.</dd>

      <dt><code>Require group <var>group-name</var> [<var>group-name</var>]
      ...</code></dt>
      <dd>Only users in the named groups can access the resource.</dd>

      <dt><code>Require valid-user</code></dt>
      <dd>All valid users can access the resource.</dd>

      <dt><code>Require ip 10 172.20 192.168.2</code></dt>
      <dd>Clients in the specified IP address ranges can access the
      resource.</dd>
    </dl>

    <p>Other authorization modules that implement require options
    include <code class="module"><a href="/mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>,
    <code class="module"><a
href="/mod/mod_authz_dbm.html">mod_authz_dbm</a></code>, <code class="module"><a href="/mod/mod_authz_dbd.html">mod_authz_dbd</a></code>,
    <code class="module"><a href="/mod/mod_authz_owner.html">mod_authz_owner</a></code> and <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code>.</p>

    <p>In most cases, for a complete authentication and authorization
    configuration, <code class="directive">Require</code> must be accompanied by
    <code class="directive"><a href="/mod/mod_authn_core.html#authname">AuthName</a></code>, <code class="directive"><a href="/mod/mod_authn_core.html#authtype">AuthType</a></code> and
    <code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> or
    <code class="directive"><a href="/mod/mod_auth_digest.html#authdigestprovider">AuthDigestProvider</a></code>
    directives, and directives such as
    <code class="directive"><a href="/mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code>
    and <code class="directive"><a href="/mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> (to
    define users and groups) in order to work correctly. Example:</p>

    <pre class="prettyprint lang-config">AuthType Basic
AuthName "Restricted Resource"
AuthBasicProvider file
AuthUserFile /web/users
AuthGroupFile /web/groups
Require group admin</pre>


    <p>Access controls which are applied in this way are effective for
    <strong>all</strong> methods. <strong>This is what is normally
    desired.</strong> If you wish to apply access controls only to
    specific methods, while leaving other methods unprotected, then
    place the <code class="directive">Require</code> statement into a
    <code class="directive"><a href="/mod/core.html#limit">&lt;Limit&gt;</a></code>
    section.</p>

    <p>The result of the <code class="directive">Require</code> directive
    may be negated through the use of the
    <code>not</code> option.
    As with the other negated authorization
    directive <code class="directive">&lt;RequireNone&gt;</code>,
    when the <code class="directive">Require</code> directive is negated it can
    only fail or return a neutral result, and therefore may never
    independently authorize a request.</p>

    <p>In the following example, all users in the <code>alpha</code>
    and <code>beta</code> groups are authorized, except for those who
    are also in the <code>reject</code> group.</p>

    <pre class="prettyprint lang-config">&lt;Directory /www/docs&gt;
    &lt;RequireAll&gt;
        Require group alpha beta
        Require not group reject
    &lt;/RequireAll&gt;
&lt;/Directory&gt;</pre>


    <p>When multiple <code class="directive">Require</code> directives are
    used in a single
    <a href="/sections.html#merging">configuration section</a>
    and are not contained in another authorization directive like
    <code class="directive"><a href="#requireall">&lt;RequireAll&gt;</a></code>,
    they are implicitly contained within a
    <code class="directive"><a href="#requireany">&lt;RequireAny&gt;</a></code>
    directive. Thus the first one to authorize a user authorizes the
    entire request, and subsequent <code class="directive">Require</code> directives
    are ignored.</p>

    <div class="warning"><h3>Security Warning</h3>
    <p>Exercise caution when setting authorization directives in
    <code class="directive"><a href="/mod/core.html#location">Location</a></code> sections
    that overlap with content served out of the filesystem.
    By default, these <a href="/sections.html#merging">configuration sections</a> overwrite authorization configuration
    in <code class="directive"><a href="/mod/core.html#directory">Directory</a></code>
    and <code class="directive"><a href="/mod/core.html#files">Files</a></code> sections.</p>
    <p>The <code class="directive"><a href="#authmerging">AuthMerging</a></code> directive
    can be used to control how authorization configuration sections are
    merged.</p>
    </div>

<h3>See also</h3>
<ul>
<li><a href="/howto/access.html">Access control howto</a></li>
<li><a href="#logic">Authorization Containers</a></li>
<li><code class="module"><a href="/mod/mod_authn_core.html">mod_authn_core</a></code></li>
<li><code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code></li>
</ul>
</div>
<div class="directive-section"><h2><a name="RequireAll" id="RequireAll">&lt;RequireAll&gt;</a> <a name="requireall" id="requireall">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives of which none
must fail and at least one must succeed for the enclosing directive to
succeed.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>&lt;RequireAll&gt; ...
&lt;/RequireAll&gt;</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
    <p><code class="directive">&lt;RequireAll&gt;</code> and
    <code>&lt;/RequireAll&gt;</code> are used to enclose a group of
    authorization directives of which none must fail and at least one
    must succeed in order for
    the <code class="directive">&lt;RequireAll&gt;</code> directive to
    succeed.</p>

    <p>If none of the directives contained within the
    <code class="directive">&lt;RequireAll&gt;</code> directive fails,
    and at least one succeeds, then the
    <code class="directive">&lt;RequireAll&gt;</code> directive
    succeeds. If none succeed and none fail, then it returns a
    neutral result. In all other cases, it fails.</p>

<h3>See also</h3>
<ul>
<li><a href="#logic">Authorization Containers</a></li>
<li><a href="/howto/auth.html">Authentication, Authorization,
    and Access Control</a></li>
</ul>
</div>
<div class="directive-section"><h2><a name="RequireAny" id="RequireAny">&lt;RequireAny&gt;</a> <a name="requireany" id="requireany">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives of which one
must succeed for the enclosing directive to succeed.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>&lt;RequireAny&gt; ...
&lt;/RequireAny&gt;</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
    <p><code class="directive">&lt;RequireAny&gt;</code> and
    <code>&lt;/RequireAny&gt;</code> are used to enclose a group of
    authorization directives of which one must succeed in order for
    the <code class="directive">&lt;RequireAny&gt;</code> directive to
    succeed.</p>

    <p>If one or more of the directives contained within the
    <code class="directive">&lt;RequireAny&gt;</code> directive succeed,
    then the <code class="directive">&lt;RequireAny&gt;</code> directive
    succeeds. If none succeed and none fail, then it returns a
    neutral result. In all other cases, it fails.</p>

    <div class="note">Because negated authorization directives are unable to
    return a successful result, they can not significantly influence
    the result of a <code class="directive">&lt;RequireAny&gt;</code>
    directive. (At most they could cause the directive to fail in
    the case where they failed and all other directives returned a
    neutral value.)
    Therefore negated authorization directives
    are not permitted within a <code class="directive">&lt;RequireAny&gt;</code>
    directive.</div>

<h3>See also</h3>
<ul>
<li><a href="#logic">Authorization Containers</a></li>
<li><a href="/howto/auth.html">Authentication, Authorization,
    and Access Control</a></li>
</ul>
</div>
<div class="directive-section"><h2><a name="RequireNone" id="RequireNone">&lt;RequireNone&gt;</a> <a name="requirenone" id="requirenone">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives of which none
must succeed for the enclosing directive to not fail.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>&lt;RequireNone&gt; ... &lt;/RequireNone&gt;</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
    <p><code class="directive">&lt;RequireNone&gt;</code> and
    <code>&lt;/RequireNone&gt;</code> are used to enclose a group of
    authorization directives of which none must succeed
    in order for the
    <code class="directive">&lt;RequireNone&gt;</code> directive to
    not fail.</p>

    <p>If one or more of the directives contained within the
    <code class="directive">&lt;RequireNone&gt;</code> directive succeed,
    then the <code class="directive">&lt;RequireNone&gt;</code> directive
    fails. In all other cases, it returns a neutral result.
Thus as with
the other negated authorization directive <code>Require not</code>,
it can never independently
authorize a request because it can never return a successful result.
It can be used, however, to restrict the set of users who are
authorized to access a resource.</p>

<div class="note">Because negated authorization directives are unable to
return a successful result, they can not significantly influence
the result of a <code class="directive"><RequireNone></code>
directive. Therefore negated authorization directives
are not permitted within a
<code class="directive"><RequireNone></code> directive.</div>

<h3>See also</h3>
<ul>
<li><a href="#logic">Authorization Containers</a></li>
<li><a href="/howto/auth.html">Authentication, Authorization,
and Access Control</a></li>
</ul>
</div>
</div>
<div id="footer">
<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p></div>
</body></html>
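The success / fail / neutral results described above for RequireAny and RequireNone, modelled as an added Python example; it is not part of the Apache documentation or of mod_authz_core's code. The names Leaf, Container and policy and the admin/alice/banned policy are constructed for illustration, a negated leaf is modelled as deny-on-match and neutral otherwise, and the RequireAll rule (no child fails, at least one succeeds) comes from the same module's documentation.

```python
from enum import Enum

class Authz(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NEUTRAL = "neutral"

class Leaf:
    """One Require line; `result` is the provider's outcome (constructed input)."""
    def __init__(self, result, negated=False):
        self.result, self.negated = result, negated

    def evaluate(self):
        if not self.negated:
            return self.result
        # Negated directives never grant: a match denies, anything else is neutral.
        return Authz.DENIED if self.result is Authz.GRANTED else Authz.NEUTRAL

class Container:
    """kind is "any", "none" or "all" for RequireAny, RequireNone, RequireAll."""
    def __init__(self, kind, *children):
        self.kind, self.children = kind, children
        self.negated = kind == "none"  # RequireNone is itself a negated directive
        if kind in ("any", "none") and any(c.negated for c in children):
            raise ValueError(f"negated directive not permitted in Require{kind.title()}")

    def evaluate(self):
        results = [c.evaluate() for c in self.children]
        granted = Authz.GRANTED in results
        denied = Authz.DENIED in results
        if self.kind == "any":
            if granted:
                return Authz.GRANTED
            return Authz.DENIED if denied else Authz.NEUTRAL
        if self.kind == "none":
            return Authz.DENIED if granted else Authz.NEUTRAL
        # RequireAll: no child may fail and at least one must succeed.
        if denied:
            return Authz.DENIED
        return Authz.GRANTED if granted else Authz.NEUTRAL

def policy(is_admin, is_alice, is_banned):
    """Constructed policy: (admin or alice), and not on the banned list."""
    hit = lambda matched: Authz.GRANTED if matched else Authz.DENIED
    return Container("all",
        Container("any", Leaf(hit(is_admin)), Leaf(hit(is_alice))),
        Container("none", Leaf(hit(is_banned))),
    ).evaluate()
```

A RequireNone block on its own only ever yields neutral or denied, so it has to sit beside a directive that can grant, as the enclosing RequireAll does here.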