On Fri, 24 Sep 2004 19:26:08 -0700, Kevin Bentley
<kevin.bentley@gmail.com> wrote:
> 2. SSLUserName doesn't work. It would be a nice workaround, because
> you could use the Common Name field of the certificate. It doesn't
> work because mod_ssl uses a fixups hook to add the user field of the
> request. Unfortunately, fixups happen after auth_check and
> access_check. I was going to look into apache's code more closely to
> see if it would be possible to move the fixups check earlier in the
> code, or if it would be possible to move the SSLUserName code in
> mod_ssl into an auth check, which could be made to run before
> authz_svn's check. This is a problem with apache obviously, but I was
> wondering if anyone here has a plan on how to deal with this. I'd be
> willing to send a patch if I knew it was something the development
> team wanted to see.
As a followup to my own email, I wanted to add an update.
I got the SSLUserName working and it's pretty neat. I can use the
common name or email as the username, which looks nice in subversion.
However, I had to modify mod_ssl and subversion to make it work. I do
think this is a mod_ssl bug because the current mod_ssl doesn't allow
SSLUserName to be used by any other modules. I filed this bug with
Apache, but I'll have to wait and see what they say/do.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31418
In my version around line 780 of ssl_engine_kernel.c, I added the
following right before the final 'return DECLINED' in ssl_hook_Access:

    /*
     * Set r->user if requested
     */
    if (dc->szUserName) {
        val = ssl_var_lookup(r->pool, r->server, r->connection,
                             r, (char *)dc->szUserName);
        if (val && val[0]) {
            r->user = val;
        }
    }

The current mod_ssl code does it in a fixup hook, but that is not
useful to modules, since the fixup hook happens after all module
authentication. This is just a copy and paste of the code from fixup,
to stuff the request variable in before subversion gets it.
I also needed to modify subversion to register the subversion auth
hooks last in mod_authz_svn.c, like this:

    static void register_hooks(apr_pool_t *p)
    {
        static const char * const hookorder[] = { "mod_ssl.c", NULL };
        ap_hook_access_checker(access_checker, hookorder, NULL, APR_HOOK_LAST);
        ap_hook_auth_checker(auth_checker, hookorder, NULL, APR_HOOK_LAST);
    }

Would the SVN developers consider making this change to mod_authz_svn,
so if the mod_ssl change is made, the SSLUserName would work?
Thanks!
Kevin Bentley
Received on Sat Sep 25 17:06:06 2004
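
An added example, not part of the original message and not httpd, mod_ssl or Subversion code: a simplified C model of the hook ordering discussed above, showing which user value the authorization check sees when the user is set in fixups versus in the access hook with the authz hook ordered last. The phase enum, the HOOK_* constants, the struct and function names and the sample user string are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified model of httpd request phases; not httpd or mod_ssl code. */
enum phase { ACCESS_CHECKER, AUTH_CHECKER, FIXUPS };
enum { HOOK_MIDDLE = 10, HOOK_LAST = 20 };  /* stand-ins for APR_HOOK_* */
struct request { const char *user, *seen_by_authz; };
struct hook { enum phase ph; int order; void (*fn)(struct request *); };

/* Constructed value standing in for the certificate's Common Name. */
static void ssl_set_user(struct request *r) { r->user = "Example User"; }
/* Stand-in for authz_svn: records the user visible when it decides. */
static void authz_check(struct request *r) { r->seen_by_authz = r->user; }

static int by_phase_then_order(const void *a, const void *b)
{
    const struct hook *x = a, *y = b;
    return x->ph != y->ph ? (int)x->ph - (int)y->ph : x->order - y->order;
}

/* Run hooks sorted by phase, then order; return the user authz saw. */
static const char *run_request(struct hook *hooks, size_t n)
{
    struct request r = { NULL, NULL };
    qsort(hooks, n, sizeof *hooks, by_phase_then_order);
    for (size_t i = 0; i < n; i++) hooks[i].fn(&r);
    return r.seen_by_authz;
}

/* Stock layout: user is set in fixups, after the access check has run. */
const char *user_seen_stock(void)
{
    struct hook h[] = { { FIXUPS, HOOK_MIDDLE, ssl_set_user },
                        { ACCESS_CHECKER, HOOK_MIDDLE, authz_check } };
    return run_request(h, 2);
}

/* Layout from the post: user set in the access hook, authz ordered last. */
const char *user_seen_patched(void)
{
    struct hook h[] = { { ACCESS_CHECKER, HOOK_LAST, authz_check },
                        { ACCESS_CHECKER, HOOK_MIDDLE, ssl_set_user } };
    return run_request(h, 2);
}

int main(void)
{
    const char *s = user_seen_stock(), *p = user_seen_patched();
    printf("stock: %s\npatched: %s\n", s ? s : "(none)", p ? p : "(none)");
    return 0;
}
```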