
Re: mod_authz_svn & certificates

From: Kevin Bentley <kevin.bentley_at_gmail.com>
Date: 2004-09-25 17:05:52 CEST

On Fri, 24 Sep 2004 19:26:08 -0700, Kevin Bentley
<kevin.bentley@gmail.com> wrote:
> 2. SSLUserName doesn't work. It would be a nice workaround, because
> you could use the Common Name field of the certificate. It doesn't
> work because mod_ssl uses a fixups hook to add the user field of the
> request. Unfortunately, fixups happen after auth_check and
> access_check. I was going to look into apache's code more closely to
> see if it would be possible to move the fixups check earlier in the
> code, or if it would be possible to move the SSLUserName code in
> mod_ssl into an auth check, which could be made to run before
> authz_svn's check. This is a problem with apache obviously, but I was
> wondering if anyone here has a plan on how to deal with this. I'd be
> willing to send a patch if I knew it was something the development
> team wanted to see.

As a followup to my own email, I wanted to add an update.

I got the SSLUserName working and it's pretty neat. I can use the
common name or email as the username, which looks nice in subversion.

However, I had to modify mod_ssl and subversion to make it work. I do
think this is a mod_ssl bug because the current mod_ssl doesn't allow
SSLUserName to be used by any other modules. I filed this bug with
Apache, but I'll have to wait and see what they say/do.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31418

In my version around line 780 of ssl_engine_kernel.c, I added the
following right before the final 'return DECLINED' in ssl_hook_Access:

/*
 * Set r->user if requested
 */
if (dc->szUserName) {
    val = ssl_var_lookup(r->pool, r->server, r->connection,
                         r, (char *)dc->szUserName);
    if (val && val[0]) {
        r->user = val;
    }
}

The current mod_ssl code does it in a fixup hook, but that is not
useful to modules, since the fixup hook happens after all module
authentication. This is just a copy and paste of the code from fixup,
to stuff the request variable in before subversion gets it.

I also needed to modify subversion to register the subversion auth
hooks last in mod_authz_svn.c, like this:

static void register_hooks(apr_pool_t *p)
{
    /* Passed as the predecessor list: these hooks run after mod_ssl's. */
    static const char * const hookorder[] = { "mod_ssl.c", NULL };
    ap_hook_access_checker(access_checker, hookorder, NULL, APR_HOOK_LAST);
    ap_hook_auth_checker(auth_checker, hookorder, NULL, APR_HOOK_LAST);
}

Would the SVN developers consider making this change to mod_authz_svn,
so if the mod_ssl change is made, the SSLUserName would work?

Thanks!

Kevin Bentley

Received on Sat Sep 25 17:06:06 2004
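
Added example, not part of the original mail and not httpd or Subversion code: a toy C model of the ordering problem described above, showing which user an authorization hook sees with stock behaviour, with only the mod_ssl change, and with both changes. All names are hypothetical; the model assumes mod_authz_svn registers its hooks before mod_ssl and ignores APR hook priorities, modelling only the predecessor list.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the hook ordering discussed above; not httpd or Subversion code. */
enum phase { ACCESS_CHECKER, AUTH_CHECKER, FIXUPS, NPHASES };
typedef struct { const char *cn, *user, *authz_saw; } request;
typedef void (*hook_fn)(request *);
typedef struct { enum phase ph; const char *module, *pred; hook_fn fn; } hook;

/* Stand-in for the SSLUserName lookup: copy the certificate CN into r->user. */
static void ssl_set_user(request *r) { if (r->cn && r->cn[0]) r->user = r->cn; }

/* Stand-in for mod_authz_svn: record the user it sees at its first check. */
static void authz_check(request *r) {
    if (!r->authz_saw) r->authz_saw = r->user ? r->user : "(none)";
}

/* Run phases in order. Within a phase, hooks with no predecessor run first in
 * registration order, then hooks that declared one (a simplified sort). */
static void run(const hook *h, size_t n, request *r) {
    for (int ph = 0; ph < NPHASES; ph++)
        for (int pass = 0; pass < 2; pass++)
            for (size_t i = 0; i < n; i++)
                if ((int)h[i].ph == ph && (h[i].pred != NULL) == pass)
                    h[i].fn(r);
}

/* mode 0: stock (user set in fixups); 1: mod_ssl change only; 2: both changes. */
const char *user_seen_by_authz(int mode, const char *cn) {
    const char *pred = (mode == 2) ? "mod_ssl.c" : NULL;
    hook hooks[4];
    size_t n = 0;
    /* Assumption: mod_authz_svn registers its hooks before mod_ssl does. */
    hooks[n++] = (hook){ ACCESS_CHECKER, "mod_authz_svn.c", pred, authz_check };
    hooks[n++] = (hook){ AUTH_CHECKER, "mod_authz_svn.c", pred, authz_check };
    if (mode >= 1)
        hooks[n++] = (hook){ ACCESS_CHECKER, "mod_ssl.c", NULL, ssl_set_user };
    hooks[n++] = (hook){ FIXUPS, "mod_ssl.c", NULL, ssl_set_user };
    request r = { cn, NULL, NULL };
    run(hooks, n, &r);
    return r.authz_saw;
}

int main(void) {
    for (int m = 0; m <= 2; m++)
        printf("mode %d: authz sees %s\n", m, user_seen_by_authz(m, "kevin"));
    return 0;
}
```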

This is an archived mail posted to the Subversion Dev mailing list.