[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Logging SSL-authenticated users

From: Sander Striker <striker_at_apache.org>
Date: 2003-05-15 10:23:15 CEST

> From: Martin v. Lowis [mailto:martin@v.loewis.de]
> Sent: Thursday, May 15, 2003 10:09 AM

> Sander Striker wrote:
> > Okay, just for the record, this thread is all about Apache configuration
> > and has nothing to do with Subversion. Ask yourself if the same would
> > apply if you want to [fill in thing you want] on a regular directory.
> That is not the case. I believe Apache provides sufficient information,
> and Subversion fails to use it properly.
> The same does *not* apply to a regular directory. In a regular
> directory, the remote user is irrelevant once authorized, since all the
> server does it to return the resource.

Well, strictly speaking, for Apache, the user hasn't been authenticated
yet (which is why r->user isn't set). Only mod_authn_xxx sets r->user.
So, the way to go here is either create mod_authn_ssl, or add an option
to mod_ssl to tell it that the client cert is the authentication and
therefor it should set r->user. I'd rather go for the first.

> Asking whether the same would apply to CGI, I find that this is more
> similar: In a CGI script, I want to find out who the authenticated user
> was, and want to make use of this. Apache and mod_ssl give me the power
> to do so, by querying the SSL_CLIENT_S_DN_CN environment variable.

> I'm asking that mod_dav_svn retrieves the SSL subject if available and
> uses that if no user has been set.

-1. mod_dav_svn shouldn't make that assumption IMO.
>> Nevertheless, we probably should mention something about this specific
>> question in the book...
> I think you are taking a too easy position here. It is probably the case
> that a better service could be established by changing Apache, so it is
> not necessarily the case that Subversion needs to change. However, I am
> now convinced that the behaviour I consider desirable cannot be achieved
> with the current Apache+Subversion code base,

Yes it can. You are just not willing to maintain a fake user file ;).

> and could be achieved by changing subversion.
> I'm not asking for help in properly configuring Subversion: I can indeed
> read documentation myself, and I can also read source code if
> documentation is inconclusive. I'm asking for changes to Subversion.

Things could be made easier, but on the Apache side, not the Subversion side.
IMHO that is.


To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu May 15 10:24:30 2003

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.