1<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3
4<html xmlns="http://www.w3.org/1999/xhtml">
5  <head>
6    <title>Authentication, Authorization, and Access Control</title>
7  </head>
8
9  <body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
10  vlink="#000080" alink="#FF0000">
11        <div align="CENTER">
12      <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />
13
14      <h3>Apache HTTP Server Version 1.3</h3>
15    </div>
16
17
18
19<h1 align="center">Authentication, Authorization, and Access
20Control</h1>
21
22    <a name="TOC"></a>
23
24    <ul>
25      <li><a href="#intro">Introduction</a></li>
26      <li>
27        <a href="#basic">Basic authentication</a>
28
29        <ul>
30          <li><a href="#basicworks">How basic
31          authentication works</a></li>
32
33          <li>
34            <a href="#basicconfig">Configuration:
35            Protecting content with basic authentication</a>
36
37          </li>
38
39          <li>
40            <a href="#basicfaq">Frequently asked
41            questions about basic auth</a>
42          </li>
43
44          <li><a href="#basiccaveat">Security
45          caveat</a></li>
46        </ul>
47        <br />
48      </li>
49
50      <li>
51        <a href="#digest">Digest authentication</a>
52
53        <ul>
54          <li><a href="#digestworks">How digest auth
55          works</a></li>
56
57          <li>
58            <a href="#digestconfig">Configuration:
59            Protecting content with digest authentication</a>
60          </li>
61
62          <li><a href="#digestcaveat">Caveats</a></li>
63        </ul>
64        <br />
65      </li>
66
67      <li>
68        <a href="#database">Database authentication
69        modules</a>
70
71        <ul>
72          <li><a href="#modauthdb">mod_auth_db and
73          mod_auth_dbm</a></li>
74
75          <li><a href="#dbfiles">Berkeley DB files</a></li>
76
77          <li><a href="#installauthdb">Installing mod_auth_db</a></li>
78
79          <li>
80            <a href="#authdbconfig">Protecting a
81            directory with mod_auth_db</a>
82          </li>
83        </ul>
84        <br />
85      </li>
86
87      <li>
88        <a href="#access">Access control</a>
89
90        <ul>
91          <li><a href="#allowdeny">Allow and Deny</a></li>
92
93          <li><a href="#satisfy">Satisfy</a></li>
94        </ul>
95        <br />
96      </li>
97
98      <li><a href="#summary">Summary</a></li>
99    </ul>
100    <!--End of Table of Child-Links-->
101    <hr />
102
103    <h1><a name="auth"></a><br />
104     Authentication, Authorization, and Access Control</h1>
105
106    <h1><a name="intro">Introduction</a></h1>
107
108    <p>Apache has three distinct ways of dealing with the question
109    of whether a particular request for a resource will result in
110    that resource actually be returned. These criteria are called
111    <i>Authorization</i>, <i>Authentication</i>, and <i>Access
112    control</i>.</p>
113
114    <p>Authentication is any process by which you verify that
115    someone is who they claim they are. This usually involves a
116    username and a password, but can include any other method of
117    demonstrating identity, such as a smart card, retina scan,
118    voice recognition, or fingerprints. Authentication is
119    equivalent to showing your drivers license at the ticket
120    counter at the airport.</p>
121
122    <p>Authorization is finding out if the person, once identified,
123    is permitted to have the resource. This is usually determined
124    by finding out if that person is a part of a particular group,
125    if that person has paid admission, or has a particular level of
126    security clearance. Authorization is equivalent to checking the
127    guest list at an exclusive party, or checking for your ticket
128    when you go to the opera.</p>
129
130    <p>Finally, access control is a much more general way of
131    talking about controlling access to a web resource. Access can
132    be granted or denied based on a wide variety of criteria, such
133    as the network address of the client, the time of day, the
134    phase of the moon, or the browser which the visitor is using.
135    Access control is analogous to locking the gate at closing
136    time, or only letting people onto the ride who are more than 48
137    inches tall - it's controlling entrance by some arbitrary
138    condition which may or may not have anything to do with the
139    attributes of the particular visitor.</p>
140
141    <p>Because these three techniques are so closely related in
142    most real applications, it is difficult to talk about them
143    separate from one another. In particular, authentication and
144    authorization are, in most actual implementations,
145    inextricable.</p>
146
147    <p>If you have information on your web site that is sensitive,
148    or intended for only a small group of people, the techniques in
149    this tutorial will help you make sure that the people that see
150    those pages are the people that you wanted to see them.</p>
151
152    <h1><a name="basic"></a>Basic authentication</h1>
153
154    <p>As the name implies, basic authentication is the simplest
155    method of authentication, and for a long time was the most
156    common authentication method used. However, other methods of
157    authentication have recently passed basic in common usage, due
158    to usability issues that will be discussed in a minute.</p>
159
160    <h2><a name="basicworks"></a><br />
161     How basic authentication works</h2>
162
163    <p>When a particular resource has been protected using basic
164    authentication, Apache sends a <tt>401 Authentication
165    Required</tt> header with the response to the request, in order
166    to notify the client that user credentials must be supplied in
167    order for the resource to be returned as requested.</p>
168
169    <p>Upon receiving a <tt>401</tt> response header, the client's
170    browser, if it supports basic authentication, will ask the user
171    to supply a username and password to be sent to the server. If
172    you are using a graphical browser, such as Netscape or Internet
173    Explorer, what you will see is a box which pops up and gives
174    you a place to type in your username and password, to be sent
175    back to the server. If the username is in the approved list,
176    and if the password supplied is correct, the resource will be
177    returned to the client.</p>
178
179    <p>Because the HTTP protocol is stateless, each request will be
180    treated in the same way, even though they are from the same
181    client. That is, every resource which is requested from the
182    server will have to supply authentication credentials over
183    again in order to receive the resource.</p>
184
185    <p>Fortunately, the browser takes care of the details here, so
186    that you only have to type in your username and password one
187    time per browser session - that is, you might have to type it
188    in again the next time you open up your browser and visit the
189    same web site.</p>
190
191    <p>Along with the <tt>401</tt> response, certain other
192    information will be passed back to the client. In particular,
193    it sends a name which is associated with the protected area of
194    the web site. This is called the <i>realm</i>, or just the
195    authentication name. The client
196    browser caches the username and password that you supplied, and
197    stores it along with the authentication realm, so that if other
198    resources are requested from the same realm, the same username
199    and password can be returned to authenticate that request
200    without requiring the user to type them in again. This caching
201    is usually just for the current browser session, but some
202    browsers allow you to store them permanently, so that you never
203    have to type in your password again.</p>
204
205    <p>The authentication name, or realm, will appear in the pop-up
206    box, in order to identify what the username and password are
207    being requested for.</p>
208
209    <h2><a name="basicconfig"></a>
210     Configuration: Protecting content with basic
211    authentication</h2>
212
213    <p>There are two configuration steps which you must complete in
214    order to protect a resource using basic authentication. Or
215    three, depending on what you are trying to do.</p>
216
217    <ol>
218      <li>Create a password file</li>
219
220      <li>Set the configuration to use this password file</li>
221
222      <li>Optionally, create a group file</li>
223    </ol>
224
225    <h3><a name="htpasswd"></a><br />
226     Create a password file</h3>
227
228    <p>In order to determine whether a particular username/password
229    combination is valid, the username and password supplied by the
230    user will need to be compared to some authoritative listing of
231    usernames and password. This is the password file, which you
232    will need to create on the server side, and populate with valid
233    users and their passwords.</p>
234
235    <p>Because this file contains sensitive information, it should
236    be stored outside of the document directory. Although, as you
237    will see in a moment, the passwords are encrypted in the file,
238    if a cracker were to gain access to the file, it would be an
239    aid in their attempt to figure out the passwords. And, because
240    people tend to be sloppy with the passwords that they choose,
241    and use the same password for web site authentication as for
242    their bank account, this potentially be a very serious breach
243    of security, even if the content on your web site is not
244    particularly sensitive.</p>
245
246    <p><b>Caution:</b> Encourage your users to use a different
247    password for your web site than for other more essential
248    things. For example, many people tend to use two passwords -
249    one for all of their extremely important things, such as the
250    login to their desktop computer, and for their bank account,
251    and another for less sensitive things, the compromise of which
252    would be less serious.</p>
253
254    <p>To create the password file, use the <tt>htpasswd</tt>
255    utility that came with Apache. This will be located in the
256    <tt>bin</tt> directory of wherever you installed Apache. For
257    example, it will probably be located at
258    <tt>/usr/local/apache/bin/htpasswd</tt> if you installed Apache
259    from source.</p>
260
261    <p>To create the file, type:</p>
262<pre>
263htpasswd -c /usr/local/apache/passwd/passwords username
264</pre>
265
266    <p><tt>htpasswd</tt> will ask you for the password, and then
267    ask you to type it again to confirm it:</p>
268<pre>
269# htpasswd -c /usr/local/apache/passwd/passwords rbowen
270New password: mypassword
271Re-type new password: mypassword
272Adding password for user rbowen
273</pre>
274
275    <p>Note that in the example shown, a password file is being
276    created containing a user called <tt>rbowen</tt>, and this
277    password file is being placed in the location
278    <tt>/usr/local/apache/passwd/passwords</tt>. You will
279    substitute the location, and the username, which you want to
280    use to start your password file.</p>
281
282    <p>If <tt>htpasswd</tt> is not in your path, you will have to
283    type the full path to the file to get it to run. That is, in
284    the example above, you would replace <tt>htpasswd</tt> with
285    <tt>/usr/local/apache/bin/htpasswd</tt></p>
286
287    <p>The <tt>-c</tt> flag is used only when you are creating a
288    new file. After the first time, you will omit the <tt>-c</tt>
289    flag, when you are adding new users to an already-existing
290    password file.</p>
291<pre>
292htpasswd /usr/local/apache/passwd/passwords sungo
293</pre>
294
295    <p>The example just shown will add a user named <tt>sungo</tt>
296    to a password file which has already been created earlier. As
297    before, you will be asked for the password at the command line,
298    and then will be asked to confirm the password by typing it
299    again.</p>
300
301    <p><b>Caution:</b> Be very careful when you add new users to an
302    existing password file that you don't use the <tt>-c</tt> flag
303    by mistake. Using the <tt>-c</tt> flag will create a new
304    password file, even if you already have an existing file of
305    that name. That is, it will remove the contents of the file
306    that is there, and replace it with a new file containing only
307    the one username which you were adding.</p>
308
309    <p>The password is stored in the password file in encrypted
310    form, so that users on the system will not be able to read the
311    file and immediately determine the passwords of all the users.
312    Nevertheless, you should store the file in as secure a location
313    as possible, with whatever minimum permissions on the file so
314    that the web server itself can read the file. For example, if
315    your server is configured to run as user <tt>nobody</tt> and
316    group <tt>nogroup</tt>, then you should set permissions on the
317    file so that only the webserver can read the file and only
318    root can write to it:</p>
319<pre>
320chown root.nogroup /usr/local/apache/passwd/passwords
321chmod 640 /usr/local/apache/passwd/passwords
322</pre>
323
324    <p>On Windows, a similar precaution should be taken, changing
325    the ownership of the password file to the web server user, so
326    that other users cannot read the file.</p>
327
328    <h3><a name="htpasswdconfig"></a><br />
329     Set the configuration to use this password file</h3>
330
331    <p>Once you have created the password file, you need to tell
332    Apache about it, and tell Apache to use this file in order to
333    require user credentials for admission. This configuration is
334    done with the following directives:</p>
335
336    <table cellpadding="3">
337      <tr>
338        <td align="left">AuthType</td>
339
340        <td align="left" valign="top" width="360">Authentication
341        type being used. In this case, it will be set to
342        <tt>Basic</tt></td>
343      </tr>
344
345      <tr>
346        <td align="left">AuthName</td>
347
348        <td align="left" valign="top" width="360">The
349        authentication realm or name</td>
350      </tr>
351
352      <tr>
353        <td align="left">AuthUserFile</td>
354
355        <td align="left" valign="top" width="360">The location of
356        the password file</td>
357      </tr>
358
359      <tr>
360        <td align="left">AuthGroupFile</td>
361
362        <td align="left" valign="top" width="360">The location of
363        the group file, if any</td>
364      </tr>
365
366      <tr>
367        <td align="left">Require</td>
368
369        <td align="left" valign="top" width="360">The
370        requirement(s) which must be satisfied in order to grant
371        admission</td>
372      </tr>
373    </table>
374
375    <p>These directives may be placed in a <tt>.htaccess</tt> file
376    in the particular directory being protected, or may go in the
377    main server configuration file, in a <tt>&lt;Directory&gt;</tt>
378    section, or other scope container.</p>
379
380    <p>The example shown below defines an authentication realm
381    called ``By Invitation Only''. The password file located at
382    <tt>/usr/local/apache/passwd/passwords</tt> will be used to
383    verify the user's identity. Only users named <tt>rbowen</tt> or
384    <tt>sungo</tt> will be granted access, and even then only if
385    they provide a password which matches the password stored in
386    the password file.</p>
387<pre>
388AuthType Basic
389AuthName "By Invitation Only"
390AuthUserFile /usr/local/apache/passwd/passwords
391Require user rbowen sungo
392</pre>
393
394    <p>The phrase ``By Invitation Only'' will be displayed in the
395    password pop-up box, where the user will have to type their
396    credentials.</p>
397
398    <p>You will need to restart your Apache server in order for the
399    new configuration to take effect, if these directives were put
400    in the main server configuration file. Directives placed in
401    <tt>.htaccess</tt> files take effect immediately, since
402    <tt>.htaccess</tt> files are parsed each time files are
403    served.</p>
404
405    <p>The next time that you load a file from that directory, you
406    will see the familiar username/password dialog box pop up,
407    requiring that you type the username and password before you
408    are permitted to proceed.</p>
409
410    <p>Note that in addition to specifically listing the users to
411    whom you want to grant access, you can specify that any valid
412    user should be let in. This is done with the
413    <tt>valid-user</tt> keyword:</p>
414<pre>
415Require valid-user
416</pre>
417
418    <h3><a name="basicgroupfile"></a><br />
419     Optionally, create a group file</h3>
420
421    <p>Most of the time, you will want more than one, or two, or
422    even a dozen, people to have access to a resource. You want to
423    be able to define a group of people that have access to that
424    resource, and be able to manage that group of people, adding
425    and removing members, without having to edit the server
426    configuration file, and restart Apache, each time.</p>
427
428    <p>This is handled using authentication groups. An
429    authentication group is, as you would expect, a group name
430    associated with a list of members. This list is stored in a
431    group file, which should be stored in the same location as the
432    password file, so that you are able to keep track of these
433    things.</p>
434
435    <p>The format of the group file is exceedingly simple. A group
436    name appears first on a line, followed by a colon, and then a
437    list of the members of the group, separated by spaces. For
438    example:</p>
439<pre>
440authors: rich daniel allan
441</pre>
442
443    <p>Once this file has been created, you can <tt>Require</tt>
444    that someone be in a particular group in order to get the
445    requested resource. This is done with the
446    <tt>AuthGroupFile</tt> directive, as shown in the following
447    example.</p>
448<pre>
449AuthType Basic
450AuthName "Apache Admin Guide Authors"
451AuthUserFile /usr/local/apache/passwd/passwords
452AuthGroupFile /usr/local/apache/passwd/groups
453Require group authors
454</pre>
455
456    <p>The authentication process is now one step more involved.
457    When a request is received, and the requested username and
458    password are supplied, the group file is first checked to see
459    if the supplied username is even in the required group. If it
460    is, then the password file will be checked to see if the
461    username is in there, and if the supplied password matches the
462    password stored in that file. If any of these steps fail,
463    access will be forbidden.</p>
464
465    <h2><a name="basicfaq"></a><br />
466     Frequently asked questions about basic auth</h2>
467
468    <p>The following questions tend to get asked very frequently
469    with regard to basic authentication. It should be understood
470    that basic authentication is very basic, and so is limited to
471    the set of features that has been presented above. Most of the
472    more interesting things that people tend to want, need to be
473    implemented using some alternate authentication scheme.</p>
474
475    <h3><a name="logout"></a><br />
476     How do I log out?</h3>
477
478    <p>Since browsers first started implementing basic
479    authentication, website administrators have wanted to know how
480    to let the user log out. Since the browser caches the username
481    and password with the authentication realm, as described
482    earlier in this tutorial, this is not a function of the server
483    configuration, but is a question of getting the browser to
484    forget the credential information, so that the next time the
485    resource is requested, the username and password must be
486    supplied again. There are numerous situations in which this is
487    desirable, such as when using a browser in a public location,
488    and not wishing to leave the browser logged in, so that the
489    next person can get into your bank account.</p>
490
491    <p>However, although this is perhaps the most frequently asked
492    question about basic authentication, thus far none of the major
493    browser manufacturers have seen this as being a desirable
494    feature to put into their products.</p>
495
496    <p>Consequently, the answer to this question is, you can't.
497    Sorry.</p>
498
499    <h3><a name="passworddialog"></a><br />
500     How can I change what the password box looks like?</h3>
501
502    <p>The dialog that pops up for the user to enter their username
503    and password is ugly. It contains text that you did not
504    indicate that you wanted in there. It looks different in
505    Internet Explorer and Netscape, and contains different text.
506    And it asks for fields that the user might not understand -
507    for example, Netscape asks the user to type in their ``User
508    ID'', and they might not know what that means. Or, you might
509    want to provide additional explanatory text so that the user
510    has a better idea what is going on.</p>
511
512    <p>Unfortunately, these things are features of the browser, and
513    cannot be controlled from the server side. If you want the
514    login to look different, then you will need to implement your
515    own authentication scheme. There is no way to change what this
516    login box looks like if you are using basic authentication.</p>
517
518    <h3><a name="persistpass"></a><br />
519     How to I make it not ask me for my password the next
520    time?</h3>
521
522    <p>Because most browsers store your password information only
523    for the current browser session, when you close your browser it
524    forgets your username and password. So, when you visit the same
525    web site again, you will need to re-enter your username and
526    password.</p>
527
528    <p>There is nothing that can be done about this on the server
529    side.</p>
530
531    <p>However, the most recent versions of the major browsers
532    contain the ability to remember your password forever, so that
533    you never have to log in again. While it is debatable whether
534    this is a good idea, since it effectively overrides the entire
535    point of having security in the first place, it is certainly
536    convenient for the user, and simplifies the user
537    experience.</p>
538
539    <h3><a name="passwordtwice"></a><br />
540     Why does it sometimes ask me for my password twice?</h3>
541
542    <p>When entering a password-protected web site for the first
543    time, you will occasionally notice that you are asked for your
544    password twice. This may happen immediately after you entered
545    the password the first time, or it may happen when you click on
546    the first link after authenticating the first time.</p>
547
548    <p>This happens for a very simple, but nonetheless confusing,
549    reason, again having to do with the way that the browser caches
550    the login information.</p>
551
552    <p>Login information is stored on the browser based on the
553    authentication realm, specified by the <tt>AuthName</tt>
554    directive, and by the server name. In this way, the browser can
555    distinguish between the <tt>Private</tt> authentication realm
556    on one site and on another. So, if you go to a site using one
557    name for the server, and internal links on the server refer to
558    that server by a different name, the browser has no way to know
559    that they are in fact the same server.</p>
560
561    <p>For example, if you were to visit the URL
562    <tt>http://example.com/private/</tt>, which required
563    authentication, your browser would remember the supplied
564    username and password, associated with the hostname
565    <tt>example.com</tt>. If, by virtue of an internal redirect, or
566    fully-qualified HTML links in pages, you are then sent to the
567    URL <tt>http://www.example.com/private/</tt>, even though this
568    is really exactly the same URL, the browser does not know this
569    for sure, and is forced to request the authentication
570    information again, since <tt>example.com</tt> and
571    <tt>www.example.com</tt> are not exactly the same hostname.
572    Your browser has no particular way to know that these are the
573    same web site.</p>
574
575    <h2><a name="basiccaveat"></a><br />
576     Security caveat</h2>
577
578    <p>Basic authentication should not be considered secure for any
579    particularly rigorous definition of secure.</p>
580
581    <p>Although the password is stored on the server in encrypted
582    format, it is passed from the client to the server in plain
583    text across the network. Anyone listening with any variety of
584    packet sniffer will be able to read the username and password
585    in the clear as it goes across.</p>
586
587    <p>Not only that, but remember that the username and password
588    are passed with every request, not just when the user first
589    types them in. So the packet sniffer need not be listening at a
590    particularly strategic time, but just for long enough to see
591    any single request come across the wire.</p>
592
593    <p>And, in addition to that, the content itself is also going
594    across the network in the clear, and so if the web site
595    contains sensitive information, the same packet sniffer would
596    have access to that information as it went past, even if the
597    username and password were not used to gain direct access to
598    the web site.</p>
599
600    <p>Don't use basic authentication for anything that requires
601    real security. It is a detriment for most users, since very few
602    people will take the trouble, or have the necessary software
603    and/or equipment, to find out passwords. However, if someone
604    had a desire to get in, it would take very little for them to
605    do so.</p>
606
607    <p>Basic authentication across an SSL connection, however, will be
608    secure, since everything is going to be encrypted, including the
609    username and password.</p>
610
611    <h1><a name="digest"></a>Digest authentication</h1>
612
613    <p>Addressing one of the security caveats of basic
614    authentication, digest authentication provides an alternate
615    method for protecting your web content. However, it to has a
616    few caveats.</p>
617
618    <h2><a name="digestworks">How digest auth works</a></h2>
619
620    <p>Digest authentication is implemented by the module
621    <tt>mod_auth_digest</tt>. There is an older module,
622    <tt>mod_digest</tt>, which implemented an older version of the
623    digest authentication specification, but which will probably
624    not work with newer browsers.</p>
625
626    <p>Using digest authentication, your password is never sent
627    across the network in the clear, but is always transmitted as
628    an MD5 digest of the user's password. In this way, the password
629    cannot be determined by sniffing network traffic.</p>
630
631    <p>The full specification of digest authentication can be seen
632    in the internet standards document RFC 2617, which you can see
633    at <tt>http://www1.ics.uci.edu/pub/ietf/http/rfc2617.txt</tt>.
634    Additional information and resources about MD5 can be found at
635    <tt>http://userpages.umbc.edu/&nbsp;mabzug1/cs/md5/md5.html</tt></p>
636
637    <h2><a name="digestconfig"></a>Configuration:
638    Protecting content with digest authentication</h2>
639
640    <p>The steps for configuring your server for digest
641    authentication are very similar for those for basic
642    authentication.</p>
643
644    <ol>
645      <li>Create the password file</li>
646
647      <li>Set the configuration to use this password file</li>
648
649      <li>Optionally, create a group file</li>
650    </ol>
651
652    <h3><a name="htdigest"></a>Creating a password file</h3>
653
654    <p>As with basic authentication, a simple utility is provided
655    to create and maintain the password file which will be used to
656    determine whether a particular user's name and password are
657    valid. This utility is called <tt>htdigest</tt>, and will be
658    located in the <tt>bin</tt> directory of wherever you installed
659    Apache. If you installed Apache from some variety of package
660    manager, <tt>htdigest</tt> is likely to have been placed
661    somewhere in your path.</p>
662
663    <p>To create a new digest password file, type:</p>
664<pre>
665htdigest -c /usr/local/apache/passwd/digest realm username
666</pre>
667
668    <p><tt>htdigest</tt> will ask you for the desired password, and
669    then ask you to type it again to confirm it.</p>
670
671    <p>Note that the realm for which the authentication will be
672    required is part of the argument list.</p>
673
674    <p>Once again, as with basic authentication, you are encouraged
675    to place the generated file somewhere outside of the document
676    directory.</p>
677
678    <p>And, as with the <tt>htpasswd</tt> utility, the <tt>-c</tt>
679    flag creates a new file, or, if a file of that name already
680    exists, deletes the contents of that file and generates a new
681    file in its place. Omit the <tt>-c</tt> flag in order to add
682    new user information to an existing password file.</p>
683
684    <h3><a name="htdigestconfig"></a>Set the configuration
685    to use this password file</h3>
686
687    <p>Once you have created a password file, you need to tell
688    Apache about it in order to start using it as a source of
689    authenticated user information. This configuration is done with
690    the following directives:</p>
691
692    <table cellpadding="3">
693      <tr>
694        <td align="left">AuthType</td>
695
696        <td align="left" valign="top" width="360">Authentication
697        type being used. In this case, it will be set to
698        <tt>Digest</tt></td>
699      </tr>
700
701      <tr>
702        <td align="left">AuthName</td>
703
704        <td align="left" valign="top" width="360">The
705        authentication realm or name</td>
706      </tr>
707
708      <tr>
709        <td align="left">AuthDigestFile</td>
710
711        <td align="left" valign="top" width="360">The location of
712        the password file</td>
713      </tr>
714
715      <tr>
716        <td align="left">AuthDigestGroupFile</td>
717
718        <td align="left" valign="top" width="360">Location of the
719        group file, if any</td>
720      </tr>
721
722      <tr>
723        <td align="left">Require</td>
724
725        <td align="left" valign="top" width="360">The
726        requirement(s) which must be satisfied in order to grant
727        admission</td>
728      </tr>
729    </table>
730
731    <p>These directives may be placed in a <tt>.htaccess</tt> file
732    in the particular directory being protected, or may go in the
733    main server configuration file, in a <tt>&lt;Directory&gt;</tt>
734    section, or another scope container.</p>
735
736    <p>The following example defines an authentication realm called
737    "Private". The password file located at
738    <tt>/usr/local/apache/passwd/digest</tt> will be used to verify
739    the user's identity. Only users named <tt>drbacchus</tt> or
740    <tt>dorfl</tt> will be granted access, if they provide a
741    password that patches the password stored in the password
742    file.</p>
743<pre>
744AuthType Digest
745AuthName "Private"
746AuthDigestFile /usr/local/apache/passwd/digest
747Require user drbacchus dorfl
748</pre>
749
750    <p>The phrase "Private" will be displayed in the password
751    pop-up box, where the user will have to type their
752    credentials.</p>
753
754    <h3><a name="digestgroup"></a>Optionally, create a group file</h3>
755
756    <p>As you have observed, there are not many differences between
757    this configuration process and that required by basic
758    authentication, described in the previous section. This is true
759    also of group functionality. The group file used for digest
760    authentication is exactly the same as that used for basic
761    authentication. That is to say, lines in the group file consist
762    the name of the group, a colon, and a list of the members of
763    that group. For example:</p>
764<pre>
765admins: jim roy ed anne
766</pre>
767
768    <p>Once this file has been created, you can <tt>Require</tt>
769    that someone be in a particular group in order to get the
770    requested resource. This is done with the
771    <tt>AuthDigestGroupFile</tt> directive, as shown in the
772    following example.</p>
773<pre>
774AuthType Digest
775AuthName "Private"
776AuthDigestFile /usr/local/apache/passwd/digest
777AuthDigestGroupFile /usr/local/apache/passwd/digest.groups
778Require group admins
779</pre>
780
781    <p>The authentication process is the same as that used by basic
782    authentication. It is first verified that the user is in the
783    required group, and, if this is true, then the password is
784    verified.</p>
785
786    <h2><a name="digestcaveat">Caveats</a></h2>
787
788    <p>Before you leap into using digest authentication instead of
789    basic authentication, there are a few things that you should
790    know about.</p>
791
792    <p>Most importantly, you need to know that, although digest
793    authentication has this great advantage that you don't send
794    your password across the network in the clear, it is not
795    supported by all major browsers in use today, and so you should
796    not use it on a web site on which you cannot control the
797    browsers that people will be using, such as on your intranet
798    site. In particular, Opera 4.0 or later, Microsoft Internet
799    Explorer 5.0 or later, Mozilla 1.0.1 and Netscape 7 or later
800    as well as Amaya support digest authentication, while various
801    other browsers do not.</p>
802
803    <p>Next, with regard to security considerations, you should
804    understand two things. Although your password is not passed in
805    the clear, all of your data is, and so this is a rather small
806    measure of security. And, although your password is not really
807    sent at all, but a digest form of it, someone very familiar
808    with the workings of HTTP could use that information - just
809    your digested password - and use that to gain access to the
810    content, since that digested password is really all the
811    information required to access the web site.</p>
812
813    <p>The moral of this is that if you have content that really
814    needs to be kept secure, use SSL.</p>
815
816    <h1><a name="database">Database authentication
817    modules</a></h1>
818
819    <p>Basic authentication and digest authentication both suffer
820    from the same major flaw. They use text files to store the
821    authentication information. The problem with this is that
822    looking something up in a text file is very slow. It's rather
823    like trying to find something in a book that has no index. You
824    have to start at the beginning, and work through it one page at
825    a time until you find what you are looking for. Now imagine
826    that the next time you need to find the same thing, you don't
827    remember where it was before, so you have to start at the
828    beginning again, and work through one page at a time until you
829    find it again. And the next time. And the time after that.</p>
830
831    <p>Since HTTP is stateless, authentication has to be verified
832    every time that content is requested. And so every time a
833    document is accessed which is secured with basic or digest
834    authentication, Apache has to open up those text password files
835    and look through them one line at a time, until it finds the
836    user that is trying to log in, and verifies their password. In
837    the worst case, if the username supplied is not in there at
838    all, every line in the file will need to be checked. On
839    average, half of the file will need to be read before the user
840    is found. This is very slow.</p>
841
842    <p>While this is not a big problem for small sets of users,
843    when you get into larger numbers of users (where "larger" means
844    a few hundred) this becomes prohibitively slow. In many cases,
845    in fact, valid username/password combinations will get rejected
846    because the authentication module just had to spend so much
847    time looking for the username in the file that Apache will just
848    get tired of waiting and return a failed authentication.</p>
849
850    <p>In these cases, you need an alternative, and that
851    alternative is to use some variety of database. Databases are
852    optimized for looking for a particular piece of information in
853    a very large data set. It builds indexes in order to rapidly
854    locate a particular record, and they have query languages for
855    swiftly locating records that match particular criteria.</p>
856
857    <p>There are numerous modules available for Apache to
858    authenticate using a variety of different databases. In this
859    section, we'll just look at two modules which ship with Apache.
860    </p>
861
862    <h2><a name="modauthdb"></a>mod_auth_db and mod_auth_dbm</h2>
863
864    <p><tt>mod_auth_db</tt> and <tt>mod_auth_dbm</tt> are modules
865    which lets you keep your usernames and passwords in DB or DBM
866    files. There are few practical differences between DB files and
867    DBM files. And, on some operating systems, such as various
868    BSDs, and Linux, they are exactly the same thing. You should
869    pick whichever of the two modules makes the most sense on your
870    particular platform of choice. If you do not have DB support on
871    your platform, you may need to install it. You download an
872    implementation of DB at <tt>http://www.sleepycat.com/</tt>.
873
874    <h2><a name="dbfiles"></a>Berkeley DB files</h2>
875
876    <p>DB files, also known as Berkeley database files, are the
877    simplest form of database, and are rather ideally suited for
878    the sort of data that needs to be stored for HTTP
879    authentication. DB files store key/value pairs. That is, the
880    name of a variable, and the value of that variable. While other
881    databases allow the storage of many fields in a given record, a
882    DB file allows only this pairing of key and value.<a
883    name="foot1_return" href="#foot1"><sup>1</sup></a> This is ideal for
884    authentication, which requires only the pair of a username and
885    password.</p>
886
887    <h2><a name="installauthdb">Installing mod_auth_db</a></h2>
888
889    <p>For the purposes of this tutorial, we'll talk about
890    installing and configuring <tt>mod_auth_db</tt>. However,
891    everything that is said here can be directly applied to
892    <tt>mod_auth_dbm</tt> by simply replacing 'db' with 'dbm' and
893    'DB' with 'DBM' in the various commands, file names, and
894    directives.</p>
895
896    <p>Since <tt>mod_auth_db</tt> is not compiled in by default,
897    you will need to rebuild Apache in order to get the
898    functionality, unless you built in everything when we started.
899    Note that if you installed Apache with shared object
900    support, you may be able to just build the module and load it
901    in to Apache.</p>
902
903    <p>To build Apache from scratch with <tt>mod_auth_db</tt> built
904    in, use the following <tt>./configure</tt> line in your apache
905    source code directory.</p>
906<pre>
907./configure --enable-module=auth_db
908</pre>
909
910    <p>Or, if you had a more complex <tt>configure</tt> command
911    line, you can just add the <tt>-enable-module=auth_db</tt>
912    option to that command line, and you'll get
913    <tt>mod_auth_db</tt> built into your server.</p>
914
915    <h2><a name="authdbconfig">Protecting a directory with
916    mod_auth_db</a></h2>
917
918    <p>Once you have compiled the <tt>mod_auth_db</tt> module, and
919    loaded it into your web server, you'll find that there's very
920    little difference between using regular authentication and
921    using <tt>mod_auth_db</tt> authentication. The procedure is the
922    same as that we went through with basic and digest
923    authentication:</p>
924
925    <ol>
926      <li>Create the user file.</li>
927
928      <li>Configure Apache to use that file for
929      authentication.</li>
930
931      <li>Optionally, create a group file.</li>
932    </ol>
933
934    <h3><a name="dbmmanage"></a>Create the user file</h3>
935
936    <p>The user file for authentication is, this time, not a flat
937    text file, but is a DB file<a name="foot2_return"
938    href="#foot2"><sup>2</sup></a>. Fortunately, once again,
939    Apache provides us with a simple utility for the purpose of
940    managing this user file. This time, the utility is called
941    <tt>dbmmanage</tt>, and will be located in the <tt>bin</tt>
942    subdirectory of wherever you installed Apache.</p>
943
944    <p><tt>dbmmanage</tt> is somewhat more complicated to use than
945    <tt>htpasswd</tt> or <tt>htdigest</tt>, but it is still fairly
946    simple. The syntax which you will usually be using is as
947    follows:</p>
948<pre>
949dbmmanage passwords.dat adduser montressor
950</pre>
951
952    <p>As with <tt>htpasswd</tt>, you will at this point be
953    prompted for a password, and then asked to confirm that
954    password by typing it again. The main difference here is that
955    rather than a text file being created, you are creating a
956    binary file containing the information that you have
957    supplied.</p>
958
959    <p>Type <tt>dbmmanage</tt> with no arguments to get the full
960    list of options available with this utility.</p>
961
962    <h3><a name="perl_dbfile">Creating your user file with
963    Perl</a></h3>
964
965    <p>Note that, if you are so inclined, you can manage your user
966    file with Perl, or any other language which has a DB-file
967    module, for interfacing with this type of database. This covers
968    a number of popular programming languages.</p>
969
970    <p>The following Perl code, for example, will add a user
971    'rbowen', with password 'mypassword', to your password
972    file:</p>
973<pre>
974use DB_File;
975tie %database, 'DB_File', "passwords.dat"
976    or die "Can't initialize database: $!\n";
977
978$username = 'rbowen';
979$password = 'mypassword';
980@chars=(0..9,'a'..'z');
981$salt = $chars[int rand @chars] . $chars[int rand @chars];
982
983$crypt = crypt($password, $salt);
984$database{$username} = $crypt;
985
986untie %database;
987</pre>
988
989    <p>As you can imagine, this makes it very simple to write tools
990    to manage the user and password information stored in these
991    files.</p>
992
993    <p>Passwords are stored in Unix <tt>crypt</tt> format, just as
994    they were in the "regular" password files. The 'salt' that is
995    created in the middle there is part of the process, generating
996    a random starting point for that encryption. The technique
997    being used is called a 'tied hash'. The idea is to tie a
998    built-in data structure to the contents of the file, such that
999    when the data structure is changed, the file is automatically
1000    modified at the same time.</p>
1001
1002    <h3><a name="authdbuserfile"></a>Configuring Apache
1003    to use this password file</h3>
1004
1005    <p>Once you have created the password file, you need to tell
1006    Apache about it, and tell Apache to use this file to verify
1007    user credentials. This configuration will look almost the same
1008    as that for basic authentication. This configuration can go in
1009    a <tt>.htaccess</tt> file in the directory to be protected, or
1010    can go in the main server configuration, in a
1011    <tt>&lt;Directory&gt;</tt> section, or other scope container
1012    directive.</p>
1013
1014    <p>The configuration will look something like the
1015    following:</p>
1016<pre>
1017AuthName "Members Only"
1018AuthType Basic
1019AuthDBUserFile /usr/local/apache/passwd/passwords.dat
1020require user rbowen
1021</pre>
1022
1023    <p>Now, users accessing the directory will be required to
1024    authenticate against the list of valid users who are in
1025    <tt>/usr/local/apache/passwd/passwords.dat</tt>.</p>
1026
1027    <h3><a name="authdbgroupfile"></a><br />
1028     Optionally, create a group file</h3>
1029
1030    <p>As mentioned earlier, DB files store a key/value pair. In
1031    the case of group files, the key is the name of the user, and
1032    the value is a comma-separated list of the groups to which the
1033    user belongs.</p>
1034
1035    <p>While this is the opposite of the way that group files are
1036    stored elsewhere, note that we will primarily be looking up
1037    records based on the username, so it is more efficient to index
1038    the file by username, rather than by the group name.</p>
1039
1040    <p>Groups can be added to your group file using
1041    <tt>dbmmanage</tt> and the <tt>add</tt> command:</p>
1042<pre>
1043dbmmanage add groupfile rbowen one,two,three
1044</pre>
1045
1046    <p>In the above example, <tt>groupfile</tt> is the literal name
1047    of the group file, <tt>rbowen</tt> is the user being added, and
1048    <tt>one</tt>, <tt>two</tt>, and <tt>three</tt> are names of
1049    three groups to which this user belongs.</p>
1050
1051    <p>Once you have your groups in the file, you can require a
1052    group in the regular way:</p>
1053<pre>
1054AuthName "Members Only"
1055AuthType Basic
1056AuthDBUserFile /usr/local/apache/passwd/passwords.dat
1057AuthDBGroupFile /usr/local/apache/passwd/groups.dat
1058require group three
1059</pre>
1060
1061    <p>Note that if you want to use the same file for both password
1062    and group information, you can do so, but this is a little more
1063    complicated to manage, as you have to encrypt the password
1064    yourself before you feed it to the <tt>dbmmanage</tt>
1065    utility.</p>
1066
1067    <h1><a name="access"></a>Access control</h1>
1068
1069    <p>Authentication by username and password is only part of the
1070    story. Frequently you want to let people in based on something
1071    other than who they are. Something such as where they are
1072    coming from. Restricting access based on something other than
1073    the identity of the user is generally referred to as <i>Access
1074    Control</i>.</p>
1075
1076    <h2><a name="allowdeny"></a>Allow and Deny</h2>
1077
1078    <p>The <tt>Allow</tt> and <tt>Deny</tt> directives let you
1079    allow and deny access based on the host name, or host address,
1080    of the machine requesting a document. The directive goes
1081    hand-in-hand with these is the <tt>Order</tt> directive, which
1082    tells Apache in which order to apply the filters.</p>
1083
1084    <p>The usage of these directives is:</p>
1085<pre>
1086allow from address
1087</pre>
1088
1089    <p>where <i>address</i> is an IP address (or a partial IP
1090    address) or a fully qualified domain name (or a partial domain
1091    name); you may provide multiple addresses or domain names, if
1092    desired.</p>
1093
1094    <p>For example, if you have someone spamming your message
1095    board, and you want to keep them out, you could do the
1096    following:</p>
1097<pre>
1098deny from 11.22.33.44
1099</pre>
1100
1101    <p>Visitors coming from that address will not be able to see
1102    the content behind this directive. If, instead, you have a
1103    machine name, rather than an IP address, you can use that.
1104    </p>
1105<pre>
1106deny from hostname.example.com
1107</pre>
1108
1109    <p>And, if you'd like to block access from an entire domain,
1110    or even from an entire tld (top level domain, such as .com or .gov)
1111    you can specify just part of an address or domain name:</p>
1112<pre>
1113deny from 192.101.205
1114deny from exampleone.com exampletwo.com
1115deny from tld
1116</pre>
1117
1118    <p>Using <tt>Order</tt> will let you be sure that you are
1119    actually restricting things to the group that you want to let
1120    in, by combining a <tt>deny</tt> and an <tt>allow</tt>
1121    directive:</p>
1122<pre>
1123Order Deny,Allow
1124Deny from all
1125Allow from hostname.example.com
1126</pre>
1127
1128    <p>Listing just the <tt>allow</tt> directive would not do what
1129    you want, because it will let users from that host in, in
1130    addition to letting everyone in. What you want is to let in
1131    <i>only</i> users from that host.</p>
1132
1133    <h2><a name="satisfy"></a>Satisfy</h2>
1134
1135    <p>The <tt>Satisfy</tt> directive can be used to specify that
1136    several criteria may be considered when trying to decide if a
1137    particular user will be granted admission. <tt>Satisfy</tt> can
1138    take as an argument one of two options - <tt>all</tt> or
1139    <tt>any</tt>. By default, it is assumed that the value is
1140    <tt>all</tt>. This means that if several criteria are
1141    specified, then all of them must be met in order for someone to
1142    get in. However, if set to <tt>any</tt>, then several criteria
1143    may be specified, but if the user satisfies any of these, then
1144    they will be granted entrance.</p>
1145
1146    <p>A very good example of this is using access control to
1147    assure that, although a resource is password protected from
1148    outside your network, all hosts inside the network will be
1149    given free access to the resource. This would be accomplished
1150    by using the <tt>Satisfy</tt> directive, as shown below.</p>
1151<pre>
1152&lt;Directory /usr/local/apache/htdocs/sekrit&gt;
1153  AuthType Basic
1154  AuthName intranet
1155  AuthUserFile /www/passwd/users
1156  AuthGroupFile /www/passwd/groups
1157  Require group customers
1158  Order allow,deny
1159  Allow from internal.com
1160  Satisfy any
1161&lt;/Directory&gt;
1162</pre>
1163
1164    <p>In this scenario, users will be let in if they either have a
1165    password, or if they are in the internal network.</p>
1166
1167    <h1><a name="summary">Summary</a></h1>
1168
1169    <p>The various authentication modules provide a number of ways
1170    to restrict access to your host based on the identity of the
1171    user. They offer a somewhat standard interface to this
1172    functionality, but provide different back-end mechanisms for
1173    actually authenticating the user.</p>
1174
1175    <p>And the access control mechanism allows you to restrict
1176    access based on criteria unrelated to the identity of the
1177    user.<br />
1178    </p>
1179    <hr />
1180
1181    <h4>Footnotes</h4>
1182
1183    <dl>
1184      <dt><a name="foot1">... value.</a><a
1185      href="#foot1_return"><sup>1</sup></a></dt>
1186
1187      <dd>There are actually a number of implementations that get
1188      around this limitation. MLDBM is one of them, for example.
1189      However, for the purposes of this discussion, we'll just deal
1190      with standard Berkeley DB, which is likely to have shipped
1191      with whatever operating system you are already running.</dd>
1192
1193      <dt><a name="foot2">... file</a><a
1194      href="#foot2_return"><sup>2</sup></a></dt>
1195
1196      <dd>Or, if you are using mod_auth_dbm, a DBM file.</dd>
1197    </dl>
1198    <hr />
1199
1200  </body>
1201</html>
1202