Securing Your Web Pages with Apache Page 10
Unlike your system's login system, which will probably kick you out, disconnect you, lock your account, or do something equally extroverted and paranoid (and log the fact!) if you misspell your password a few times in a row, there are no such controls on the Web. So someone could very easily write a script that just banged away on your system, trying endless combinations of usernames and passwords, and nothing would automatically perk up and make rude noises.
If you still want to do it after reading the above and
the additional information in the Apache FAQ, well, on your own
head be it. You can do it with mod_access, and that's
all I'm going to say about it. And that's probably already too much,
too.
Which Database is Authoritative?
What if you want to mix and match and have multiple types of authentication database within a single realm? How does Apache figure out which one to check first, and how does it know to consult another if the first one fails to find the credentials?
The answer has to do with authoritativeness. Each of the discretionary
control modules includes a directive named something like
AuthAuthoritative. Each module's version of this directive
is named differently, so that it can be associated with that module
and no other, so we also have AuthDBAuthoritative,
AuthDBMAuthoritative, and Anonymous_Authoritative.
If a module is considered authoritative, then when Apache gets an "I don't know this person" response, it won't look any further. If the module isn't authoritative, the server can proceed to consult another module.
Technical note: Actually, the decision isn't made by the server itself. Each module knows whether or not it's authoritative (based on the presence/absence/setting of its *Authoritative directive), and so in the case of a failure it signals the stop/continue answer to the server by returning either HTTP_UNAUTHORIZED or DECLINED respectively.
By default, the modules tend to consider themselves authoritative until
you tell them otherwise, on the principle that it's better to be safe
than sorry. You can make this explicit with an
AuthAuthoritative On line, or allow responsibility
sharing with AuthAuthoritative Off. (Use the
appropriate directive for the module in question!)
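The fragment below is an added example, not configuration from the original article: a single realm backed by both a flat file and a DBM file, with the flat-file module allowed to hand off. The directory, realm name and file paths are assumptions, and it presumes both mod_auth and mod_auth_dbm are present in the server.

```apache
# Added example; the directory, realm name and file paths are assumptions.
<Directory "/usr/local/web/apache/htdocs/private">
    AuthType Basic
    AuthName "Staff Area"

    # Flat-file store (mod_auth), maintained with htpasswd.
    AuthUserFile /usr/local/web/apache/auth/staff.htpasswd
    # Off: when the username is not in this file, mod_auth answers
    # DECLINED and the server may consult another module.
    # Left at the default (On), a user who exists only in the DBM file
    # would be stopped here with HTTP_UNAUTHORIZED if mod_auth is the
    # module asked first.
    AuthAuthoritative Off

    # DBM store (mod_auth_dbm), maintained with dbmmanage.
    AuthDBMUserFile /usr/local/web/apache/auth/staff-dbm
    # On (the default, written out): an unknown username here ends the
    # search with HTTP_UNAUTHORIZED, so the realm still has one module
    # that gives the final "no".
    AuthDBMAuthoritative On

    # The order of the lines above does not choose which module is asked
    # first; that comes from the module order of the server itself. The
    # module that ends up being asked last is the one to keep authoritative.
    require valid-user
</Directory>
```

After a change like this, request a protected page once with a user from each store and once with an unknown username, and confirm that only the first two succeed.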
The htpasswd, htdigest, and dbmmanage Utilities
These three utilities are considered 'user' tools, since you
don't need to be the Webmaster in order to use them to create
access control files for your own Web directory. As user applications,
their documentation is in the man/man1 subdirectory
of your Apache server installation; you can read it with a
command such as:
% man /usr/local/web/apache/man/man1/htpasswd.1
Given the assumptions stated earlier, you should find all three of these applications in the /usr/local/web/apache/bin/ directory, and the source of their man pages in /usr/local/web/apache/man/man1/.

