[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

mod_authz_svn & certificates

From: Kevin Bentley <kevin.bentley_at_gmail.com>
Date: 2004-09-25 04:26:08 CEST

I've been spending all day trying to figure out a good way to get
ceritifcate authentication and mod_authz_svn playing together, without
also using mod_auth authentication. There are two problems I see

1. There's no way to use the SSLOption +FakeBasicAuth directly with
mod_authz_svn, because the certificate subject includes = characters.
No form of quoting or escaping the left side of the config file seems
to work.
For this issue, I would like to know if it's possible to add a feature
so the = sign inside quotes won't be read (or maybe if it is escaped
with a \).
There is a workaround, which is ugly, but you can create a group for
each user, and manage the configuration that way.

2. SSLUserName doesn't work. It would be a nice workaround, because
you could use the Common Name field of the certificate. It doesn't
work because mod_ssl uses a fixups hook to add the user field of the
request. Unfortunately, fixups happen after auth_check and
access_check. I was going to look into apache's code more closely to
see if it would be possible to move the fixups check earlier in the
code, or if it would be possible to move the SSLUserName code in
mod_ssl into a auth check, which could be made to run before
authz_svn's check. This is a problem with apache obviously, but I was
wondering if anyone here has a plan on how to deal with this. I'd be
willing to send a patch if I knew it was something the development
team wanted to see.


Kevin Bentley

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Sep 25 04:26:24 2004

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.