[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Securing Subversion with a single-sign-on solution

From: James CE Johnson <jcej_at_tragus.org>
Date: Mon, 5 May 2008 11:40:45 -0400 (EDT)

A while back I figured out how to secure our Subversion repository against
our Active Directory instance using mod_auth_ldap. That's working quite
well and lets us avoid maintaining users and groups in two places. (Thanks
to all who identified some gaping holes in my solution and inspired/helped
me to get them plugged!)

However, we still have to maintain a pile of Apache configuration files
with <Location/> tags and as our user base grows that is going to become
unmanageable. What would be ideal is a mechanism for delegating
responsibility for some paths to an admin in the group using that path.

(I should stop here and point out that we have a single enterprise
repository rather than a repository-per-project. We thought about this
carefully and determined that for our use-cases it was more appropriate to
take this route.)

We happen to be using Sun's Access Manager (also available as OpenSSO)
which has a good delegation model and would work perfectly for what we
want to do. There is an Apache module that intercepts the access request
and redirects (via 302) the user to an SSO login page. Once authenticated,
the module then verifies authorization and redirects the user back to the
original page.

Unfortunately, the subversion client does not support the 302 redirection
that is at the heart of the implementation. (I've also used CAS in the
past which is another fantastic SSO solution and it behaves essentially
the same way.)

So, has anybody tried to secure Subversion with an SSO solution that
utilizes 302 redirects? If this is a fruitless effort I can create a
custom Apache module that uses AM's client SDK but I would rather use an
out-of-the-box solution if possible.

Thanks in advance for your thoughts,
James

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-05-05 17:31:12 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.