Posted to dev@subversion.apache.org by Avalon <th...@gmx.de> on 2010/12/28 13:35:08 UTC

How is mixed authentication/anonymous access implemented

Hi,

SVN features mixed authentication/anonymous access (see http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).

I want to achieve the same functionality using a PHP script: allow anonymous access until accessing some special content and then request authentication, which should be checked according to an .htaccess file.
As far as I understand the SVN example, the authentication is performed by the Apache modules.

I configured the ".htaccess" file to look similar:
   Order allow,deny
   Allow from all
   AuthType Basic
   AuthName "Realm"
   AuthUserFile "/path/to/.htusers"
   require valid-user
   Satisfy any

Additionally a PHP script is inside the same folder.
When you now browse to the URL of the PHP script, you can access it without any credentials requested.

At some point the PHP script "decides" that authentication is required (e.g. when passing a param like "?need-auth=1").
I suppose this is similar to how the mixed authentication/anonymous access in SVN works (?).

Therefore it sends the following two headers:
   WWW-Authenticate: Basic realm="Realm"
   HTTP/1.x 401 Unauthorized

Then the user is asked to insert username/password for the basic auth.
But now comes the problem:
Apache will ALWAYS let the user pass, as anonymous access is always granted.
I suppose the webserver does not even try to authenticate the user credentials.
Therefore it is not possible to decide in PHP if the user is anonymous or has been successfully authenticated.

How is this performed in SVN for the mixed authentication/anonymous access?

What I do not want is:
- check the credentials in PHP (due to the many different auth-methods which could be configured with Apache)
- have a dummy anonymous user like "guest" with password "guest"
- split anonymous and authenticated parts in separate folders (to use separate .htaccess-files)

I hope to get some enlightenment from the way SVN realizes this feature.

Any feedback is highly appreciated.

Thank you
Dirk

Re: How is mixed authentication/anonymous access implemented

Posted by "C. Michael Pilato" <cm...@collab.net>.
On 01/04/2011 02:57 PM, Avalon wrote:
> I know this is a little bit off topic.
> But since SVN seems to be the only solution which has this feature, I hope
> for any insight from you.
> 
>>> SVN features a mixed authentication/anonymous access (see
>>> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).
>>>
>>>
>>>
>>> I want to achieve the same functionality using a PHP script: allow anonymous
>>> access until accessing some special content and then request
>>> authentication, which should be checked according to an .htaccess file.
>>> As far as I understand the SVN example, the authentication is performed by
>>> the Apache modules.
>>
>> The svnbook section you refer to above isn't *wrong*, but it certainly could
>> be misleading in terms of what is and isn't supported.  (Which is why I
>> wrote the "workaround" blog post to which you were pointed by my peer here.)
>>   For a better chance at getting a direct response with information you can
>> immediately apply, I would suggest consulting another PHP-centric community
>> for how they do this.  (The Drupal community comes to mind.)
> 
> I asked the same question on the PHP and Apache mailing list some months ago
> - without any success.
> The auth-stuff should NOT be implemented in PHP but being handled by the
> Apache.
> The PHP script should only decide when anonymous access is not sufficient
> (e.g. by sending a WWW-Authenticate header).
> Therefore I doubt that consulting other PHP projects would be helpful...
> 
> The key question for me is how SVN triggers the "escalation" from anonymous
> usage to authentication.
> Are the two following scenarios correctly described?
> 
> Anonymous access:
> A1: Anonymous user requests SVN
> A2: Apache asks authz-provider and it allows anonymous access
> A3: SVN delivers the requested content
> 
> Escalation from anonymous to authenticated access:
> B1: Anonymous user requests restricted stuff from SVN
> B2: Apache asks authz-provider and it blocks anonymous access
> B3: According to "satisfy any" and the not-working anonymous access (and
> missing credentials) Apache sends WWW-Authenticate header to authenticate user
> B4: User enters username and password in the browser dialog and requests
> restricted stuff from SVN again (this time with credentials)
> B5: Apache asks authz-provider and it blocks anonymous access
> B6: According to "satisfy any" and the not-working anonymous access, Apache
> passes the credentials to authz; with the provided credentials the user is
> authenticated and passed
> B7: SVN delivers the requested content
> 
> The request to escalate from anonymous access in step B3 is initiated from
> SVN, but Apache still does the authentication.
> Any details how this is performed might help to understand, if it is
> possible to trigger this from e.g. a PHP script.
> Is this only possible due to the implementation as an authz module?

I believe you've summarized the scenarios accurately (but confess I'm a bit
fuzzy on this stuff).  Apache modules can register themselves as relevant
for various "phases" of request processing, authentication and authorization
being two such examples.  mod_authz_svn's register_hooks() function calls
ap_hook_access_checker(), ap_hook_check_user_id(), ap_hook_auth_checker(),
and so on to register its relevance to those phases.

I would imagine that a PHP-based CGI script would be limited to utility only
in the phases for which Apache's CGI handler module registers itself.  An
embedded PHP interpreter module (mod_php5, or somesuch) might offer
different hooks at different request phases to the scripts it runs, but I
know nothing of the details there.

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand


Re: How is mixed authentication/anonymous access implemented

Posted by Avalon <th...@gmx.de>.
I know this is a little bit off topic.
But since SVN seems to be the only solution which has this feature, I hope for any insight from you.

>> SVN features a mixed authentication/anonymous access (see
>> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).
>>
>>
>> I want to achieve the same functionality using a PHP script: allow anonymous
>> access until accessing some special content and then request
>> authentication, which should be checked according to an .htaccess file.
>> As far as I understand the SVN example, the authentication is performed by
>> the Apache modules.
>
> The svnbook section you refer to above isn't *wrong*, but it certainly could
> be misleading in terms of what is and isn't supported.  (Which is why I
> wrote the "workaround" blog post to which you were pointed by my peer here.)
>   For a better chance at getting a direct response with information you can
> immediately apply, I would suggest consulting another PHP-centric community
> for how they do this.  (The Drupal community comes to mind.)

I asked the same question on the PHP and Apache mailing lists some months ago - without any success.
The auth stuff should NOT be implemented in PHP but be handled by Apache.
The PHP script should only decide when anonymous access is not sufficient (e.g. by sending a WWW-Authenticate header).
Therefore I doubt that consulting other PHP projects would be helpful...

The key question for me is how SVN triggers the "escalation" from anonymous usage to authentication.
Are the two following scenarios correctly described?

Anonymous access:
A1: Anonymous user requests SVN
A2: Apache asks authz-provider and it allows anonymous access
A3: SVN delivers the requested content

Escalation from anonymous to authenticated access:
B1: Anonymous user requests restricted stuff from SVN
B2: Apache asks authz-provider and it blocks anonymous access
B3: According to "satisfy any" and the not-working anonymous access (and missing credentials) Apache sends WWW-Authenticate header to authenticate user
B4: User enters username and password in the browser dialog and requests restricted stuff from SVN again (this time with credentials)
B5: Apache asks authz-provider and it blocks anonymous access
B6: According to "satisfy any" and the not-working anonymous access, Apache passes the credentials to authz; with the provided credentials the user is authenticated and passed
B7: SVN delivers the requested content

The request to escalate from anonymous access in step B3 is initiated from SVN, but Apache still does the authentication.
Any details on how this is performed might help to understand if it is possible to trigger this from e.g. a PHP script.
Is this only possible due to the implementation as an authz module?

Dirk
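To make the phase ordering concrete, here is a small Python model, added here for illustration and not code from this thread, from Apache httpd or from Subversion, of how Apache 2.2 sequences the access_checker, check_user_id and auth_checker phases that Mike's reply names, under "Satisfy all" versus "Satisfy any". It runs Dirk's .htaccess (Allow from all, require valid-user, Satisfy any) through the A/B scenarios above. The user table, the plaintext password, the script path "/script.php" and the decision rule built on Dirk's "?need-auth=1" parameter are constructed stand-ins; a real AuthUserFile holds password hashes.

```python
"""Toy model of Apache 2.2 access-control phases for Dirk's mixed-access question.

Constructed example: the user table, script path and query parameter are
stand-ins, and the phase ordering mirrors httpd 2.2's handling of Satisfy.
"""
import base64
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for AuthUserFile; plaintext only to keep the model self-contained.
USERS = {"alice": "correct horse"}

CHALLENGE = 'Basic realm="Realm"'


@dataclass
class Config:
    allow_from_all: bool      # "Order allow,deny" + "Allow from all" -> access_checker phase
    require_valid_user: bool  # "require valid-user"                  -> auth_checker phase
    satisfy_any: bool         # "Satisfy any" (True) or "Satisfy all" (False)


@dataclass
class Request:
    path: str
    query: str = ""
    authorization: Optional[str] = None  # raw Authorization header value, if the client sent one


@dataclass
class Response:
    status: int
    www_authenticate: Optional[str] = None
    remote_user: Optional[str] = None    # what the script would see as REMOTE_USER


def access_checker(cfg: Config, req: Request) -> bool:
    """Host-based access phase: 'Allow from all' admits every client address."""
    return cfg.allow_from_all


def check_user_id(req: Request) -> Optional[str]:
    """Authentication phase (mod_auth_basic): decode and verify Basic credentials.

    Returns the verified user name, or None when credentials are absent or wrong.
    """
    if not req.authorization or not req.authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(req.authorization[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def auth_checker(cfg: Config, user: Optional[str]) -> bool:
    """Authorization phase: 'require valid-user' accepts any authenticated user."""
    return user is not None if cfg.require_valid_user else True


def php_script(req: Request, remote_user: Optional[str]) -> Response:
    """Dirk's script: public by default, but ?need-auth=1 demands an authenticated user."""
    if "need-auth=1" in req.query.split("&") and remote_user is None:
        return Response(401, CHALLENGE)      # the script's own escalation attempt
    return Response(200, None, remote_user)


def handle(cfg: Config, req: Request) -> Response:
    """Satisfy all runs every phase; Satisfy any stops at a successful host check."""
    host_ok = access_checker(cfg, req)
    if cfg.satisfy_any and host_ok:
        # Credentials, valid or not, are never examined, so REMOTE_USER stays unset.
        return php_script(req, None)
    if not host_ok and not cfg.satisfy_any:
        return Response(403)
    user = check_user_id(req)
    if user is None:
        return Response(401, CHALLENGE)      # Apache's own challenge
    if not auth_checker(cfg, user):
        return Response(403)
    return php_script(req, user)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends after the login dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def escalation(cfg: Config) -> tuple:
    """Dirk's B1..B6 exchange: anonymous request first, then retried with credentials."""
    first = handle(cfg, Request("/script.php", "need-auth=1"))
    retry = handle(cfg, Request("/script.php", "need-auth=1",
                                basic_header("alice", "correct horse")))
    return first.status, retry.status, retry.remote_user


DIRK = Config(allow_from_all=True, require_valid_user=True, satisfy_any=True)
STRICT = Config(allow_from_all=True, require_valid_user=True, satisfy_any=False)

if __name__ == "__main__":
    print("Dirk's .htaccess:", escalation(DIRK))    # (401, 401, None): challenge loops, never verified
    print("Satisfy all     :", escalation(STRICT))  # (401, 200, 'alice'): verified, but no anonymous access
    print("anonymous under Satisfy all:", handle(STRICT, Request("/script.php")).status)  # 401
```

Under Dirk's configuration the successful host check ends the decision before mod_auth_basic looks at the Authorization header, so the script's 401 is answered with the same credentials it can never see and the challenge loops; switching to Satisfy all makes Apache verify the credentials, but then every request is challenged and the anonymous half of the mixed mode is gone. That is the gap the thread circles around: the escalation has to be raised by something that takes part in those phases, which is the limitation Mike describes for a script run only in the handler phase.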

Re: How is mixed authentication/anonymous access implemented

Posted by "C. Michael Pilato" <cm...@collab.net>.
On 12/28/2010 08:35 AM, Avalon wrote:
> Hi,
> 
> SVN features a mixed authentication/anonymous access (see
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).
> 
> 
> I want to achieve the same functionality using a PHP script: allow anonymous
> access until accessing some special content and then request
> authentication, which should be checked according to an .htaccess file.
> As far as I understand the SVN example, the authentication is performed by
> the Apache modules.

The svnbook section you refer to above isn't *wrong*, but it certainly could
be misleading in terms of what is and isn't supported.  (Which is why I
wrote the "workaround" blog post to which you were pointed by my peer here.)
For a better chance at getting a direct response with information you can
immediately apply, I would suggest consulting another PHP-centric community
for how they do this.  (The Drupal community comes to mind.)

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand


Re: How is mixed authentication/anonymous access implemented

Posted by Avalon <th...@gmx.de>.
> I think you're looking for this:
> http://blogs.open.collab.net/svn/2007/03/authz_and_anon_.html

These are actually all only work-arounds.
I am aware of these and specifically mentioned that I do not want to use them.

> Also, I didn't quite understand your post, but unless it's about the
> development of Subversion (i.e., implementing a new feature or asking
> about internal implementation details), please follow up on the users@
> list and not on the dev@ list.

Actually, my question is about the implementation details.
How does SVN realize this feature as stated in the documentation?

>> SVN features mixed authentication/anonymous access (see http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).

Your link implies that this is not possible.
If the example is wrong, it should be removed from the docs and probably replaced with a note that such a scenario won't work because of (...).

Since I want to implement such mixed access in a PHP web application, I would like to know how it is realized and implemented in SVN (not necessarily in code, but from the protocol point of view).

Dirk


>> SVN features a mixed authentication/anonymous access (see http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).
>>
>> I want to achieve the same functionality using a PHP script: allow
>> anonymous access until accessing some special content and then request
>> authentication, which should be checked according to an .htaccess file.
>> As far as I understand the SVN example, the authentication is performed by the Apache modules.
>>
>> I configured the ".htaccess" file to look similar:
>>    Order allow,deny
>>    Allow from all
>>    AuthType Basic
>>    AuthName "Realm"
>>    AuthUserFile "/path/to/.htusers"
>>    require valid-user
>>    Satisfy any
>>
>> Additionally a PHP script is inside the same folder.
>> When you now browse to the URL of the PHP script, you can access it without any credentials requested.
>>
>> At some point the PHP script "decides" that authentication is required (e.g. when passing a param like "?need-auth=1").
>> I suppose this is similar to how the mixed authentication/anonymous access in SVN works (?).
>>
>> Therefore it sends the following two headers:
>>    WWW-Authenticate: Basic realm="Realm"
>>    HTTP/1.x 401 Unauthorized
>>
>> Then the user is asked to insert username/password for the basic auth.
>> But now comes the problem:
>> Apache will ALWAYS let the user pass, as anonymous access is always granted.
>> I suppose the webserver does not even try to authenticate the user credentials.
>> Therefore it is not possible to decide in PHP if the user is anonymous or has been successfully authenticated.
>>
>> How is this performed in SVN for the mixed authentication/anonymous access?
>>
>> What I do not want is:
>> - check the credentials in PHP (due to the many different auth-methods which could be configured with Apache)
>> - have a dummy anonymous user like "guest" with password "guest"
>> - split anonymous and authenticated parts in separate folders (to use separate .htaccess-files)
>>
>> I hope to get some enlightenment from the way SVN realizes this feature.
>>
>> Any feedback is highly appreciated.


Re: How is mixed authentication/anonymous access implemented

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
I think you're looking for this:
http://blogs.open.collab.net/svn/2007/03/authz_and_anon_.html

Also, I didn't quite understand your post, but unless it's about the
development of Subversion (i.e., implementing a new feature or asking
about internal implementation details), please follow up on the users@
list and not on the dev@ list.

Thanks.


Avalon wrote on Tue, Dec 28, 2010 at 14:35:08 +0100:
> Hi,
>
> SVN features a mixed authentication/anonymous access (see http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).
>
> I want to achieve the same functionality using a PHP script: allow
> anonymous access until accessing some special content and then request
> authentication, which should be checked according to an .htaccess file.
> As far as I understand the SVN example, the authentication is performed by the Apache modules.
>
> I configured the ".htaccess" file to look similar:
>   Order allow,deny
>   Allow from all
>   AuthType Basic
>   AuthName "Realm"
>   AuthUserFile "/path/to/.htusers"
>   require valid-user
>   Satisfy any
>
> Additionally a PHP script is inside the same folder.
> When you now browse to the URL of the PHP script, you can access it without any credentials requested.
>
> At some point the PHP script "decides" that authentication is required (e.g. when passing a param like "?need-auth=1").
> I suppose this is similar to how the mixed authentication/anonymous access in SVN works (?).
>
> Therefore it sends the following two headers:
>   WWW-Authenticate: Basic realm="Realm"
>   HTTP/1.x 401 Unauthorized
>
> Then the user is asked to insert username/password for the basic auth.
> But now comes the problem:
> Apache will ALWAYS let the user pass, as anonymous access is always granted.
> I suppose the webserver does not even try to authenticate the user credentials.
> Therefore it is not possible to decide in PHP if the user is anonymous or has been successfully authenticated.
>
> How is this performed in SVN for the mixed authentication/anonymous access?
>
> What I do not want is:
> - check the credentials in PHP (due to the many different auth-methods which could be configured with Apache)
> - have a dummy anonymous user like "guest" with password "guest"
> - split anonymous and authenticated parts in separate folders (to use separate .htaccess-files)
>
> I hope to get some enlightenment from the way SVN realizes this feature.
>
> Any feedback is highly appreciated.
>
> Thank you
> Dirk