Authorization Directives

<Directory /var/www/acme>
    Allow from www.example.com
</Directory>

The AuthAutoLogin directive automatically logs in as the specified user. This is useful for development to avoid having to enter the user credentials for each debug session.

The AuthDigestQop directive specifies the desire quality of protection to be employed by the AuthHandler when validating user credentials. The following levels are supported:

• none -- No authentication
• auth -- Standard digest authentication
• auth-int --Use integrity checking via an MD5 hash of the credentials. Not yet implemented.

The default level is "auth".

The AuthStore directive defines where Appweb can access user credentials for authenticating users and their passwords.

The "config" authentication method uses users credentials defined via the User directive and then stored internally in Appweb. These User directives are typically stored in a separate authentication configuration file that is included by appweb.conf. The authpass program can be used to create encrypted User passwords in the authentication file.

The "system" option selects the default system password database. On Unix, the Plugable Authentication Modules (PAM) method is used. Windows ActiveDirectory is not yet supported.

The "app" option selects a custom username and password storage scheme that you control in your application. Once selected, you need to implement a verification callback function that will be invoked to verify the user credentials. Use the httpSetAuthStoreVerify API to define your verification callback.

The AuthType directive specifies the authorization protocol to employ when validating users. If a route block does not define the AuthType, it is inherited from outer routes in the config file.

All forms of the AuthType directive specify an authentication realm except when using the "app" type with the "app" authentication store. The realm is included as an ingredient when encrypting passwords via the authpass program. For basic and digest authentication, this realm is also displayed by the browser when the user logs in.

The "AuthForm app" type depends on the user application verifying the user credentials using custom application specific logic.

The "AuthType form" authentication directive has extra arguments after the realm. These are four URIs to control the login and logout sequence. These are:

1. login-page — Unauthenticated users are redirected to this URI to log in
2. login-service-page — URI to receive the login POST request from the client
3. logout-service-page — URI to receive the logout request from the client
4. logged-in-page — Authenticated users are redirected to this URI after logging in

You should avoid using Basic or Digest authentication as they cannot reliably implement user logout. Basic authentication is especially not secure. It will transmit user credentials in a format that is very easy for malicious individuals to exploit. If using basic authentication, you should use SSL to encrypt the transmission of the password.

The Order directive defines who the server access control is applied. The allowSpec may be either "Deny,Allow" or "Allow,Deny". Note that no spaces may appear between the words or after the comma.

Deny,Allow

The deny directive is applied first then the allow directive. Requests that do not match the deny directive and do match the allow directive will be permitted access. Access is allowed by default if either the deny or allow directive is omitted.

Allow,Deny

The allow directive is applied first then the deny directive. Requests that do not match the allow directive or requests that match the deny directive will be denied. Access is denied by default if either the deny or allow directive is omitted.

Examples

To only allow access for a specified domain, www.example.com:

Order Deny,Allow
Deny from All
Allow from www.example.com

To deny access to a specific domain: www.myCompetitor.com

Order Allow,Deny
Allow from All
Deny from www.myCompetitor.com

The Require directive defines which users can access a set of resources. The directive may specify a set of users by name, or a set of abilities that users must possess before being granted access. In the absence of a require directive, any valid user will be permitted access. The Require ability directive specifies a list of ability words. These are typically verbs such as "view", "manage", "edit", and the like.

The Require secure directive specifies that access must be performed over a secure protocol using SSL/TLS. If an age is provided, a Strict-Transport-Security response header will be emitted. This instructs browsers that all connections thereafter must only request over HTTPS. This applies to the current and all future browser sessions to this domain up to the specified lifespan. If the domains attribute is specified, then the Strict-Transport-Security header will apply to all sub-domains.

The Require directive is inherited from outer hosts and blocks in the config file.

The Role directive defines a role with associated abilities. Roles may be specified by the User directive to specify a set of abilities for the user.

Role names are typically nouns such as: user, administrator, manager and the like.

Role directives are typically kept in a separate authentication configuration file with User directives that is included from the main appweb.conf file. It is essential that any configuration file containing Role or User directives be stored outside the Documents or any directory serving content.

The User directive defines a user for use with the internal AuthType. The user definition includes an encrypted password and a set of abilities. Multiple users can be defined.

The user abilities are words that may be specified by Require directives to restrict access to those users possessing the required abilities.

User directives are typically kept in a separate authentication configuration file that is included from the main appweb.conf file. It is essential that any configuration file containing User directives be stored outside the Documents or any directory serving content.