[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

broken Digest auth

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2003-11-25 06:51:07 CET

cmpilato and I have been investigating issue 1608, whereby svn 0.33
broke Digest Authentication. We now understand the problem, but we're
not sure what the right solution is. We're looking for feedback and
suggestions.

Background -- let me first explain how things are *supposed* to work:

1. mod_dav_svn begins to send data to the client via an editor
(checkout, update, diff, merge, etc.) svn_repos_dir_delta() is driving
the editor.

2. Before sending data, svn_repos_dir_delta() invokes an authorization
'read' callback function: "does the user have permission to read this
(rev, path?)"

3. mod_dav_svn has a read-callback function which always does the same
thing: it converts the (rev, path) in question into a uri, and then
issues an internal _subrequest_ to apache, attempting to GET the uri.
This gives any apache authz modules a chance to validate the read
operation.

This subrequest system works just fine for http Basic Auth. In that
system, every client request contains a header that looks something like

   WWW-Authorization: Basic [crypted encoding of username+password]

When the subrequest is created, it inherits all of the headers from its
parent, so there's no problem with authn or authz.

But along comes Digest authentication. According to the RFC, each
client request looks something like this:

  WWW-Authorization: Digest username="XXX" password="XXX" nonce="XXX"
method="XXX" URI="XXX"

In other words, the http client needs to build an authorization header
that is *specific* to the method and URI being requested. And this is
now breaking our subrequest system. Typically, we invoke
svn_repos_dir_delta by issuing some kind of REPORT request on
'!svn/vcc/default'. But the authz subrequests are all GET methods on
specific repository-path URIs. Because the method and URI is different
from the parent request, the inherited Authorization: header fails to
authenticate. We get 'password mismatch' errors in the log, and
svn_repos_dir_delta() stops dead in its tracks.

One solution is to hack custom support into our authz_read callback:
look for the Authorization header, see if it's Digest auth. If it is,
then call various internal apache functions to rebuild a new header
that's custom to the 'GET !svn/ver/N/path' request. But man, how nasty.

Anyone have any thoughts?

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Nov 25 06:51:51 2003

This is an archived mail posted to the Subversion Dev mailing list.