[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Apache SVN module and LUA authentification hook

From: Branko Čibej <brane_at_apache.org>
Date: Fri, 5 Jan 2018 16:29:47 +0100

On 05.01.2018 16:00, Stefan Hauffe wrote:
>
> Hello community,
>
>  
>
> I have an Apache 2.4 which shall deliver SVN repos by the
> http-Protocol. I’m experienced with standard Basic Authentification
> and path-based authorization for the Subversion repo.
>
>  
>
> In my new application, the authentication will be done by a LUA-script
> using the directive “LuaHookCheckUserID”. Generally, the LUA script
> works as expected (used this documentation
> <https://httpd.apache.org/docs/trunk/mod/mod_lua.html#luahookcheckuserid>).
>
>  
>
> Unfortunately it seems, that the authorization file (Subversion
> Accessfile) is not read out correctly. I see an empty repo with my
> (authorized) user.
>
>  
>
> From the logfile (Debug/Error) I see, that LUA granted my user. But
> also a “Access denied” message on a SVN file path:
>
>  
>
> [lua:debug] [pid 6872:tid ] @/path/to/hook.lua(29): [client ip]
> Accepted user myuser
>
> [authz_svn:info] [pid 6872:tid ] [client ip] Access granted: 'myuser'
> GET (null)
>
> [authz_svn:debug] [pid 6872:tid ]
> subversion/mod_authz_svn/mod_authz_svn.c(450): [client ip] Path to
> authz file is /path/to/accessfile
>
> [authz_svn:info] [pid 6872:tid ] [client ip] Access denied: - GET
> repo002:/file.txt
>
>  
>
> My simplest working LUA-Scripts goes here:
>
>  
>
> require 'apache2'
>
> function authcheck_hook(r)
>
>     r.user = "myuser"
>
>     r:debug("Accepted user " .. r.user)
>
>     return apache2.OK
>
> end
>

Are you really changing the username stored in the request in your
authentication script? That could certainly be the problem, AFAIK
there's no guarantee that that change gets propagated back to mod_authz_svn.

(It's also a horribly wrong approach to authentication.)

-- Brane
Received on 2018-01-05 16:29:54 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.