
Recipe 6.6 Requiring Both Weak and Strong Authentication

Problem

You want to require both weak and strong authentication for a particular resource. For example, you wish to ensure that the user accesses the site from a particular location and also to require that he provide a password.

Solution

Use the Satisfy directive to require both types of authentication:

<Directory /www/htdocs/sensitive>
       
    # Enforce all restrictions
    Satisfy All

    # Require a password
    AuthType Basic
    AuthName Sensitive
    AuthUserFile /www/passwords/users
    AuthGroupFile /www/passwords/groups
    Require group salesmen

    # Require access from a certain network
    Order deny,allow
    Deny from all
    Allow from 192.168.1
</Directory>

Discussion

In this example, a user must provide a login, identifying him as a member of the salesmen group, and he must also use a machine on the 192.168.1 network.

The Satisfy All directive requires that all access control measures be enforced for the specified scope. A user accessing the resource from a nonmatching IP address will immediately receive a Forbidden error message in his browser, while, in the logfile, the following error message is logged:

[Sun May 25 15:31:53 2003] [error] [client 208.32.53.7] client denied by server configuration: /usr/local/apache/htdocs/index.html

Users who are in the required set of IP addresses, however, receive a password dialog box and are required to provide a valid username and password.
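The host-based denials described above can be audited from the error log. The following is an added example, not code from the book: it assumes the Apache 2.2-style error log format shown in the Discussion and the 192.168.1 network from the Solution. The function names and every sample line other than the first are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Apache 2.2-style error-log entry for a host-based denial (format from the recipe).
DENIED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"client denied by server configuration: (?P<path>.+)$"
)

def parse_denials(lines):
    """Yield (timestamp, client address, path) for each denial entry."""
    for line in lines:
        m = DENIED.match(line.strip())
        if not m:
            continue  # any other error-log message is skipped
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        yield ts, ip_address(m.group("ip")), m.group("path")

def summarize(lines, allowed="192.168.1.0/24"):
    """Group denials per client; 'inside' marks clients within `allowed`.
    A denial for an inside address means some other rule rejected it."""
    net = ip_network(allowed)
    report = defaultdict(lambda: {"count": 0, "paths": set(), "last": None})
    for ts, ip, path in parse_denials(lines):
        entry = report[str(ip)]
        entry["count"] += 1
        entry["paths"].add(path)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["inside"] = ip in net
    return dict(report)

# Constructed sample: line 1 is the recipe's entry on one line, the rest are made up.
P = "[Sun May 25 15:%s 2003] [error] [client %s] %s"
DENY = "client denied by server configuration: "
SAMPLE = [
    P % ("31:53", "208.32.53.7", DENY + "/usr/local/apache/htdocs/index.html"),
    P % ("32:10", "208.32.53.7", DENY + "/www/htdocs/sensitive/q2.html"),
    P % ("35:41", "192.168.1.44", DENY + "/www/htdocs/private"),
    P % ("40:02", "192.168.1.20", "File does not exist: /www/htdocs/favicon.ico"),
]

if __name__ == "__main__":
    for client, info in summarize(SAMPLE).items():
        print(client, info["count"], "inside" if info["inside"] else "outside",
              info["last"], sorted(info["paths"]))
```

Repeated denials from one outside address show who is probing the protected directory. A denial logged for an address inside 192.168.1 points to a different access rule doing the rejecting.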

See Also
