This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
-<title>Authentication, Authorization and Access Control - Apache HTTP Server</title>
+<title>Authentication and Authorization - Apache HTTP Server</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
<div id="path">
-<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.2</a> > <a href="./">How-To / Tutorials</a></div><div id="page-content"><div id="preamble"><h1>Authentication, Authorization and Access Control</h1>
+<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.2</a> > <a href="./">How-To / Tutorials</a></div><div id="page-content"><div id="preamble"><h1>Authentication and Authorization</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/howto/auth.html" title="English"> en </a> |
<a href="../fr/howto/auth.html" hreflang="fr" rel="alternate" title="Français"> fr </a> |
someone is who they claim they are. Authorization is any
process by which someone is allowed to be where they want to
go, or to have information that they want to have.</p>
+
+ <p>For general access control, see the <a href="access.html">Access
+ Control How-To</a>.</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#related">Related Modules and Directives</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#introduction">Introduction</a></li>
<ul>
<li>Authentication type (see the
- <code class="directive"><a href="../mod/core.html#authtype">AuthType</a></code> directive)
+ <code class="directive"><a href="../mod/mod_authn_core.html#authtype">AuthType</a></code> directive)
<ul>
<li><code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code></li>
<li><code class="module"><a href="../mod/mod_auth_digest.html">mod_auth_digest</a></code></li>
</ul>
</li>
- <li>Authentication provider
+ <li>Authentication provider (see the
+ <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> and
+ <code class="directive"><a href="../mod/mod_auth_digest.html#authdigestprovider">AuthDigestProvider</a></code> directives)
+
<ul>
- <li><code class="module"><a href="../mod/mod_authn_alias.html">mod_authn_alias</a></code></li>
<li><code class="module"><a href="../mod/mod_authn_anon.html">mod_authn_anon</a></code></li>
<li><code class="module"><a href="../mod/mod_authn_dbd.html">mod_authn_dbd</a></code></li>
<li><code class="module"><a href="../mod/mod_authn_dbm.html">mod_authn_dbm</a></code></li>
- <li><code class="module"><a href="../mod/mod_authn_default.html">mod_authn_default</a></code></li>
<li><code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code></li>
<li><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code></li>
+ <li><code class="module"><a href="../mod/mod_authn_socache.html">mod_authn_socache</a></code></li>
</ul>
</li>
<li>Authorization (see the
- <code class="directive"><a href="../mod/core.html#require">Require</a></code> directive)
+ <code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code> directive)
<ul>
<li><code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code></li>
+ <li><code class="module"><a href="../mod/mod_authz_dbd.html">mod_authz_dbd</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_dbm.html">mod_authz_dbm</a></code></li>
- <li><code class="module"><a href="../mod/mod_authz_default.html">mod_authz_default</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code></li>
+ <li><code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_owner.html">mod_authz_owner</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code></li>
</ul>
structure of your server, in order to know where some files are
kept. This should not be terribly difficult, and I'll try to
make this clear when we come to that point.</p>
+
+ <p>You will also need to make sure that the modules
+ <code class="module"><a href="../mod/mod_authn_core.html">mod_authn_core</a></code> and <code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code>
+ have either been built into the httpd binary or loaded by the
+ httpd.conf configuration file. Both of these modules provide core
+ directives and functionality that are critical to the configuration
+ and use of authentication and authorization in the web server.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="gettingitworking" id="gettingitworking">Getting it working</a></h2>
# (Following line optional)<br />
AuthBasicProvider file<br />
AuthUserFile /usr/local/apache/passwd/passwords<br />
- Require user rbowen
+Require user rbowen
</code></p></div>
<p>Let's examine each of those directives individually. The <code class="directive"><a href="../mod/core.html#authtype">AuthType</a></code> directive selects
<code>AuthType Digest</code>. This method is implemented by <code class="module"><a href="../mod/mod_auth_digest.html">mod_auth_digest</a></code> and is much more secure. Most recent
browsers support Digest authentication.</p>
- <p>The <code class="directive"><a href="../mod/core.html#authname">AuthName</a></code> directive sets
+ <p>The <code class="directive"><a href="../mod/mod_authn_core.html#authname">AuthName</a></code> directive sets
the <dfn>Realm</dfn> to be used in the authentication. The realm serves
two major functions. First, the client often presents this information to
the user as part of the password dialog box. Second, it is used by the
party modules in the <a href="http://modules.apache.org/">Apache Modules
Database</a>.</p>
- <p>Finally, the <code class="directive"><a href="../mod/core.html#require">Require</a></code>
+ <p>Finally, the <code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code>
directive provides the authorization part of the process by
setting the user that is allowed to access this region of the
server. In the next section, we discuss various ways to use the
AuthBasicProvider file<br />
AuthUserFile /usr/local/apache/passwd/passwords<br />
AuthGroupFile /usr/local/apache/passwd/groups<br />
- Require group GroupName
+Require group GroupName
</code></p></div>
<p>Now, anyone that is listed in the group <code>GroupName</code>,
AuthBasicProvider dbm<br />
AuthDBMUserFile /www/passwords/passwd.dbm<br />
Require valid-user<br />
- </Directory>
+</Directory>
</code></p></div>
<p>Other options are available. Consult the
need to have Apache configured to permit CGI execution. There
are several ways to do this.</p>
+ <div class="warning">Note: If Apache has been built with shared module
+ support you need to ensure that the module is loaded; in your
+ <code>httpd.conf</code> you need to make sure the
+ <code class="directive"><a href="../mod/mod_so.html#loadmodule">LoadModule</a></code>
+ directive has not been commented out. A correctly configured directive
+ may look like this:
+
+ <pre class="prettyprint lang-config">
+ LoadModule cgi_module modules/mod_cgi.so
+ </pre>
+</div>
+
<h3><a name="scriptalias" id="scriptalias">ScriptAlias</a></h3>
- <p>The
+ <p>The
<code class="directive"><a href="../mod/mod_alias.html#scriptalias">ScriptAlias</a></code>
directive tells Apache that a particular directory is set
<p>For example, if the URL
<code>http://www.example.com/cgi-bin/test.pl</code>
- is requested, Apache will attempt to execute the file
+ is requested, Apache will attempt to execute the file
<code>/usr/local/apache2/cgi-bin/test.pl</code>
and return the output. Of course, the file will have to
exist, and be executable, and return output in a particular
use CGI programs. However, if the proper security precautions are
taken, there is no reason why CGI programs cannot be run from
arbitrary directories. For example, you may wish to let users
- have web content in their home directories with the
+ have web content in their home directories with the
<code class="directive"><a href="../mod/mod_userdir.html#userdir">UserDir</a></code> directive.
If they want to have their own CGI programs, but don't have access to
the main <code>cgi-bin</code> directory, they will need to be able to
<p>There are two steps to allowing CGI execution in an arbitrary
directory. First, the <code>cgi-script</code> handler must be
activated using the <code class="directive"><a href="../mod/mod_mime.html#addhandler">AddHandler</a></code> or <code class="directive"><a href="../mod/core.html#sethandler">SetHandler</a></code> directive. Second,
- <code>ExecCGI</code> must be specified in the <code class="directive"><a href="../mod/core.html#options">Options</a></code> directive.</p>
+ <code>ExecCGI</code> must be specified in the <code class="directive"><a href="../mod/core.html#options">Options</a></code> directive.</p>
<h3><a name="options" id="options">Explicitly using Options to permit CGI execution</a></h3>
<span class="indent">
Options +ExecCGI<br />
</span>
- </Directory>
+</Directory>
</code></p></div>
<p>The above directive tells Apache to permit the execution
Options +ExecCGI<br />
AddHandler cgi-script .cgi<br />
</span>
- </Directory>
+</Directory>
</code></p></div>
<p>If you wish designate a <code>cgi-bin</code> subdirectory of
Options ExecCGI<br />
SetHandler cgi-script<br />
</span>
- </Directory>
+</Directory>
</code></p></div>
<p>The following is an example CGI program that prints one
line to your browser. Type in the following, save it to a
- file called <code>first.pl</code>, and put it in your
+ file called <code>first.pl</code>, and put it in your
<code>cgi-bin</code> directory.</p>
<div class="example"><p><code>
#!/usr/bin/perl<br />
print "Content-type: text/html\n\n";<br />
- print "Hello, World.";
+print "Hello, World.";
</code></p></div>
<p>Even if you are not familiar with Perl, you should be able
http://www.example.com/cgi-bin/first.pl
</code></p></div>
- <p>or wherever you put your file, you will see the one line
+ <p>or wherever you put your file, you will see the one line
<code>Hello, World.</code> appear in your browser window.
It's not very exciting, but once you get that working, you'll
have a good chance of getting just about anything working.</p>
<dt>The source code of your CGI program or a "POST Method Not
Allowed" message</dt>
<dd>That means that you have not properly configured Apache
- to process your CGI program. Reread the section on
+ to process your CGI program. Reread the section on
<a href="#configuring">configuring
Apache</a> and try to find what you missed.</dd>
<a href="#permissions">file permissions</a>.</dd>
<dt>A message saying "Internal Server Error"</dt>
- <dd>If you check the
+ <dd>If you check the
<a href="#errorlogs">Apache error log</a>, you will probably
find that it says "Premature end of
script headers", possibly along with an error message
<p>Make sure that this is in fact the path to the
interpreter.</p>
-
- <p>In addition, if your CGI program depends on other <a href="#env">environment variables</a>, you will need to
- assure that those variables are passed by Apache.</p>
-
<div class="warning">
When editing CGI scripts on Windows, end-of-line characters may be
appended to the interpreter path. Ensure that files are then
unrecognized end-of-line character being interpreted as a part of
the interpreter filename.
</div>
+
+
+ <h3><a name="missingenv" id="missingenv">Missing environment variables</a></h3>
+
+
+ <p>If your CGI program depends on non-standard <a href="#env">environment variables</a>, you will need to
+ assure that those variables are passed by Apache.</p>
+
+ <p>When you miss HTTP headers from the environment, make
+ sure they are formatted according to
+ <a href="http://tools.ietf.org/html/rfc2616">RFC 2616</a>,
+ section 4.2: Header names must start with a letter,
+ followed only by letters, numbers or hyphen. Any header
+ violating this rule will be dropped silently.</p>
(where the computer searches for the actual file
implementing a command when you type it), your username, your
terminal type, and so on. For a full list of your normal,
- every day environment variables, type
+ every day environment variables, type
<code>env</code> at a command prompt.</p>
<p>During the CGI transaction, the server and the browser
<p>This simple Perl CGI program will display all of the
environment variables that are being passed around. Two
- similar programs are included in the
+ similar programs are included in the
<code>cgi-bin</code>
directory of the Apache distribution. Note that some
variables are required, while others are optional, so you may
see some variables listed that were not in the official list.
- In addition, Apache provides many different ways for you to
+ In addition, Apache provides many different ways for you to
<a href="../env.html">add your own environment variables</a>
to the basic ones provided by default.</p>
<span class="indent">
print "$key --> $ENV{$key}<br>";<br />
</span>
- }
+}
</code></p></div>
<p>Other communication between the server and the client
happens over standard input (<code>STDIN</code>) and standard
- output (<code>STDOUT</code>). In normal everyday context,
- <code>STDIN</code> means the keyboard, or a file that a
+ output (<code>STDOUT</code>). In normal everyday context,
+ <code>STDIN</code> means the keyboard, or a file that a
program is given to act on, and <code>STDOUT</code>
- usually means the console or screen.</p>
+ usually means the console or screen.</p>
<p>When you <code>POST</code> a web form to a CGI program,
the data in that form is bundled up into a special format
<p>You'll sometimes also see this type of string appended to
a URL. When that is done, the server puts that string
- into the environment variable called
+ into the environment variable called
<code>QUERY_STRING</code>. That's called a <code>GET</code>
request. Your HTML form specifies whether a <code>GET</code>
- or a <code>POST</code> is used to deliver the data, by setting the
+ or a <code>POST</code> is used to deliver the data, by setting the
<code>METHOD</code> attribute in the <code>FORM</code> tag.</p>
<p>Your program is then responsible for splitting that string
set of functionality, which is all you need in most programs.</p>
<p>If you're writing CGI programs in C, there are a variety of
- options. One of these is the <code>CGIC</code> library, from
+ options. One of these is the <code>CGIC</code> library, from
<a href="http://www.boutell.com/cgic/">http://www.boutell.com/cgic/</a>.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
projects / thirdparty / apache / httpd.git / commitdiff
