[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: authentication re-vamp

From: Greg Stein <gstein_at_lyra.org>
Date: 2001-09-14 04:43:03 CEST

On Thu, Sep 13, 2001 at 05:06:25PM -0500, Ben Collins-Sussman wrote:
>...
> A. new RA vtable sequence: put back open(). [EASY]
>
> RA->open (URL, callback, [...])

session_baton = RA->open()

> ...callback can be a way of storing a tmp file in WC.

A single callback, or maybe a vtable of callbacks.

> authenticator = RA->get_authenticator(method)
> session_baton = svn_client_authenticate(authenticator)

No return value there. You authenticate the session_baton returned by
RA->open.

But see below: I don't think you even have RA->get_authenticator. Instead,
you would have the vtable of callbacks, containing client-provided auth
mechanisms.

> [ B: pass RA session to client ]

>...
> C. Improve auth-method selection [EASY]
>
> -- auth-method as optional commandline switch
>
> Use a single switch that takes a string: e.g. --auth="ssl"
>
> -- else: keep trying all available methods until they all fail.
> Cache info from one attempt to the next if possible.

Probably not. It will be more than this. Consider the server-requests model.
The server will be saying "give me <this>". In turn, RA would ask its caller
for the requested information.

IOW, RA is in control and is driving the selection. Not the client or WC or
some other caller.

To some extent, it is the client that is telling the RA what is available,
and the RA negotiates between server-requests and client-provides. The
client says "I have a function you can call to get a username/password." Or
"I have a function to get a client-side cert."

>...
> D. Prompts [EASY]
>
> -- display the method being used
>
> -- display a 'default' username if available
>
> -- prompt callback should take an array of prompts

Not sure what is going on here. This might be different based on the the
above pull model.

>
> E. Push vs. Pull models. [HARD]
>
> The current system pre-emptively requests info, then "pushes" it
> at the RA layer. This is odd, given that Apache typically makes
> a challenge and then "pulls" the info. As a result, the info is
> effectively being cached in the session_baton until Apache pulls
> it from there.

Yes.

> So, it would be nice to switch the whole client/user-interface to
> work with the "pull" model too.

Not "too" but "only". The admin defines what the server wants for authn, and
the client needs to meet that requirement.

>...
> F. Method negotiation? [HARD]

Responded to elsewhere.

Cheers,
-g 

-- 
Greg Stein, http://www.lyra.org/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Oct 21 14:36:41 2006

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.