httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Schober <peter.scho...@univie.ac.at>
Subject Re: [users@httpd] authentication question
Date Tue, 12 May 2009 16:44:02 GMT
* Ross Boylan <ross@biostat.ucsf.edu> [2009-05-12 18:17]:
> > Where is the SVN access
> > happening? From the Smalltalk app? From httpd?
>
> Both, though the smalltalk app is only going to talk to svn via http.
> There are potentially several scenarios (though I could probably
> dispense with some of them):
> 1) Someone with a subversion client on another machine accesses the svn
> server via http.
> 2) Someone uses a web browser views the respository through a web
> interface like ViewCVS or Trac.
> 3) Someone browses to our custom app which redirects tham to 2) or else
> presents material from 2) as an embedded page.
> 4) Someone using our custom app triggers some logic which causes the
> custom app to access the repository as a svn client (e.g., to get a
> changelog).  The custom web app processes the results in some way and
> displays the results.  The custom web app would also be accessing svn
> via http.

OK, clients other than full (but unmodified, without any plugins)
webbowsers generally don't implement the neccessary parts (following
HTTP 302, HTTP cookies) needed for WebSSO. That very probably also
includes svn command line clients, eclipse, etc.
  So either all mechanisms utilizing redirects and cookies are out of
the equation (which doesn't leave much), or you fall back to hacks to
get a token via the browser and feed it to the client (like OAuth).
  Or you cancel non-browser clients (which cancels commit access, I
assume).

> Ideally, I want the same id/password, and I want it only asked once.
> 
> Incidentally, solutions requiring the human clients to have more exotic
> technologies (certificates, ssh) are probably out.

Given the requirements I don't see how such a thing could work (I
suppose this also rules out Kerberos).
I still haven't a clear picture what this thing does and how the data
should flow, but maybe that's just me. I haven't had a look at the
SVN/DAV related parts of Apache.

> I've seen mention of apache using a login page, rather than the
> usual popup.  Is there a way to do that?  It might have a nicer feel
> for users.

In common websso systems you are being redirected to a login server,
enter your credentials there (which could also be OTPs or whatever,
since you'd only need to change a single server to accept stronger
authentication), and come back to the protected resource, which
*somehow* recognizes the fact that you've already logged in
elsewhere.
So the workings and/or aesthetics of the login form are usually not
from Apache httpd, but some other package (the "login" server).
-peter


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message