Posted to dev@subversion.apache.org by wo...@annevanrossum.nl on 2009/02/10 13:59:34 UTC

HTTP Authentication by Username Embedded in URL

Dear all,

I would like to know why on my system (I don't think it depends on it, but it is Ubuntu 8.10), the username can't be used within the URL:

svn co https://username:password@server/repos/ 

The URL does work in the browser (Mozilla, empty cache)!

And if it would work, I may use it in svn:externals because that doesn't accept --username and --password switches. And that would mean that I can link in another repository with a guest:guest account relieving the users from the burden of typing "guest" and "guest" when they encounter my open-source directory on this external repository.

Kind regards,

Anne

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1134269

RE: Re: HTTP Authentication by Username Embedded in URL

Posted by Anne van Rossum <pu...@annevanrossum.nl>.
Thank you Ben, 

You are right that they do not necessarily have to type "guest" "guest", but they might also only need to press Return twice, both entries being empty. 

This seems to be a very simple thing to do, but because the users are on the "parent" SVN repository the users think that they have to enter their username and password again. (They have to wait, and I have to handle their emails ;-)).

The reason that I use a "daughter" repository is that I develop open-source and the "parent" repository is closed. It's a pity if then my open-source directory on the "daughter" repository still needs an (empty) username and password even though it's empty.

However, I don't know if asking for empty username and passwords is client-side or server-side. I guess it's server-side. So my last question is: "Is it really necessary to have the server ask for a username, or can the server configuration be adjusted?" The svn authentication is done by Apache (not by svnserve). Per-directory access control is done by the mod_authz_svn httpd module.

Now I am reading myself, I think I have the solution! This module allows for this setup in which anonymous access is tried first, and real authentication is resorted to if necessary by: 
 * Satisfy Any 
 * Require valid-user
I guess this will solve my problem! Hope I can help someone else with it too.

Thanks a lot again.

Anne

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1138145

RE: Re: HTTP Authentication by Username Embedded in URL

Posted by bl...@collab.net.
Okay, I solved the problem on the server side, by putting a "Satisfy Any" before all authentication stuff. Real anonymous login is now possible.

And for the scheme hijacking in this thread. :-) That's not very fruitful IMHO. I can also comment that for example on the HTTPbis page there is already an error. It states this:

This section defines the syntax and semantics for identifiers using the http or https URI schemes.

  http-URI = "http:" "//" authority path-abempty [ "?" query ]

But the https URI scheme starts of course not with "http:" but with "https:". I think usability and security is more important than a nice analytic description. You will make errors in it anyway, and who reads it? :-)

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1138315
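
Added example, not part of the original messages or of Subversion's code: with "Satisfy Any" in place, the mod_authz_svn access file decides which paths are served without credentials, so this sketch lists the explicit anonymous rules in such a file. The file contents and repository names are constructed, and rules inherited from parent paths are not resolved.

```python
import configparser

# Constructed sample of a mod_authz_svn access file (hypothetical repositories).
SAMPLE_AUTHZ = """\
[groups]
devs = anne, ben

[closed:/]
@devs = rw
* =

[opensource:/]
* = r
@devs = rw

[opensource:/private]
* =
anne = rw

[opensource:/drop]
$anonymous = rw
"""

# Principals that match a request carrying no credentials.
ANON_KEYS = ("*", "$anonymous")

def anonymous_rules(text):
    """Map each path section to the rights it explicitly gives anonymous users."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                     # keep keys such as "$anonymous" as written
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        if section in ("groups", "aliases"):  # not path sections
            continue
        rights = [cp[section][k].strip() for k in ANON_KEYS if k in cp[section]]
        if rights:                           # "" means access explicitly denied
            rules[section] = "".join(sorted(set("".join(rights))))
    return rules

def anonymous_with(text, right):
    """Sections where anonymous users explicitly hold `right` ('r' or 'w')."""
    return sorted(s for s, r in anonymous_rules(text).items() if right in r)

if __name__ == "__main__":
    print("anonymous read :", anonymous_with(SAMPLE_AUTHZ, "r"))
    print("anonymous write:", anonymous_with(SAMPLE_AUTHZ, "w"))
```

Any section reported with write access is open to unauthenticated commits once "Satisfy Any" is active, which is usually the first thing to review.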

Re: HTTP Authentication by Username Embedded in URL

Posted by Julian Reschke <ju...@gmx.de>.
Ben Collins-Sussman wrote:
> I can give a simple answer:  it's not a valid HTTP URL.  Some web
> browsers allow it, but it violates the HTTP specification:
> 
> 3.2.2 http URL
> The "http" scheme is used to locate network resources via the HTTP
> protocol. This section defines the scheme-specific syntax and
> semantics for http URLs.
> http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
> 
> So it's not something svn has bothered to add as an 'extra feature'.
> Are you sure your users are being forced to type 'guest/guest'?  It
> may happen during the first checkout, but the password should be
> cached on further updates.
> ...

Note that HTTPbis (Editor's Draft) says 
(<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-latest.html#rfc.section.2.1.1>):

   http-URI = "http:" "//" authority path-abempty [ "?" query ]

...thus userinfo @ host will be allowed (at least on the syntactical level).

BR, Julian

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1138289

Re: HTTP Authentication by Username Embedded in URL

Posted by Ben Collins-Sussman <su...@red-bean.com>.
I can give a simple answer:  it's not a valid HTTP URL.  Some web
browsers allow it, but it violates the HTTP specification:

3.2.2 http URL
The "http" scheme is used to locate network resources via the HTTP
protocol. This section defines the scheme-specific syntax and
semantics for http URLs.
http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]

So it's not something svn has bothered to add as an 'extra feature'.
Are you sure your users are being forced to type 'guest/guest'?  It
may happen during the first checkout, but the password should be
cached on further updates.



On Tue, Feb 10, 2009 at 7:59 AM,  <wo...@annevanrossum.nl> wrote:
> Dear all,
>
> I would like to know why on my system (I don't think it depends on it, but it is Ubuntu 8.10), the username can't be used within the URL:
>
> svn co https://username:password@server/repos/
>
> The URL does work in the browser (Mozilla, empty cache)!
>
> And if it would work, I may use it in svn:externals because that doesn't accept --username and --password switches. And that would mean that I can link in another repository with a guest:guest account relieving the users from the burden of typing "guest" and "guest" when they encounter my open-source directory on this external repository.
>
> Kind regards,
>
> Anne
>
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1134269
>

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1136222
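
Added example, not from the thread or from Subversion's code: the RFC 2616 rule quoted by Ben has no userinfo part, while the `authority` production in the HTTPbis rule admits it. The check below applies the older rule (simplified host syntax and `https` treated like `http`, both assumptions) and reports `svn:externals` entries that embed credentials, since that property is versioned and readable by anyone who can check out the directory; the sample value is constructed.

```python
import re
from urllib.parse import urlsplit

# RFC 2616 section 3.2.2 as quoted in the thread (no userinfo part):
#   http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
# Assumptions: host syntax is simplified, "https" is treated like "http".
RFC2616_HTTP_URL = re.compile(
    r"^https?://[A-Za-z0-9.-]+"        # scheme and host
    r"(?::\d*)?"                       # optional port
    r"(?:/[^?#\s]*(?:\?[^#\s]*)?)?$"   # optional abs_path and query
)

def classify(url):
    """Return (matches the RFC 2616 rule, username, password present)."""
    parts = urlsplit(url)
    return (bool(RFC2616_HTTP_URL.match(url)),
            parts.username, parts.password is not None)

def redact(url):
    """Rebuild the URL with any password replaced by '***'."""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    secret = ":***" if p.password is not None else ""
    return f"{p.scheme}://{p.username}{secret}@{host}{p.path}"

def audit_externals(prop_value):
    """Return redacted URLs from an svn:externals value that carry userinfo."""
    findings = []
    for line in prop_value.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for token in line.split():
            parts = urlsplit(token)
            if parts.scheme in ("http", "https") and parts.username is not None:
                findings.append(redact(token))
    return findings

# Constructed svn:externals value; server and paths are placeholders.
SAMPLE_EXTERNALS = """\
# local-dir URL
opensource https://guest:guest@server/repos/opensource
docs       https://server/repos/docs
"""

if __name__ == "__main__":
    for url in ("https://server/repos/", "https://username:password@server/repos/"):
        print(url, classify(url))
    print(audit_externals(SAMPLE_EXTERNALS))
```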