[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Checkouts fail with mod_authz_svn/FakeBasicAuth

From: Dan Ports <drkp_at_mit.edu>
Date: 2004-10-02 15:14:08 CEST

On Fri, Oct 01, 2004 at 03:32:35PM +0100, Julian Foad wrote:
> Dan Ports wrote:
> > I've run into what seems to be a bug in Subversion or Apache. The
> >quick summary: checkouts fail when using mod_authz_svn with mod_ssl's
> >FakeBasicAuth option to achieve repository access control based on
> >client SSL certificates. This appears to be due to a problem with
> >authentication in subrequests.
> [...]
>
> Sorry to hear you had trouble and got no reply on the mailing list. Please
> feel free to re-post your query if you haven't resolved the problem.

 I am indeed still having this problem, though the patch (against
Apache mod_ssl) I described in my previous message appears to solve it.
Briefly, I'm trying to use FakeBasicAuth and mod_authz_svn to restrict
access to parts of my repository to certain certificate-authenticated
users. The problem seems to be that FakeBasicAuth authentication
information is not preserved when a HTTP request generates a
subrequest, so authz_svn authorization based on FakeBasicAuth
certificate information fails to work.

 For more details, see my original post,
http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=73775

 Kevin Bentley also recently posted some notes on how to use mod_ssl's
SSLUserName option with authz_svn to accomplish the same goal, but this
appears to require patching both mod_ssl and mod_authz_svn.

 I'm currently running Subversion 1.0.6 with Apache 2.0.50; I'll see if
I can find some time this weekend to upgrade and test with the latest
version, though I doubt this will change anything.

 Dan

-- 
Dan R. K. Ports                                
Research Minion
Massachusetts Institute of Technology                     <drkp@mit.edu>
Computer Science and Artificial Intelligence Lab    <drkp@csail.mit.edu>                            
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Oct 2 15:09:48 2004

This is an archived mail posted to the Subversion Dev mailing list.