
Apache Module mod_authz_core


Description: Core Authorization
Module Identifier: authz_core_module
Source File: mod_authz_core.c
Compatibility: Available in Apache HTTPD 2.3 and later


This module provides core authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site. mod_authz_core provides the functionality to register various authorization providers. It is usually used in conjunction with an authentication provider module such as mod_authn_file and an authorization module such as mod_authz_user. It also allows for advanced logic to be applied to the authorization processing.





Creating Authorization Provider Aliases

Extended authorization providers can be created within the configuration file and assigned an alias name. The alias providers can then be referenced through the Require directive in the same way as a base authorization provider. Besides making it possible to create and alias an extended provider, this also allows the same extended authorization provider to be referenced from multiple locations.


The example below creates two different LDAP authorization provider aliases based on the ldap-group authorization provider. This example allows a single authorization location to check group membership within multiple LDAP hosts:

<AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx>
    AuthLDAPBindDN cn=youruser,o=ctx
    AuthLDAPBindPassword yourpassword
    AuthLDAPURL ldap://ldap.host/o=ctx
</AuthzProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-alias2 cn=my-other-group,o=dev>
    AuthLDAPBindDN cn=yourotheruser,o=dev
    AuthLDAPBindPassword yourotherpassword
    AuthLDAPURL ldap://other.ldap.host/o=dev?cn
</AuthzProviderAlias>

Alias "/secure" "/webpages/secure"
<Directory "/webpages/secure">
    AuthBasicProvider file
    AuthType Basic
    AuthName LDAP_Protected_Place
    # implied OR operation: membership in either aliased group is sufficient
    Require ldap-group-alias1
    Require ldap-group-alias2
</Directory>

Authorization Containers

The authorization container directives <RequireAll>, <RequireAny> and <RequireNone> may be combined with each other and with the Require directive to express complex authorization logic.

The example below expresses the following authorization logic. To access the resource, the user must either be the superadmin user, or belong to both the admins group and the Administrators LDAP group and, in addition, either belong to the sales group or have the LDAP dept attribute sales. Furthermore, in order to access the resource, the user must not belong to either the temps group or the LDAP group Temporary Employees.

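<Directory "/www/mydocs">
    <RequireAll>
        <RequireAny>
            Require user superadmin
            <RequireAll>
                Require group admins
                Require ldap-group cn=Administrators,o=Airius
                <RequireAny>
                    Require group sales
                    Require ldap-attribute dept="sales"
                </RequireAny>
            </RequireAll>
        </RequireAny>
        <RequireNone>
            Require group temps
            Require ldap-group cn=Temporary Employees,o=Airius
        </RequireNone>
    </RequireAll>
</Directory>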
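
The decision logic of the policy above, modeled in Python as an added example (it is not Apache's code and not part of the original documentation). It assumes each Require simply grants or denies, and applies the result rules given in the <RequireAll>, <RequireAny> and <RequireNone> directive descriptions; the identity fields and the allowed() helper are hypothetical.

```python
GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"  # three-valued results

def require(kind, value):
    """Leaf 'Require <kind> <value>': granted on match, else denied (simplified)."""
    def check(u):
        if kind == "user":
            ok = u["name"] == value
        else:  # group / ldap-group / ldap-attribute: membership test
            ok = value in u[kind]
        return GRANTED if ok else DENIED
    return check

def require_all(*children):
    """None may fail and at least one must succeed; otherwise neutral."""
    def check(u):
        r = [c(u) for c in children]
        return DENIED if DENIED in r else GRANTED if GRANTED in r else NEUTRAL
    return check

def require_any(*children):
    """One success is enough; fails only if nothing succeeds and something fails."""
    def check(u):
        r = [c(u) for c in children]
        return GRANTED if GRANTED in r else DENIED if DENIED in r else NEUTRAL
    return check

def require_none(*children):
    """Fails if any child succeeds; can never grant by itself, only stay neutral."""
    def check(u):
        return DENIED if GRANTED in [c(u) for c in children] else NEUTRAL
    return check

# Same tree as the <Directory "/www/mydocs"> example.
POLICY = require_all(
    require_any(
        require("user", "superadmin"),
        require_all(
            require("group", "admins"),
            require("ldap-group", "cn=Administrators,o=Airius"),
            require_any(require("group", "sales"),
                        require("ldap-attribute", "dept=sales")))),
    require_none(
        require("group", "temps"),
        require("ldap-group", "cn=Temporary Employees,o=Airius")))

def allowed(name, group=(), ldap_group=(), ldap_attribute=()):
    """Evaluate POLICY for a constructed identity (field names are this sketch's)."""
    u = {"name": name, "group": group, "ldap-group": ldap_group, "ldap-attribute": ldap_attribute}
    return POLICY(u) == GRANTED
```

Because <RequireNone> only ever returns denied or neutral, it works as a veto inside the outer <RequireAll>: even superadmin is refused once placed in the temps group.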

The Require Directives

mod_authz_core provides some generic authorization providers which can be used with the Require directive.

Require env

The env provider allows access to the server to be controlled based on the existence of an environment variable. When Require env env-variable is specified, the request is allowed access if the environment variable env-variable exists. The server provides the ability to set environment variables in a flexible way based on characteristics of the client request using the directives provided by mod_setenvif. Therefore, this directive can be used to allow access based on such factors as the client's User-Agent (browser type), Referer, or other HTTP request header fields.

SetEnvIf User-Agent ^Kno