
Re: SV: Accessing different revs via Apache?

From: Noel Yap <yap_noel_at_yahoo.com>
Date: 2002-10-10 18:36:50 CEST

--- Jeff Stuart <jstuart@computer-city.net> wrote:
> > Handling authorization outside of the Subversion
> > server will allow circumvention of the protection. I
> > really think that authorization should be handled by
> > the Subversion server.
> >
> And then we have yet another program doing
> authentication/authorization. Apache does it well. :)
> Let's build off that instead.

I believe the Subversion docs say that authentication
is left up to the network layer and that Subversion
will someday handle authorization (although one could
use a start-commit trigger now).

The more I think about it, the more I think that
authorization should be handled by the application
since it's very tied into what the application can do
(eg grant tag creation privileges to group G0).

The problem with relying on Apache authorization
(rather than authentication) is that it allows
circumvention by different client implementations (eg
local) and it has no knowledge of the possible
operations that need to be controlled. The beauty of
CVS permissioning was that it was done through the
file system making it less subvertible by anything (if
the notion of tags and branches were implemented
through the file system rather than internally through
RCS files, permissioning of these items would've come
for free).

Now, I'm just a security hobbyist, but I'd think that
in order for authorization to work properly,
authentication info shouldn't be spoofable. Since I'm
not an expert, I'll assume that this condition is
satisfied.

IMHO, it's perfect that Apache be responsible for
authentication and that the Subversion server be
responsible for authorization. As an aside, does
anyone know if Apache can use SRP?

Thanks,
Noel

Received on Thu Oct 10 18:37:32 2002
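
The message's example of an application-level rule ("grant tag creation privileges to group G0") as an added sketch; it is not part of the original mail or of Subversion's code. It shows the operation-aware decision that a URL-level check in the web server cannot make. Assumptions: a trunk/tags/branches layout, the "dev" group and all user names, and changed-path lines constructed as a status letter followed by a path.

```python
# Added example: authorization decided per operation, inside the application.
# Group members, the "dev" group, and the trunk/tags/branches layout are
# assumptions; the changed-path lines used with it are constructed.

GROUPS = {"G0": {"alice"}, "dev": {"alice", "bob"}}

# Operation -> groups allowed to perform it. Anything not listed is denied.
POLICY = {
    "create-tag": {"G0"},
    "create-branch": {"G0", "dev"},
    "modify": {"G0", "dev"},
    "modify-tag": set(),  # tags are immutable once created
}


def classify(action, path):
    """Map one changed path to the operation that needs authorizing."""
    parts = path.strip("/").split("/")
    if parts[0] == "tags":
        # Adding tags/<name> creates a tag; any other change touches one.
        if action == "A" and len(parts) == 2:
            return "create-tag"
        return "modify-tag"
    if parts[0] == "branches" and action == "A" and len(parts) == 2:
        return "create-branch"
    return "modify"


def denied_changes(user, changed):
    """Return (operation, path) pairs the user is not authorized for."""
    groups = {g for g, members in GROUPS.items() if user in members}
    denied = []
    for line in changed.splitlines():
        if not line.strip():
            continue
        status, path = line.split(None, 1)
        op = classify(status[0], path.strip())
        if not POLICY.get(op, set()) & groups:
            denied.append((op, path.strip()))
    return denied


if __name__ == "__main__":
    sample = "A   tags/v1.0/\nU   trunk/src/main.c\n"  # constructed input
    for user in ("alice", "bob", "mallory"):
        print(user, denied_changes(user, sample))
```

A commit hook could pass the transaction's changed paths to denied_changes() and reject the commit when the returned list is non-empty.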

This is an archived mail posted to the Subversion Dev mailing list.
