
Authentication / Authorization

From: Steve Nelson <sanelson_at_gmail.com>
Date: 2007-02-28 10:37:41 CET

Hello,

I have two repositories with two subdirectories each, and four groups
of users. I have written an authz file to describe the ACL I require
- namely that the root of both repositories be anonymous read-only, and
that different control is imposed per group on each subdirectory, with
inheritance taking place on anything beneath them.

Following the advice of the book, I have set up my Apache container
with both Satisfy Any and Require Valid User, to provide a combination
of authentication and anonymous access.

I am finding that with Satisfy Any, all users can browse anywhere in
either repository, even if this is specifically restricted in the
authz file.

If I remove Satisfy Any, I find that every time a user moves within
the repos they are challenged for a password. The ACL is honoured -
i.e. the users are only allowed to do as the ACL describes, but they are
challenged even for areas where they should have anonymous, read-only
access.

What I want is a combination - but I cannot see what I have done
wrong. My container and authz file are below.

Any suggestions? Or am I missing something obvious?

S.

<Location /repos>
        DAV svn
        SVNParentPath /local/svn
        SVNIndexXSLT /svnindex.xsl

        # Require SSL connection for password protection.
        SSLRequireSSL

        # our access control policy
        AuthzSVNAccessFile /etc/httpd/conf/.svnauthz

        # try anonymous access first, resort to real
        # authentication if necessary.
        Satisfy Any
        Require valid-user

        # How to authenticate if needed
        AuthType Basic
        AuthName "De La Rue Subversion Repositories"
        AuthUserFile /etc/httpd/conf/.htpasswd
</Location>

And my AuthzSVN acl is:

[groups]
coe = sanjay, darryl
im = witcharp, nelsonst
general = subversion
atos = berry, fred

[/]
* = r

[devrep:/]
@coe = r
@im = r
@general = r
@atos = r

[devrep:/dlr]
@coe = rw
@im = rw
@general =
@atos = r

[devrep:/atos]
@coe =
@im = r
@general =
@atos = rw

[prdrep:/]
@coe = r
@im = r
@general = r
@atos = r

[prdrep:/prdobj]
@coe =
@im = rw
@general =
@atos =

[prdrep:/prddoc]
@coe = rw
@im = r
@general = r
@atos = r

Received on Wed Feb 28 10:38:06 2007
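
An added example, not part of the original post: a simplified model of path-based authz lookup, run over a subset of the posted file, to audit what a request without credentials resolves to on each path. The function names and the FIXED variant are constructed for illustration; the model assumes the nearest section containing a rule that matches the requester decides, checking the repository-specific section before the global one.

```python
import configparser

# Subset of the authz file from the post (groups, global root, devrep subdirs).
POSTED = """\
[groups]
coe = sanjay, darryl
im = witcharp, nelsonst
general = subversion
atos = berry, fred
[/]
* = r
[devrep:/dlr]
@coe = rw
@im = rw
@general =
@atos = r
[devrep:/atos]
@coe =
@im = r
@general =
@atos = rw
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def access(cp, repo, path, user=None):
    """Simplified model (assumption): walk from path up to the root; the nearest
    section with a rule naming the user, one of their groups, or '*' decides."""
    groups = {g for g, members in cp["groups"].items()
              if user in [m.strip() for m in members.split(",")]}
    names = {"*"} | ({user} | {"@" + g for g in groups} if user else set())
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):
        here = "/" + "/".join(parts[:depth])
        for section in (f"{repo}:{here}", here):   # repo-specific, then global
            if cp.has_section(section):
                hits = [v for k, v in cp[section].items() if k in names]
                if hits:
                    return "".join(sorted(set("".join(hits))))
    return ""

# Constructed variant: an explicit empty '*' rule stops anonymous inheritance.
FIXED = POSTED.replace("[devrep:/atos]", "[devrep:/atos]\n* =")
```

With the posted rules, `access(load(POSTED), "devrep", "/atos")` returns `r` for a request with no user, because no subdirectory section mentions `*` and the lookup falls through to `[/]`; with the constructed variant it returns an empty string while members of `@atos` keep `rw`.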

This is an archived mail posted to the Subversion Users mailing list.