<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>Authentication, Authorization and Access Control - Apache HTTP Server</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.2</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="page-content"><div id="preamble"><h1>Authentication, Authorization and Access Control</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/howto/auth.html" title="English"> en </a> |
<a href="../ja/howto/auth.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a> |
<a href="../ko/howto/auth.html" hreflang="ko" rel="alternate" title="Korean"> ko </a></p>
</div>
<p>Authentication is any process by which you verify that
someone is who they claim to be. Authorization is any
process by which you decide whether that identified someone may
reach the place they want to go, or obtain the information they
want to have.</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#related">Related Modules and Directives</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#introduction">Introduction</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#theprerequisites">The Prerequisites</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#gettingitworking">Getting it working</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#lettingmorethanonepersonin">Letting more than one
person in</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#possibleproblems">Possible problems</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#dbmdbd">Alternate password storage</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#moreinformation">More information</a></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="related" id="related">Related Modules and Directives</a></h2>
<p>There are three types of modules involved in the authentication and
authorization process. You will usually need to choose at least one
module from each group.</p>
<ul>
<li>Authentication type (see the
<code class="directive"><a href="../mod/core.html#authtype">AuthType</a></code> directive)
<ul>
<li><code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code></li>
<li><code class="module"><a href="../mod/mod_auth_digest.html">mod_auth_digest</a></code></li>
</ul>
</li>
<li>Authentication provider
<ul>
<li><code class="module"><a href="../mod/mod_authn_alias.html">mod_authn_alias</a></code></li>
<li><code class="module"><a href="../mod/mod_authn_anon.html">mod_authn_anon</a></code></li>
<li><code class="module"><a href="../mod/mod_authn_dbd.html">mod_authn_dbd</a></code></li>
<li><code class="module"><a href="../mod/mod_authn_dbm.html">mod_authn_dbm</a></code></li>
<li><code class="module"><a href="../mod/mod_authn_default.html">mod_authn_default</a></code></li>
<li><code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code></li>
<li><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code></li>
</ul>
</li>
<li>Authorization (see the
<code class="directive"><a href="../mod/core.html#require">Require</a></code> directive)
<ul>
<li><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_dbm.html">mod_authz_dbm</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_default.html">mod_authz_default</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_owner.html">mod_authz_owner</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code></li>
</ul>
</li>
</ul>
<p>The module <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> is both an
authentication and authorization provider. The module
<code class="module"><a href="../mod/mod_authn_alias.html">mod_authn_alias</a></code> is not an authentication provider
in itself, but allows other authentication providers to be
configured in a flexible manner.</p>
<p>The module <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code> provides authorization
and access control based on hostname, IP address or characteristics
of the request, but is not part of the authentication provider
group.</p>
<p>You probably also want to take a look at the <a href="access.html">Access Control</a> howto, which discusses the
various ways to control access to your server.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="introduction" id="introduction">Introduction</a></h2>
<p>If you have information on your web site that is sensitive
or intended for only a small group of people, the techniques in
this article will help you make sure that the people that see
those pages are the people that you wanted to see them.</p>
<p>This article covers the "standard" way of protecting parts
of your web site that most of you are going to use.</p>
<div class="note"><h3>Note:</h3>
<p>Authentication only decides who gets in; it does not hide the
credentials or the pages from anyone able to observe the connection.
If your data really needs to be secure, use
<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> in addition to any authentication.</p>
</div>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="theprerequisites" id="theprerequisites">The Prerequisites</a></h2>
<p>The directives discussed in this article will need to go
either in your main server configuration file (typically in a
<code class="directive"><a href="../mod/core.html#directory">&lt;Directory&gt;</a></code> section), or
in per-directory configuration files (<code>.htaccess</code> files).</p>
<p>If you plan to use <code>.htaccess</code> files, you will
need to have a server configuration that permits putting
authentication directives in these files. This is done with the
<code class="directive"><a href="../mod/core.html#allowoverride">AllowOverride</a></code> directive, which
specifies which directives, if any, may be put in per-directory
configuration files.</p>
<p>Since we're talking here about authentication, you will need
an <code class="directive"><a href="../mod/core.html#allowoverride">AllowOverride</a></code> directive like the
following:</p>
<div class="example"><p><code>
AllowOverride AuthConfig
</code></p></div>
<p>Or, if you are just going to put the directives directly in
your main server configuration file, you will of course need to
have write permission to that file.</p>
<p>And you'll need to know a little bit about the directory
structure of your server, in order to know where some files are
kept. This should not be terribly difficult, and I'll try to
make this clear when we come to that point.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
142
<div class="section">
143
<h2><a name="gettingitworking" id="gettingitworking">Getting it working</a></h2>
144
<p>Here's the basics of password protecting a directory on your
147
<p>First, you need to create a password file. Exactly how you do
148
this will vary depending on what authentication provider you have
149
chosen. More on that later. To start with, we'll use a text password
152
<p>This file should be
153
placed somewhere not accessible from the web. This is so that
154
folks cannot download the password file. For example, if your
155
documents are served out of <code>/usr/local/apache/htdocs</code> you
156
might want to put the password file(s) in
157
<code>/usr/local/apache/passwd</code>.</p>
159
<p>To create the file, use the <code class="program"><a href="../programs/htpasswd.html">htpasswd</a></code> utility that
160
came with Apache. This will be located in the <code>bin</code> directory
161
of wherever you installed Apache. If you have installed Apache from
162
a third-party package, it may be in your execution path.</p>
164
<p>To create the file, type:</p>
166
<div class="example"><p><code>
167
htpasswd -c /usr/local/apache/passwd/passwords rbowen
170
<p><code class="program"><a href="../programs/htpasswd.html">htpasswd</a></code> will ask you for the password, and
171
then ask you to type it again to confirm it:</p>
173
<div class="example"><p><code>
174
# htpasswd -c /usr/local/apache/passwd/passwords rbowen<br />
175
New password: mypassword<br />
176
Re-type new password: mypassword<br />
177
Adding password for user rbowen
180
<p>If <code class="program"><a href="../programs/htpasswd.html">htpasswd</a></code> is not in your path, of course
181
you'll have to type the full path to the file to get it to run.
182
With a default installation, it's located at
183
<code>/usr/local/apache2/bin/htpasswd</code></p>
185
<p>Next, you'll need to configure the server to request a
186
password and tell the server which users are allowed access.
187
You can do this either by editing the <code>httpd.conf</code>
188
file or using an <code>.htaccess</code> file. For example, if
189
you wish to protect the directory
190
<code>/usr/local/apache/htdocs/secret</code>, you can use the
191
following directives, either placed in the file
192
<code>/usr/local/apache/htdocs/secret/.htaccess</code>, or
193
placed in <code>httpd.conf</code> inside a <Directory
194
/usr/local/apache/apache/htdocs/secret> section.</p>
196
<div class="example"><p><code>
198
AuthName "Restricted Files"<br />
199
# (Following line optional)<br />
200
AuthBasicProvider file<br />
201
AuthUserFile /usr/local/apache/passwd/passwords<br />
205
<p>Let's examine each of those directives individually. The <code class="directive"><a href="../mod/core.html#authtype">AuthType</a></code> directive selects
206
that method that is used to authenticate the user. The most
207
common method is <code>Basic</code>, and this is the method
208
implemented by <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code>. It is important to be aware,
209
however, that Basic authentication sends the password from the client to
210
the server unencrypted. This method should therefore not be used for
211
highly sensitive data, unless accompanied by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.
212
Apache supports one other authentication method:
213
<code>AuthType Digest</code>. This method is implemented by <code class="module"><a href="../mod/mod_auth_digest.html">mod_auth_digest</a></code> and is much more secure. Most recent
214
browsers support Digest authentication.</p>
216
<p>The <code class="directive"><a href="../mod/core.html#authname">AuthName</a></code> directive sets
217
the <dfn>Realm</dfn> to be used in the authentication. The realm serves
218
two major functions. First, the client often presents this information to
219
the user as part of the password dialog box. Second, it is used by the
220
client to determine what password to send for a given authenticated
223
<p>So, for example, once a client has authenticated in the
224
<code>"Restricted Files"</code> area, it will automatically
225
retry the same password for any area on the same server that is
226
marked with the <code>"Restricted Files"</code> Realm.
227
Therefore, you can prevent a user from being prompted more than
228
once for a password by letting multiple restricted areas share
229
the same realm. Of course, for security reasons, the client
230
will always need to ask again for the password whenever the
231
hostname of the server changes.</p>
233
<p>The <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> is,
234
in this case, optional, since <code>file</code> is the default value
235
for this directive. You'll need to use this directive if you are
236
choosing a different source for authentication, such as
237
<code class="module"><a href="../mod/mod_authn_dbm.html">mod_authn_dbm</a></code> or <code class="module"><a href="../mod/mod_authn_dbd.html">mod_authn_dbd</a></code>.</p>
239
<p>The <code class="directive"><a href="../mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code>
240
directive sets the path to the password file that we just
241
created with <code class="program"><a href="../programs/htpasswd.html">htpasswd</a></code>. If you have a large number
242
of users, it can be quite slow to search through a plain text
243
file to authenticate the user on each request. Apache also has
244
the ability to store user information in fast database files.
245
The <code class="module"><a href="../mod/mod_authn_dbm.html">mod_authn_dbm</a></code> module provides the <code class="directive"><a href="../mod/mod_authn_dbm.html#authdbmuserfile">AuthDBMUserFile</a></code> directive. These
246
files can be created and manipulated with the <code class="program"><a href="../programs/dbmmanage.html">dbmmanage</a></code> program. Many
247
other types of authentication options are available from third
248
party modules in the <a href="http://modules.apache.org/">Apache Modules
251
<p>Finally, the <code class="directive"><a href="../mod/core.html#require">Require</a></code>
252
directive provides the authorization part of the process by
253
setting the user that is allowed to access this region of the
254
server. In the next section, we discuss various ways to use the
255
<code class="directive"><a href="../mod/core.html#require">Require</a></code> directive.</p>
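<p>To make the exchange concrete, here is an added example that is not code from this manual or from httpd itself: a Python model of what <code>mod_auth_basic</code> and <code>mod_authn_file</code> do with the directives above, namely the 401 challenge carrying the realm, the base64 decoding of the <code>Authorization</code> header, the lookup in an htpasswd-style file, and the <code>Require user</code> decision. The password file is constructed inside the script in the <code>{SHA}</code> form that <code>htpasswd -s</code> writes; the accounts, the passwords and the function names are assumptions made for the illustration, not an Apache API.</p>

```python
# Added example, not from the Apache manual: a model of what mod_auth_basic
# and mod_authn_file do for
#   AuthType Basic / AuthName "Restricted Files" / AuthUserFile ... / Require user rbowen
# The password file is constructed here in the {SHA} form "htpasswd -s" writes;
# the accounts and passwords are made up.
import base64
import hashlib
import hmac

REALM = "Restricted Files"            # the AuthName value from the example above


def sha_entry(password: str) -> str:
    """Hash a password as 'htpasswd -s' does: '{SHA}' + base64(raw SHA-1).
    Unsalted SHA-1 is used only because the standard library reproduces it
    exactly; it gives no protection against offline guessing of a stolen file."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed stand-in for /usr/local/apache/passwd/passwords: "user:hash" per line.
PASSWD_FILE = "rbowen:" + sha_entry("mypassword") + "\n" + "dpitts:" + sha_entry("s3cret") + "\n"


def load_users(text: str) -> dict:
    """Parse htpasswd output into {username: stored_hash}. A username can never
    contain ':', so splitting on the first ':' is safe."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if sep:
            users[user] = stored
    return users


def basic_header(user: str, password: str) -> str:
    """The Authorization value a browser sends: 'Basic ' + base64('user:password').
    This is an encoding, not encryption: whoever can read the connection has it."""
    return "Basic " + base64.b64encode((user + ":" + password).encode("utf-8")).decode("ascii")


def parse_authorization(value: str):
    """Undo basic_header(). Returns (user, password), or None if the header is unusable."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")     # the password itself may contain ':'
    if not sep or not user:
        return None
    return user, password


def verify_password(users: dict, user: str, password: str) -> bool:
    """Check a {SHA} entry. An unknown user takes the same path as a wrong password,
    and the comparison is constant-time, so neither case is told apart by timing."""
    stored = users.get(user, "")
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(sha_entry(password).encode("ascii"), stored.encode("utf-8"))


def check_request(headers: dict, users: dict, allowed: set):
    """Authentication, then authorization, as Apache does for 'Require user ...'.
    Returns (status, www_authenticate_value_or_None). Missing or wrong credentials
    and an authenticated-but-unlisted user all get 401 with the realm, so the
    browser can prompt (again)."""
    challenge = 'Basic realm="%s"' % REALM
    creds = parse_authorization(headers.get("Authorization", ""))
    if creds is None or not verify_password(users, creds[0], creds[1]):
        return 401, challenge
    if creds[0] not in allowed:                    # Require user rbowen
        return 401, challenge
    return 200, None


USERS = load_users(PASSWD_FILE)

if __name__ == "__main__":
    print(check_request({}, USERS, {"rbowen"}))                                                      # 401
    print(check_request({"Authorization": basic_header("rbowen", "mypassword")}, USERS, {"rbowen"}))  # 200
    print(check_request({"Authorization": basic_header("dpitts", "s3cret")}, USERS, {"rbowen"}))      # 401
```

<p>Running the script prints the three decisions: no credentials, the listed user with the right password, and a valid user who is not named in <code>Require user</code>. On a real server prefer the MD5-based hash <code>htpasswd</code> writes by default (or bcrypt with <code>htpasswd -B</code> on httpd 2.4) over <code>{SHA}</code>, which is unsalted and fast to brute-force if the password file leaks.</p>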
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="lettingmorethanonepersonin" id="lettingmorethanonepersonin">Letting more than one
person in</a></h2>
<p>The directives above only let one person (specifically
someone with a username of <code>rbowen</code>) into the
directory. In most cases, you'll want to let more than one
person in. This is where the <code class="directive"><a href="../mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> comes in.</p>
<p>If you want to let more than one person in, you'll need to
create a group file that associates group names with a list of
users in that group. The format of this file is pretty simple,
and you can create it with your favorite editor. The contents
of the file will look like this:</p>
<div class="example"><p><code>
GroupName: rbowen dpitts sungo rshersey
</code></p></div>
<p>That's just a list of the members of the group in a long
line separated by spaces. Like the password file, it should live
outside the web tree.</p>
<p>To add a user to your already existing password file,
type:</p>
<div class="example"><p><code>
htpasswd /usr/local/apache/passwd/passwords dpitts
</code></p></div>
<p>You'll get the same response as before, but it will be
appended to the existing file, rather than creating a new file.
(It's the <code>-c</code> that makes it create a new password
file.)</p>
<p>Now, you need to modify your <code>.htaccess</code> file to
look like the following:</p>
<div class="example"><p><code>
AuthType Basic<br />
AuthName "By Invitation Only"<br />
# Optional line:<br />
AuthBasicProvider file<br />
AuthUserFile /usr/local/apache/passwd/passwords<br />
AuthGroupFile /usr/local/apache/passwd/groups<br />
Require group GroupName
</code></p></div>
<p>Now, anyone that is listed in the group <code>GroupName</code>,
and has an entry in the <code>passwords</code> file, will be let in, if
they type the correct password. Listing a name in the group file
alone does nothing: authentication against the password file
happens first, and only then is group membership consulted.</p>
<p>There's another way to let multiple users in that is less
specific. Rather than creating a group file, you can just use
the following directive:</p>
<div class="example"><p><code>
Require valid-user
</code></p></div>
<p>Using that rather than the <code>Require user rbowen</code>
line will allow anyone in that is listed in the password file,
and who correctly enters their password. You can even emulate
the group behavior here, by just keeping a separate password
file for each group. The advantage of this approach is that
Apache only has to check one file, rather than two. The
disadvantage is that you have to maintain a bunch of password
files, and remember to reference the right one in the
<code class="directive"><a href="../mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code> directive.</p>
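<p>The authorization step, as an added example rather than code from this manual or from httpd: the script parses a constructed group file in <code>AuthGroupFile</code> format and evaluates <code>Require user</code>, <code>Require group</code> and <code>Require valid-user</code> for a user that authentication has already verified, including the case of several <code>Require</code> lines in one section. The function names and the sample group file are assumptions made for the illustration.</p>

```python
# Added example, not from the Apache manual: a model of the authorization step
# that mod_authz_user and mod_authz_groupfile perform after mod_auth_basic has
# verified the user. The group file is constructed here; the names are made up.

# Constructed stand-in for /usr/local/apache/passwd/groups.
GROUP_FILE = """\
GroupName: rbowen dpitts sungo rshersey
admins: rbowen
"""


def load_groups(text: str) -> dict:
    """Parse an AuthGroupFile into {group: set(members)}.
    Blank lines and '#' comment lines are skipped; a group named twice is merged."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        if not sep or not name.strip():
            continue                      # not a group definition; grants nobody anything
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def parse_require(directive: str):
    """Turn 'Require user a b', 'Require group g' or 'Require valid-user' into
    (kind, frozenset_of_names). Anything else is treated as a configuration error."""
    words = directive.split()
    if len(words) < 2 or words[0] != "Require":
        raise ValueError("not a Require directive: %r" % directive)
    kind, names = words[1], frozenset(words[2:])
    if kind == "valid-user" and not names:
        return kind, names
    if kind in ("user", "group") and names:
        return kind, names
    raise ValueError("malformed Require directive: %r" % directive)


def is_authorized(user, requires, groups: dict) -> bool:
    """user is the name authentication already verified (None when it failed, so a
    name that appears only in the group file never gets this far). Access is
    granted as soon as any one Require line is satisfied, which is how several
    Require lines in one section combine in httpd 2.2."""
    if user is None:
        return False
    for kind, names in map(parse_require, requires):
        if kind == "valid-user":
            return True                                   # any authenticated user
        if kind == "user" and user in names:
            return True                                   # explicitly listed
        if kind == "group" and any(user in groups.get(g, ()) for g in names):
            return True                                   # member of a listed group
    return False


GROUPS = load_groups(GROUP_FILE)

if __name__ == "__main__":
    print(is_authorized("dpitts", ["Require group GroupName"], GROUPS))    # True
    print(is_authorized("mallory", ["Require group GroupName"], GROUPS))   # False
    print(is_authorized("mallory", ["Require valid-user"], GROUPS))        # True
```

<p>The last call shows what <code>Require valid-user</code> gives up: any account in the password file gets in, so the password file itself becomes the access list.</p>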
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="possibleproblems" id="possibleproblems">Possible problems</a></h2>
<p>Because of the way that Basic authentication is specified,
your username and password must be verified every time you
request a document from the server. This is even if you're
reloading the same page, and for every image on the page (if
they come from a protected directory): HTTP is stateless, the
browser re-sends the <code>Authorization</code> header with each
request, and the server does not cache the result of the check.
As you can imagine, this
slows things down a little. The amount that it slows things
down is proportional to the size of the password file, because
it has to open up that file, and go down the list of users
until it gets to your name. And it has to do this every time a
request is made.</p>
<p>A consequence of this is that there's a practical limit to
how many users you can put in one password file. This limit
will vary depending on the performance of your particular
server machine, but you can expect to see slowdowns once you
get above a few hundred entries, and may wish to consider a
different authentication method at that time.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="dbmdbd" id="dbmdbd">Alternate password storage</a></h2>
<p>Because storing passwords in a flat text file has the above
problems, you may wish to store your passwords somewhere else, such
as in a database.</p>
<p><code class="module"><a href="../mod/mod_authn_dbm.html">mod_authn_dbm</a></code> and <code class="module"><a href="../mod/mod_authn_dbd.html">mod_authn_dbd</a></code>
are two modules which make this possible. Rather than selecting
<code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> <code>file</code>,
instead you can choose <code>dbm</code> or <code>dbd</code> as your
storage format.</p>
<p>To select a dbm file rather than a text file, for example:</p>
<div class="example"><p><code>
&lt;Directory /www/docs/private&gt;<br />
AuthName "Private"<br />
AuthType Basic<br />
AuthBasicProvider dbm<br />
AuthDBMUserFile /www/passwords/passwd.dbm<br />
Require valid-user<br />
&lt;/Directory&gt;
</code></p></div>
<p>Other options are available. Consult the
<code class="module"><a href="../mod/mod_authn_dbm.html">mod_authn_dbm</a></code> documentation for more details.</p>
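<p>As an added example (not code from this manual or from httpd), the script below builds an <code>AuthDBMUserFile</code> in the key/value layout that <code>mod_authn_dbm</code> reads and looks users up by key, which is what makes the dbm provider faster than scanning a text file once the user list is large. It writes the file with Python's <code>dbm</code> module into a temporary directory; the user names, passwords and groups are made up, and <code>sha_entry</code> reproduces the <code>{SHA}</code> form of <code>htpasswd -s</code> only so that the stored values look realistic.</p>

```python
# Added example, not from the Apache manual: the key/value layout of an
# AuthDBMUserFile, written and read back with Python's dbm module.
# User names, passwords and groups are made up.
import base64
import dbm
import hashlib
import os
import tempfile


def sha_entry(password: str) -> str:
    """'{SHA}' + base64(SHA-1(password)), the form 'htpasswd -s' produces."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def write_dbm_users(path: str, entries: dict) -> None:
    """entries maps username -> (password_hash, [group, ...]).
    mod_authn_dbm keys the file by username and takes the password hash from the
    start of the value; whatever follows the first ':' is extra data, which
    mod_authz_dbm reads as a comma-separated group list when AuthDBMGroupFile
    points at the same file."""
    with dbm.open(path, "n") as db:                 # "n": always create a new, empty file
        for user, (pw_hash, groups) in entries.items():
            value = pw_hash + (":" + ",".join(groups) if groups else "")
            db[user.encode("utf-8")] = value.encode("utf-8")


def lookup_dbm_user(path: str, user: str):
    """One keyed lookup instead of a scan of every line, which is the point of the
    dbm provider for large user lists. Returns (hash, set_of_groups) or None."""
    key = user.encode("utf-8")
    with dbm.open(path, "r") as db:
        if key not in db:
            return None
        value = db[key].decode("utf-8")
    pw_hash, _, groups = value.partition(":")
    return pw_hash, {g for g in groups.split(",") if g}


def demo() -> dict:
    """Write a constructed user file in a temporary directory and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwd.dbm")
        write_dbm_users(path, {
            "rbowen": (sha_entry("mypassword"), ["GroupName", "admins"]),
            "dpitts": (sha_entry("s3cret"), []),
        })
        return {name: lookup_dbm_user(path, name) for name in ("rbowen", "dpitts", "nobody")}


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found)      # rbowen -> ('{SHA}...', {'GroupName', 'admins'}); nobody -> None
```

<p>Python's <code>dbm</code> module uses whichever library it finds (GDBM, NDBM or its own pure-Python format), while httpd reads the type configured by <code class="directive"><a href="../mod/mod_authn_dbm.html#authdbmtype">AuthDBMType</a></code> (normally SDBM in a default build), so a file written here is only readable by the server when those two agree; use <code class="program"><a href="../programs/dbmmanage.html">dbmmanage</a></code> or <code class="program"><a href="../programs/htdbm.html">htdbm</a></code> to create the file the server will actually use. The layout is the point: password hash first, then optionally a colon and the comma-separated group list that <code>AuthDBMGroupFile</code> can read from the same file.</p>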
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="moreinformation" id="moreinformation">More information</a></h2>
<p>You should also read the documentation for
<code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> and <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code> which
contain some more information about how this all works.
<code class="module"><a href="../mod/mod_authn_alias.html">mod_authn_alias</a></code> can also help in simplifying certain
authentication configurations.</p>
<p>And you may want to look at the <a href="access.html">Access
Control</a> howto, which discusses a number of related topics.</p>
</div></div>
<div id="footer">
<p class="apache">Copyright 2006 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
</div>
</body></html>