Authorization is the process of verifying whether a user, once identified by the authentication mechanism, is permitted to access the requested resource. In Apache this decision is usually based on where the client is connecting from, or on some characteristic of the client's environment.
Order
The Order directive is a bit tricky for new Apache users, as it controls two seemingly unrelated things:
Controls the order in which the Allow and Deny directives are processed.
Sets a default policy for connections that do not match any of the Allow or Deny rules.
There are only two options available to the Order directive, discussed next. Note that the two keywords must be joined by a comma with no whitespace between them; Apache rejects "deny, allow" as a configuration error.
Order deny,allow
With this order, the Deny rules are processed before the Allow rules. If the client does not match a Deny rule, or does match an Allow rule, access is granted.
Order allow,deny
This is the opposite configuration: the Allow rules are processed before the Deny rules. If the client does not match an Allow rule, or does match a Deny rule, access is denied.
Let's show a few examples with the most basic of allow and deny rule qualifiers, the "All" parameter. Take a look at the following two example configurations:
Example 1: Client would be denied.
<Directory "/usr/local/apache/htdocs">
Order allow,deny
Deny from all
Allow from all
</Directory>
Example 2: Client would be allowed.
<Directory "/usr/local/apache/htdocs">
Order deny,allow
Deny from all
Allow from all
</Directory>
As these examples illustrate, the same Allow and Deny lines can grant or refuse access depending solely on the argument given to Order, so unintended access may be allowed or denied if the arguments are in the wrong order. It is therefore extremely important to fully test every configuration, for example by requesting the resource from an address that should be allowed and from one that should be denied, to validate that the intended access control is actually in effect.
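The following Python function is an added illustration, not code from the original post or from Apache: it models the decision logic described above (Order sets the default and which set is consulted first, and a later matching rule overrides an earlier one) for address-based arguments only, and runs the two example configurations plus two constructed ones.

```python
import ipaddress

# Added example, not Apache's own code: a small model of the Apache 2.2
# Order/Allow/Deny decision for address arguments ("all", a full IP,
# a dotted prefix such as 10.1, or a CIDR block). Hostname and env=
# forms are not modeled.

def _matches(client_ip, spec):
    """Return True if client_ip matches one Allow/Deny argument."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    # a partial address such as "10.1" matches every host under that prefix
    return client_ip == spec or client_ip.startswith(spec.rstrip(".") + ".")

def evaluate(config, client_ip):
    """Decide access for client_ip under a <Directory> block using Order semantics."""
    order = "deny,allow"  # Apache's default when no Order directive is present
    allow, deny = [], []
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            # Apache rejects "deny, allow": the keywords are one comma-joined token
            if len(parts) != 2 or parts[1].lower() not in ("allow,deny", "deny,allow"):
                raise ValueError("Order must be exactly allow,deny or deny,allow: %r" % line)
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    allowed = any(_matches(client_ip, s) for s in allow)
    denied = any(_matches(client_ip, s) for s in deny)
    if order == "deny,allow":
        # default is allow; a matching Deny is overridden by a matching Allow
        return allowed or not denied
    # allow,deny: default is deny; a matching Allow is overridden by a matching Deny
    return allowed and not denied

# The two configurations from the post above, plus two constructed policies.
EXAMPLE_1 = "Order allow,deny\nDeny from all\nAllow from all"
EXAMPLE_2 = "Order deny,allow\nDeny from all\nAllow from all"
LAN_ONLY = "Order deny,allow\nDeny from all\nAllow from 192.168.1.0/24"
BLOCK_ONE_HOST = "Order allow,deny\nAllow from 10.1\nDeny from 10.1.2.3"

if __name__ == "__main__":
    for name, cfg in [("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2), ("LAN only", LAN_ONLY)]:
        print(name, "->", "allowed" if evaluate(cfg, "192.168.1.10") else "denied")
```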