Unlike your system’s login system, which will probably kick
you out, disconnect you, lock your account, or do something
equally extroverted and paranoid (and log the fact!)
if you misspell your password a few times in a row, there
are no such controls on the Web. So someone could very
easily write a script that just banged away on your
system, trying endless combinations of usernames and passwords,
and nothing would automatically perk up and make rude noises.
If you still want to to it after reading the above and
the additional information in the Apache FAQ, well, on your own
head be it. You can do it with mod_access, and that’s
all I’m going to say about it. And that’s probably already too much,
too.
What if you want to mix and match and have multiple types of
authentication database within a single realm? How does Apache
figure out which one to check first, and how does it know to
consult another if the first one fails to find the credentials?
The answer has to do with authoritativeness. Each of the discretionary
control modules includes a directive named something like
AuthAuthoritative. Each module’s version of this directive
is named differently, so that it can be associated with that module
and no other, so we also have AuthDBAuthoritative,
AutDBMAuthoritative, and Anonymous_Authoritative.
If a module is considered authoritative, then when Apache gets a
“I don’t know this person” response, it won’t look any
further. If the module isn’t authoritative, the server can
proceed to consult another module.
Technical note: Actually, the decision isn’t made by the
server itself. Each module knows whether or not it’s authoritative
(based on the presence/absence/setting of its*Authoritative
directive), and so in the case of a failure it signals the stop/continue
answer to the server by returning eitherHTTP_UNAUTHORIZED
orDECLINEDrespectively.
By default, the modules tend to consider themselves authoritative until
you tell them otherwise, on the principle that it’s better to be safe
than sorry. You can make this explicit with a
AuthAuthoritative On line, or allow responsibility
sharing with AuthAuthoritative Off. (Use the
appropriate directive for the module in question!)
htpasswd, htdigest, anddbmmanage Utilities These three utilities are considered ‘user’ tools, since you
don’t need to be the Webmaster in order to use them to create
access control files for your own Web directory. As user applications,
their documentation is in the man/man1 subdirectory
of your Apache server installation; you can read it with a
command such as:
% man /usr/local/web/apache/man/man1/htpasswd.1Given the assumptions stated
earlier, you should find all three of these applications in
the/usr/local/web/apache/bin/directory, and the source
of theirmanpages in
/usr/local/web/apache/man/man1/.
Ken Coar is a ServerWatch contributor.
ServerWatch is a top resource on servers. Explore the latest news, reviews and guides for server administrators now.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.
