NaviServer Built-in Commands – 5.0.0a
ns_auth - Authorization check
The ns_auth command provides access to NaviServer’s pluggable authorization framework. It dispatches calls through the chain of registered authorization handlers, allowing user-provided C or Tcl callbacks to grant, deny, or challenge requests at both the URL and user/password level.
Before using ns_auth, one or more callbacks must be registered (e.g. via the nsperm module or the ns_register_auth Tcl API). See the nsperm - NaviServer Permissions and Access Control Guide for an example of how to configure and register handlers.
Performs a full request-level permission check exactly as done by NaviServer before serving a URL. The callbacks registered for "request" authorization are invoked in order, each receiving method, url, authuser, authpasswd and optional ipaddr. By default, the command returns one of the following status codes:
OK - access granted
ERROR - internal error during authorization
FORBIDDEN - access denied, no possible retry
UNAUTHORIZED - authentication required or failed, retry possible
FILTER_RETURN - authorization chain intentionally stopped
If the -dict flag is given, the result is returned as a dictionary:
{ authority <authority> code <code> }
where <authority> is the label of the handler that last ran, and <status> is the same status code as shown above.
Runs the user-level authorization handlers in order to verify only a username and password pair (with no URL context). Results and options are the same as for ns_auth request.