Apache HTTP Server Version 2.4
Apache HTTP Server Version 2.4
| Description: | Core Authorization |
|---|---|
| Status: | Base |
| Module Identifier: | authz_core_module |
| Source File: | mod_authz_core.c |
| Compatibility: | Available in Apache HTTPD 2.3 and later |
This module provides core authorization capabilities so that
authenticated users can be allowed or denied access to portions
of the web site. mod_authz_core provides the
functionality to register various authorization providers. It is
usually used in conjunction with an authentication
provider module such as mod_authn_file and an
authorization module such as mod_authz_user. It
also allows for advanced logic to be applied to the
authorization processing.
AuthMerging <AuthzProviderAlias> AuthzSendForbiddenOnFailure Require <RequireAll> <RequireAny> <RequireNone>
The authorization container directives
<RequireAll>,
<RequireAny>
and
<RequireNone>
may be combined with each other and with the
Require
directive to express complex authorization logic.
The example below expresses the following authorization logic.
In order to access the resource, the user must either be the
superadmin user, or belong to both the
admins group and the Administrators LDAP
group and either belong to the sales group or
have the LDAP dept attribute sales.
Furthermore, in order to access the resource, the user must
not belong to either the temps group or the
LDAP group Temporary Employees.
<Directory "/www/mydocs">
<RequireAll>
<RequireAny>
Require user superadmin
<RequireAll>
Require group admins
Require ldap-group "cn=Administrators,o=Airius"
<RequireAny>
Require group sales
Require ldap-attribute dept="sales"
</RequireAny>
</RequireAll>
</RequireAny>
<RequireNone>
Require group temps
Require ldap-group "cn=Temporary Employees,o=Airius"
</RequireNone>
</RequireAll>
</Directory>
mod_authz_core provides some generic authorization
providers which can be used with the
Require directive.
The env provider allows access to the server
to be controlled based on the existence of an environment variable. When Require
env env-variable is specified, then the request is
allowed access if the environment variable env-variable
exists. The server provides the ability to set environment
variables in a flexible way based on characteristics of the client
request using the directives provided by
mod_setenvif. Therefore, this directive can be
used to allow access based on such factors as the clients
User-Agent (browser type), Referer, or
other HTTP request header fields.
SetEnvIf User-Agent "^KnockKnock/2\.0" let_me_in
<Directory "/docroot">
Require env let_me_in
</Directory>
In this case, browsers with a user-agent string beginning
with KnockKnock/2.0 will be allowed access, and all
others will be denied.
When the server looks up a path via an internal
subrequest such as looking
for a DirectoryIndex
or generating a directory listing with mod_autoindex,
per-request environment variables are not inherited in the
subrequest. Additionally,
SetEnvIf directives
are not separately evaluated in the subrequest due to the API phases
mod_setenvif takes action in.
The all provider mimics the functionality that
was previously provided by the 'Allow from all' and 'Deny from all'
directives. This provider can take one of two arguments which are
'granted' or 'denied'. The following examples will grant or deny
access to all requests.
Require all granted
Require all denied
The method provider allows using the HTTP method in
authorization decisions. The GET and HEAD methods are treated as
equivalent. The TRACE method is not available to this provider,
use TraceEnable instead.
The following example will only allow GET, HEAD, POST, and OPTIONS requests:
Require method GET POST OPTIONS
The following example will allow GET, HEAD, POST, and OPTIONS requests without authentication, and require a valid user for all other methods:
<RequireAny>
Require method GET POST OPTIONS
Require valid-user
</RequireAny>
The expr provider allows basing authorization
decisions on arbitrary expressions.
Require expr "%{TIME_HOUR} -ge 9 && %{TIME_HOUR} -le 17"
<RequireAll>
Require expr "!(%{QUERY_STRING} =~ /secret/)"
Require expr "%{REQUEST_URI} in { '/example.cgi', '/other.cgi' }"
</RequireAll>
Require expr "!(%{QUERY_STRING} =~ /secret/) && %{REQUEST_URI} in { '/example.cgi', '/other.cgi' }"
The syntax is described in the ap_expr documentation. Before httpd 2.4.16, the surrounding double-quotes MUST be omitted.
Normally, the expression is evaluated before authentication. However, if
the expression returns false and references the variable
%{REMOTE_USER}, authentication will be performed and
the expression will be re-evaluated.
Extended authorization providers can be created within the configuration
file and assigned an alias name. The alias providers can then be referenced
through the Require directive
in the same way as a base authorization provider. Besides the ability to
create and alias an extended provider, it also allows the same extended
authorization provider to be referenced by multiple locations.
The example below creates two different ldap authorization provider aliases based on the ldap-group authorization provider. This example allows a single authorization location to check group membership within multiple ldap hosts:
<AuthzProviderAlias ldap-group ldap-group-alias1 "cn=my-group,o=ctx">
AuthLDAPBindDN "cn=youruser,o=ctx"
AuthLDAPBindPassword yourpassword
AuthLDAPUrl "ldap://ldap.host/o=ctx"
</AuthzProviderAlias>
<AuthzProviderAlias ldap-group ldap-group-alias2 "cn=my-other-group,o=dev">
AuthLDAPBindDN "cn=yourotheruser,o=dev"
AuthLDAPBindPassword yourotherpassword
AuthLDAPUrl "ldap://other.ldap.host/o=dev?cn"
</AuthzProviderAlias>
Alias "/secure" "/webpages/secure"
<Directory "/webpages/secure">
Require all granted
AuthBasicProvider file
AuthType Basic
AuthName LDAP_Protected_Place
#implied OR operation
Require ldap-group-alias1
Require ldap-group-alias2
</Directory>
| Description: | Controls the manner in which each configuration section's authorization logic is combined with that of preceding configuration sections. |
|---|---|
| Syntax: | AuthMerging Off | And | Or |
| Default: | AuthMerging Off |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Base |
| Module: | mod_authz_core |
When authorization is enabled, it is normally inherited by each
subsequent configuration section,
unless a different set of authorization directives is specified.
This is the default action, which corresponds to an explicit setting
of AuthMerging Off.
However, there may be circumstances in which it is desirable
for a configuration section's authorization to be combined with
that of its predecessor while configuration sections are being
merged. Two options are available for this case, And
and Or.
When a configuration section contains AuthMerging And
or AuthMerging Or,
its authorization logic is combined with that of the nearest
predecessor (according to the overall order of configuration sections)
which also contains authorization logic as if the two sections
were jointly contained within a
<RequireAll> or
<RequireAny>
directive, respectively.
AuthMerging is not
inherited outside of the configuration section in which it appears.
In the following example, only users belonging to group alpha
may access /www/docs. Users belonging to either
groups alpha or beta may access
/www/docs/ab. However, the default Off
setting of AuthMerging applies to the
<Directory>
configuration section for /www/docs/ab/gamma, so
that section's authorization directives override those of the
preceding sections. Thus only users belong to the group
gamma may access /www/docs/ab/gamma.<Directory "/www/docs">
AuthType Basic
AuthName Documents
AuthBasicProvider file
AuthUserFile "/usr/local/apache/passwd/passwords"
Require group alpha
</Directory>
<Directory "/www/docs/ab">
AuthMerging Or
Require group beta
</Directory>
<Directory "/www/docs/ab/gamma">
Require group gamma
</Directory>
| Description: | Enclose a group of directives that represent an extension of a base authorization provider and referenced by the specified alias |
|---|---|