Hello all,

I've run into what seems to be a bug in Subversion or Apache. The
quick summary: checkouts fail when using mod_authz_svn with mod_ssl's
FakeBasicAuth option to achieve repository access control based on
client SSL certificates. This appears to be due to a problem with
authentication in subrequests.

I'll be the first to admit my ignorance about the internals of
Subversion and Apache, so I may be misdiagnosing the problem. In
particular, I have a possible fix/workaround, but I can't say whether
it's actually the Right Thing to do. I suspect this may actually be an
issue purely with Apache that's just being tickled by Subversion, but I
thought I'd post here first in order to make sure it wasn't related to
part of svn.

I'm running Subversion 1.0.6 with Apache 2.0.50 under FreeBSD 4.10.
I access my repository via HTTPS with SSL client certificates, and use
mod_authz_svn to specify repository permissions. To make this work, I
use mod_ssl's FakeBasicAuth option, which translates the client
certificate into a faked Authorization header identifying the
certificate, which mod_authz_svn can use to look up the user's
permissions.

With this configuration, some operations are possible on the
repository, but checkouts fail with the following error:

    svn: REPORT request failed on '/svn/!svn/vcc/default'
    svn:
    Unable to open root of edit

The relevant messages in the Apache logs:

    midnight-anchovy.mit.edu - - [05/Aug/2004:03:56:31 -0700] "REPORT /svn/!svn/vcc/default HTTP/1.1" 500 223

(Note the lack of a username added by FakeBasicAuth.)

    [Thu Aug 05 03:56:31 2004] [error] [client 18.239.1.63] A failure occurred while driving the update report editor [500, #220000]
    [Thu Aug 05 03:56:31 2004] [error] [client 18.239.1.63] Unable to open root of edit [500, #220000]

I've also observed that this error does not take place if I've granted
world-read access to the repository, only if authentication is required
to access the repository. (Of course, I've made sure that the client
has the correct certificates and configuration.)

It seems as though the Authorization header is not correctly added to
the subrequest, causing the authentication to fail. I poked around a
bit in the mod_ssl source, and found that I could make things work if I
made the following changes to httpd-2.0.50/modules/ssl/ssl_engine_kernel.c:

1) Commented out the following lines (813-815 in my copy):

    if (!ap_is_initial_req(r)) {
        return DECLINED;
    }

2) Added '&& ap_is_initial_req(r)' to the following conditional (line
823):

    if ((auth_line = apr_table_get(r->headers_in, "Authorization"))) {

Now, not being an Apache expert, I don't know whether this is the
correct fix. I'm not even entirely sure what my changes do -- in
particular, I'm not totally clear on why the second change is
necessary. I'm particularly suspicious because the first change
involves disabling a check that someone explicitly added, presumably
for some reason. But I've been running with this configuration for
several weeks now, and everything seems to be working correctly. (I was
initially using it under svn 1.0.5 and apache 2.0.49, then upgraded to
1.0.6/2.0.50.)

Can one of you shed some light on this problem? In particular, is the
fix I'm using correct? Is this issue related to the Subversion modules,
or is it a pure Apache issue that I should pass along to the Apache
folks? Or am I just doing something wrong? Any insights would be
appreciated.

Cheers,
Dan
--
Dan R. K. Ports
Research Minion
Massachusetts Institute of Technology <drkp@mit.edu>
Computer Science and Artificial Intelligence Lab <drkp@csail.mit.edu>
Received on Thu Aug 5 14:16:40 2004
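
Added example (not part of the original message and not Apache source code): a simplified C model of the control flow around the two edits described above, showing what each one changes for a subrequest. It assumes that a subrequest sees its parent's Authorization header and that the conditional at line 823 guards mod_ssl's rejection of client-supplied headers imitating the faked one; `struct req`, `looks_faked`, `user_check`, `simulate` and the sample DN are hypothetical names and constructed values. It does not reproduce the checkout failure itself.

```c
/* Simplified model of the hook's control flow; not Apache source code. */
#include <stdio.h>
#include <string.h>

enum { DECLINED = -1, HTTP_FORBIDDEN = 403 };
#define AUTH_MAX 256
#define SAMPLE_DN "/C=US/O=Example/CN=alice"   /* constructed subject DN */

/* Hypothetical stand-in for request_rec. auth is the decoded
 * "user:password" Authorization value ("" if absent); a subrequest points
 * at its parent's buffer (assumption: headers are shared). */
struct req { int initial; const char *client_dn; char *auth; };

/* Assumption: the guarded block rejects a header imitating the faked one,
 * i.e. a username starting with '/' and the literal password "password". */
static int looks_faked(const char *auth) {
    const char *colon = strchr(auth, ':');
    return auth[0] == '/' && colon && strcmp(colon + 1, "password") == 0;
}

/* change1: drop the subrequest early return; change2: check initial only. */
int user_check(struct req *r, int change1, int change2) {
    if (!change1 && !r->initial)
        return DECLINED;                 /* the lines quoted as 813-815 */
    if (r->auth[0] && (!change2 || r->initial) && looks_faked(r->auth))
        return HTTP_FORBIDDEN;           /* the conditional at line 823 */
    if (!r->client_dn)
        return DECLINED;                 /* no certificate, nothing to fake */
    snprintf(r->auth, AUTH_MAX, "%s:password", r->client_dn);
    return DECLINED;
}

/* Initial request carrying sent_auth, then one subrequest sharing the
 * header; returns the first HTTP_FORBIDDEN seen, else DECLINED. */
int simulate(const char *sent_auth, int change1, int change2) {
    char hdr[AUTH_MAX];
    snprintf(hdr, sizeof hdr, "%s", sent_auth);
    struct req main_r = {1, SAMPLE_DN, hdr};
    struct req sub_r  = {0, SAMPLE_DN, hdr};
    if (user_check(&main_r, change1, change2) == HTTP_FORBIDDEN)
        return HTTP_FORBIDDEN;
    return user_check(&sub_r, change1, change2);
}

int main(void) {
    printf("change 1 only: %d\n", simulate("", 1, 0));
    printf("both changes: %d\n", simulate("", 1, 1));
    printf("spoofed header, both changes: %d\n", simulate("/CN=bob:password", 1, 1));
    return 0;
}
```

In this model, change 1 alone makes the subrequest trip over the header faked for its own parent, which is one reading of why change 2 was needed; a spoofed header on the initial request is still rejected with both changes applied.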