



Apache Server for Windows Little Black Book:Authentication
Apache Server for Windows Little Black Book (Publisher: The Coriolis Group)
Author(s): Greg Holden with Matthew Keller
ISBN: 1576103919
Publication Date: 01/01/99



















Core Configuration Directives
A common setup for an authorized directory looks like this:



AuthType Basic
AuthName "restricted area"
AuthUserFile C:/www/Apache/passwd
require valid-user


The AuthType directive describes the type of authentication to be used. It has this syntax:


AuthType type


As this book is being written, the only available options for arguments to AuthType are Basic and Digest. AuthType (as well as the other directives mentioned in this section: AuthName, Require, and AuthUserGroup) has these additional attributes:

•  Context—directory, .htaccess
•  Override—AuthConfig

The AuthName directive assigns a name to the realm that you want to protect. It follows this syntax:


AuthName name


You can use any name you want for your protected area.

The Require directive lets you specify which users are allowed access to a protected realm. Require follows this syntax:


Require entity-name entity entity...


Entity-name and entity can take three forms to identify approved users. You can identify them by listing their usernames one after another, like this:


Require user greg matthew jeff lucy


Another argument to Require is the user-group name provided by AuthUserGroup (see “Text-Based Access Via mod_auth” later in this chapter):


Require group ProductionGroup AdministrativeGroup [othergroupname]...


Finally, you can tell Apache to admit all valid users (that is, all users whose names are listed in your password file):



Require valid-user


You can limit access further by using the <Limit> directive. The <Limit> directive allows only users who use an HTTP method such as GET or POST to retrieve files from within the directory. This means that users are required to submit data via a Web form or CGI script that uses GET or POST to transmit data. For example, we use a CGI script and limit the POST operation to members of a user group called PCGI:


<Files "c:/apache/secure-cgi/MattChat.pl">
<Limit POST>
Require group PCGI
</Limit>
</Files>


The Satisfy core directive specifies the access policy to be used if both Allow and Require are used. It’s only useful if you have combined username/password and hostname restrictions with a particular directory. Satisfy has this syntax:


Satisfy any | all


If you specify All, Apache requires that the client enter a valid username and password and that it is from an approved hostname. If you specify Any, the client is given access if either the username/password or the hostname is correct.

Modules That Handle Authentication
The following sections describe the Apache modules and directives that provide Apache with the ability to authenticate users by either hostname or password.

Host-Based Security Via mod_access
If you are using Apache to serve files within an organization through an intranet, you can use mod_access’s directives for restricting access to approved hostnames or IP addresses. For instance, if you work for The Coriolis Group and have an intranet that serves files to the domain coriolis.com, you can use mod_access’s Allow directive to permit access only to a personnel list stored in a protected directory:


Allow from coriolis.com
Allow from corporate.coriolis.com


You can also use Allow with a full IP address, a partial IP address, or a network/netmask pair. (See “Restricting Access By Domain Name” in the Immediate Solutions section of this chapter.)

The other directives provided by mod_access are as follows:

•  Allow from env=variable—Permits access only when the named environment variable is present. It’s used when you use other directives, such as BrowserMatch, to set an environment variable such as a type of Web browser. You can then allow users of that browser to access a specified directory.
•  Deny from env=variable—Denies access when the named environment variable is present.
•  Deny—Denies access to a list of hosts. The hosts can be specified by partial domain name, full or partial IP address, a network/netmask pair, or a network/nnn CIDR specification. (CIDR stands for Classless InterDomain Routing, a method for allocating blocks of Internet addresses.) In addition, the argument All (which means deny from all) prevents anyone from accessing a directory.
•  Order—Lets you specify the order in which any Allow and Deny directives you have used are to be executed. For instance, Order deny,allow tells Apache to process Deny directives first and then process the Allow directives. The Order directive also takes the argument mutual-failure. This tells Apache that only hosts that appear on the Allow list and do not appear on the Deny list will be given access.
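
The following added example (not code from the book or from Apache) models how the Order arguments listed above and the Satisfy directive described earlier combine into one access decision. The function names, the sample policy and the sample clients are constructed for illustration, and the client hostname is assumed to have been resolved already.

```python
import ipaddress

def host_matches(spec, ip, hostname=""):
    """True if one Allow/Deny argument matches the client (simplified model)."""
    spec = spec.lower()
    if spec == "all":
        return True
    if "/" in spec:  # network/netmask pair or network/nnn CIDR
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if spec.replace(".", "").isdigit():  # full or partial IP address
        return ip == spec or ip.startswith(spec.rstrip(".") + ".")
    # Full or partial domain name: compare whole labels, so
    # "notcoriolis.com" does not match "coriolis.com".
    dom = spec.lstrip(".")
    name = hostname.lower()
    return name == dom or name.endswith("." + dom)

def host_access(order, allow, deny, ip, hostname=""):
    """Apply the Order rules to the Allow and Deny lists of one directory."""
    allowed = any(host_matches(s, ip, hostname) for s in allow)
    denied = any(host_matches(s, ip, hostname) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":  # Deny first, Allow overrides; default is allow
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):  # default is deny
        return allowed and not denied
    raise ValueError("unknown Order argument: " + order)

def request_allowed(satisfy, host_ok, user_ok):
    """Combine the host check and the password check as Satisfy does."""
    satisfy = satisfy.lower()
    if satisfy not in ("all", "any"):
        raise ValueError("Satisfy takes any or all")
    return (host_ok and user_ok) if satisfy == "all" else (host_ok or user_ok)

# Constructed policy: Order deny,allow / Deny from all / Allow from coriolis.com 10.1
POLICY = dict(order="deny,allow", allow=["coriolis.com", "10.1"], deny=["all"])

if __name__ == "__main__":
    clients = [  # (ip, hostname, valid password supplied?) -- constructed samples
        ("10.1.2.3", "hr.coriolis.com", False),
        ("203.0.113.9", "notcoriolis.com", True),
    ]
    for ip, host, user_ok in clients:
        host_ok = host_access(ip=ip, hostname=host, **POLICY)
        for satisfy in ("all", "any"):
            print(ip, host, satisfy, request_allowed(satisfy, host_ok, user_ok))
```

With Satisfy any, the intranet host is admitted without a password and the outside host is admitted on its password alone; with Satisfy all, both sample requests are refused.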

Text-Based Access Via mod_auth
Although mod_access handles hostname-based access restrictions, mod_auth provides basic HTTP authentication by using usernames, group names, and passwords stored in text files. mod_auth has three directives:


•  AuthGroupFile—Identifies a text file that contains a group of users who can be authenticated. For instance, you can create a text file called mygroup. Each line of the group file contains a group name followed by the usernames of the group members (for instance, mygroup: jack jill).
•  AuthUserFile—Identifies a text file that contains a list of users and passwords for user authentication. Unless an absolute path is specified, the location is treated as relative to the location specified by ServerRoot.
•  AuthAuthoritative—Use this directive only if you have configured a directory to use more than one authentication scheme. If you set AuthAuthoritative to on, Apache tries the first scheme (that is, the higher-level authentication method) and, if that fails, moves on to the lower-level authentication method.
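
As an added audit aid (not code from the book or from Apache), the sketch below parses a group file in the format just described and reports which users from the password file would satisfy a set of Require lines, as covered under the Require directive earlier. The function names and file contents are constructed; the password file is assumed to hold one user:hash pair per line, and several Require lines are treated as alternatives.

```python
def parse_group_file(text):
    """Parse AuthGroupFile lines of the form 'group: user1 user2'."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def parse_user_file(text):
    """Return the usernames from AuthUserFile lines of the form 'user:hash'."""
    return {l.split(":", 1)[0].strip() for l in text.splitlines() if ":" in l}

def admitted(require_lines, users, groups):
    """Users in the password file that satisfy at least one Require line."""
    ok = set()
    for line in require_lines:
        kind, *names = line.split()[1:]  # drop the 'Require' keyword
        kind = kind.lower()
        if kind == "valid-user":
            ok |= users
        elif kind == "user":
            ok |= users & set(names)
        elif kind == "group":
            for g in names:
                ok |= users & groups.get(g, set())
        else:
            raise ValueError("unsupported Require form: " + line)
    return ok

# Constructed sample files; the hash fields are placeholders, not real hashes.
USER_FILE = "greg:PLACEHOLDER\nmatthew:PLACEHOLDER\njack:PLACEHOLDER\n"
GROUP_FILE = "# constructed sample\nmygroup: jack jill\n"

if __name__ == "__main__":
    users = parse_user_file(USER_FILE)
    groups = parse_group_file(GROUP_FILE)
    # lucy and jill are named but have no password entry, so they never appear.
    print(sorted(admitted(["Require user greg lucy"], users, groups)))
    print(sorted(admitted(["Require group mygroup"], users, groups)))
```

Names that appear in a Require line or group file but not in the password file drop out of the result, which makes stale or mistyped entries easy to spot during a review.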


WARNING!  Many third-party modules have been written to provide Apache for Unix with basic HTTP authentication. You can try to convert them to DLLs for use with Apache for Windows, but reports to the Apache Problem Report Database (bugs.apache.org) indicate that this is not always successful.











Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc. All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.


