[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: How is mixed authentication/anonymous access implemented

From: Avalon <third-chance_at_gmx.de>
Date: Tue, 04 Jan 2011 20:57:29 +0100

I now this is a little bit off topic.
But since SVN seems to be the only solution which has this feature, i hope for any insight from you.

>> SVN features a mixed authentication/anonymous access (see
>> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).
>> I want to achieve the same functionality using a PHP script: allow anonymous
>> access until accessing some special content and than request
>> authentification which should be checked according to a htaccess-file.
>> As far as i understand the SVN example the authentification is performed by
>> the Apache modules.
> The svnbook section you refer to above isn't *wrong*, but it certainly could
> be misleading in terms of what is and isn't supported. (Which is why I
> wrote the "workaround" blog post to which you were pointed by my peer here.)
> For a better chance at getting a direct response with information you can
> immediately apply, I would suggest consulting another PHP-centric community
> for how they do this. (The Drupal community comes to mind.)

I asked the same question on the PHP and Apache mailing list some months ago - without any success.
The auth-stuff should NOT be implemented in PHP but being handled by the Apache.
The PHP script should only decide when anonymous access is not sufficient (e.g. by sending a WWW-Authenticate header).
Therefore i doubt that consulting other PHP projects would be helpful...

The key question for me is how SVN triggers the "escalation" from anonymous usage to authentification.
Are the two following scenarios correctly described?

Anonymous access:
A1: Anonymous user requests SVN
A2: Apache asks authz-provider and it allows anonymous access
A3: SVN delivers the requested content

Escalation from anonymous to authentificated access:
B1: Anonymous user requests restricted stuff from SVN
B2: Apache asks authz-provider and it blocks anonymous access
B3: According to "satisfy any" and the not-working anonymous access (and missing credentials) Apache sends WWW-Authenticate header to authenticate user
B4: User enters username and passwort to browser dialog and requests restricted stuff from SVN again (this time with credentials)
B5: Apache asks authz-provider and it blocks anonymous access
B6: According to "satisfy any" and the not-working anonymous access Apache passes the credentials to authz, with the provided credential the user is authentificated and passed
B3: SVN delivers the requested content

The request to escalate from anonymous access in step B3 is initiated from SVN, but still the Apache does the authentification.
Any details how this is performed might help to understand, if it is possible to trigger this from e.g. a PHP script.
Is this only possible to due the implementation as an authz-module?

Received on 2011-01-04 20:57:56 CET

This is an archived mail posted to the Subversion Dev mailing list.