[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: How is mixed authentication/anonymous access implemented

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Wed, 29 Dec 2010 04:25:03 +0200

I think you're looking for this:

Also, I didn't quite understand your post, but unless it's about the
development of Subversion (i.e., implementing a new feature or asking
about internal implementation details), please follow up on the users@
list and not on the dev@ list.


Avalon wrote on Tue, Dec 28, 2010 at 14:35:08 +0100:
> Hi,
> SVN features a mixed authentication/anonymous access (see http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).
> I want to achieve the same functionality using a PHP script: allow
> anonymous access until accessing some special content and than request
> authentification which should be checked according to a htaccess-file.
> As far as i understand the SVN example the authentification is performed by the Apache modules.
> I configured the ".htaccess" file to look similar:
> Order allow,deny
> Allow from all
> AuthType Basic
> AuthName "Realm"
> AuthUserFile "/path/to/.htusers"
> require valid-user
> Satisfy any
> Additionally a PHP script is inside the same folder.
> When you now browse to the URL of the PHP script, you can access it without any credentials requested.
> At some point the PHP script "decides" that authentification is required (e.g. when passing a param like "?need-auth=1").
> I suppose this is similar to how the mixed authentication/anonymous access in SVN works (?).
> Therefore it sends the following two headers:
> WWW-Authenticate: Basic realm="Realm"
> HTTP/1.x 401 Unauthorized
> Then the user is asked to insert username/password for the basic auth.
> But now comes the problem:
> The apache will ALWAYS let the user pass as anonymous access is always granted.
> I suppose the webserver does not even try to authenticate the user credentials.
> Therefore it is not possible to decide in PHP if the user is anonymous or has been successfully authenticated.
> How is this performed in SVN for the mixed authentication/anonymous access?
> What i do not want is:
> - check the credentials in PHP (due to the many different auth-methods which could be configured with Apache)
> - have a dummy anonymous user like "guest" with password "guest"
> - split anonymous and authenticated parts in separate folders (to use separate .htaccess-files)
> I hope to get some enlightenment from the way SVN realizes this feature.
> Any feedback is highly appreciated.
> Thank you
> Dirk
Received on 2010-12-29 03:28:14 CET

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.