
Re: ra_dav/log and mod_authz_svn

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2005-03-07 15:08:23 CET

On Mar 7, 2005, at 6:45 AM, Chia-liang Kao wrote:

> Hi,
>
> If I have the following configuration:
> Apache:
> AuthType Basic
> AuthzSVNAccessFile /path/to/svnpolicy
> Satisfy any
> Require valid-user
>
> /path/to/svnpolicy:
> [/]
> * = rw
> [/private]
> foo = rw
> * =
>
> Now, if I have a change, say r6, changing things inside /private. Doing
> svn log -r6 -v http://server/svn/private prompts me for passwords. But
> doing log on http://server/svn/private does not, and I get an empty
> output of the log, without any prompt. So how do I guess that I need to
> run the log on /private or other secret paths to make svn at least try
> to authenticate with me?
>

This is another version of the well-known problem with our authn/authz
system when using "Satisfy Any". The log command sends an HTTP REPORT
request on a (path, rev) pair. If the initial (path, rev) target is
anonymously readable, then there's no authentication ever, and the user
remains anonymous for the entire REPORT: unreadable revisions are
skipped over. If the initial (path, rev) target is unreadable, then
authentication is demanded, and that user is authenticated for the
entire REPORT.

In other words,

   1. you only get one chance to authenticate at the beginning;
      authentication cannot happen in the middle of a response.

   2. your authentication lasts for the whole response.

Received on Mon Mar 7 15:09:42 2005
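
The behaviour described in the reply above, as an added Python model that is not part of the original mail and is not Subversion or mod_authz_svn code. The function names, revisions r5 and r7, and the changed file paths are constructed; rule evaluation is simplified, and a revision is assumed unreadable when none of its changed paths are readable.

```python
# Simplified model of one log REPORT under "Satisfy any" (assumptions, not svn code).
POLICY = """\
[/]
* = rw
[/private]
foo = rw
* =
"""
# Constructed history: r6 is the thread's change under /private; r5 and r7 are made up.
HISTORY = {5: ["/trunk/README"], 6: ["/private/plan.txt"], 7: ["/trunk/main.c"]}

def parse_policy(text):
    """Parse the access file into {section_path: {user: rights}}."""
    rules, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            rules[section] = {}
        elif "=" in line and section is not None:
            user, rights = (part.strip() for part in line.split("=", 1))
            rules[section][user] = rights
    return rules

def can_read(rules, user, path):
    """Use the deepest section with a line for this user; user=None is anonymous."""
    path = "/" + path.strip("/")
    while True:
        entries = rules.get(path, {})
        grants = [entries[k] for k in ("*", user) if k in entries]
        if grants:
            return any("r" in g for g in grants)
        if path == "/":
            return False
        path = path.rsplit("/", 1)[0] or "/"

def log_report(rules, target, history, credentials=None):
    """Return (status, user, revisions). The only challenge point is the target."""
    user = None
    if not can_read(rules, None, target):
        if credentials is None:
            return 401, None, []          # authentication demanded up front
        user = credentials                # identity kept for the whole REPORT
        if not can_read(rules, user, target):
            return 403, user, []
    prefix = ("/" + target.strip("/")).rstrip("/") + "/"
    shown = [rev for rev, paths in sorted(history.items())
             if any((p + "/").startswith(prefix) and can_read(rules, user, p)
                    for p in paths)]
    return 200, user, shown

RULES = parse_policy(POLICY)
```

Running the log on `/` returns r5 and r7 with no challenge even when credentials for `foo` are available, which is why r6 is silently missing from the output.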

This is an archived mail posted to the Subversion Dev mailing list.
