On 4/25/06, Keith Lawless <keithlawless@gmail.com> wrote:
> I have set Subversion with Apache integration and have it working both with
> and without basic authentication via AuthType basic. Now, I want to wrap the
> whole thing up so that it is protected by Siteminder. So I have configured
> Siteminder, let it know what all the WebDAV verbs are, and set up the
> policies. From a security point of view, everything is working. My question
> is: now that an external provider is handling security, how do I pass the
> author's username to Subversion to make sure the history is updated
> correctly? Currently, it looks like everything is done by Anonymous. Is
> there an HTTP header I can set, or a variable I can append to the URL?
From what I recall about Siteminder (it's been a couple years since I
had the pleasure of working with it), the web server itself does see
all users as anonymous - but the ID and other credentials are stashed
in a cookie and/or some custom HTTP headers (I think you can configure
how it does this). The security happens before the web server proper
even sees the request (in IIS/Windows parlance, SM is an ISAPI filter
that catches the HTTP request before anything else sees it).
Not having used SM with Apache, nor am I an Apache guru - but it seems
like the missing link is that somehow the credentials need to get
passed out of SM along with the rest of the request.
Have you asked the SM folks about it?
Don't know if I helped or just regurgitated things you already knew;
hopefully the former, if it's the latter I apologize.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Apr 26 14:20:04 2006