[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Logging SSL-authenticated users

From: Martin v. Löwis <martin_at_v.loewis.de>
Date: 2003-05-15 10:38:45 CEST

Sander Striker wrote:

> Well, strictly speaking, for Apache, the user hasn't been authenticated
> yet (which is why r->user isn't set). Only mod_authn_xxx sets r->user.

That strict interpretation is not practical, IMO. mod_ssl has
authenticated the user, it can't get any better than that.
mod_ssl *does* perform authentication; this is one of its primary
purposes. It is irrelevant that it does not have the substring "authn"
in its module name.

That is, of course, from an end-user perspective. If Apache
architects think it should work differently, I can adjust as long as
it can be made to work the way I want.

>>I think you are taking a too easy position here. It is probably the case
>>that a better service could be established by changing Apache, so it is
>>not necessarily the case that Subversion needs to change. However, I am
>>now convinced that the behaviour I consider desirable cannot be achieved
>>with the current Apache+Subversion code base,
>
>
> Yes it can. You are just not willing to maintain a fake user file ;).

No. What I *really* want is to only get the CN in the SVN log. I don't
think I could achieve that, even if the fake user file would work as
designed.

> Things could be made easier, but on the Apache side, not the Subversion side.
> IMHO that is.

Hmm. Notice that, in general, there may be little interest on the Apache
side to change things. For Apache and its standard modules, all works
fine: You can authenticate and authorize in all possible ways, and in
cases where the resource contents depends on user identification (i.e.
in CGI cases), you can also properly identify the SSL-authenticated
users, using the various mod_ssl environment variables.

So it is really just subversion that needs extended services, and it
appears that these services could be implemented in subversion itself.

Regards,
Martin

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu May 15 10:40:43 2003

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.