Re: Logging SSL-authenticated users

Sander Striker wrote:

> Okay, just for the record, this thread is all about Apache configuration
> and has nothing to do with Subversion. Ask yourself if the same would
> apply if you want to [fill in thing you want] on a regular directory.

That is not the case. I believe Apache provides sufficient information,
and Subversion fails to use it properly.

The same does *not* apply to a regular directory. In a regular
directory, the remote user is irrelevant once authorized, since all the
server does it to return the resource.

Asking whether the same would apply to CGI, I find that this is more
similar: In a CGI script, I want to find out who the authenticated user
was, and want to make use of this. Apache and mod_ssl give me the power
to do so, by querying the SSL_CLIENT_S_DN_CN environment variable.

I'm asking that mod_dav_svn retrieves the SSL subject if available and
uses that if no user has been set.

> Nevertheless, we probably should mention something about this specific
> question in the book...

I think you are taking a too easy position here. It is probably the case
that a better service could be established by changing Apache, so it is
not necessarily the case that Subversion needs to change. However, I am
now convinced that the behaviour I consider desirable cannot be achieved
with the current Apache+Subversion code base, and could be achieved by
changing subversion.

I'm not asking for help in properly configuring Subversion: I can indeed
read documentation myself, and I can also read source code if
documentation is inconclusive. I'm asking for changes to Subversion.

Regards,
Martin

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu May 15 10:09:59 2003