On Mar 7, 2005, at 6:45 AM, Chia-liang Kao wrote:
> Hi,
>
> If I have the following configuration:
> Apache:
> AuthType Basic
> AuthzSVNAccessFile /path/to/svnpolicy
> Satisfy any
> Require valid-user
>
> /path/to/svnpolicy:
> [/]
> * = rw
> [/private]
> foo = rw
> * =
>
> Now, if I have a change, say r6, changing things inside /private.
> Doing svn log -r6 -v http://server/svn/private prompts me for
> passwords. But doing log on http://server/svn/private does not, and I
> get an empty output of the log, without any prompt. So how do I guess
> that I need to run the log on /private or other secret paths to make
> svn at least try to authenticate with me?
>
This is another version of the well-known problem with our authn/authz
system when using "Satisfy Any". The log command sends an HTTP REPORT
request on a (path, rev) pair. If the initial (path, rev) target is
anonymously readable, then there's no authentication ever, and the user
remains anonymous for the entire REPORT: unreadable revisions are
skipped over. If the initial (path, rev) target is unreadable, then
authentication is demanded, and that user is authenticated for the
entire REPORT.

In other words,

1. you only get one chance to authenticate at the beginning;
   authentication cannot happen in the middle of a response.
2. your authentication lasts for the whole response.

Received on Mon Mar 7 15:09:42 2005
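
A simplified model of the behaviour described in the reply above, added here as an illustration; it is not mod_dav_svn code and not part of the original message. The revision history, the function names, and the rule that a revision is skipped when none of its changed paths is readable are assumptions of the model.

```python
# Simplified model of the behaviour described above; not mod_dav_svn code.
POLICY = {  # the svnpolicy file from the question
    "/": {"*": "rw"},
    "/private": {"foo": "rw", "*": ""},
}
HISTORY = {5: ["/trunk/README"], 6: ["/private/plan.txt"]}  # constructed sample

def norm(path):
    return "/" + path.strip("/")

def can_read(user, path):
    """Walk up from path to '/'; the nearest section naming the user or '*' decides."""
    path = norm(path)
    while True:
        rules = POLICY.get(path, {})
        if user is not None and user in rules:
            return "r" in rules[user]
        if "*" in rules:
            return "r" in rules["*"]
        if path == "/":
            return False
        path = path.rsplit("/", 1)[0] or "/"

def under(path, target):
    t = norm(target).rstrip("/")
    return path == (t or "/") or path.startswith(t + "/")

def log_report(target, credentials=None):
    """Model one log REPORT. `credentials` is the user the client would
    authenticate as *if challenged*; it is never sent unprompted."""
    if can_read(None, target):
        user = None                    # Satisfy Any: no challenge, stays anonymous
    elif credentials is None:
        return (401, None, [])         # challenge issued before any output
    elif can_read(credentials, target):
        user = credentials             # authenticated for the whole response
    else:
        return (403, credentials, [])
    revs = [rev for rev, paths in sorted(HISTORY.items())
            if any(under(p, target) and can_read(user, p) for p in paths)]
    return (200, user, revs)           # unreadable revisions silently skipped

if __name__ == "__main__":
    print(log_report("/", "foo"))         # (200, None, [5])
    print(log_report("/private"))         # (401, None, [])
    print(log_report("/private", "foo"))  # (200, 'foo', [6])
```

In the first call the user could authenticate as foo, but because the target is anonymously readable no challenge is ever issued and r6 is dropped from the output.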