[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: On backporting r21531 to 1.4.x.

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: 2006-10-09 20:47:35 CEST

Stefan Küng wrote:

> If it takes again almost a year until the next 'big' Subversion release
> I will have to buy a lot of Valium to survive all the complaints, or
> have users not update and still use an old version (which means I have
> to deal with bugs long fixed too).

Understandable. Again, I don't mean to diminish the negative effect of
not doing the right thing here. I merely want to ensure that the right
thing is being done by *all* parties.

>> * Your Windows credentials were passed over the wire without
>> you having authorized such a thing in an automated attempt to
>> authenticate. (At this point, if not earlier, my knowledge gets
>> shaky, and I have to presume that if those creds failed against
>> the server, some graceful fallback to Basic or Digest auth worked
>> just fine -- but I dunno.)
>
> No, it wouldn't fall back to basic auth. At least not in all
> circumstances. One problem for example is that the authentication can
> succeed (if the user is part of a domain which the server hosting the
> repository is part of too), but later the authorization fails. In that
> case, Subversion simply gives up with an error and doesn't try to
> reauthenticate (because the authentication was successful before).
> This can happen if e.g. the GUEST account is enabled on the domain
> controller (sometimes it has to be, due to other company apps requiring
> that). Or if the admin has set up different user accounts for the
> repository than the users use to log in to their workstations (happens a
> *lot* from what I get on the mailing list).

Ah! Well, that puts a whole new spin on things, then. Pretend this new
Neon option never existed. If we fixed Subversion so that it would
reauthenticate, where would that put us on the usability chart?

> The only way to disable the automatic authentication with SSPI is by
> disabling it during compile time.

You mean without the new Neon API, yes?

-- 
C. Michael Pilato <cmpilato@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

Received on Mon Oct 9 20:47:50 2006

This is an archived mail posted to the Subversion Dev mailing list.