On Thu, Jul 17, 2008 at 8:47 AM, Omry Yadan <omry_at_yadan.net> wrote:
> What if the client sends the authentication credentials anyway (if they are
> available or if the user specifies them in the command line), and webdav is
> tweaked to authenticate the client in such case even if resource does not
> required authentication?
There's no such thing as the client 'forcing' the server to
authenticate credentials. With apache, the server sends an
authentication challenge, the client responds to the challenge.
That's it. If the server doesn't send the challenge in the first
place, then no amount of client typing 'svn --username X --password Y'
is going to cause authentication to happen.
The problem you're running into has been documented in the book for
years: see "Partial Readability" sidebar in
http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.pathbasedauthz
As others have said, it's not something subversion can fix --
mod_dav_svn is just an apache module, and thus is forced to work with
apache's authentication design. There's nothing to 'look at' here;
we wrote the dav module and understand the problem completely, and
it's not a fixable thing. There are multiple workarounds that have
been offerred, however:
1. use http for anonymous, https for commits
2. require authentication for all reads and writes, but announce a
generic 'guest' account with no password.
3. have all your clients use the serf HTTP library instead of neon
4. use svnserve instead of apache
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-07-20 14:36:48 CEST