Different URLs within a realm can be protected in different ways,
with different sets of credentials being valid for different locations.
However, since the realm is the key the client uses to remember
which credentials to send, being egregious about using multiple
sets of credentials within the same realm tends to annoy users
when they have to re-authenticate repeatedly for what looks like
(and in fact is) the same realm. It’s generally a good idea to
have a one-to-one relationship between realms and sets of
authorised credentials.
But how do you turn on access control in the first place?
Just as you apply any other Apache directive: by having the
directives appear in the appropriate scope. For example:
AuthName Finance AuthType Basic AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance Require valid-userThis will protect the
finance
subdirectory and all
files and subdirectories in it any below it. Other directories,
such asproducts
, remain unaffected.
containers are all very well, but what
if you want to protect only a single file? Or perhaps a document
that isn't mapped to the filesystem, like the output from
mod_status
? The answer remains the same: use the
appropriate scoping directives (such as
and) to apply the security measures
to the items you want protected.Inheritance
Like almost all other Apache configuration details, the security
directives that apply to a particular document or directoy may be
inherited from the parent, or possibly even further up the tree.
This means that at each level you need only supply those directives that
are different. The following two fragments are equivalent:AuthName "Finance Department" AuthType Basic AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance Require valid-user AuthName "Finance Department" AuthType Basic AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance Require user susan bob AuthName "Finance Department" AuthType Basic AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance Require valid-userRequire user susan bobThe second fragment takes advantage of the inheritance of the
values from the parent directory, and simply restricts the access
list to only Bob and Susan.It's generally not a good idea to make too many assumptions when
dealing with security matters, so even though inheritance can seem
to make your life easier by not requiring you to duplicate
directives all over the place, this might be an illusion. Just
wait until you see how complicated your life becomes when all the
inherited values become compromised because of a single mistake
at a higher level.A related subject involves determining which of possibly several
access control modules has the Final Say on whether access is
granted or not. This is covered in a
later section.Requiring a Specific Username