
Re: How is mixed authentication/anonymous access implemented

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: Tue, 04 Jan 2011 15:17:35 -0500

On 01/04/2011 02:57 PM, Avalon wrote:
> I know this is a little bit off topic.
> But since SVN seems to be the only solution which has this feature, I hope
> for any insight from you.
>
>>> SVN features a mixed authentication/anonymous access (see
>>> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).
>>>
>>> I want to achieve the same functionality using a PHP script: allow anonymous
>>> access until accessing some special content and then request
>>> authentication which should be checked according to a htaccess-file.
>>> As far as I understand the SVN example the authentication is performed by
>>> the Apache modules.
>>
>> The svnbook section you refer to above isn't *wrong*, but it certainly could
>> be misleading in terms of what is and isn't supported. (Which is why I
>> wrote the "workaround" blog post to which you were pointed by my peer here.)
>> For a better chance at getting a direct response with information you can
>> immediately apply, I would suggest consulting another PHP-centric community
>> for how they do this. (The Drupal community comes to mind.)
>
> I asked the same question on the PHP and Apache mailing list some months ago
> - without any success.
> The auth-stuff should NOT be implemented in PHP but be handled by
> Apache.
> The PHP script should only decide when anonymous access is not sufficient
> (e.g. by sending a WWW-Authenticate header).
> Therefore I doubt that consulting other PHP projects would be helpful...
>
> The key question for me is how SVN triggers the "escalation" from anonymous
> usage to authentication.
> Are the two following scenarios correctly described?
>
> Anonymous access:
> A1: Anonymous user requests SVN
> A2: Apache asks authz-provider and it allows anonymous access
> A3: SVN delivers the requested content
>
> Escalation from anonymous to authenticated access:
> B1: Anonymous user requests restricted stuff from SVN
> B2: Apache asks authz-provider and it blocks anonymous access
> B3: According to "satisfy any" and the not-working anonymous access (and
> missing credentials) Apache sends WWW-Authenticate header to authenticate user
> B4: User enters username and password in the browser dialog and requests
> restricted stuff from SVN again (this time with credentials)
> B5: Apache asks authz-provider and it blocks anonymous access
> B6: According to "satisfy any" and the not-working anonymous access Apache
> passes the credentials to authz, with the provided credential the user is
> authenticated and passed
> B3: SVN delivers the requested content
>
> The request to escalate from anonymous access in step B3 is initiated from
> SVN, but still Apache does the authentication.
> Any details how this is performed might help to understand, if it is
> possible to trigger this from e.g. a PHP script.
> Is this only possible due to the implementation as an authz-module?

I believe you've summarized the scenarios accurately (but confess I'm a bit
fuzzy on this stuff). Apache modules can register themselves as relevant
for various "phases" of request processing, authentication and authorization
being two such examples. mod_authz_svn's register_hooks() function calls
ap_hook_access_checker(), ap_hook_check_user_id(), ap_hook_auth_checker(),
and so on to register its relevance to those phases.

I would imagine that a PHP-based CGI script would be limited to utility only
in the phases for which Apache's CGI handler module registers itself. An
embedded PHP interpreter module (mod_php5, or somesuch) might offer
different hooks at different request phases to the scripts it runs, but I
know nothing of the details there.

-- 
C. Michael Pilato <cmpilato_at_collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

Received on 2011-01-04 21:18:16 CET
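
The phase ordering discussed in this thread, as an added example that is not part of the original mail and is not mod_authz_svn's code: a simplified, stand-alone C model of how httpd 2.2 sequences the access-checker, authentication and authorization phases under `Satisfy Any`. The path policy, the two users and every function body are assumptions made for illustration; only the phase names and status values follow httpd.

```c
#include <stdio.h>
#include <string.h>

/* Status values as httpd defines them. */
#define OK 0
#define HTTP_UNAUTHORIZED 401
#define HTTP_FORBIDDEN 403

/* Constructed request: user/pass are NULL when no credentials were sent. */
struct request { const char *path, *user, *pass; };

/* Assumed policy: only paths under /private need a named user. */
static int restricted(const char *path) { return strncmp(path, "/private", 8) == 0; }

/* Access-checker phase: decides without an identity. */
static int access_checker(const struct request *r) {
    if (r->user) return HTTP_FORBIDDEN; /* credentials sent: fail so authn runs */
    return restricted(r->path) ? HTTP_FORBIDDEN : OK;
}

/* Authentication phase against a constructed two-user database. */
static int check_user_id(const struct request *r) {
    if (!r->user || !r->pass) return HTTP_UNAUTHORIZED; /* browser prompts */
    if (!strcmp(r->user, "alice") && !strcmp(r->pass, "s3cret")) return OK;
    if (!strcmp(r->user, "bob") && !strcmp(r->pass, "hunter2")) return OK;
    return HTTP_UNAUTHORIZED;
}

/* Authorization phase: only alice may read restricted paths. */
static int auth_checker(const struct request *r) {
    if (!restricted(r->path)) return OK;
    return strcmp(r->user, "alice") == 0 ? OK : HTTP_FORBIDDEN;
}

/* "Satisfy Any": authn and authz run only when the access check fails. */
int process_request(const struct request *r) {
    int status = access_checker(r);
    if (status == OK) return OK;          /* A1-A3 */
    status = check_user_id(r);
    if (status != OK) return status;      /* B3: 401 with WWW-Authenticate */
    return auth_checker(r);               /* B6 */
}

int main(void) {
    struct request anon = {"/private/plan", NULL, NULL};
    struct request alice = {"/private/plan", "alice", "s3cret"};
    printf("%d %d\n", process_request(&anon), process_request(&alice));
    return 0;
}
```

In this model the 401 is produced by the authentication phase, not by the content handler, which is why code that only runs in the handler phase never sees the escalation step.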

This is an archived mail posted to the Subversion Dev mailing list.
