Posted to users@subversion.apache.org by Keith Lawless <ke...@gmail.com> on 2006/04/25 20:53:09 UTC

Using External Security Provider with Subversion 1.3.1+Apache

Hi,

I have set Subversion with Apache integration and have it working both with
and without basic authentication via AuthType basic. Now, I want to wrap the
whole thing up so that it is protected by Siteminder. So I have configured
Siteminder, let it know what all the WebDAV verbs are, and set up the
policies. From a security point of view, everything is working. My question
is: now that an external provider is handling security, how do I pass the
author's username to Subversion to make sure the history is updated
correctly? Currently, it looks like everything is done by Anonymous. Is
there an HTTP header I can set, or a variable I can append to the URL?

Thanks,
Keith

Re: Using External Security Provider with Subversion 1.3.1+Apache

Posted by Keith Lawless <ke...@gmail.com>.
Here's the answer to my own question for posterity. I cloned the Siteminder
Web Agent configuration in the policy server to create a WebDAV agent with
the additional verbs that Subversion uses. Doing this copies the
configuration of the agent, but there is no way to copy the special
*functionality* of the SM web agent. When writing my security policy, I
explicitly set the REMOTE_USER header to the user name that was
authenticated, and everything is working fine now. This would have happened
under the covers when using the built-in web agent.

On 4/26/06, Rafael Caceres <rc...@aasa.com.pe> wrote:
>
> What Apache will do when the user is authenticated is set the
> 'request->remote_user'. I would think that any application willing to
> learn who the user is can obtain the data from the request object.
>
> On Wed, 2006-04-26 at 08:18 -0400, Andy Levy wrote:
> > On 4/25/06, Keith Lawless <ke...@gmail.com> wrote:
> > > I have set Subversion with Apache integration and have it working both with
> > > and without basic authentication via AuthType basic. Now, I want to wrap the
> > > whole thing up so that it is protected by Siteminder. So I have configured
> > > Siteminder, let it know what all the WebDAV verbs are, and set up the
> > > policies. From a security point of view, everything is working. My question
> > > is: now that an external provider is handling security, how do I pass the
> > > author's username to Subversion to make sure the history is updated
> > > correctly? Currently, it looks like everything is done by Anonymous. Is
> > > there an HTTP header I can set, or a variable I can append to the URL?
> >
> > From what I recall about Siteminder (it's been a couple years since I
> > had the pleasure of working with it), the web server itself does see
> > all users as anonymous - but the ID and other credentials are stashed
> > in a cookie and/or some custom HTTP headers (I think you can configure
> > how it does this).  The security happens before the web server proper
> > even sees the request (in IIS/Windows parlance, SM is an ISAPI filter
> > that catches the HTTP request before anything else sees it).
> >
> > Not having used SM with Apache, nor am I an Apache guru - but it seems
> > like the missing link is that somehow the credentials need to get
> > passed out of SM along with the rest of the request.
> >
> > Have you asked the SM folks about it?
> >
> > Don't know if I helped or just regurgitated things you already knew;
> > hopefully the former, if it's the latter I apologize.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> > For additional commands, e-mail: users-help@subversion.tigris.org
>
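
A check for the symptom discussed in this thread, added here as an example and not code from any of the posters: it parses `svn log --xml` output and reports revisions recorded without an author, which is how commits appear when Apache saw no authenticated user. The sample log, the user name and the `first_enforced_rev` parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `svn log --xml` output (user name and dates invented).
# Subversion omits the <author> element when a revision has no svn:author.
SAMPLE_LOG_XML = """<?xml version="1.0"?>
<log>
<logentry revision="13">
<date>2006-04-27T09:15:00.000000Z</date>
<msg>fix typo</msg>
</logentry>
<logentry revision="12">
<author>alice</author>
<date>2006-04-26T16:02:11.000000Z</date>
<msg>first commit after REMOTE_USER was set by the policy</msg>
</logentry>
<logentry revision="11">
<date>2006-04-25T18:40:03.000000Z</date>
<msg>update build script</msg>
</logentry>
<logentry revision="10">
<author>alice</author>
<date>2006-04-24T11:30:45.000000Z</date>
<msg>import</msg>
</logentry>
</log>
"""

def audit_authors(log_xml, first_enforced_rev=None):
    """Return (revision, date, status) for every revision lacking an author.

    first_enforced_rev (hypothetical parameter) is the first revision committed
    after the user name started reaching Apache; anonymous revisions from that
    point on are "regression", earlier ones are "historical".
    """
    findings = []
    for entry in ET.fromstring(log_xml).iter("logentry"):
        if (entry.findtext("author") or "").strip():
            continue  # author recorded, nothing to report
        rev = int(entry.get("revision"))
        enforced = first_enforced_rev is not None and rev >= first_enforced_rev
        status = "regression" if enforced else "historical"
        findings.append((rev, entry.findtext("date", default=""), status))
    return sorted(findings)

if __name__ == "__main__":
    for rev, date, status in audit_authors(SAMPLE_LOG_XML, first_enforced_rev=12):
        print(f"r{rev} {date} no author ({status})")
```

To audit a real repository, feed the function the output of `svn log --xml` for the repository URL instead of the sample string.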

Re: Using External Security Provider with Subversion 1.3.1+Apache

Posted by Rafael Caceres <rc...@aasa.com.pe>.
What Apache will do when the user is authenticated is set the
'request->remote_user'. I would think that any application willing to
learn who the user is can obtain the data from the request object.

On Wed, 2006-04-26 at 08:18 -0400, Andy Levy wrote:
> On 4/25/06, Keith Lawless <ke...@gmail.com> wrote:
> > I have set Subversion with Apache integration and have it working both with
> > and without basic authentication via AuthType basic. Now, I want to wrap the
> > whole thing up so that it is protected by Siteminder. So I have configured
> > Siteminder, let it know what all the WebDAV verbs are, and set up the
> > policies. From a security point of view, everything is working. My question
> > is: now that an external provider is handling security, how do I pass the
> > author's username to Subversion to make sure the history is updated
> > correctly? Currently, it looks like everything is done by Anonymous. Is
> > there an HTTP header I can set, or a variable I can append to the URL?
> 
> From what I recall about Siteminder (it's been a couple years since I
> had the pleasure of working with it), the web server itself does see
> all users as anonymous - but the ID and other credentials are stashed
> in a cookie and/or some custom HTTP headers (I think you can configure
> how it does this).  The security happens before the web server proper
> even sees the request (in IIS/Windows parlance, SM is an ISAPI filter
> that catches the HTTP request before anything else sees it).
> 
> Not having used SM with Apache, nor am I an Apache guru - but it seems
> like the missing link is that somehow the credentials need to get
> passed out of SM along with the rest of the request.
> 
> Have you asked the SM folks about it?
> 
> Don't know if I helped or just regurgitated things you already knew;
> hopefully the former, if it's the latter I apologize.
> 

Re: Using External Security Provider with Subversion 1.3.1+Apache

Posted by Andy Levy <an...@gmail.com>.
On 4/25/06, Keith Lawless <ke...@gmail.com> wrote:
> I have set Subversion with Apache integration and have it working both with
> and without basic authentication via AuthType basic. Now, I want to wrap the
> whole thing up so that it is protected by Siteminder. So I have configured
> Siteminder, let it know what all the WebDAV verbs are, and set up the
> policies. From a security point of view, everything is working. My question
> is: now that an external provider is handling security, how do I pass the
> author's username to Subversion to make sure the history is updated
> correctly? Currently, it looks like everything is done by Anonymous. Is
> there an HTTP header I can set, or a variable I can append to the URL?