Movatterモバイル変換

[0]ホーム
URL:

Modules |Directives |FAQ |Glossary |Sitemap

Apache HTTP Server Version 2.4

<-
Apache >HTTP Server >Documentation >Version 2.4 >Modules

Apache Module mod_authz_dbd

Available Languages: en  | fr 

Description:Group Authorization and Login using SQL
Status:Extension
Module Identifier:authz_dbd_module
Source File:mod_authz_dbd.c
Compatibility:Available in Apache 2.4 and later

Summary

This module provides authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site by group membership. Similar functionality is provided bymod_authz_groupfile andmod_authz_dbm, with the exception that this module queries a SQL database to determine whether a user is a member of a group.

This module can also provide database-backed user login/logout capabilities. These are likely to be of most value when used in conjunction withmod_authn_dbd.

This module relies onmod_dbd to specify the backend database driver and connection parameters, and manage the database connections.

Support Apache!

Topics

Directives

Bugfix checklist

See also

top

The Require Directives

Apache'sRequire directives are used during the authorization phase to ensure that a user is allowed to access a resource. mod_authz_dbd extends the authorization types withdbd-group,dbd-login anddbd-logout.

Since v2.4.8,expressions are supported within the DBD require directives.

Require dbd-group

This directive specifies group membership that is required for the user to gain access.

Require dbd-group teamAuthzDBDQuery "SELECT user_group FROM authz WHERE user = %s"

Require dbd-login

This directive specifies a query to be run indicating the user has logged in.

Require dbd-loginAuthzDBDQuery "UPDATE authn SET login = 'true' WHERE user = %s"

Require dbd-logout

This directive specifies a query to be run indicating the user has logged out.

Require dbd-logoutAuthzDBDQuery "UPDATE authn SET login = 'false' WHERE user = %s"
top

Database Login

In addition to the standard authorization function of checking groupmembership, this module can also provide server-side user sessionmanagement via database-backed login/logout capabilities.Specifically, it can update a user's session status in the databasewhenever the user visits designated URLs (subject of course to userssupplying the necessary credentials).

This works by defining two specialRequire types:Require dbd-login andRequire dbd-logout.For usage details, see the configuration example below.

top

Client Login integration

Some administrators may wish to implement client-side sessionmanagement that works in concert with the server-side login/logoutcapabilities offered by this module, for example, by setting or unsettingan HTTP cookie or other such token when a user logs in or out.

To support such integration,mod_authz_dbd exports anoptional hook that will be run whenever a user's status is updated inthe database. Other session management modules can then use the hookto implement functions that start and end client-side sessions.

top

Configuration example

# mod_dbd configurationDBDriver pgsqlDBDParams "dbname=apacheauth user=apache pass=xxxxxx"DBDMin  4DBDKeep 8DBDMax  20DBDExptime 300<Directory "/usr/www/my.site/team-private/">  # mod_authn_core and mod_auth_basic configuration  # for mod_authn_dbd  AuthType Basic  AuthName Team  AuthBasicProvider dbd  # mod_authn_dbd SQL query to authenticate a logged-in user  AuthDBDUserPWQuery \    "SELECT password FROM authn WHERE user = %s AND login = 'true'"  # mod_authz_core configuration for mod_authz_dbd  Require dbd-group team  # mod_authz_dbd configuration  AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"  # when a user fails to be authenticated or authorized,  # invite them to login; this page should provide a link  # to /team-private/login.html  ErrorDocument 401 "/login-info.html"  <Files "login.html">    # don't require user to already be logged in!    AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"    # dbd-login action executes a statement to log user in    Require dbd-login    AuthzDBDQuery "UPDATE authn SET login = 'true' WHERE user = %s"    # return user to referring page (if any) after    # successful login    AuthzDBDLoginToReferer On  </Files>  <Files "logout.html">    # dbd-logout action executes a statement to log user out    Require dbd-logout    AuthzDBDQuery "UPDATE authn SET login = 'false' WHERE user = %s"  </Files></Directory>
top

AuthzDBDLoginToRefererDirective

Description:Determines whether to redirect the Client to the Referringpage on successful login or logout if aReferer requestheader is present
Syntax:AuthzDBDLoginToReferer On|Off
Default:AuthzDBDLoginToReferer Off
Context:directory
Status:Extension
Module:mod_authz_dbd

In conjunction withRequire dbd-login orRequire dbd-logout, this provides the option to redirect the client back to the Referring page (the URL in theReferer HTTP request header, if present). When there is noReferer header,AuthzDBDLoginToReferer On will be ignored.

top

AuthzDBDQueryDirective

Description:Specify the SQL Query for the required operation
Syntax:AuthzDBDQueryquery
Context:directory
Status:Extension
Module:mod_authz_dbd

TheAuthzDBDQuery specifies an SQL query to run. The purpose of the query depends on theRequire directive in effect.

In all cases, the user's ID will be passed as a single string parameter when the SQL query is executed. It may be referenced within the query statement using a%s format specifier.

top

AuthzDBDRedirectQueryDirective

Description:Specify a query to look up a login page for the user
Syntax:AuthzDBDRedirectQueryquery
Context:directory
Status:Extension
Module:mod_authz_dbd

Specifies an optional SQL query to use after successful login (or logout) to redirect the user to a URL, which may be specific to the user. The user's ID will be passed as a single string parameter when the SQL query is executed. It may be referenced within the query statement using a%s format specifier.

AuthzDBDRedirectQuery "SELECT userpage FROM userpages WHERE user = %s"

The first column value of the first row returned by the query statement should be a string containing a URL to which to redirect the client. Subsequent rows will be ignored. If no rows are returned, the client will not be redirected.

Note thatAuthzDBDLoginToReferer takes precedence if both are set.

Available Languages: en  | fr 

top

Comments

Notice:
This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to ourmailing lists.

Copyright 2025 The Apache Software Foundation.
Licensed under theApache License, Version 2.0.

Modules |Directives |FAQ |Glossary |Sitemap

[8]ページ先頭
©2009-2025 Movatter.jp