Mixed authentication and WebSVN on same host

2011-06-08 Thread Pier-Luc Petitclerc
Hello everyone!

I've been struggling with a configuration problem for a few days and I can't
seem to find an acceptable solution. I'll try to explain as clearly as I
can!

The host I've set up for SVN repositories is svn.eratech.ca.
I'd really like to have visual access to my repositories from anywhere, so
I've set up WebSVN as well.

Here is the configuration for Apache's virtual host (which is the only one
of my hosts that's SSL-enabled, if it's relevant):

NameVirtualHost *:443
> 
> ServerAdmin p...@fusi0n.org
> ServerName svn.eratech.ca
> DocumentRoot /usr/share/websvn
> DirectoryIndex wsvn.php index.php
> Alias /templates /usr/share/websvn/templates
> Alias / /usr/share/websvn/wsvn.php/
> 
> Options -Indexes +FollowSymlinks +MultiViews
> *Satisfy Any
> Require valid-user*
> AuthType Digest
> AuthName "Subversion Repositories"
> *AuthUserFile /var/repos/.svnpasswd.htdigest*
> AuthDigestDomain / /repos
> 
> 
> DAV svn
> SVNListParentPath on
> SVNParentPath /var/repos
> *AuthzSVNAccessFile /var/repos/.svnpasswd*
> *Satisfy Any
> Require valid-user*
> AuthType Digest
> *AuthDigestDomain / /repos*
> AuthName "Subversion Repositories"
> *AuthUserFile /var/repos/.svnpasswd.htdigest*
> SSLRequireSSL
> 
> ErrorLog /var/www/eratech.ca/svn/logs/error.log
> LogLevel warn
> CustomLog /var/www/eratech.ca/svn/logs/access.log combined
> SSLEngine on
> SSLCertificateFile /etc/ssl/svn.eratech.ca.crt
> SSLCertificateKeyFile /etc/ssl/svn.eratech.ca.key
> SSLCertificateChainFile /etc/ssl/PositiveSSL.ca-bundle
> 
>


So, as you can see, I have WebSVN running on / requests and Subversion
intercepting the requests made to /repos.

The problem I have with that is related to the user authentication. I have
read that mixed authentication (anonymous vs "registered") is possible with
authz and that's what I tried implementing.

However, the problem I'm having now is that Apache does *not* ask users for
credentials presumably due to the "Satisfy Any" statement. Unless I am
mistaken, that is how Authz works - to grab usernames off Apache's
authentication and associate it with the ACL specified in
AuthzSVNAccessFile... well, that's not working. I've tried many combinations
to no avail... so is there someone who has configured something similar?

Thanks for your time!!


-- 
- pL

No trees were killed to send this message, but a large number of electrons
were terribly inconvenienced.


Re: Mixed authentication and WebSVN on same host

2011-06-09 Thread Pier-Luc Petitclerc
Hi Konstantin,

Thanks for your reply! I ended up settling for black-and-white access for
WebSVN, manually hiding private repositories.

This is what I ended up doing:


>   ServerAdmin p...@fusi0n.org
>   ServerName svn.eratech.ca
>   DocumentRoot /usr/share/websvn
>   DirectoryIndex wsvn.php
>   Alias /templates /usr/share/websvn/templates
>   Alias / /usr/share/websvn/wsvn.php/
>   
> Options -Indexes +FollowSymlinks +MultiViews
> #Require valid-user
> #Satisfy Any
> #AuthType Digest
> #AuthName "Subversion Repositories"
> #AuthUserFile /var/repos/.svnpasswd.htdigest
> #AuthzSVNAccessFile /var/repos/.svnpasswd
>   
> 
>
> NameVirtualHost *:443
> 
>   ServerAdmin p...@fusi0n.org
>   ServerName svn.eratech.ca
>   SSLEngine on
>   SSLCertificateFile /etc/ssl/svn.eratech.ca.crt
>   SSLCertificateKeyFile /etc/ssl/svn.eratech.ca.key
>   SSLCertificateChainFile /etc/ssl/PositiveSSL.ca-bundle
>   
> DAV svn
> SVNListParentPath on
> SVNParentPath /var/repos
> AuthzSVNAccessFile /var/repos/.svnpasswd
> Satisfy Any
> Require valid-user
> AuthType Digest
> AuthName "Subversion Repositories"
> AuthUserFile /var/repos/.svnpasswd.htdigest
> SSLRequireSSL
>   
> 
>

On Thu, Jun 9, 2011 at 3:32 AM, Konstantin Kolinko wrote:

> 2011/6/9 Pier-Luc Petitclerc :
> > The problem I have with that is related to the user authentication. I have
> > read that mixed authentication (anonymous vs "registered") is possible with
> > authz and that's what I tried implementing.
>
> Read The Book [1], as well as HTTPD manuals. [2]
>
> 1) To mix anonymous and non-anonymous auth (i.e. allow read-only svn
> access for anons) you configure different access rules for different
> HTTP methods. I.e. GET etc. will go without authentication, but
> REPORT, PUT, ... will require authentication.  [1] has an example.
>
> 2) "Satisfy Any" is wrong. You should be careful with it. (If you have
> Allow/Deny statements elsewhere it will be enough to satisfy auth
> requirements).
> See [2] and you'd better configure "Satisfy All".
>
>  [1]: http://svnbook.red-bean.com/
>  [2]: http://httpd.apache.org/docs/
>
> >
> > However, the problem I'm having now is that Apache does not ask users for
> > credentials presumably due to the "Satisfy Any" statement. Unless I am
> > mistaken, that is how Authz work - to grab usernames off Apache's
> > authentication and associate it with the ACL specified in
> > AuthzSVNAccessFile... well, that's not working. I've tried many combinations
> > to no avail... so is there someone who has configured something similar?
> >
> You can configure an access log and look there for what requests and
> responses are. When apache requests auth it is HTTP response code 401.
>
> Best regards,
> Konstantin Kolinko
>



-- 
- pL

No trees were killed to send this message, but a large number of electrons
were terribly inconvenienced.
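
Added example (not part of the thread, and not code from either poster): the access-log check suggested in the quoted reply, scripted in Python. It parses Apache "combined" log lines, the format named in the CustomLog directive of the first message, and reports per HTTP method whether requests under /repos were challenged with a 401, served anonymously, or served to an authenticated user. The log lines, client addresses and the user name "pl" are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z-]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not taken from the thread's server).
SAMPLE_LOG = '''\
192.0.2.10 - - [09/Jun/2011:10:00:01 -0400] "OPTIONS /repos/public HTTP/1.1" 200 188 "-" "SVN/1.6.12"
192.0.2.10 - - [09/Jun/2011:10:00:01 -0400] "PROPFIND /repos/public HTTP/1.1" 207 648 "-" "SVN/1.6.12"
192.0.2.10 - - [09/Jun/2011:10:00:02 -0400] "REPORT /repos/public/!svn/vcc/default HTTP/1.1" 200 1204 "-" "SVN/1.6.12"
192.0.2.11 - - [09/Jun/2011:10:05:10 -0400] "PROPFIND /repos/private HTTP/1.1" 401 401 "-" "SVN/1.6.12"
192.0.2.11 - pl [09/Jun/2011:10:05:11 -0400] "PROPFIND /repos/private HTTP/1.1" 207 702 "-" "SVN/1.6.12"
192.0.2.11 - - [09/Jun/2011:10:06:00 -0400] "MKACTIVITY /repos/public/!svn/act/1f3c HTTP/1.1" 401 401 "-" "SVN/1.6.12"
192.0.2.11 - pl [09/Jun/2011:10:06:01 -0400] "MKACTIVITY /repos/public/!svn/act/1f3c HTTP/1.1" 201 312 "-" "SVN/1.6.12"
192.0.2.12 - - [09/Jun/2011:10:07:00 -0400] "GET /templates/calm/styles.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not in combined format
'''

def classify(line):
    """Return (method, path, outcome), or None if the line does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    status, anonymous = int(m['status']), m['user'] == '-'
    if status == 401:
        outcome = 'challenged'          # Apache asked for credentials
    elif status < 400:
        outcome = 'anonymous-ok' if anonymous else 'authenticated-ok'
    else:
        outcome = 'denied-or-error'
    return m['method'], m['path'], outcome

def summarize(log_text, prefix='/repos'):
    """Count outcomes per HTTP method for requests at or below prefix."""
    counts = Counter()
    for rec in map(classify, log_text.splitlines()):
        if rec and (rec[1] == prefix or rec[1].startswith(prefix + '/')):
            counts[(rec[0], rec[2])] += 1
    return counts

def never_challenged(counts):
    """Methods that were served anonymously and never drew a 401."""
    challenged = {m for m, o in counts if o == 'challenged'}
    return sorted({m for m, o in counts if o == 'anonymous-ok'} - challenged)
```

Methods returned by never_challenged() are those for which the server never asked for credentials in the sampled log, which is the symptom described in the first message.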