
Apache Module mod_authz_core

Available Languages:  en 

Description: Core Authorization
Module Identifier: authz_core_module
Source File: mod_authz_core.c
Compatibility: Available in Apache 2.3 and later


This module provides core authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site. mod_authz_core provides the functionality to register various authorization providers. It is usually used in conjunction with an authentication provider module such as mod_authn_file and an authorization module such as mod_authz_user. It also allows for "AND" and "OR" logic to be applied to the authorization processing.




Creating Authorization Provider Aliases

Extended authorization providers can be created within the configuration file and assigned an alias name. The alias providers can then be referenced through the Require directive in the same way as a base authorization provider. Besides the ability to create and alias an extended provider, this also allows the same extended authorization provider to be referenced from multiple locations.


The example below creates two different LDAP authorization provider aliases based on the ldap-group authorization provider. Each alias carries its own bind credentials and LDAP URL, so a single authorization location can check group membership against multiple LDAP hosts:


<RequireAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
    AuthLDAPBindDN cn=youruser,o=ctx
    AuthLDAPBindPassword yourpassword
    AuthLDAPURL ldap://ldap.host/o=ctx
</RequireAlias>

<RequireAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>
    AuthLDAPBindDN cn=yourotheruser,o=dev
    AuthLDAPBindPassword yourotherpassword
    AuthLDAPURL ldap://other.ldap.host/o=dev?cn
</RequireAlias>

Alias /secure /webpages/secure
<Directory /webpages/secure>
    Order deny,allow
    Allow from all

    AuthBasicProvider file

    AuthType Basic
    AuthName LDAP_Protected_Place

    # implied OR operation: membership in either group grants access
    Require ldap-group-alias1
    Require ldap-group-alias2
</Directory>


AuthzMergeRules Directive

Description: Set to 'on' to allow the parent's <Directory> or <Location> authz rules to be merged into the current <Directory> or <Location>. Set to 'off' to disable merging. If set to 'off', only the authz rules defined in the current <Directory> or <Location> block will apply.
Syntax: AuthzMergeRules on | off
Default: AuthzMergeRules on
Context: directory, .htaccess

By default all of the authorization rules within a <Directory> or <Location> hierarchy are merged together to form a single logical authorization operation. If AuthzMergeRules is set to 'off', then only the authorization rules that are contained within the current <Directory> or <Location> block are considered. This allows the configuration to state exactly how authorization will be determined for that block, without having to take into consideration the authorization rules that may exist above it.
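The following configuration, added here as an illustration and not taken from the original page, shows the difference between the two settings. The paths, user and group names are hypothetical. Because the page describes sibling Require lines as an implied OR, the example assumes that merged parent and child rules combine the same way; under that assumption a child block that must be stricter than its parent cannot achieve this by adding a Require, since merging only widens access, which is exactly the case AuthzMergeRules off is for.

```apache
# Parent: any member of group "staff" may access the tree.
<Directory "/srv/www/intranet">
    AuthType Basic
    AuthName "Intranet"
    AuthBasicProvider file
    AuthUserFile "/etc/httpd/intranet.users"
    AuthGroupFile "/etc/httpd/intranet.groups"
    Require group staff
</Directory>

# Child with merging at the default ('on'): the parent's
# "Require group staff" is merged with the rule below. Assuming the
# implied OR, a "staff" member OR the user "auditor" is authorised,
# so this block grants more access than its parent, not less.
<Directory "/srv/www/intranet/reports">
    Require user auditor
</Directory>

# Child with merging disabled: only the rules written in this block
# are considered. Only "auditor" is authorised; "staff" membership
# alone no longer grants access to the payroll subtree.
<Directory "/srv/www/intranet/payroll">
    AuthzMergeRules off
    Require user auditor
</Directory>
```

When reviewing a configuration, treat every AuthzMergeRules off as a point where the parent's restrictions stop applying and check that the child block restates every rule it still needs, including any host-based restrictions inherited from above.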


Reject Directive

Description: Rejects authenticated users or host-based requests from accessing a resource
Syntax: Reject entity-name [entity-name] ...
Context: directory, .htaccess

This directive is similar to the Require directive; however, it specifies which authenticated users or host-based requests are rejected from accessing a resource. The restrictions are processed by authorization modules. See the Require directive for details about usage.
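As an added example (not from the original page), the block below combines Require and Reject to let every account in the user file in except one that must be locked out without deleting it. The paths and the user name are hypothetical. The rules are wrapped in <SatisfyAll> because the page describes top-level Require lines as an implied OR; the example assumes that inside <SatisfyAll> a Reject is satisfied only when the request does not match it, so both conditions must hold for access to be granted.

```apache
<Directory "/srv/www/internal">
    AuthType Basic
    AuthName "Internal"
    AuthBasicProvider file
    AuthUserFile "/etc/httpd/internal.users"

    # Access requires BOTH: a valid account, AND the account is not
    # the rejected one. The Reject takes effect even though the user
    # "contractor" still exists in the user file and can authenticate.
    <SatisfyAll>
        Require valid-user
        Reject user contractor
    </SatisfyAll>
</Directory>
```

Note that the Reject acts at authorization time only: the rejected user still passes authentication, so failed attempts by that account appear in the logs as authorization denials rather than as bad credentials.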


Require Directive

Description: Selects which authenticated users can access a resource
Syntax: Require entity-name [entity-name] ...
Context: directory, .htaccess

This directive selects which authenticated users can access a resource. The restrictions are processed by authorization modules. Some of the allowed syntaxes provided by mod_authz_user and mod_authz_groupfile are:

Require user userid [userid] ...
Only the named users can access the resource.
Require group group-name [group-name] ...
Only users in the named groups can access the resource.
Require valid-user
All valid users can access the resource.

Other authorization modules that implement require options include mod_authnz_ldap, mod_authz_dbm, mod_authz_dbd, mod_authz_host, and mod_authz_owner.

For a complete authentication and authorization configuration, Require must be accompanied by AuthName, AuthType and AuthBasicProvider directives, and directives such as AuthUserFile and AuthGroupFile (to define users and groups) in order to work correctly. Example:

AuthType Basic
AuthName "Restricted Resource"
AuthBasicProvider file
AuthUserFile /web/users
AuthGroupFile /web/groups
Require group admin

Access controls which are applied in this way are effective for all methods. This is what is normally desired. If you wish to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a <Limit> section. Be aware that <Limit> protects only the methods listed in it; every other method, including any unknown method name a client sends, stays unprotected.
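The following configuration is an added example, not part of the original page, and the directory path is hypothetical. It shows the safer way to scope a Require to methods: <LimitExcept> names the methods that are left open and applies the rule to everything else, so unlisted and unknown methods are covered, whereas a <Limit POST PUT> section would leave DELETE, PATCH and any unrecognised method without the Require.

```apache
<Directory "/srv/www/app">
    AuthType Basic
    AuthName "Restricted Resource"
    AuthBasicProvider file
    AuthUserFile "/web/users"
    AuthGroupFile "/web/groups"

    # Read-only methods are left open; every other method, listed
    # here or not, requires membership of group "admin".
    <LimitExcept GET HEAD OPTIONS>
        Require group admin
    </LimitExcept>
</Directory>
```

A quick check after deploying is to send a request with an invented method name (for example with curl -X FOO) to a protected path and confirm it is refused rather than served.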


<RequireAlias> Directive

Description: Enclose a group of directives that represent an extension of a base authorization provider and are referenced by the specified alias
Syntax: <RequireAlias baseProvider Alias Require-Parameters> ... </RequireAlias>
Context: server config

<RequireAlias> and </RequireAlias> are used to enclose a group of authorization directives that can be referenced by the alias name using the directive Require.


<SatisfyAll> Directive

Description: Enclose a group of authorization directives that must all be satisfied in order to grant access to a resource. This block allows for 'AND' logic to be applied to various authorization providers.
Syntax: <SatisfyAll> ... </SatisfyAll>
Context: directory, .htaccess

<SatisfyAll> and </SatisfyAll> are used to enclose a group of authorization directives that must all be satisfied in order to grant access to a resource.

The <SatisfyAll> block as well as the <SatisfyOne> block allow you to apply "AND" and "OR" logic to the authorization processing. The blocks may be nested. For example, the following authorization block would apply the logic:

# if ((user == "John") ||
#    ((group == "admins")
#     && (ldap-group <ldap-object> contains auth'ed_user)
#     && ((ldap-attribute dept == "sales")
#         || (file-group contains auth'ed_user))))
# then
#   auth_granted
# else
#   auth_denied
<Directory /www/mydocs>
    AuthType Basic
    AuthName ...
    AuthBasicProvider ...

    <SatisfyOne>
        # user == "John"
        Require user John
        <SatisfyAll>
            # group == "admins" AND ldap-group contains user AND ...
            Require group admins
            Require ldap-group cn=mygroup,o=foo
            <SatisfyOne>
                # ... AND (dept == "sales" OR file-group contains user)
                Require ldap-attribute dept="sales"
                Require file-group
            </SatisfyOne>
        </SatisfyAll>
    </SatisfyOne>
</Directory>


<SatisfyOne> Directive

Description: Enclose a group of authorization directives of which at least one must be satisfied in order to grant access to a resource. This block allows for 'OR' logic to be applied to various authorization providers.
Syntax: <SatisfyOne> ... </SatisfyOne>
Context: directory, .htaccess

<SatisfyOne> and </SatisfyOne> are used to enclose a group of authorization directives of which at least one must be satisfied in order to grant access to a resource.

See the <SatisfyAll> directive for a usage example.
