Apache HTTP Server Version 2.3
Available Languages: en
Description: | Core Authorization |
---|---|
Status: | Base |
Module Identifier: | authz_core_module |
Source File: | mod_authz_core.c |
Compatibility: | Available in Apache 2.3 and later |
This module provides core authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site. mod_authz_core provides the functionality to register various authorization providers. It is usually used in conjunction with an authentication provider module such as mod_authn_file and an authorization module such as mod_authz_user. It also allows for "AND" and "OR" logic to be applied to the authorization processing.
Description: | Set to 'on' to allow the parent's <Directory> or <Location> authz rules to be merged into the current <Directory> or <Location>. Set to 'off' to disable merging. If set to 'off', only the authz rules defined in the current <Directory> or <Location> block will apply. |
---|---|
Syntax: | AuthMergeRules on | off |
Default: | AuthMergeRules on |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_authz_core |
By default, all of the authorization rules within a <Directory> or <Location> hierarchy are merged together to form a single logical authorization operation. If AuthzMergeRules is set to 'off', then only the authorization rules that are contained within the current <Directory> or <Location> block are considered. This allows the configuration to determine exactly how authorization will be determined without having to take into consideration the authorization rules that may exist above it.
Description: | Rejects authenticated users or host based requests from accessing a resource |
---|---|
Syntax: | Reject entity-name [entity-name] ... |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_authz_core |
This directive is similar to the Require directive; however, it rejects authenticated users or host-based requests from accessing a resource. The restrictions are processed by authorization modules. See the Require directive for details about usage.
Description: | Selects which authenticated users can access a resource |
---|---|
Syntax: | Require entity-name [entity-name] ... |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_authz_core |
This directive selects which authenticated users can access a resource. The restrictions are processed by authorization modules. Some of the allowed syntaxes provided by mod_authz_user and mod_authz_groupfile are:

    Require user userid [userid] ...
    Require group group-name [group-name] ...
    Require valid-user

Other authorization modules that implement require options include mod_authnz_ldap, mod_authz_dbm, mod_authz_dbd, mod_authz_host, and mod_authz_owner.
For a complete authentication and authorization configuration, Require must be accompanied by AuthName, AuthType and AuthBasicProvider directives, and directives such as AuthUserFile and AuthGroupFile (to define users and groups) in order to work correctly. Example:

    AuthType Basic
    AuthName "Restricted Resource"
    AuthBasicProvider file
    AuthUserFile /web/users
    AuthGroupFile /web/groups
    Require group admin

Access controls which are applied in this way are effective for all methods. This is what is normally desired. If you wish to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a <Limit> section.
Description: | Enclose a group of authorization directives that must all be satisfied in order to grant access to a resource. This block allows for 'AND' logic to be applied to various authorization providers. |
---|---|
Syntax: | <SatisfyAll> ... </SatisfyAll> |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_authz_core |
<SatisfyAll> and </SatisfyAll> are used to enclose a group of authorization directives that must all be satisfied in order to grant access to a resource.

The <SatisfyAll> block as well as the <SatisfyOne> block allow you to apply "AND" and "OR" logic to the authorization processing. For example, the following authorization block would apply the logic:

    # if ((user == "John") ||
    #     ((Group == "admin")
    #      && (ldap-group <ldap-object> contains auth'ed_user)
    #      && ((ldap-attribute dept == "sales")
    #          || (file-group contains auth'ed_user))))
    # then
    #     auth_granted
    # else
    #     auth_denied
    #
    <Directory /www/mydocs>
        Authname ...
        AuthBasicProvider ...
        ...
        Require user John
        <SatisfyAll>
            Require Group admins
            Require ldap-group cn=mygroup,o=foo
            <SatisfyOne>
                Require ldap-attribute dept="sales"
                Require file-group
            </SatisfyOne>
        </SatisfyAll>
    </Directory>

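
The AND/OR evaluation described above, modelled in Python as an added example (it is not part of the Apache documentation or of mod_authz_core's code). The names `parse`, `evaluate` and `facts` are hypothetical; each provider check is reduced to looking up a (provider, argument) pair, and refusing empty blocks is a choice of this model, not documented server behaviour.

```python
import re

# Constructed input: the <Directory> body from the example above, auth setup omitted.
SAMPLE = """
Require user John
<SatisfyAll>
    Require Group admins
    Require ldap-group cn=mygroup,o=foo
    <SatisfyOne>
        Require ldap-attribute dept="sales"
        Require file-group
    </SatisfyOne>
</SatisfyAll>
"""

def parse(text):
    """Return a tree of ('one'|'all', children) nodes with ('require', provider, args) leaves."""
    root = ("one", [])  # top-level directives are OR-ed, matching the page's pseudocode
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"<(/?)Satisfy(All|One)>", line, re.I)
        if m and m.group(1):  # closing tag: must match the innermost open block
            if len(stack) == 1 or stack[-1][0] != m.group(2).lower():
                raise ValueError(f"unbalanced {line}")
            if not stack.pop()[1]:  # all([]) is True, so an empty block would grant
                raise ValueError(f"empty block before {line}")
        elif m:
            node = (m.group(2).lower(), [])
            stack[-1][1].append(node)
            stack.append(node)
        else:
            words = line.split()
            if len(words) < 2 or words[0].lower() != "require":
                raise ValueError(f"unsupported line: {line}")
            stack[-1][1].append(("require", words[1].lower(), words[2:]))
    if len(stack) != 1:
        raise ValueError("unclosed Satisfy block")
    return root

def evaluate(node, facts):
    """facts: set of (provider, argument) pairs that hold for this request (toy model)."""
    if node[0] == "require":
        _, provider, args = node
        return any((provider, a) in facts for a in (args or [None]))
    results = [evaluate(child, facts) for child in node[1]]
    return all(results) if node[0] == "all" else any(results)
```

Walking a handful of fact sets through `evaluate(parse(SAMPLE), facts)` is a quick way to confirm that a nested block grants access only in the cases the pseudocode comment lists.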
Description: | Enclose a group of authorization directives that must satisfy at least one in order to grant access to a resource. This block allows for 'OR' logic to be applied to various authorization providers. |
---|---|
Syntax: | <SatisfyOne> ... </SatisfyOne> |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_authz_core |
<SatisfyOne> and </SatisfyOne> are used to enclose a group of authorization directives that must satisfy at least one in order to grant access to a resource.

See the <SatisfyAll> directive for a usage example.