Re: Problem implementing path-based authorization with authz

From: Rob van Oostrum <rvanoo_at_gmail.com>
Date: Sat, 9 Jan 2010 11:58:10 -0500

Your problem is with Crowd, not authz. Authentication is failing: "Could not
authenticate to server: rejected Basic challenge (https://dev.host.net)"

Check your Crowd configuration/documentation. I'd suggest taking SVN out of
the equation and verifying that your integration with Crowd is working
first.

Cheers,
Rob

On Sat, Jan 9, 2010 at 1:19 AM, Brian Topping <topping_at_codehaus.org> wrote:

> Hello all,
>
> I've been wrestling with getting authz set up in a way that must be somewhat
> unconventional all week and was hoping someone here on the list might be
> able to offer some insight. The environment is Apache httpd
> 2.2.3, mod_dav_svn 1.6.6, and Subversion 1.6.6. My configs follow.
>
> So far, most of the docs that I've seen on authz start by granting read
> access to everyone at the root of the tree, then subtracting authorizations
> to specific sensitive directories. My concern with this is that this allows
> people to lazily create directories without considering that they might be
> granting access to any valid user.
>
> Instead, I would like to configure path-based access to deny access to all
> non-root directories, then rely on specific grants to individual directories
> based on group.
>
> I have groups working fine, but as soon as I lock down the root directory,
> my svn client gets the following problem:
>
> Username: svn: PROPFIND of '/repos/project/!svn/vcc/default': authorization
> failed: Could not authenticate to server: rejected Basic challenge (
> https://dev.host.net)
>
>
> I understand about the metadata located at !svn. So I added:
>
> [/project/!svn]
> * = r
>
>
> But this doesn't seem to do anything. I still get the first error.
>
> Is there a way to do what I am trying to do?
>
> I have exhaustively tested that the AuthHandler is asking the right
> questions of the authentication broker and is able to recover the correct
> user and group mappings.
>
> Note that I am using Atlassian's Crowd-based auth. This is a fork of
> standard authz to patch Crowd users and groups in, but it would be easy for
> me to convert to direct LDAP if necessary.
>
> /etc/httpd/conf.d/subversion.conf:
>
> <Location /repos>
>
> LoadModule perl_module modules/mod_perl.so
> LoadModule dav_svn_module modules/mod_dav_svn.so
>
> # Uncomment this to enable the repository
> DAV svn
>
> # Set this to the path to your repository
> SVNParentPath /var/www/svn/
>
> SSLRequireSSL
>
> AuthName crowd
> AuthType Basic
>
> PerlAuthenHandler Apache::CrowdAuth
> PerlSetVar CrowdAppName subversion
> PerlSetVar CrowdAppPassword xxx
> PerlSetVar CrowdSOAPURL https://dev.host.net/crowd/services/SecurityServer
>
> PerlAuthzHandler Apache::CrowdAuthz
> PerlSetVar CrowdAuthzSVNAccessFile /var/www/svn/access
>
> require valid-user
>
>
> </Location>
>
>
> /var/www/svn/access
>
> [/project/!svn]
> * = r
>
> [/project/trunk/project-web]
> @project-web-developer = rw
>
>
> Cheers, Brian
>
Received on 2010-01-09 17:58:47 CET
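
An added illustration, not part of the original thread and not the Apache::CrowdAuthz code: a small Python model of the deny-by-default layout the question describes, using the nearest-parent-section lookup documented for Subversion's access file, plus a check for sections that open a path to every authenticated user. The user alice, the group membership and the `[/]` section are constructed; repository-prefixed sections and negated entries are not handled.

```python
import configparser

# Constructed sample: alice, the group membership and the [/] section are made up.
SAMPLE = """\
[groups]
project-web-developer = alice

[/]
* =

[/project/trunk/project-web]
@project-web-developer = rw
"""

def parse(text):
    """Split an access file into group membership and per-path rule lists."""
    cp = configparser.RawConfigParser(delimiters=("=",), allow_no_value=True)
    cp.optionxform = str  # user and group names are case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        groups = {g: {u.strip() for u in (m or "").split(",") if u.strip()}
                  for g, m in cp.items("groups")}
    rules = {(s.rstrip("/") or "/"): cp.items(s)
             for s in cp.sections() if s.startswith("/")}
    return groups, rules

def matches(subject, user, groups):
    if subject == "*":
        return True
    if subject.startswith("@"):
        return user in groups.get(subject[1:], set())
    return subject == user

def access(user, path, groups, rules):
    """Rights from the nearest section that names the user; '' means denied."""
    node = path.rstrip("/") or "/"
    while True:
        hits = [v or "" for s, v in rules.get(node, []) if matches(s, user, groups)]
        if hits:  # assumption: matching lines in one section are combined
            return "".join(sorted(set("".join(hits)) & {"r", "w"}))
        if node == "/":
            return ""  # no rule on the path or any parent: no access
        node = node.rsplit("/", 1)[0] or "/"

def open_grants(rules):
    """Sections that give every authenticated user some access."""
    return [s for s, lines in rules.items()
            for subj, v in lines if subj == "*" and (v or "").strip()]
```

With this layout a directory created outside a granted subtree resolves to no access for every user, whereas a file that starts with `* = r` under `[/]` is reported by `open_grants` and exposes such a directory to any valid user.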

This is an archived mail posted to the Subversion Users mailing list.