Securing Your Web Pages with Apache Page 8
AuthUserFile directive and friends tell
Apache (and the security modules) where to find the authentication
databases, it's the
Require directive that provides
the instructions on how to use them. If a scope doesn't include
(or inherit) a
Require directive, then it isn't
under discretionary access control regardless of whatever other
directives may be present.
Multiple occurrences of
Require are cumulative;
each line gets added to the list of conditions. Whether
processing stops at the first matching condition or if all of
them need to be met is up to the module programmer; for
mod_auth, for example, the first match satisfies
the condition for access, even if the configuration contains
something potentially confusing like:
AuthUserFile /home/foo/.htpasswd-foo Require user foo Require user bar
In this case (and in most cases, in fact), the intended meaning is, "Require the username to be foo OR bar."
To avoid complicated configuration files when the access list is
large, there's a shortcut notation:
This means, "any of the usernames in the authentication
database can access this realm." Obviously this won't
work unless the database contains credentials only
for users allowed access; if there are any users in it
which aren't supposed to have access (such as might happen
if you're sharing a single database across multiple realms),
you'll need to use grouping or some other mechanism because
valid-user keyword won't grind finely enough.
Even though the
Require directive isn't specific to
any particular module, the syntax of the command is. That means
that there aren't any restrictions on the syntax;
Require candy-type caramel"
will be accepted, on the grounds that one of the security modules
have understand what it means.
Most of the discretionary control modules also provide support
for grouping users together, and granting access to groups
rather than individuals. This can be done (for
AuthGroupFile directive. Like the user file,
the group file simply contains lines of text. Each line consists
of a group name, a colon, and a list of comma-separated usernames.
When the username is decoded from the request credentials,
the module can look it up in the group file to see to which
group(s) it belongs. Here's an example group file:
board:annette,bill,james,gwynyth finance:susan,steve,phoebe,zoe,bill_s engineering:geekboy,lisa,melanie,george,j_johnson
To allow access by group, you simply change the
Requiredirective to something like this:Require group board
As with normal Unix users, a single username may belong to multiple groups.
The Standard Apache Security Modules
Below is a list of the security-related modules that are included as part of the standard Apache distribution.
- This is the only module in the standard Apache distribution which
applies mandatory controls. It allows you to list hosts, domains,
and/or IP addresses or networks that are permitted or denied access