[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: authz_svn_module Per-Directory ACL

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2005-01-25 16:50:04 CET

On Jan 25, 2005, at 3:41 AM, Martin Struwe wrote:

> $ cat /etc/apache2/dav_svn.authz
> [test:/]
> *=r
> user=rw
> [test:/dir]
> *=
> user=rw
> [test:/dir/file2.txt]
> user=
> $ svn co --username user http://localhost/svn/test/dir
> Authentication realm: <http://localhost:80> Subversion Repository
> Password for 'user':
> A dir/file3.txt
> Checked out revision 1.
> [great, file2.txt is hidden!]
> $ svn co --username user http://localhost/svn/test
> A test/file1.txt
> Checked out revision 1.
> [here i miss 'dir/file3.txt' and the password-question for 'user']

Well, you don't see the password-question again because the client is
caching it. That's easy. Read about 'credential caching' in chapter

But I think I know why you're not getting 'dir' at all in the 2nd
checkout. It has to do with the way checkouts work over HTTP:

1. the client sends a single HTTP request, asking for a directory.

2. the request is anonymous. But that's okay, because "Satisfy Any" is
present and the directory has permission "*=r". So the server never
sends an authentication challenge; the client remains anonymous.

3. the server begins to stream a tree in the HTTP response. Whenever
an unreadable directory is encountered (such as 'dir'), there's no
opportunity to send a fresh authentication challenge... because we're
still in the middle of an HTTP response. So the directory remains

This problem will go away someday when we stop doing checkouts in a
single HTTP request/response... that is, when checkouts are done
through a series of repeated GET requests on every file and dir. That
will allow the server to demand authentication at any point.

For now, the workarounds are:

   1. Disable anonymous access (stop using 'Satisfy Any'), and make a
'guest' account instead.


   2. Construct your authz file very carefully: if it's possible to
read the root directory of a checkout anonymously, then understand that
the client will *always* be anonymous for the entire checkout. In
other words, if the server doesn't send an authentication challenge for
the root-dir of the checkout, it will never ask for one later.

To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jan 25 16:54:46 2005

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.