[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: How is mixed authentication/anonymous access implemented

From: Avalon <third-chance_at_gmx.de>
Date: Wed, 29 Dec 2010 14:44:48 +0100

> I think you're looking for this:
> http://blogs.open.collab.net/svn/2007/03/authz_and_anon_.html

These are actually all only work-arounds.
I am aware of these and especially mentioned that i do not want to use them.

> Also, I didn't quite understand your post, but unless it's about the
> development of Subversion (i.e., implementing a new feature or asking
> about internal implementation details), please follow up on the users@
> list and not on the dev@ list.

Actually, my question is about the implementation details.
How does SVN realizes this feature as stated in the documentation?

>> SVN features a mixed authentication/anonymous access (see http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).

Your link implies that this is not possible.
If the example is wrong it should be removed from docs and propably replaced with a note that such a scenario won't work because of (...).

Since i want to implement such a mixed access in a PHP web application, i would like to know how it is realized and implemented in SVN (not necessarily in code, but from the protocol point of view).

Dirk

>> SVN features a mixed authentication/anonymous access (see http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).
>>
>> I want to achieve the same functionality using a PHP script: allow
>> anonymous access until accessing some special content and than request
>> authentification which should be checked according to a htaccess-file.
>> As far as i understand the SVN example the authentification is performed by the Apache modules.
>>
>> I configured the ".htaccess" file to look similar:
>> Order allow,deny
>> Allow from all
>> AuthType Basic
>> AuthName "Realm"
>> AuthUserFile "/path/to/.htusers"
>> require valid-user
>> Satisfy any
>>
>> Additionally a PHP script is inside the same folder.
>> When you now browse to the URL of the PHP script, you can access it without any credentials requested.
>>
>> At some point the PHP script "decides" that authentification is required (e.g. when passing a param like "?need-auth=1").
>> I suppose this is similar to how the mixed authentication/anonymous access in SVN works (?).
>>
>> Therefore it sends the following two headers:
>> WWW-Authenticate: Basic realm="Realm"
>> HTTP/1.x 401 Unauthorized
>>
>> Then the user is asked to insert username/password for the basic auth.
>> But now comes the problem:
>> The apache will ALWAYS let the user pass as anonymous access is always granted.
>> I suppose the webserver does not even try to authenticate the user credentials.
>> Therefore it is not possible to decide in PHP if the user is anonymous or has been successfully authenticated.
>>
>> How is this performed in SVN for the mixed authentication/anonymous access?
>>
>> What i do not want is:
>> - check the credentials in PHP (due to the many different auth-methods which could be configured with Apache)
>> - have a dummy anonymous user like "guest" with password "guest"
>> - split anonymous and authenticated parts in separate folders (to use separate .htaccess-files)
>>
>> I hope to get some enlightenment from the way SVN realizes this feature.
>>
>> Any feedback is highly appreciated.
Received on 2010-12-29 14:45:19 CET

This is an archived mail posted to the Subversion Dev mailing list.