Here's the answer to my own question for posterity. I cloned the Siteminder
Web Agent configuration in the policy server to create a WebDAV agent with
the additional verbs that Subversion uses. Doing this copies the
configuration of the agent, but there is no way to copy the special
*functionality* of the SM web agent. When writing my security policy, I
explicitly set the REMOTE_USER header to the user name that was
authenticated, and everything is working fine now. This would have happened
under the covers when using the built-in web agent.

On 4/26/06, Rafael Caceres <rcaceres@aasa.com.pe> wrote:
>
> What Apache will do when the user is authenticated is set the
> 'request->remote_user'. I would think that any application willing to
> learn who the user is can obtain the data from the request object.
>
> On Wed, 2006-04-26 at 08:18 -0400, Andy Levy wrote:
> > On 4/25/06, Keith Lawless <keithlawless@gmail.com> wrote:
> > > I have set Subversion with Apache integration and have it working both
> > > with and without basic authentication via AuthType basic. Now, I want to
> > > wrap the whole thing up so that it is protected by Siteminder. So I have
> > > configured Siteminder, let it know what all the WebDAV verbs are, and set
> > > up the policies. From a security point of view, everything is working. My
> > > question is: now that an external provider is handling security, how do I
> > > pass the author's username to Subversion to make sure the history is
> > > updated correctly? Currently, it looks like everything is done by
> > > Anonymous. Is there an HTTP header I can set, or a variable I can append
> > > to the URL?
> >
> > From what I recall about Siteminder (it's been a couple years since I
> > had the pleasure of working with it), the web server itself does see
> > all users as anonymous - but the ID and other credentials are stashed
> > in a cookie and/or some custom HTTP headers (I think you can configure
> > how it does this). The security happens before the web server proper
> > even sees the request (in IIS/Windows parlance, SM is an ISAPI filter
> > that catches the HTTP request before anything else sees it).
> >
> > Not having used SM with Apache, nor am I an Apache guru - but it seems
> > like the missing link is that somehow the credentials need to get
> > passed out of SM along with the rest of the request.
> >
> > Have you asked the SM folks about it?
> >
> > Don't know if I helped or just regurgitated things you already knew;
> > hopefully the former, if it's the latter I apologize.
Received on Wed Apr 26 20:03:38 2006