
Re: Logging SSL-authenticated users

From: Martin v. Löwis <martin_at_v.loewis.de>
Date: 2003-05-15 10:01:09 CEST

Sander Striker wrote:
> FakeBasicAuth
[...]
> So apparently your cert's Subject DN is empty.

Notice that this conclusion, strictly speaking, is invalid:
All the documentation says is that the standard Basic auth mechanism
then works. It does *not* state that req->user is set to the DN,
which is what mod_dav_svn uses.

I see something different from what David sees, and I have
studied two scenarios, both of which I can explain consistently
with the Apache documentation:

1. I add *only* +FakeBasicAuth, and don't add AuthType etc.
    to the Location. I then can perform commits just fine,
    and "anonymous" gets logged. This may be the case as
    no Apache authentication is performed at all, so the
    HTTP Authentication: header which mod_ssl adds is never
    evaluated (notice that mod_ssl does *not* set req->user).

    I could explain the difference that David sees by
    assuming that he uses a different client, one that
    displays absent authors as "(no author)" instead of
    "anonymous".

2. I also add AuthType Basic. It then forces me to also
    add a basic user file, which I do. The SVN client performs
    a number of successful HTTP interactions, until eventually
    the MERGE request is rejected as unauthorized, and the
    commit fails. Even if this worked, it would not be
    satisfying, as it requires me to maintain a fake user file
    of authorized users. I meant to express authorization with
    an SSLRequire formula instead.

It would probably also log the full DN in the svn log,
whereas I would prefer it to log the CN only (as this is
sufficient to indicate authorship).

Regards,
Martin

Received on Thu May 15 10:02:29 2003
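
The two configurations described in the message above, plus the SSLRequire-based authorization it mentions, written out as an added example (not part of the original mail, and not taken from the Apache or Subversion projects). The location names, repository path, user-file path, DN and organisation value are assumed placeholders.

```apache
# Scenario 1: client certificate required, +FakeBasicAuth only.
# No AuthType/Require, so Apache runs no authentication step here.
# Per the message: commits succeed and "anonymous" gets logged.
<Location /svn-scenario1>
    DAV svn
    SVNPath /srv/svn/repo
    SSLVerifyClient require
    SSLOptions +FakeBasicAuth
</Location>

# Scenario 2: the same, plus Basic auth evaluated against a user file.
# With FakeBasicAuth the user name is the certificate Subject DN and the
# password hash is the fixed value given in the mod_ssl documentation,
# so every authorized certificate needs a line such as (constructed DN):
#   /C=XX/O=Example Org/CN=Jane Doe:xxj31ZMTZzkVA
# Per the message: the MERGE request was rejected as unauthorized.
<Location /svn-scenario2>
    DAV svn
    SVNPath /srv/svn/repo
    SSLVerifyClient require
    SSLOptions +FakeBasicAuth
    AuthType Basic
    AuthName "Subversion"
    AuthUserFile /etc/apache2/svn-fakebasic.passwd
    Require valid-user
</Location>

# Authorization expressed on certificate attributes instead of a user file,
# as the message intended. Per the message, mod_ssl does not set req->user,
# so this block by itself does not give mod_dav_svn an author name.
<Location /svn-sslrequire>
    DAV svn
    SVNPath /srv/svn/repo
    SSLVerifyClient require
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Org"
</Location>
```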

This is an archived mail posted to the Subversion Dev mailing list.
