Posted to dev@subversion.apache.org by Kevin Bentley <ke...@gmail.com> on 2004/09/25 02:26:08 UTC

mod_authz_svn & certificates

I've been spending all day trying to figure out a good way to get
certificate authentication and mod_authz_svn playing together, without
also using mod_auth authentication. There are two problems I see
currently.

1. There's no way to use the SSLOption +FakeBasicAuth directly with
mod_authz_svn, because the certificate subject includes = characters.
No form of quoting or escaping the left side of the config file seems
to work.
For this issue, I would like to know if it's possible to add a feature
so the = sign inside quotes won't be read (or maybe if it is escaped
with a \).
There is a workaround, which is ugly, but you can create a group for
each user, and manage the configuration that way.

2. SSLUserName doesn't work. It would be a nice workaround, because
you could use the Common Name field of the certificate. It doesn't
work because mod_ssl uses a fixups hook to add the user field of the
request. Unfortunately, fixups happen after auth_check and
access_check. I was going to look into apache's code more closely to
see if it would be possible to move the fixups check earlier in the
code, or if it would be possible to move the SSLUserName code in
mod_ssl into an auth check, which could be made to run before
authz_svn's check. This is a problem with apache obviously, but I was
wondering if anyone here has a plan on how to deal with this. I'd be
willing to send a patch if I knew it was something the development
team wanted to see.

Thanks!

Kevin Bentley

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
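As an added illustration (not code from the thread), a small Python parser that mimics the first-`=` split of an INI-style authz file shows why a FakeBasicAuth subject DN cannot stand on the left of `=` but survives as a group value; the DN and the parser are constructed assumptions, not mod_authz_svn's own implementation.

```python
"""Added example: why a certificate DN breaks as an authz key but works as a
group value.  The parser only mimics the first-'=' split of INI-style files
and is an assumption, not mod_authz_svn's real parser."""

# Constructed sample: the one-line subject DN that +FakeBasicAuth would
# present as the Basic-auth username.
DN = "/C=US/O=Example/CN=Kevin Bentley"

def parse_authz(text):
    """Minimal INI-style parser: [section] headers, 'key = value' lines
    split on the FIRST '=' (so '=' is allowed in values, not in keys)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError("bad line: %r" % raw)
        sections[current][key.strip()] = value.strip()
    return sections

def resolve_access(sections, path, user):
    """Return the rights string granted to user on path, expanding @group
    entries against the comma-separated member lists in [groups]."""
    groups = sections.get("groups", {})
    for key, rights in sections.get(path, {}).items():
        if key.startswith("@"):
            members = [m.strip() for m in groups.get(key[1:], "").split(",")]
            if user in members:
                return rights
        elif key == user:
            return rights
    return ""                      # no matching rule: no access

# DN on the left of '=': the key collapses to '/C' and the rule never matches.
BROKEN = "[/]\n%s = rw\n" % DN
# Workaround from the post: one group per user, DN on the value side.
WORKAROUND = "[groups]\nkevin = %s\n[/]\n@kevin = rw\n" % DN

def broken_key():
    return list(parse_authz(BROKEN)["/"].keys())[0]          # '/C'

def workaround_rights():
    return resolve_access(parse_authz(WORKAROUND), "/", DN)  # 'rw'
```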

Re: mod_authz_svn & certificates

Posted by Kevin Bentley <ke...@gmail.com>.
On Fri, 24 Sep 2004 19:26:08 -0700, Kevin Bentley
<ke...@gmail.com> wrote:
> 2. SSLUserName doesn't work. It would be a nice workaround, because
> you could use the Common Name field of the certificate. It doesn't
> work because mod_ssl uses a fixups hook to add the user field of the
> request. Unfortunately, fixups happen after auth_check and
> access_check. I was going to look into apache's code more closely to
> see if it would be possible to move the fixups check earlier in the
> code, or if it would be possible to move the SSLUserName code in
> mod_ssl into an auth check, which could be made to run before
> authz_svn's check. This is a problem with apache obviously, but I was
> wondering if anyone here has a plan on how to deal with this. I'd be
> willing to send a patch if I knew it was something the development
> team wanted to see.

As a followup to my own email, I wanted to add an update.

I got the SSLUserName working and it's pretty neat. I can use the
common name or email as the username, which looks nice in subversion.

However, I had to modify mod_ssl and subversion to make it work. I do
think this is a mod_ssl bug because the current mod_ssl doesn't allow
SSLUserName to be used by any other modules. I filed this bug with
Apache, but I'll have to wait and see what they say/do.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31418

In my version around line 780 of ssl_engine_kernel.c, I added the
following right before the final 'return DECLINED' in ssl_hook_Access:

/*
 * Set r->user if requested (copied from the fixup hook so that it runs
 * inside ssl_hook_Access, i.e. before other modules' auth checks).
 * Assumes `char *val` is declared in the enclosing function, as in fixup.
 */
if (dc->szUserName) {
    /* dc->szUserName holds the SSLUserName variable, e.g. SSL_CLIENT_S_DN_CN */
    val = ssl_var_lookup(r->pool, r->server, r->connection,
                         r, (char *)dc->szUserName);
    if (val && val[0]) {
        r->user = val;     /* now visible to mod_authz_svn's access_checker */
    }
}

The current mod_ssl code does it in a fixup hook, but that is not
useful to modules, since the fixup hook happens after all module
authentication. This is just a copy and paste of the code from fixup,
to stuff the request variable in before subversion gets it.

I also needed to modify subversion to register the subversion auth
hooks last in mod_authz_svn.c, like this:

static void register_hooks(apr_pool_t *p)
{
    /* Require mod_ssl.c to run first so r->user is already populated,
       and register with APR_HOOK_LAST to run after other auth modules. */
    static const char * const hookorder[] = { "mod_ssl.c", NULL };
    ap_hook_access_checker(access_checker, hookorder, NULL, APR_HOOK_LAST);
    ap_hook_auth_checker(auth_checker, hookorder, NULL, APR_HOOK_LAST);
}

Would the SVN developers consider making this change to mod_authz_svn,
so if the mod_ssl change is made, SSLUserName would work?

Thanks!

Kevin Bentley
