[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

assessing feasibility of svn_auth provider impl

From: Duffy Gillman <duffy_at_gillman.net>
Date: 2007-03-15 23:47:40 CET

Hi,

   I'm trying to assess the steps involved to create and deploy a
specialized authentication provider for the Shibboleth federated
authn/authz system out of Internet2 (http://shibboleth.internet2.edu/ ).
The system is https-based and requires several redirects and a couple of
user interactions for a first login. I am unsure where to start looking
to answer a couple of critical questions. Please forgive me if some of
these questions are newbie-ish. I have just begun trying to familiarize
myself with svn code.

So, on to some questions. Can anyone help point me to answers to the
questions below? RTFM is a wonderful response as long as you can help
me determine which FM I should be consulting ;)

1) can the svn client handle multiple redirects from an https-based
repository?

My sense from scouring this list is that the client will appropriately
handle an HTTP 302 response code. Does anyone know if it will handle
*multiple* 302's in succession?

2) can an svn_auth provider prompt the user for information other than
name/password or certificate-related information?

For Shibboleth authentication to work a user *may* have to choose the
authentication source from a list of approved sources maintained by the
Shibboleth federation. In a browser this is no problem - the user is
redirected to a page with a drop-down list and is able to select the
source that should issue the name/password challenge.

For the svn client, the svn_auth provider would need to parse this list
(from a <select> form field or from an XML document presented in the
response from the https server) and present an appropriate prompt at the
command line (eg. enter the number of the provider from this list: 1)
WYZ, Inc. 2) Univ. of Colorado, etc.)

Is an svn_auth provider ill-behaved if it interacts with the user with
custom prompts like this?

3) does the current https-based auth provider store cookies?

This is not a requirement. However, if it does it would be possible to
preserve the choice of authentication source from question 2 above...
and possibly to preserve the authentication session with the
authentication source.
 
* * *

I greatly appreciate any insight that can be afforded.

Thanks much for your time!

-Duffy

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Mar 18 12:55:22 2007

This is an archived mail posted to the Subversion Dev mailing list.