
RE: Question regarding mixed anonymous/authenticated repository

From: Sander Striker <striker_at_apache.org>
Date: 2004-03-23 18:34:33 CET

> -----Original Message-----
> From: Ben Collins-Sussman [mailto:sussman@collab.net]
> Sent: Tuesday, March 23, 2004 3:13 PM
> To: Serhat Sakarya
> Cc: users@subversion.tigris.org; striker@apache.org
> Subject: Re: Question regarding mixed anonymous/authenticated repository
>
>
> Serhat Sakarya wrote:
>
> > [/]
> > * = r
> > serhat = rw
> >
> > [/Ideas]
> > * =
> > serhat = rw
>
> > My question is: how can we get the client to checkout the entire
> > repository? The same applies to doing updates and commits. Do we have to
> > change something on the client side or server side for this to happen?
>
> The problem here is that there's no way for the client to "push"
> authentication at the server, the way it does in CVS. Authentication is
> strictly a "server pull" thing, and you've configured your server to not
> automatically challenge clients. You've made it very tolerant by
> putting in the "satisfy any" directive: the client asks for /, and your
> authz file tells the server that there's no need to issue an auth challenge.
>
> The "skipping" of /Ideas is actually a feature, believe it or not.
>
> I think the only way to get the behavior you want is to disable
> anonymous access completely (by removing the 'satisfy any' directive).
> Then you'll be able to identify yourself as 'serhat' when you try to
> checkout '/'.
>
> Sander Striker: what do you think about this?

Actually, we can 'push' the credentials on the first request, with mod_dav_svn
from trunk they will actually 'stick'. As in, just send the Authorization
header, which I'm fairly sure neon is capable of doing. But this will
not work with digest auth (it needs a challenge), only with basic. And TBH
I don't know if it is wanted to push credentials to a server without a
challenge...

Anyways, Ben is completely right. The only way to overcome the
ignore-directories-I-don't-have-access-to feature is to require
authentication always. The setup I have in my mind is:

- over https://

<Location xxx>
  DAV svn
  ...

  AuthzSVNAccessFile ...
  Require valid-user
</Location>

- over http://

<Location xxx>
  DAV svn
  ...

  AuthzSVNAccessFile ...
</Location>

That will forbid access to e.g. /Ideas over http://, but get you
the entire repos over https://.

The extra benefit of this setup is that your credentials are never
sent over the wire in the clear.

Sander

Received on Tue Mar 23 18:35:37 2004

This is an archived mail posted to the Subversion Users mailing list.
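
The behaviour discussed in this thread, as an added example that is not part of the original mail and is not Subversion's own code: a simplified model of how the quoted authz rules interact with whether the server issues a challenge. The function names, the sample paths and the evaluation rule (deepest section with a matching line decides, matching lines are unioned) are assumptions made for illustration.

```python
import configparser

# Constructed from the authz rules quoted in the thread.
AUTHZ = """
[/]
* = r
serhat = rw

[/Ideas]
* =
serhat = rw
"""

def parse_authz(text):
    """Return {path: {principal: rights}} from an authz-style file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    return {sec: dict(cp[sec]) for sec in cp.sections()}

def rights(rules, user, path):
    """Rights of `user` (None = anonymous) on `path` in this simplified model."""
    node = "/" + path.strip("/")
    while True:
        section = rules.get(node, {})
        names = ["*"] + ([user] if user else [])
        hits = [section[n] for n in names if n in section]
        if hits:                      # deepest section naming the user decides
            return set("".join(hits))
        if node == "/":
            return set()              # no rule anywhere: no access
        node = node.rsplit("/", 1)[0] or "/"

def checkout(rules, paths, require_valid_user, credentials=None):
    """Paths served when checking out '/'; None models a 401 with nothing served.

    With require_valid_user the server always challenges. Without it, a request
    for '/' that anonymous may read is served with no challenge, so the client
    stays anonymous for the whole checkout.
    """
    if require_valid_user:
        if credentials is None:
            return None
        user = credentials
    else:
        user = None if "r" in rights(rules, None, "/") else credentials
    return [p for p in paths if "r" in rights(rules, user, p)]
```

Calling `checkout` with `require_valid_user=False` corresponds to the http:// location in the mail above, and `require_valid_user=True` to the https:// location.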