Posted to users@subversion.apache.org by Thomas Beale <th...@deepthought.com.au> on 2005/07/23 11:48:55 UTC
apache / subversion / access doesn't follow documented rules?
Hi,
[platform: server = debian sarge / svn 1.2 / apache 2.0.54; client =
Windows XP; TortoiseSVN 1.2]
I have a number of repositories set up on the server which logically
should have the following kinds of permissions:
dev1 - anon read, auth required for any modifying operation
dev2 - anon read, auth required for any modifying operation
devN - ...etc
webdev - our website; auth required for read and write
I cannot find any combination of Apache directives to make this work
properly.
First attempt (apache2.conf include file):
    <VirtualHost 1.2.3.4>
        ...
        <Location />
            DAV svn
            SVNParentPath /usr/local/var/svn
            # authorisation
            AuthzSVNAccessFile /etc/subversion/access-control
            # authentication
            AuthType Basic
            AuthName "Subversion Repository"
            AuthUserFile /etc/subversion/authentication
            # anonymous access rules
            <LimitExcept GET PROPFIND OPTIONS REPORT>
                Require valid-user
            </LimitExcept>
        </Location>
    </VirtualHost>
This works fine for the devX repositories - users are only challenged
for write operations like commit. But accessing the webdev repository
always results in a "403 forbidden access" - even though in the
access-control file, the permissions are set such that that repository
allows only named users to access in 'r' or 'rw' modes.
This is probably correct behaviour, since the above configuration is
allowing authentication to be bypassed for read-only operations, for all
repositories, so the user isn't authenticated by the time the
access-control settings are looked up.
Next attempt: same as before, but remove the <LimitExcept> lines, i.e.
Require valid-user
is required for all repositories. Now the webdev repository works
properly, but of course read access to the others requires
authentication, which is a severe annoyance.
Third attempt:
    <VirtualHost 1.2.3.4>
        ...
        <Location /webdev>
            DAV svn
            SVNPath /usr/local/var/svn/webdev
            # authorisation
            AuthzSVNAccessFile /etc/subversion/access-control
            # only valid users allowed
            Require valid-user
            # authentication
            AuthType Basic
            AuthName "Subversion Repository"
            AuthUserFile /etc/subversion/authentication
        </Location>
        <Location />
            DAV svn
            SVNParentPath /usr/local/var/svn
            # authorisation
            AuthzSVNAccessFile /etc/subversion/access-control
            # authentication
            AuthType Basic
            AuthName "Subversion Repository"
            AuthUserFile /etc/subversion/authentication
            # anonymous access rules
            <LimitExcept GET PROPFIND OPTIONS REPORT>
                Require valid-user
            </LimitExcept>
        </Location>
    </VirtualHost>
I messed around with SVNParentPath and SVNPath, and also other details
here, but always the same thing - 403 forbidden on the webdev
repository, normal anonymous access on the others. Apache is definitely
matching the "/webdev" in the first Location directive, since I can put
them in the reverse order and then for webdev, I do not have to
authenticate at all (which must be wrong, since the access-control file
always requires it).
This kind of combination of repositories cannot be that strange - does
anyone else have a solution?
- thomas beale
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: apache / subversion / access doesn't follow documented rules?
Posted by Thomas Beale <th...@deepthought.com.au>.
David Anderson wrote:
> Thomas Beale wrote:
>
>> I can't work out apache's logic in determining whether to challenge
>> for a password (does it consider the access-control settings first?)
>> when one is not needed, and then allows you in after you refuse to
>> give it - twice! Very strange.
>
>
> Such strange behaviour is often due to the client browser that gets
> confused by changing configurations on the server side. Does purging the
> auth cache and restarting the browser (to purge any session cache), or
> accessing the repository from a "clean" browser solve your anonymous
> problems? That would be my best bet, I've had both firefox and IE behave
> very strangely when I was configuring access control for my site, due to
> client confusion.
>
> - Dave.
If anyone is interested, I discovered the fix for this. It just happened
that the pages for which an authentication challenge occurred, when it
shouldn't have (access control is set to * = r) were .htm pages which
contained _two_ references to a style-sheet file that did not exist; the
authorisation logic (not sure how much done by apache and the svn authz
module) possibly decided that since the file did not exist that "Satisfy
Any" did not work, and it had to authenticate - twice. Hitting cancel
twice allowed the user in. Removing the wrong .css references fixed the
problem completely. What was deceiving is that there was no indication
that the authentication request was due to a file missing, and that it
was being made in a repository with anonymous read access. I still don't
understand the logic...
- thomas beale
Re: apache / subversion / access doesn't follow documented rules?
Posted by David Anderson <da...@calixo.net>.
Thomas Beale wrote:
> I can't work out apache's logic in determining whether to challenge for
> a password (does it consider the access-control settings first?) when
> one is not needed, and then allows you in after you refuse to give it -
> twice! Very strange.
Such strange behaviour is often due to the client browser that gets
confused by changing configurations on the server side. Does purging the
auth cache and restarting the browser (to purge any session cache), or
accessing the repository from a "clean" browser solve your anonymous
problems? That would be my best bet, I've had both firefox and IE behave
very strangely when I was configuring access control for my site, due to
client confusion.
- Dave.
Re: apache / subversion / access doesn't follow documented rules?
Posted by Thomas Beale <th...@deepthought.com.au>.
David Anderson wrote:
> Thomas Beale wrote:
>
>> This kind of combination of repositories cannot be that strange - does
>> anyone else have a solution?
>
>
> A combination of SVNParentPath and an authz access control file should
> work. However, I notice you never use the "Satisfy any" directive, which
> indicates to apache to try anonymous access first, and then fallback to
> authenticated access if required. Perhaps this could be the source of
> your problems?
I forgot to mention that when I do what you show below, I get challenged
for username/password even on repositories which have * = r set in the
access control file. But - if I hit cancel on the authentication dialog,
I get another instance of the same dialog, and if I hit cancel on that,
I am in (even if I authenticate properly the first time, I get asked
again)....whereas for the repository which has access control set to
"@webdev-grp = rw" (I am in this group), I get asked only once (as I
should be), and then when I authenticate, I am in - as I should be.
I can't work out apache's logic in determining whether to challenge for
a password (does it consider the access-control settings first?) when
one is not needed, and then allows you in after you refuse to give it -
twice! Very strange.
- thomas beale
>
> Here is the Location block for my server configuration, which works fine
> in the scenario you describe (with the ad-hoc authz file, which you seem
> to have):
>
> <Location /svn>
> DAV svn
> SVNParentPath /var/svn
>
> # Access control policy
> AuthzSVNAccessFile /var/svn/svn.acl
>
> # Anonymous access first, auth if necessary
> Satisfy any
> Require valid-user
>
> # Authentication mechanism
> AuthType Basic
> AuthName "Natulte subversion repositories"
> AuthUserFile /var/svn/svn.auth
> </Location>
>
> Hope that helps,
> - Dave.
Re: apache / subversion / access doesn't follow documented rules?
Posted by David Anderson <da...@calixo.net>.
Thomas Beale wrote:
> This kind of combination of repositories cannot be that strange - does
> anyone else have a solution?
A combination of SVNParentPath and an authz access control file should
work. However, I notice you never use the "Satisfy any" directive, which
indicates to apache to try anonymous access first, and then fallback to
authenticated access if required. Perhaps this could be the source of
your problems?
Here is the Location block for my server configuration, which works fine
in the scenario you describe (with the ad-hoc authz file, which you seem
to have):
    <Location /svn>
        DAV svn
        SVNParentPath /var/svn
        # Access control policy
        AuthzSVNAccessFile /var/svn/svn.acl
        # Anonymous access first, auth if necessary
        Satisfy any
        Require valid-user
        # Authentication mechanism
        AuthType Basic
        AuthName "Natulte subversion repositories"
        AuthUserFile /var/svn/svn.auth
    </Location>
Hope that helps,
- Dave.
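
Added example (not part of any post in this thread, and not mod_authz_svn's own code): a simplified Python model of how the three configurations discussed above answer a read request, showing why the LimitExcept setup returns 403 for webdev while "Satisfy any" challenges instead. The authz file contents, the user name "thomas", the config labels, and the use of 200 to mean "read allowed" are assumptions; only repository-root rules are modelled.

```python
# Simplified model of Apache + AuthzSVNAccessFile read decisions (illustrative only).
import configparser

# Constructed authz file matching the thread: dev1 is world-readable, webdev is group-only.
AUTHZ = """
[groups]
webdev-grp = thomas
[dev1:/]
* = r
[webdev:/]
@webdev-grp = rw
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str              # keep user and group names case-sensitive
    cp.read_string(text)
    return cp

def can_read(cp, repo, user):
    """True if the [repo:/] section grants 'r' to user (None = anonymous)."""
    section = f"{repo}:/"
    if not cp.has_section(section):
        return False
    groups = cp["groups"] if cp.has_section("groups") else {}
    for who, perm in cp[section].items():
        if who == "*":
            match = True
        elif who.startswith("@"):
            members = [m.strip() for m in groups.get(who[1:], "").split(",")]
            match = user in members
        else:
            match = who == user
        if match and "r" in perm:
            return True
    return False

def read_status(cp, repo, user, config):
    """Status for a read under 'limitexcept', 'require_all' or 'satisfy_any'."""
    if config == "limitexcept":
        # No Require covers reads, so the request stays anonymous: only '*' can match.
        return 200 if can_read(cp, repo, None) else 403
    if config == "satisfy_any" and can_read(cp, repo, None):
        return 200                    # anonymous access suffices, no challenge
    if user is None:
        return 401                    # challenge for credentials
    return 200 if can_read(cp, repo, user) else 403

POLICY = load(AUTHZ)
```
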