Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

svn and webauth

Russ Allbery eagle at windlord.stanford.edu
Mon Apr 9 21:15:42 PDT 2007


Carolyn Fairman <cfairman at epgy.Stanford.edu> writes:

> I have a subversion 1.4.3 server running webauth but I can't get to it
> from the command line.  Webauth is working fine from Safari so that's
> not a problem.

> On whisk I have run just kinit, then I try to connect to the svn server.

> [cfairman at whisk ~]$ svn list https://spoon.stanford.edu/repos/project1

> I get

> svn: PROPFIND request failed on '/repos/project1'
> svn: PROPFIND of '/repos/project1': 401 Authorization Required  
> (https://spoon.stanford.edu)

> Over on spoon:

> [Mon Apr 09 20:35:16 2007] [warn] mod_webauth:  
> redirect_request_token: no auth during PROPFIND, denying request

> I'm sure I'm missing something obvious.  Do I need to do something else
> besides kinit?  Something about the keytab for spoon?

The Subversion client isn't going to know how to speak WebAuth.  WebAuth
requires being able to process redirects and display HTML forms to the
user, which is way beyond the capability of the svn command-line utility.
On top of that, WebAuth itself isn't going to know what to do with WebDAV
protocol commands (and has to know in order to construct good return
URLs).

Unfortunately, WebAuth is really only usable as an authentication
mechanism for user-driven browsers.  For Subversion and for WebDAV clients
in general, you have to look at other authentication mechanisms.  I'm not
sure if Subversion is capable of doing Negotiate-Auth yet; you could check
the documentation for that.  Failing that, you'll need to either use
client-side certificates or HTTP Basic-Auth over TLS/SSL.

If you have control over your Subversion clients, an even better route to
take with a current version of Subversion is to not use the Apache module
at all and instead run svnserve.  Then you can use Subversion's native
support for GSSAPI, which is a much better option than any of the
authentication methods supported by WebDAV.  This will only work if you're
using Subversion's clients for everything; if you're trying to use
Subversion as a backend for regular WebDAV clients, they'll require a web
server backend.

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Unix Systems and Applications, Stanford University



More information about the webauth-info mailing list