Apache HTTP Server Version 2.4 (original) (raw)

Apache Module mod_authn_core

Available Languages: en | fr

Summary

This module provides core authentication capabilities to allow or deny access to portions of the web site.[mod_authn_core](../mod/mod%5Fauthn%5Fcore.html) provides directives that are common to all authentication providers.

Creating Authentication Provider Aliases

Extended authentication providers can be created within the configuration file and assigned an alias name. The alias providers can then be referenced through the directives[AuthBasicProvider](../mod/mod%5Fauth%5Fbasic.html#authbasicprovider) or[AuthDigestProvider](../mod/mod%5Fauth%5Fdigest.html#authdigestprovider) in the same way as a base authentication provider. Besides the ability to create and alias an extended provider, it also allows the same extended authentication provider to be reference by multiple locations.

Examples

This example checks for passwords in two different text files.

Checking multiple text password files

Check here first

Then check here

<Directory "/var/web/pages/secure"> AuthBasicProvider file1 file2

AuthType Basic
AuthName "Protected Area"
Require valid-user

The example below creates two different ldap authentication provider aliases based on the ldap provider. This allows a single authenticated location to be serviced by multiple ldap hosts:

Checking multiple LDAP servers

Alias "/secure" "/webpages/secure" <Directory "/webpages/secure"> AuthBasicProvider ldap-other-alias ldap-alias1

AuthType Basic
AuthName "LDAP Protected Place"
Require valid-user
# Note that Require ldap-* would not work here, since the 
# AuthnProviderAlias does not provide the config to authorization providers
# that are implemented in the same module as the authentication provider.

AuthName Directive

This directive sets the name of the authorization realm for a directory. This realm is given to the client so that the user knows which username and password to send.AuthName takes a single argument; if the realm name contains spaces, it must be enclosed in quotation marks. It must be accompanied by [AuthType](#authtype) and [Require](../mod/mod%5Fauthz%5Fcore.html#require) directives, and directives such as [AuthUserFile](../mod/mod%5Fauthn%5Ffile.html#authuserfile) and[AuthGroupFile](../mod/mod%5Fauthz%5Fgroupfile.html#authgroupfile) to work.

For example:

AuthName "Top Secret"

The string provided for the AuthName is what will appear in the password dialog provided by most browsers.

From 2.4.55, expression syntax can be used inside the directive to produce the name dynamically.

For example:

AuthName "%{HTTP_HOST}"

See also

• Authentication, Authorization, and Access Control
• [mod_authz_core](../mod/mod%5Fauthz%5Fcore.html)

Directive

<AuthnProviderAlias> and</AuthnProviderAlias> are used to enclose a group of authentication directives that can be referenced by the alias name using one of the directives [ AuthBasicProvider](../mod/mod%5Fauth%5Fbasic.html#authbasicprovider) or [ AuthDigestProvider](../mod/mod%5Fauth%5Fdigest.html#authdigestprovider).

This directive has no affect on authorization, even for modules that provide both authentication and authorization.

AuthType Directive

This directive selects the type of user authentication for a directory. The authentication types available are None,Basic (implemented by[mod_auth_basic](../mod/mod%5Fauth%5Fbasic.html)), Digest (implemented by [mod_auth_digest](../mod/mod%5Fauth%5Fdigest.html)), andForm (implemented by [mod_auth_form](../mod/mod%5Fauth%5Fform.html)).

To implement authentication, you must also use the [AuthName](#authname) and [Require](../mod/mod%5Fauthz%5Fcore.html#require) directives. In addition, the server must have an authentication-provider module such as[mod_authn_file](../mod/mod%5Fauthn%5Ffile.html) and an authorization module such as [mod_authz_user](../mod/mod%5Fauthz%5Fuser.html).

The authentication type None disables authentication. When authentication is enabled, it is normally inherited by each subsequent configuration section, unless a different authentication type is specified. If no authentication is desired for a subsection of an authenticated section, the authentication type None may be used; in the following example, clients may access the/www/docs/public directory without authenticating:

<Directory "/www/docs"> AuthType Basic AuthName Documents AuthBasicProvider file AuthUserFile "/usr/local/apache/passwd/passwords" Require valid-user

<Directory "/www/docs/public"> AuthType None Require all granted

From 2.4.55, expression syntax can be used inside the directive to specify the type dynamically.

When disabling authentication, note that clients which have already authenticated against another portion of the server's document tree will typically continue to send authentication HTTP headers or cookies with each request, regardless of whether the server actually requires authentication for every resource.

See also

• Authentication, Authorization, and Access Control

Comments

Notice:
This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our mailing lists.