Order, Allow, Deny

Security in htaccess: htpasswd, 401 Authentication

Postby produke » 21 Oct 2006 02:53

Authorization
Authorization is the process of verifying if a user, once identified by the authentication mechanism, is permitted to access the requested resource. The access is usually determined by verifying if the user is coming from a certain location or has a specific client environment characteristic.

Order
The Order directive is a bit tricky for new Apache users, as it controls two seemingly unrelated issues:

Controls the order in which the Allow and Deny directives are processed.

Sets a default policy for connections that do not match either of the Allow or Deny rules.

There are only two options available to the order directive, discussed next.

Order deny,allow

This order creates the following rule set: the deny rules are processed before the allow rules. If the client does not match a deny rule, or does match an allow rule, access is granted.

Order allow,deny

This is the opposite configuration: the allow rules are processed before the deny rules. If the client does not match an allow rule, or does match a deny rule, access is denied.

Let's show a few examples with the most basic of allow and deny rule qualifiers, the "All" parameter. Take a look at the following two example configurations:

Example 1: client would be denied.

<Directory "/usr/local/apache/htdocs">
Order allow,deny
Deny from all
Allow from all
</Directory>


Example 2: client would be allowed.

<Directory "/usr/local/apache/htdocs">
Order deny,allow
Deny from all
Allow from all
</Directory>


As these examples illustrate, unintended access may be allowed or denied if the Order arguments are given in the wrong order. It is therefore extremely important to fully test all configurations to validate that the proper access control is attained.
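The evaluation rules described in the post, as an added Python model that is not code from the original post or from Apache itself. It follows the documented decision logic of mod_authz_host (Apache 2.2) and mod_access_compat (Apache 2.4, where Order/Allow/Deny are deprecated in favour of Require). The configuration fragments are constructed for the example (the two blocks from the post plus an assumed "intranet only" block); only the `all`, single IPv4, partial IPv4, CIDR and dotted-netmask argument forms are modelled, and hostname or `env=` arguments are rejected rather than resolved:

```python
"""Model of Apache 2.2 Order/Allow/Deny evaluation (added example, not
code from the original post or from Apache; follows the documented rules
of mod_authz_host / mod_access_compat)."""
import ipaddress
import re

VALID_ORDERS = ("allow,deny", "deny,allow", "mutual-failure")


def _matches(client, spec):
    """True if the client IPv4Address matches one Allow/Deny 'from' argument."""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR prefix or dotted netmask; ipaddress accepts both
        return client in ipaddress.ip_network(spec, strict=False)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", spec):
        octets = spec.split(".")
        if len(octets) == 4:
            return client == ipaddress.ip_address(spec)
        # Partial address: Apache matches on leading whole octets, so
        # "192.168.1" matches 192.168.1.0-255 but not 192.168.10.x.
        return str(client).split(".")[:len(octets)] == octets
    raise ValueError(f"argument form not modelled here (hostname/env=): {spec!r}")


def parse_access(config):
    """Extract (order, allow_specs, deny_specs) from a config fragment.

    Directive names are case-insensitive as in Apache, the last Order line
    wins, and the default when no Order is present is Apache's: deny,allow.
    """
    order, allow, deny = "deny,allow", [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):  # comments, <Directory> tags
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if name == "order":
            # "Order deny, allow" (with a space) is two arguments and is a
            # syntax error in Apache; it is rejected here for the same reason.
            if args.lower() not in VALID_ORDERS:
                raise ValueError(f"Order takes one argument, got {args!r}")
            order = args.lower()
        elif name in ("allow", "deny"):
            m = re.fullmatch(r"from\s+(.+)", args, re.IGNORECASE)
            if not m:
                raise ValueError(f"{name.capitalize()} requires 'from': {line!r}")
            (allow if name == "allow" else deny).extend(m.group(1).split())
    return order, allow, deny


def decide(config, client_ip):
    """Return True if client_ip would be granted access under the fragment."""
    order, allow, deny = parse_access(config)
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(client, s) for s in allow)
    denied = any(_matches(client, s) for s in deny)
    if order == "deny,allow":
        # Deny first, default allow: a matching Allow overrides a matching Deny.
        return not denied or allowed
    # allow,deny and mutual-failure: Allow first, default deny, Deny wins.
    return allowed and not denied


# Constructed fragments: the two examples from the post plus an assumed
# "intranet only" block of the kind the Order argument usually guards.
EXAMPLE_1 = """<Directory "/usr/local/apache/htdocs">
Order allow,deny
Deny from all
Allow from all
</Directory>"""

EXAMPLE_2 = EXAMPLE_1.replace("Order allow,deny", "Order deny,allow")

INTRANET_ONLY = """Order deny,allow
Deny from all
Allow from 10.0.0.0/8 192.168.1
"""

if __name__ == "__main__":
    for label, cfg in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(label, "->", "allowed" if decide(cfg, "203.0.113.7") else "denied")
    for ip in ("10.5.5.5", "192.168.1.77", "192.168.10.1", "203.0.113.7"):
        print("intranet", ip, "->", "allowed" if decide(INTRANET_ONLY, ip) else "denied")
    try:
        parse_access("Order deny, allow")
    except ValueError as err:
        print("rejected:", err)
```

Running the script reproduces the post's two results (Example 1 denied, Example 2 allowed) and shows the practical pattern: with `Order deny,allow`, a `Deny from all` followed by a narrow `Allow from` list lets only the listed networks in, while the same `Allow` list under `Order allow,deny` also works because unlisted clients fall to the deny default. The model also rejects `Order deny, allow` with a space, which Apache treats as two arguments. On Apache 2.4 the same policy is written with `Require all denied` and `Require ip 10.0.0.0/8 192.168.1`; mixing the old directives and `Require` in one scope is a frequent source of surprises, so test either form against a real request before relying on it.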