
Re: broken Digest auth

From: Justin Erenkrantz <justin_at_erenkrantz.com>
Date: 2003-11-25 12:26:00 CET

--On Monday, November 24, 2003 11:51 PM -0600 Ben Collins-Sussman
<sussman@collab.net> wrote:

> '!svn/vcc/default'. But the authz subrequests are all GET methods on
> specific repository-path URIs. Because the method and URI are different
> from the parent request, the inherited Authorization: header fails to
> authenticate. We get 'password mismatch' errors in the log, and
> svn_repos_dir_delta() stops dead in its tracks.

Well, it's a little complicated, but I think httpd can 'fix' this with the
right patches applied to httpd.

I think some short-circuit logic in the authn hook could be in place if we're
a sub-req - return DECLINED if !ap_is_initial_req? I don't know how well
that'll work, but I'd start there and see how it works for this particular
issue. The r->user should be inherited from the parent request_rec, IIRC.

If that doesn't work, I'd say that in this case the authn (authentication,
i.e. mod_auth_digest) should work against the original method and sub-req for
digest auth. That is, it needs to go off of the credentials provided in the
r->main chain (see mainreq logic in authenticate_digest_user). It shouldn't
really care what the method and URI of the subreq are as the user has
*already* been authenticated against us by this point (in almost all
probability). We just need to identify *who* the person is at this stage, but
we already know that based on the main request_rec. Yet, I'm wondering if
there could be conflict between a req and its sub-reqs - i.e. different digest
realms - perhaps that is possible and why it is not done already. (Confused
yet?)

However, authz (authorization) needs to know the subreq method and URI to work
properly. mod_authz_svn is doing the 'right' thing, and I think it's
mod_auth_digest that's broken. So, you should focus on getting
mod_auth_digest working correctly on sub-reqs with different method and URIs.

While digest auth has been around for a while, I don't believe many people use
it in practice; so I'd expect it to be fragile. *shrug* -- justin

Received on Tue Nov 25 12:26:42 2003

This is an archived mail posted to the Subversion Dev mailing list.
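
The failure discussed in this thread, as an added example that is not part of the archived mail and is not httpd or Subversion code: a simplified RFC 2617 (qop=auth) check showing why a Digest response computed for the parent request fails when re-verified against a subrequest's method and URI, and passes when checked against the main request as the reply suggests. The REPORT method, the paths, user, realm, password and nonce values are constructed assumptions; `Request`, `verify` and `use_main` are hypothetical names.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


@dataclass
class Request:
    method: str
    uri: str
    main: Optional["Request"] = None  # parent of a subrequest (models r->main)


def digest_response(ha1, method, uri, nonce, nc, cnonce):
    # RFC 2617 with qop=auth: HA2 binds the response to one method and one URI.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify(creds, req, ha1, use_main=False):
    # use_main=True checks against the request the client actually signed.
    target = req.main if (use_main and req.main is not None) else req
    if creds["uri"] != target.uri:
        return False  # header URI does not match the request being checked
    expected = digest_response(ha1, target.method, target.uri,
                               creds["nonce"], creds["nc"], creds["cnonce"])
    return hmac.compare_digest(expected, creds["response"])


def demo():
    # Constructed sample data: user, realm, password, nonces, method and paths.
    ha1 = md5_hex("alice:svn-realm:s3cret")
    parent = Request("REPORT", "/repos/!svn/vcc/default")
    sub = Request("GET", "/repos/trunk/README", main=parent)
    creds = {"uri": parent.uri, "nonce": "constructed-nonce",
             "nc": "00000001", "cnonce": "constructed-cnonce"}
    creds["response"] = digest_response(ha1, parent.method, parent.uri,
                                        creds["nonce"], creds["nc"], creds["cnonce"])
    # (parent request, subrequest with inherited header, subrequest via main)
    return (verify(creds, parent, ha1),
            verify(creds, sub, ha1),
            verify(creds, sub, ha1, use_main=True))


if __name__ == "__main__":
    print(demo())
```
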