[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Credential caching in mod_dav_svn

From: David James <james_at_cs.toronto.edu>
Date: 2007-04-17 00:44:59 CEST

On 4/16/07, Darshak Thakore <d.thakore@cablelabs.com> wrote:
> Hi all,
> This question is related to the mod_dav_svn module. I am running
> subversion behind apache httpd using mod_dav_svn. I also need
> per-directory access control so I have the mod_authz_svn configured. Now
> we already have a custom user database that runs on another server and
> we want to leverage that user database. So I configured apache's basic
> auth module (mod_auth_basic) to call a wrapper script that I wrote which
> connects to our user database and authenticates a user. If I understand
> correctly, the workflow should be :
> 1. user tries to access a repository or a directory within using http://
> 2. apache passes this off to mod_dav_svn
> 3. mod_dav_svn will invoke mod_basic module which in turn will challenge
> the user for credentials
> 3. user supplies the credentials
> 4. mod_basic passes off the credentials to the configured authenticator
> module (in my case this would be the wrapper script). Assuming the user
> supplied the correct password mod_basic will send a positive auth
> message to mod_dav_svn
> 5. upon authentication, mod_dav_svn will invoke the mod_authz_svn module
> to check if the requested operation is allowed.
> Now as a user if I am checking out lets say
> http://myserver/svn/repo1/trunk/ I believe the mod_dav_svn module will
> perform authentication once and then would recursively invoke
> authorization on each and every path. Instead what I have observed is
> that mod_dav_svn invokes authentication also on each and every path. I
> am trying to understand why it is invoking authentication for each and
> every path when a user had already been authentication once for that
> particular request.
> Also is there any way to change this behavior ??

Hi Darshak,

Josh Gilkerson has submitted a patch to the dev@ list which skips the
extra authorization subrequests for each path if you enable a
short-circuit option in your httpd config. Instead, Subversion
performs these authorization checks internally.

See http://svn.haxx.se/dev/archive-2007-04/0551.shtml

This feature should improve performance significantly in your case.
I'm hoping to get it committed soon so you might see this feature in
Subversion 1.5.



To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Apr 17 00:45:19 2007

This is an archived mail posted to the Subversion Users mailing list.