Posted to users@httpd.apache.org by Ben Johnson <be...@indietorrent.org> on 2012/09/07 19:24:48 UTC

Re: [users@httpd] Apache authentication - require group AND (not OR) user


On 8/23/2012 1:12 PM, Ben Johnson wrote:
> 
> 
> On 8/22/2012 3:48 PM, Ben Johnson wrote:
>>
>>
>> On 8/22/2012 2:39 PM, Eric Covener wrote:
>>>> http://www.svnforum.org/threads/37237-AuthzSVNAccessFile-Require-ldap-group
>>>
>>> That thread predates the authorization containers from 2.4 recommended
>>> in this thread.   Maybe there are plans for AuthzSVN to interoperate,
>>> or maybe it already does.
>>
>> Thanks, Eric. Your attention to detail is much appreciated.
>>
>> I didn't notice that these containers were introduced in a version later
>> than the one I'm using (I'm using 2.2.14 and they were introduced in
>> 2.3). No wonder they didn't work as expected. Shame on me.
>>
>> I'll set up a VM with the required version and see if it makes a difference.
>>
>> And, of course, I'll report my findings to the list.
>>
>> If in the meantime somebody reads this and believes that
>> interoperability between the two modules was introduced with 2.3 or
>> later, please do speak up. :)
>>
>> Thanks again,
>>
>> -Ben
> 
> I need a stop-gap solution until I have a chance to test the new
> authorization containers in Apache >= 2.3 and see if they "play nicely"
> with AuthzSVN.
> 
> So, it's back to using simply "Require valid-user" in the
> <Location></Location> block and handling everything else in the
> AuthzSVNAccessFile.
> 
> One "problem" I've noticed is that when a user who does not have any
> access to the repository via the AuthzSVNAccessFile, but who does meet
> the "Require valid-user" requirement, attempts to access this <Location>,
> Apache gets stuck in a redirect loop, logging the following with each
> request until the user-agent (browser) puts a stop to it:
> 
> Access denied: 'user' GET repo:/
> 
> The Apache configuration directives are:
> 
> --------------------
> <Location /svn/repo>
> AuthType Basic
> AuthName "SVN Repository"
> AuthBasicProvider dbm
> AuthDBMType DB
> AuthDBMUserFile "/var/www/apache-users"
> AuthDBMGroupFile "/var/www/apache-users"
> Require valid-user
> DAV svn
> AuthzSVNAccessFile /var/www/projects/svn-access-control-v2.cfg
> SVNPath /var/www/svn/repo
> </Location>
> --------------------
> 
> The AuthzSVNAccessFile contents are:
> 
> --------------------
> [groups]
> admins = joe
> programmers = john, sam, sally
> clients = larry
> 
> [/]
> @admins = rw
> @programmers = r
> @clients = r
> --------------------
> 
> If I authenticate as "joe", for example, I am able to navigate the
> repository without issue.
> 
> But, if I authenticate as a user who does not appear anywhere in the
> AuthzSVNAccessFile, I am hit with the infinite redirect loop.
> 
> Am I doing something silly? Or is this a known issue (perhaps one that's
> been fixed)?
> 
> Thanks for any help!
> 
> -Ben
> 

I finally resolved the redirection loop with the help of this post:

http://stackoverflow.com/questions/264676/how-to-enable-mod-dav-svn-in-the-root-directory-of-a-named-virtual-host

In particular, yurique's comment:

"Found this in /etc/apache2/conf.d/subversion.conf (need to map error
documents to defaults)".

This resolved the problem for me, given my configuration:

<LocationMatch ^/svn>
ErrorDocument 400 default
ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 405 default
ErrorDocument 408 default
ErrorDocument 410 default
ErrorDocument 411 default
ErrorDocument 412 default
ErrorDocument 413 default
ErrorDocument 414 default
ErrorDocument 415 default
ErrorDocument 500 default
ErrorDocument 501 default
ErrorDocument 502 default
ErrorDocument 503 default
</LocationMatch>

I didn't mention that I had the following line in my
<Location></Location> block (because it didn't seem relevant at the time):

<Location /svn/repo>
[...]
SSLOptions +StrictRequire
SSLRequireSSL
ErrorDocument 403 https://example.com/svn/repo/
[...]
</Location>

The intention here was to FORCE access over SSL, while at the same time
eliminating the "double-login problem" and mitigating the potential for
users to expose their credentials over a plaintext connection.

In hindsight, it makes sense that the ErrorDocument directive was
causing a loop.

The unfortunate consequence of "fixing" this is that users will no
longer be asked for credentials when attempting to access the
repository over a plaintext connection. Instead, they'll simply receive
a "403 Forbidden" response.

I'm on Apache 2.2, so I can't try something like the following (because
conditional logic requires Apache >= 2.3); I have no idea if it would
work, anyway:

<Location /svn/repo>
[...]
SSLOptions +StrictRequire
SSLRequireSSL
<If "%{HTTPS} == 'off'">
ErrorDocument 403 https://example.com/svn/repo/
</If>
[...]
</Location>

Just thought I'd share the solution to the loop issue.

-Ben

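Editor's note, added to this archived message (not Ben's configuration or
anything posted in the thread): the loop above comes from using
"ErrorDocument 403 https://..." as an HTTPS-enforcement redirect. Any 403
produced inside the <Location>, including the one AuthzSVN emits for a
valid-user who has no entry in the access file, is turned into a redirect
back to the same URL, which is denied again, and so on. A way to force TLS
that does not interfere with AuthzSVN's 403s, and that works on both 2.2
and 2.4 without <If>, is to answer plaintext requests with a mod_alias
Redirect from a separate port-80 virtual host that carries no AuthType or
Require at all. mod_alias issues the 301 during URL translation, before the
authentication phase runs, so the browser is never challenged for Basic
credentials over HTTP, and the "double-login" on the plaintext side goes
away with it. The hostname, certificate paths and vhost layout below are
assumptions for illustration; the <Location> body reuses the directives
from the message.

```apache
# Added example, not from the original post. ServerName, certificate
# paths and the two-vhost layout are assumptions for illustration.
# Apache does not allow trailing comments on directive lines, so all
# comments here sit on their own lines.

# Plaintext vhost: deliberately has no AuthType/Require and no SVN
# directives. mod_alias answers with a 301 during URL translation,
# before the auth hooks run, so no Basic challenge is ever sent over
# HTTP and no credentials can leak onto the wire.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent /svn https://example.com/svn
</VirtualHost>

# TLS vhost: authentication, DAV and AuthzSVN live only here.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Certificate locations are assumed; adjust to the host.
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    <Location /svn/repo>
        DAV svn
        SVNPath /var/www/svn/repo
        AuthzSVNAccessFile /var/www/projects/svn-access-control-v2.cfg

        AuthType Basic
        AuthName "SVN Repository"
        AuthBasicProvider dbm
        AuthDBMType DB
        AuthDBMUserFile  "/var/www/apache-users"
        AuthDBMGroupFile "/var/www/apache-users"
        Require valid-user

        # Defence in depth: refuse the request outright if it somehow
        # reaches this Location without TLS (redundant on a :443-only
        # vhost, but harmless).
        SSLOptions +StrictRequire
        SSLRequireSSL

        # Crucially, no "ErrorDocument 403 https://...". An AuthzSVN
        # denial for an authenticated user who is absent from the access
        # file must stay a plain 403; mapping it to a URL inside this
        # same Location is what produced the redirect loop.
        ErrorDocument 403 default
    </Location>
</VirtualHost>
```

To check the behaviour, request the repository over plain HTTP with curl:
the response should be a 301 with a Location header pointing at the https
URL and no WWW-Authenticate header. Over HTTPS, a user who authenticates
but has no entry in the AuthzSVNAccessFile should now get a single 403
rather than a chain of redirects.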
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org