<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
<!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
<title>mod_authz_core - Apache HTTP Server Version 2.4</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_authz_core</h1>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Core Authorization</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>authz_core_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_authz_core.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTPD 2.3 and later</td></tr></table>
<h3>Summary</h3>
<p>This module provides core authorization capabilities so that
authenticated users can be allowed or denied access to portions
of the web site. <code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code> provides the
functionality to register various authorization providers. It is
usually used in conjunction with an authentication
provider module such as <code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code> and an
authorization module such as <code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code>. It
also allows for advanced logic to be applied to the
authorization processing.</p>
</div>
<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="../images/down.gif" /> <a href="#logic">Authorization Containers</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#requiredirectives">The Require Directives</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authzalias">Creating Authorization Provider Aliases</a></li>
</ul><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#authmerging">AuthMerging</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authzprovideralias"><AuthzProviderAlias></a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authzsendforbiddenonfailure">AuthzSendForbiddenOnFailure</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#require">Require</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#requireall"><RequireAll></a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#requireany"><RequireAny></a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#requirenone"><RequireNone></a></li>
</ul>
<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&list_id=144532&product=Apache%20httpd-2&query_format=specific&order=changeddate%20DESC%2Cpriority%2Cbug_severity&component=mod_authz_core">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&component=mod_authz_core">Report a bug</a></li></ul><h3>See also</h3>
<ul class="seealso">
<li><a href="#comments_section">Comments</a></li></ul></div>
<div class="section">
<h2><a name="logic" id="logic">Authorization Containers</a></h2>
<p>The authorization container directives
<code class="directive"><a href="#requireall"><RequireAll></a></code>,
<code class="directive"><a href="#requireany"><RequireAny></a></code>
and
<code class="directive"><a href="#requirenone"><RequireNone></a></code>
may be combined with each other and with the
<code class="directive"><a href="#require">Require</a></code>
directive to express complex authorization logic.</p>
<p>The example below expresses the following authorization logic.
In order to access the resource, the user must either be the
<code>superadmin</code> user, or belong to both the
<code>admins</code> group and the <code>Administrators</code> LDAP
group and either belong to the <code>sales</code> group or
have the LDAP <code>dept</code> attribute <code>sales</code>.
Furthermore, in order to access the resource, the user must
not belong to either the <code>temps</code> group or the
LDAP group <code>Temporary Employees</code>.</p>
<pre class="prettyprint lang-config"><Directory "/www/mydocs">
<RequireAll>
<RequireAny>
Require user superadmin
<RequireAll>
Require group admins
Require ldap-group "cn=Administrators,o=Airius"
<RequireAny>
Require group sales
Require ldap-attribute dept="sales"
</RequireAny>
</RequireAll>
</RequireAny>
<RequireNone>
Require group temps
Require ldap-group "cn=Temporary Employees,o=Airius"
</RequireNone>
</RequireAll>
</Directory></pre>
</div>
<div class="section">
<h2><a name="requiredirectives" id="requiredirectives">The Require Directives</a></h2>
<p><code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code> provides some generic authorization
providers which can be used with the
<code class="directive"><a href="#require">Require</a></code> directive.</p>
<h3><a name="reqenv" id="reqenv">Require env</a></h3>
<p>The <code>env</code> provider allows access to the server
to be controlled based on the existence of an <a href="../env.html">environment variable</a>. When <code>Require
env <var>env-variable</var></code> is specified, then the request is
allowed access if the environment variable <var>env-variable</var>
exists. The server provides the ability to set environment
variables in a flexible way based on characteristics of the client
request using the directives provided by
<code class="module"><a href="../mod/mod_setenvif.html">mod_setenvif</a></code>. Therefore, this directive can be
used to allow access based on such factors as the client's
<code>User-Agent</code> (browser type), <code>Referer</code>, or
other HTTP request header fields.</p>
<pre class="prettyprint lang-config">SetEnvIf User-Agent "^KnockKnock/2\.0" let_me_in
<Directory "/docroot">
Require env let_me_in
</Directory></pre>
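<p>In this case, browsers with a user-agent string beginning
with <code>KnockKnock/2.0</code> will be allowed access, and all
others will be denied. Because request headers such as
<code>User-Agent</code> are supplied by the client and can be set to
any value, a rule like this filters clients but does not authenticate
them.</p>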
<p>When the server looks up a path via an internal
<a class="glossarylink" href="../glossary.html#subrequest" title="see glossary">subrequest</a> such as looking
for a <code class="directive"><a href="../mod/mod_dir.html#directoryindex">DirectoryIndex</a></code>
or generating a directory listing with <code class="module"><a href="../mod/mod_autoindex.html">mod_autoindex</a></code>,
per-request environment variables are <em>not</em> inherited in the
subrequest. Additionally,
<code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> directives
are not separately evaluated in the subrequest due to the API phases
<code class="module"><a href="../mod/mod_setenvif.html">mod_setenvif</a></code> takes action in.</p>
<h3><a name="reqall" id="reqall">Require all</a></h3>
<p>The <code>all</code> provider mimics the functionality that
was previously provided by the 'Allow from all' and 'Deny from all'
directives. This provider can take one of two arguments which are
'granted' or 'denied'. The following examples will grant or deny
access to all requests.</p>
<pre class="prettyprint lang-config">Require all granted</pre>
<pre class="prettyprint lang-config">Require all denied</pre>
<h3><a name="reqmethod" id="reqmethod">Require method</a></h3>
<p>The <code>method</code> provider allows using the HTTP method in
authorization decisions. The GET and HEAD methods are treated as
equivalent. The TRACE method is not available to this provider;
use <code class="directive"><a href="../mod/core.html#traceenable">TraceEnable</a></code> instead.</p>
<p>The following example will only allow GET, HEAD, POST, and OPTIONS
requests:</p>
<pre class="prettyprint lang-config">Require method GET POST OPTIONS</pre>
<p>The following example will allow GET, HEAD, POST, and OPTIONS
requests without authentication, and require a valid user for all other
methods:</p>
<pre class="prettyprint lang-config"><RequireAny>
Require method GET POST OPTIONS
Require valid-user
</RequireAny></pre>
<h3><a name="reqexpr" id="reqexpr">Require expr</a></h3>
<p>The <code>expr</code> provider allows basing authorization
decisions on arbitrary expressions.</p>
<pre class="prettyprint lang-config">Require expr "%{TIME_HOUR} -ge 9 && %{TIME_HOUR} -le 17"</pre>
<pre class="prettyprint lang-config"><RequireAll>
Require expr "!(%{QUERY_STRING} =~ /secret/)"
Require expr "%{REQUEST_URI} in { '/example.cgi', '/other.cgi' }"
</RequireAll></pre>
<pre class="prettyprint lang-config">Require expr "!(%{QUERY_STRING} =~ /secret/) && %{REQUEST_URI} in { '/example.cgi', '/other.cgi' }"</pre>
<p>The syntax is described in the <a href="../expr.html">ap_expr</a>
documentation. Before httpd 2.4.16, the surrounding double-quotes MUST be
omitted.</p>
<p>Normally, the expression is evaluated before authentication. However, if
the expression returns false and references the variable
<code>%{REMOTE_USER}</code>, authentication will be performed and
the expression will be re-evaluated.</p>
</div>
<div class="section">
<h2><a name="authzalias" id="authzalias">Creating Authorization Provider Aliases</a></h2>
<p>Extended authorization providers can be created within the configuration
file and assigned an alias name. The alias providers can then be referenced
through the <code class="directive"><a href="#require">Require</a></code> directive
in the same way as a base authorization provider. Besides the ability to
create and alias an extended provider, it also allows the same extended
authorization provider to be referenced by multiple locations.
</p>
<h3><a name="example" id="example">Example</a></h3>
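<p>The example below creates two different ldap authorization provider
aliases based on the ldap-group authorization provider. This example
allows a single authorization location to check group membership within
multiple ldap hosts. Note that multiple <code class="directive">Require</code>
directives in one section are combined with an implied OR, so the
<code>Require all granted</code> line shown in the
<code class="directive"><Directory></code> section authorizes every request by
itself; omit it if access is meant to depend on the two LDAP group aliases:
</p>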
<pre class="prettyprint lang-config"><AuthzProviderAlias ldap-group ldap-group-alias1 "cn=my-group,o=ctx">
AuthLDAPBindDN "cn=youruser,o=ctx"
AuthLDAPBindPassword yourpassword
AuthLDAPUrl "ldap://ldap.host/o=ctx"
</AuthzProviderAlias>
<AuthzProviderAlias ldap-group ldap-group-alias2 "cn=my-other-group,o=dev">
AuthLDAPBindDN "cn=yourotheruser,o=dev"
AuthLDAPBindPassword yourotherpassword
AuthLDAPUrl "ldap://other.ldap.host/o=dev?cn"
</AuthzProviderAlias>
Alias "/secure" "/webpages/secure"
<Directory "/webpages/secure">
Require all granted
AuthBasicProvider file
AuthType Basic
AuthName LDAP_Protected_Place
#implied OR operation
Require ldap-group-alias1
Require ldap-group-alias2
</Directory></pre>
</div>
<div class="directive-section"><h2><a name="AuthMerging" id="AuthMerging">AuthMerging</a> <a name="authmerging" id="authmerging">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Controls the manner in which each configuration section's
authorization logic is combined with that of preceding configuration
sections.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthMerging Off | And | Or</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthMerging Off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p>When authorization is enabled, it is normally inherited by each
subsequent <a href="../sections.html#merging">configuration section</a>,
unless a different set of authorization directives is specified.
This is the default action, which corresponds to an explicit setting
of <code>AuthMerging Off</code>.</p>
<p>However, there may be circumstances in which it is desirable
for a configuration section's authorization to be combined with
that of its predecessor while configuration sections are being
merged. Two options are available for this case, <code>And</code>
and <code>Or</code>.</p>
<p>When a configuration section contains <code>AuthMerging And</code>
or <code>AuthMerging Or</code>,
its authorization logic is combined with that of the nearest
predecessor (according to the overall order of configuration sections)
which also contains authorization logic as if the two sections
were jointly contained within a
<code class="directive"><a href="#requireall"><RequireAll></a></code> or
<code class="directive"><a href="#requireany"><RequireAny></a></code>
directive, respectively.</p>
<div class="note">The setting of <code class="directive">AuthMerging</code> is not
inherited outside of the configuration section in which it appears.
In the following example, only users belonging to group <code>alpha</code>
may access <code>/www/docs</code>. Users belonging to either
groups <code>alpha</code> or <code>beta</code> may access
<code>/www/docs/ab</code>. However, the default <code>Off</code>
setting of <code class="directive">AuthMerging</code> applies to the
<code class="directive"><a href="../mod/core.html#directory"><Directory></a></code>
configuration section for <code>/www/docs/ab/gamma</code>, so
that section's authorization directives override those of the
preceding sections. Thus only users belonging to the group
<code>gamma</code> may access <code>/www/docs/ab/gamma</code>.</div>
<pre class="prettyprint lang-config"><Directory "/www/docs">
AuthType Basic
AuthName Documents
AuthBasicProvider file
AuthUserFile "/usr/local/apache/passwd/passwords"
Require group alpha
</Directory>
<Directory "/www/docs/ab">
AuthMerging Or
Require group beta
</Directory>
<Directory "/www/docs/ab/gamma">
Require group gamma
</Directory></pre>
</div>
<div class="directive-section"><h2><a name="AuthzProviderAlias" id="AuthzProviderAlias"><AuthzProviderAlias></a> <a name="authzprovideralias" id="authzprovideralias">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of directives that represent an
extension of a base authorization provider and are referenced by the specified
alias</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><AuthzProviderAlias <var>baseProvider Alias Require-Parameters</var>>
... </AuthzProviderAlias>
</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p><code class="directive"><AuthzProviderAlias></code> and
<code></AuthzProviderAlias></code> are used to enclose a group of
authorization directives that can be referenced by the alias name using the
directive <code class="directive"><a href="#require">Require</a></code>.</p>
<p>If several parameters are needed in <var>Require-Parameters</var>,
they must be enclosed in quotation marks. Otherwise, only the first one
is taken into account.</p>
<pre class="prettyprint lang-config"># In this example, for both addresses to be taken into account, they MUST be enclosed
# between quotation marks
<AuthzProviderAlias ip reject-ips "XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY">
</AuthzProviderAlias>
<Directory "/path/to/dir">
<RequireAll>
Require not reject-ips
Require all granted
</RequireAll>
</Directory></pre>
</div>
<div class="directive-section"><h2><a name="AuthzSendForbiddenOnFailure" id="AuthzSendForbiddenOnFailure">AuthzSendForbiddenOnFailure</a> <a name="authzsendforbiddenonfailure" id="authzsendforbiddenonfailure">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Send '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if
authentication succeeds but authorization fails
</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthzSendForbiddenOnFailure On|Off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthzSendForbiddenOnFailure Off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTPD 2.3.11 and later</td></tr>
</table>
<p>If authentication succeeds but authorization fails, Apache HTTPD will
respond with an HTTP response code of '401 UNAUTHORIZED' by default. This
usually causes browsers to display the password dialogue to the user
again, which is not wanted in all situations.
<code class="directive">AuthzSendForbiddenOnFailure</code> allows the
response code to be changed to '403 FORBIDDEN'.</p>
<div class="warning"><h3>Security Warning</h3>
<p>Modifying the response in case of missing authorization weakens the
security of the password, because it reveals to a possible attacker that
a guessed password was correct.</p>
</div>
</div>
<div class="directive-section"><h2><a name="Require" id="Require">Require</a> <a name="require" id="require">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Tests whether an authenticated user is authorized by
an authorization provider.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Require [not] <var>entity-name</var>
[<var>entity-name</var>] ...</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p>This directive tests whether an authenticated user is authorized
according to a particular authorization provider and the specified
restrictions. <code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code> provides the following
generic authorization providers:</p>
<dl>
<dt><code>Require all granted</code></dt>
<dd>Access is allowed unconditionally.</dd>
<dt><code>Require all denied</code></dt>
<dd>Access is denied unconditionally.</dd>
<dt><code>Require env <var>env-var</var> [<var>env-var</var>]
...</code></dt>
<dd>Access is allowed only if one of the given environment variables is
set.</dd>
<dt><code>Require method <var>http-method</var> [<var>http-method</var>]
...</code></dt>
<dd>Access is allowed only for the given HTTP methods.</dd>
<dt><code>Require expr <var>expression</var> </code></dt>
<dd>Access is allowed if <var>expression</var> evaluates to true.</dd>
</dl>
<p>Some of the allowed syntaxes provided by <code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code>,
<code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code>,
and <code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> are:</p>
<dl>
<dt><code>Require user <var>userid</var> [<var>userid</var>]
...</code></dt>
<dd>Only the named users can access the resource.</dd>
<dt><code>Require group <var>group-name</var> [<var>group-name</var>]
...</code></dt>
<dd>Only users in the named groups can access the resource.</dd>
<dt><code>Require valid-user</code></dt>
<dd>All valid users can access the resource.</dd>
<dt><code>Require ip 10 172.20 192.168.2</code></dt>
<dd>Clients in the specified IP address ranges can access the
resource.</dd>
<dt><code>Require forward-dns dynamic.example.org</code></dt>
<dd>A client whose IP address is one that the name dynamic.example.org resolves to will be granted access.
</dd>
</dl>
<p>Other authorization modules that implement require options
include <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>,
<code class="module"><a href="../mod/mod_authz_dbm.html">mod_authz_dbm</a></code>, <code class="module"><a href="../mod/mod_authz_dbd.html">mod_authz_dbd</a></code>,
<code class="module"><a href="../mod/mod_authz_owner.html">mod_authz_owner</a></code> and <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>
<p>In most cases, for a complete authentication and authorization
configuration, <code class="directive">Require</code> must be accompanied by
<code class="directive"><a href="../mod/mod_authn_core.html#authname">AuthName</a></code>, <code class="directive"><a href="../mod/mod_authn_core.html#authtype">AuthType</a></code> and
<code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> or
<code class="directive"><a href="../mod/mod_auth_digest.html#authdigestprovider">AuthDigestProvider</a></code>
directives, and directives such as
<code class="directive"><a href="../mod/mod_authn_file.html#authuserfile">AuthUserFile</a></code>
and <code class="directive"><a href="../mod/mod_authz_groupfile.html#authgroupfile">AuthGroupFile</a></code> (to
define users and groups) in order to work correctly. Example:</p>
<pre class="prettyprint lang-config">AuthType Basic
AuthName "Restricted Resource"
AuthBasicProvider file
AuthUserFile "/web/users"
AuthGroupFile "/web/groups"
Require group admin</pre>
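<p>Access controls which are applied in this way are effective for
<strong>all</strong> methods. <strong>This is what is normally
desired.</strong> If you wish to apply access controls only to
specific methods, while leaving other methods unprotected, then
place the <code class="directive">Require</code> statement into a
<code class="directive"><a href="../mod/core.html#limit"><Limit></a></code>
section. Keep in mind that any method not listed in the
<code class="directive"><Limit></code> section, including nonstandard ones,
is then left unrestricted; <code class="directive"><LimitExcept></code>
restricts every method except those it names.</p>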
<p>The result of the <code class="directive">Require</code> directive
may be negated through the use of the
<code>not</code> option. As with the other negated authorization
directive <code class="directive"><RequireNone></code>,
when the <code class="directive">Require</code> directive is negated it can
only fail or return a neutral result, and therefore may never
independently authorize a request.</p>
<p>In the following example, all users in the <code>alpha</code>
and <code>beta</code> groups are authorized, except for those who
are also in the <code>reject</code> group.</p>
<pre class="prettyprint lang-config"><Directory "/www/docs">
<RequireAll>
Require group alpha beta
Require not group reject
</RequireAll>
</Directory></pre>
<p>When multiple <code class="directive">Require</code> directives are
used in a single
<a href="../sections.html#merging">configuration section</a>
and are not contained in another authorization directive like
<code class="directive"><a href="#requireall"><RequireAll></a></code>,
they are implicitly contained within a
<code class="directive"><a href="#requireany"><RequireAny></a></code>
directive. Thus the first one to authorize a user authorizes the
entire request, and subsequent <code class="directive">Require</code> directives
are ignored.</p>
<div class="warning"><h3>Security Warning</h3>
<p>Exercise caution when setting authorization directives in
<code class="directive"><a href="../mod/core.html#location">Location</a></code> sections
that overlap with content served out of the filesystem.
By default, these <a href="../sections.html#merging">configuration sections</a> overwrite authorization configuration
in <code class="directive"><a href="../mod/core.html#directory">Directory</a></code>,
and <code class="directive"><a href="../mod/core.html#files">Files</a></code> sections.</p>
<p>The <code class="directive"><a href="#authmerging">AuthMerging</a></code> directive
can be used to control how authorization configuration sections are
merged.</p>
</div>
<h3>See also</h3>
<ul>
<li><a href="../howto/access.html">Access Control howto</a></li>
<li><a href="#logic">Authorization Containers</a></li>
<li><code class="module"><a href="../mod/mod_authn_core.html">mod_authn_core</a></code></li>
<li><code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code></li>
</ul>
</div>
<div class="directive-section"><h2><a name="RequireAll" id="RequireAll"><RequireAll></a> <a name="requireall" id="requireall">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives of which none
must fail and at least one must succeed for the enclosing directive to
succeed.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><RequireAll> ... </RequireAll></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p><code class="directive"><RequireAll></code> and
<code></RequireAll></code> are used to enclose a group of
authorization directives of which none must fail and at least one
must succeed in order for
the <code class="directive"><RequireAll></code> directive to
succeed.</p>
<p>If none of the directives contained within the
<code class="directive"><RequireAll></code> directive fails,
and at least one succeeds, then the
<code class="directive"><RequireAll></code> directive
succeeds. If none succeed and none fail, then it returns a
neutral result. In all other cases, it fails.</p>
<h3>See also</h3>
<ul>
<li><a href="#logic">Authorization Containers</a></li>
<li><a href="../howto/auth.html">Authentication, Authorization,
and Access Control</a></li>
</ul>
</div>
<div class="directive-section"><h2><a name="RequireAny" id="RequireAny"><RequireAny></a> <a name="requireany" id="requireany">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives of which one
must succeed for the enclosing directive to succeed.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><RequireAny> ... </RequireAny></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p><code class="directive"><RequireAny></code> and
<code></RequireAny></code> are used to enclose a group of
authorization directives of which one must succeed in order for
the <code class="directive"><RequireAny></code> directive to
succeed.</p>
<p>If one or more of the directives contained within the
<code class="directive"><RequireAny></code> directive succeed,
then the <code class="directive"><RequireAny></code> directive
succeeds. If none succeed and none fail, then it returns a
neutral result. In all other cases, it fails.</p>
<div class="note">Because negated authorization directives are unable to
return a successful result, they can not significantly influence
the result of a <code class="directive"><RequireAny></code>
directive. (At most they could cause the directive to fail in
the case where they failed and all other directives returned a
neutral value.) Therefore negated authorization directives
are not permitted within a <code class="directive"><RequireAny></code>
directive.</div>
<h3>See also</h3>
<ul>
<li><a href="#logic">Authorization Containers</a></li>
<li><a href="../howto/auth.html">Authentication, Authorization,
and Access Control</a></li>
</ul>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="RequireNone" id="RequireNone"><RequireNone></a> <a name="requirenone" id="requirenone">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enclose a group of authorization directives of which none
must succeed for the enclosing directive to not fail.</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><RequireNone> ... </RequireNone></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_core</td></tr>
</table>
<p><code class="directive"><RequireNone></code> and
<code></RequireNone></code> are used to enclose a group of
authorization directives of which none must succeed
in order for the
<code class="directive"><RequireNone></code> directive to
not fail.</p>
<p>If one or more of the directives contained within the
<code class="directive"><RequireNone></code> directive succeed,
then the <code class="directive"><RequireNone></code> directive
fails. In all other cases, it returns a neutral result. Thus, as with
the other negated authorization directive <code>Require not</code>,
it can never independently
authorize a request because it can never return a successful result.
It can be used, however, to restrict the set of users who are
authorized to access a resource, when it is combined with directives
that can succeed (for example, inside a
<code class="directive"><RequireAll></code> section).</p>
<div class="note">Because negated authorization directives are unable to
return a successful result, they can not significantly influence
the result of a <code class="directive"><RequireNone></code>
directive. Therefore negated authorization directives
are not permitted within a
<code class="directive"><RequireNone></code> directive.</div>
<h3>See also</h3>
<ul>
<li><a href="#logic">Authorization Containers</a></li>
<li><a href="../howto/auth.html">Authentication, Authorization,
and Access Control</a></li>
</ul>
</div>
</div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/mod/mod_authz_core.html" title="English"> en </a> |
<a href="../fr/mod/mod_authz_core.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div>
<script type="text/javascript"><!--//--><![CDATA[//><!--
var comments_shortname = 'httpd';
var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html';
(function(w, d) {
if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
d.write('<div id="comments_thread"><\/div>');
var s = d.createElement('script');
s.type = 'text/javascript';
s.async = true;
s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
(d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
}
else {
d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
}
})(window, document);
//--><!]]></script></div><div id="footer">
<p class="apache">Copyright 2025 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
prettyPrint();
}
//--><!]]></script>
</body></html>