Authorization servers

Authentication is any process by which you verify that someone is who they clayên ổn they are. Authorization is any process by which someone is allowed to lớn be where they want lớn go, or lớn have information that they want lớn have.

Bạn đang xem: Authorization servers

For general access control, see the Access Control How-To.


*

See also



Related Modules and Directives

There are three types of modules involved in the authentication andauthorization process. You will usually need khổng lồ choose at least onemodule from each group.

Authentication type (see the AuthType directive) Authentication provider (see the AuthBasicProvider and AuthDigestProvider directives) Authorization (see the Require directive)

In addition to lớn these modules, there are also mod_authn_core and mod_authz_core. These modules implement core directives that are core to all auth modules.

The module mod_authnz_ldap is both an authentication và authorization provider. The module mod_authz_host provides authorization and access control based on hostname, IPhường address or characteristics of the request, but is not part of the authentication provider system. For backwards compatibility with the mod_access, there is a new module mod_access_compat.

You probably also want lớn take a look at the Access Control howkhổng lồ, which discusses the various ways khổng lồ control access khổng lồ your VPS.




The Prerequisites

The directives discussed in this article will need to lớn go either in your main hệ thống configuration file (typically in a section), or in per-directory configuration files (.htaccess files).

If you plan to lớn use .htaccess files, you will need to lớn have a hệ thống configuration that permits putting authentication directives in these files. This is done with the AllowOverride directive sầu, which specifies which directives, if any, may be put in per-directory configuration files.

Since we"re talking here about authentication, you will need an AllowOverride directive sầu like the following:

AllowOverride AuthConfig Or, if you are just going to put the directives directly in your main VPS configuration file, you will of course need khổng lồ have write permission khổng lồ that file.

And you"ll need to know a little bit about the directory structure of your server, in order khổng lồ know where some files are kept. This should not be terribly difficult, và I"ll try to lớn make this clear when we come to that point.

You will also need to lớn make sure that the modules mod_authn_core and mod_authz_core have either been built inkhổng lồ the nayaritas.net binary or loaded by the nayaritas.net.conf configuration tệp tin. Both of these modules provide core directives & functionality that are critical lớn the configuration and use of authentication and authorization in the web VPS.



Getting it working

Here"s the basics of password protecting a directory on your VPS.

First, you need to lớn create a password tệp tin. Exactly how you vì this will vary depending on what authentication provider you have chosen. More on that later. To start with, we"ll use a text password tệp tin.

This tệp tin should be placed somewhere not accessible from the web. This is so that folks cannot tải về the password file. For example, if your documents are served out of /usr/local/nayaritas.net/htdocs, you might want khổng lồ put the password file(s) in /usr/local/nayaritas.net/passwd.

To create the tệp tin, use the htpasswd utility that came with nayaritas.net. This will be located in the bin directory of wherever you installed nayaritas.net. If you have installed Apabít from a third-buổi tiệc ngọt package, it may be in your execution path.

To create the file, type:


htpasswd -c /usr/local/nayaritas.net/passwd/passwords rbowen


htpasswd will ask you for the password, and then ask you to lớn type it again lớn confirm it:


# htpasswd -c /usr/local/nayaritas.net/passwd/passwords rbowen New password: mypassword Re-type new password: mypassword Adding password for user rbowen


If htpasswd is not in your path, of course you"ll have sầu khổng lồ type the full path lớn the tệp tin to lớn get it khổng lồ run. With a mặc định installation, it"s located at /usr/local/nayaritas.net2/bin/htpasswd

Next, you"ll need lớn configure the server to lớn request a password & tell the hệ thống which users are allowed access. You can vày this either by editing the nayaritas.net.conf file or using an .htaccess file. For example, if you wish to lớn protect the directory /usr/local/nayaritas.net/htdocs/secret, you can use the following directives, either placed in the tệp tin /usr/local/nayaritas.net/htdocs/secret/.htaccess, or placed in nayaritas.net.conf inside a section.

AuthType BasicAuthName "Restricted Files"# (Following line optional)AuthBasicProvider fileAuthUserFile "/usr/local/nayaritas.net/passwd/passwords"Require user rbowen Let"s examine each of those directives individually. The AuthType directive selects the method that is used to lớn authenticate the user. The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important khổng lồ be aware, however, that Basic authentication sends the password from the client lớn the VPS unencrypted. This method should therefore not be used for highly sensitive sầu data, unless accompanied by mod_ssl. Apađậy supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest & was intended lớn be more secure. This is no longer the case & the connection should be encrypted with mod_ssl instead.

The AuthName directive sets the Realm khổng lồ be used in the authentication. The realm serves two major functions. First, the client often presents this information lớn the user as part of the password dialog box. Second, it is used by the client lớn determine what password to lớn send for a given authenticated area.

So, for example, once a client has authenticated in the "Restricted Files" area, it will automatically retry the same password for any area on the same hệ thống that is marked with the "Restricted Files" Realm. Therefore, you can prevent a user from being prompted more than once for a password by letting multiple restricted areas share the same realm. Of course, for security reasons, the client will always need to lớn ask again for the password whenever the hostname of the hệ thống changes.

The AuthBasicProvider is, in this case, optional, since file is the mặc định value for this directive sầu. You"ll need to use this directive if you are choosing a different source for authentication, such as mod_authn_dbm or mod_authn_dbd.

The AuthUserFile directive sets the path to the password tệp tin that we just created with htpasswd. If you have sầu a large number of users, it can be quite slow lớn search through a plain text tệp tin to lớn authenticate the user on each request. Apabịt also has the ability lớn store user information in fast database files. The mod_authn_dbm module provides the AuthDBMUserFile directive. These files can be created và manipulated with the dbmmanage and htdbm programs. Many other types of authentication options are available from third các buổi party modules.

Finally, the Require directive sầu provides the authorization part of the process by setting the user that is allowed lớn access this region of the server. In the next section, we discuss various ways to use the Require directive.


Letting more than oneperson in

The directives above sầu only let one person (specifically someone with a username of rbowen) into lớn the directory. In most cases, you"ll want khổng lồ let more than one person in. This is where the AuthGroupFile comes in.

Xem thêm: Download Sketchup Pro 2016 Full Crack + Plugin + V, Sketchup 2016 32 Bit Full Crack + V

If you want khổng lồ let more than one person in, you"ll need lớn create a group file that associates group names with a danh sách of users in that group. The format of this file is pretty simple, & you can create it with your favorite editor. The contents of the tệp tin will look lượt thích this:


That"s just a danh sách of the members of the group in a long line separated by spaces.

To add a user lớn your already existing password file, type:


You"ll get the same response as before, but it will be appended to the existing file, rather than creating a new file. (It"s the -c that makes it create a new password file).

Now, you need lớn modify your .htaccess tệp tin or blochồng to lớn look lượt thích the following:

AuthType BasicAuthName "By Invitation Only"# Optional line:AuthBasicProvider fileAuthUserFile "/usr/local/nayaritas.net/passwd/passwords"AuthGroupFile "/usr/local/nayaritas.net/passwd/groups"Require group GroupName Now, anyone that is listed in the group GroupName, & has an entry in the password file, will be let in, if they type the correct password.

There"s another way lớn let multiple users in that is less specific. Rather than creating a group tệp tin, you can just use the following directive:

Require valid-user Using that rather than the Require user rbowen line will allow anyone in that is listed in the password file, & who correctly enters their password.


Possible problems

Because of the way that Basic authentication is specified, your username and password must be verified every time you request a document from the server. This is even if you"re reloading the same page, & for every image on the page (if they come from a protected directory). As you can imagine, this slows things down a little. The amount that it slows things down is proportional to lớn the kích cỡ of the password file, because it has to lớn open up that file, and go down the danh sách of users until it gets lớn your name. And it has khổng lồ vày this every time a page is loaded.

A consequence of this is that there"s a practical limit to lớn how many users you can put in one password tệp tin. This limit will vary depending on the performance of your particular hệ thống machine, but you can expect khổng lồ see slowdowns once you get above sầu a few hundred entries, & may wish to lớn consider a different authentication method at that time.


Alternate password storage

Because storing passwords in plain text files has the above sầu problems, you may wish khổng lồ store your passwords somewhere else, such as in a database.

mod_authn_dbm and mod_authn_dbd are two modules which make this possible. Rather than selecting AuthBasicProvider file, instead you can choose dbm or dbd as your storage format.

To select a dbm file rather than a text tệp tin, for example:

AuthName "Private" AuthType Basic AuthBasicProvider dbm AuthDBMUserFile "/www/passwords/passwd.dbm" Require valid-user Other options are available. Consult the mod_authn_dbm documentation for more details.


Using multiple providers

With the introduction of the new provider based authentication và authorization architecture, you are no longer locked inkhổng lồ a single authentication or authorization method. In fact any number of the providers can be mixed & matched to lớn provide you with exactly the scheme that meets your needs. In the following example, both the file và LDAP based authentication providers are being used.

AuthName "Private" AuthType Basic AuthBasicProvider tệp tin ldap AuthUserFile "/usr/local/nayaritas.net/passwd/passwords" AuthLDAPURL ldap://ldaphost/o=yourorg Require valid-user In this example the file provider will attempt to authenticate the user first. If it is unable to lớn authenticate the user, the LDAP provider will be called. This allows the scope of authentication khổng lồ be broadened if your organization implements more than one type of authentication store. Other authentication và authorization scenargame ios may include mixing one type of authentication with a different type of authorization. For example, authenticating against a password file yet authorizing against an LDAP directory.

Just as multiple authentication providers can be implemented, multiple authorization methods can also be used. In this example both tệp tin group authorization as well as LDAPhường. group authorization is being used.

AuthName "Private" AuthType Basic AuthBasicProvider tệp tin AuthUserFile "/usr/local/nayaritas.net/passwd/passwords" AuthLDAPURL ldap://ldaphost/o=yourorg AuthGroupFile "/usr/local/nayaritas.net/passwd/groups" Require group GroupName Require ldap-group cn=mygroup,o=yourorg To take authorization a little further, authorization container directives such as & allow lô ghích to be applied so that the order in which authorization is handled can be completely controlled through the configuration. See Authorization Containers for an example of how they may be applied.


Beyond just authorization

The way that authorization can be applied is now much more flexible than just a single check against a single data store. Ordering, lô ghích và choosing how authorization will be done is now possible.

Applying ngắn gọn xúc tích & ordering

Controlling how và in what order authorization will be applied has been a bit of a mystery in the past. In Apabịt 2.2 a provider-based authentication mechanism was introduced to lớn decouple the actual authentication process from authorization và supporting functionality. One of the side benefits was that authentication providers could be configured and called in a specific order which didn"t depkết thúc on the load order of the auth module itself. This same provider based mechanism has been brought forward inlớn authorization as well. What this means is that the Require directive sầu not only specifies which authorization methods should be used, it also specifies the order in which they are called. Multiple authorization methods are called in the same order in which the Require directives appear in the configuration.

With the introduction of authorization container directives such as & , the configuration also has control over when the authorization methods are called & what criteria determines when access is granted. See Authorization Containers for an example of how they may be used khổng lồ express complex authorization xúc tích và ngắn gọn.

By mặc định all Require directives are handled as though contained within a container directive. In other words, if any of the specified authorization methods succeed, then authorization is granted.

Using authorization providers for access control

Authentication by username và password is only part of the story. Frequently you want to let people in based on something other than who they are. Something such as where they are coming from.

The authorization providers all, env, host & ip let you allow or deny access based on other host based criteria such as host name or ip address of the machine requesting a document.

The usage of these providers is specified through the Require directive. This directive registers the authorization providers that will be called during the authorization stage of the request processing. For example:

Require ip address where address is an IPhường address (or a partial IP. address) or:

Require host domain_name where domain_name is a fully qualified domain name (or a partial domain name name); you may provide multiple addresses or domain names, if desired.

For example, if you have someone spamming your message board, và you want lớn keep them out, you could vày the following:

Require all granted Require not ip 10.252.46.165 Visitors coming from that address will not be able to see the content covered by this directive sầu. If, instead, you have sầu a machine name, rather than an IPhường address, you can use that.

Require all granted Require not host host.example.com And, if you"d lượt thích lớn blochồng access from an entire domain name, you can specify just part of an address or domain name:

Require all granted Require not ip 192.168.205 Require not host phishers.example.com moreidiots.example Require not host ke Using with multiple directives, each negated with not, will only allow access, if all of negated conditions are true. In other words, access will be blocked, if any of the negated conditions fails.

Access Control backwards compatibility

One of the side effects of adopting a provider based mechanism for authentication is that the previous access control directives Order, Allow, Deny and Satisfy are no longer needed. However to provide backwards compatibility for older configurations, these directives have sầu been moved to the mod_access_compat module.


Note

The directives provided by mod_access_compat have been deprecated by mod_authz_host. Mixing old directives like Order, Allow or Deny with new ones like Require is technically possible but discouraged. The mod_access_compat module was created khổng lồ support configurations containing only old directives khổng lồ facilitate the 2.4 upgrade. Please check the upgrading guide for more information.