Martin Hynar

Reason: user 'xxx' does not meet 'require'ments for user to be allowed access

This post collects lessons learned from setting up an Apache HTTPD server with authentication for some backend resources. The goal was to secure the resources with simple password-based authentication and allow a given list of users to access them. Accounts have been assembled in a dbm file on the local filesystem.

Configuration that works, but...

<VirtualHost *:80>
    ErrorLog /var/log/httpd/http-error.log
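    # CustomLog requires a format argument; "common" is the nickname defined in the stock httpd.conf
    CustomLog /var/log/httpd/http-access.log common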

    <Location /myresources>
        AuthType basic
        AuthName "Authenticate using username and password"
        AuthBasicProvider dbm

        AuthDBMUserFile "/etc/httpd/authentication.dbm"
        AuthGroupFile "/etc/httpd/groups"
        <RequireAny>
            Require user adam
            Require user bob
            Require user cecil
        </RequireAny>
    </Location>
</VirtualHost>

So, what we have here:

  • Credentials for user accounts are stored in /etc/httpd/authentication.dbm
  • Access to myresources is allowed only to users adam, bob and cecil. This is defined using RequireAny, meaning that if any of these requirements is matched, the user is granted access.

This will work, but you will see disturbing messages in the error log. They are disturbing because they name exactly those users that are allowed! At the same time, you will not see any error response in the access log. (Log messages are shortened.)

/var/log/httpd/http-error.log

[authz_user:error] [client 10.10.10.10:10000] AH01663: access to /myresources failed, reason: user 'bob' does not meet 'require'ments for user to be allowed access

/var/log/httpd/http-access.log

10.10.10.10 - bob "POST /myresources HTTP/1.1" 200 102

Why is that?

The reason is that the error log contains one error message for each unsatisfied Require directive, even when a later directive in the list grants access. For adam there won't be any error message, as he is first in the list. For bob there will be 1 and for cecil there will be 2 for each request.
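One way to separate this logging noise from real denials, as an added example that is not part of the original post: the script below correlates AH01663 entries with access log entries for the same client, user and path. The log lines are constructed in the post's shortened format, and dave is a hypothetical account that authenticates but is not in the Require list.

```python
import re
from collections import defaultdict

# AH01663 entry from mod_authz_user; search() tolerates timestamp/pid prefixes.
ERR_RE = re.compile(
    r"\[client (?P<ip>[^\]\s]+?):\d+\] AH01663: access to (?P<uri>\S+) failed, "
    r"reason: user '(?P<user>[^']*)' does not meet")
# Access log entry; the timestamp is optional so the shortened samples also match.
ACC_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) (?:\[[^\]]*\] )?'
    r'"\S+ (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

def triage(error_lines, access_lines):
    """Map (client ip, user, uri) to AH01663 count, outcomes and a verdict."""
    stats = defaultdict(lambda: {"errors": 0, "granted": 0, "denied": 0})
    for line in error_lines:
        m = ERR_RE.search(line)
        if m:
            stats[(m["ip"], m["user"], m["uri"])]["errors"] += 1
    for line in access_lines:
        m = ACC_RE.match(line)
        key = (m["ip"], m["user"], m["uri"].split("?", 1)[0]) if m else None
        if key in stats:  # only requests that have AH01663 entries to explain
            # 401/403 means authorization really failed; anything else got past it.
            outcome = "denied" if m["status"] in ("401", "403") else "granted"
            stats[key][outcome] += 1
    for s in stats.values():
        s["verdict"] = ("denied" if s["denied"] else
                        "noise" if s["granted"] else "unmatched")
    return dict(stats)

def err_line(ip, user):  # constructed error log line in the post's shortened format
    return (f"[authz_user:error] [client {ip}:10000] AH01663: access to /myresources "
            f"failed, reason: user '{user}' does not meet 'require'ments for user "
            "to be allowed access")

# Constructed sample data: dave is a hypothetical account not in the Require list.
ERROR_LOG = ([err_line("10.10.10.10", "bob")] + [err_line("10.10.10.11", "cecil")] * 2
             + [err_line("10.10.10.20", "dave")] * 3)
ACCESS_LOG = [
    '10.10.10.10 - adam "POST /myresources HTTP/1.1" 200 102',
    '10.10.10.10 - bob "POST /myresources HTTP/1.1" 200 102',
    '10.10.10.11 - cecil "POST /myresources HTTP/1.1" 200 102',
    '10.10.10.20 - dave "POST /myresources HTTP/1.1" 401 381',
]

if __name__ == "__main__":
    for key, s in triage(ERROR_LOG, ACCESS_LOG).items():
        print(key, s)
```

Without timestamps the match is per client, user and path rather than per request, so a key that has both granted and denied requests is reported as denied.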

Configuration that works, but...

<VirtualHost *:80>
    ErrorLog /var/log/httpd/http-error.log
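    # CustomLog requires a format argument; "common" is the nickname defined in the stock httpd.conf
    CustomLog /var/log/httpd/http-access.log common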

    <Location /myresources>
        AuthType basic
        AuthName "Authenticate using username and password"
        AuthBasicProvider dbm

        AuthDBMUserFile "/etc/httpd/authentication-myresources.dbm"
        AuthGroupFile "/etc/httpd/groups"
        Require valid-user
    </Location>
</VirtualHost>

The difference here is that there is no Require user list. Instead, any valid user is allowed. But the authentication database can contain more users than only those allowed to access myresources. This is why the authentication file is changed to a dedicated one, and you have to keep the correct list of users in it.

The latter configuration won't generate false alarms in the error log, but I don't consider it perfect either.
