You want to require both weak and strong authentication for a particular resource. For example, you wish to ensure that the user accesses the site from a particular location and to require that he provides a password.
Use the Satisfy directive to require both types of authentication:
<Directory /www/htdocs/sensitive> # Enforce all restrictions Satisfy All # Require a password AuthType Basic AuthName Sensitive AuthUserFile /www/passwords/users AuthGroupFile /www/passwords/groups Require group salesmen # Require access from a certain network Order deny,allow Deny from all Allow from 192.168.1 </Directory>
In this example, a user must provide a login, identifying him as a member of the salesmen group, and he must also use a machine on the 192.168.1 network.
The Satisfy All directive requires that all access control measures be enforced for the specified scope. A user accessing the resource from a nonmatching IP address will immediately receive a Forbidden error message in his browser, while, in the logfile, the following error message is logged:
[Sun May 25 15:31:53 2003] [error] [client 220.127.116.11] client denied by server configuration: /usr/local/apache/htdocs/index.html
Users who are in the required set of IP addresses, however, receive a password dialog box and are required to provide a valid username and password.