subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Torsten Krah <krah...@gmail.com>
Subject Re: Apache SVN module and LUA authentification hook
Date Mon, 22 Jan 2018 12:05:33 GMT
Am Freitag, den 05.01.2018, 16:29 +0100 schrieb Branko ─îibej:
> Are you really changing the username stored in the request in your
> authentication script? That could certainly be the problem, AFAIK
> there's no guarantee that that change gets propagated back to
> mod_authz_svn.
> 
> (It's also a horribly wrong approach to authentication.)

Just curious - why should that be a problem.

Its a normal authentication hook provided via mod_lua since Apache HTTPD
2.4.

Look here [1].

Even the example in the docs sets that user in the auth phase:

..
if auth ~= nil then
     -- fake the user
     r.user = 'foo'
   end
...

So to me this should not make a problem and other httpd 2.4 resources do
not exhibit any problem with that documented approach to authenticate
users (you could even hard code a user like in the example done here by
the OP, should work regarding to svn).

And if it is - its a bug in mod_authz_svn imho, don't you agree?

What's so horribly wrong?
Its the auth phase module - its what the basic_auth or any other auth
module probably does, it sets r.user - the only difference here is, that
a lua script is used to be the auth handler - can you explain what's
wrong with a auth hook that it sets r.user - seems legit to be done and
the docs [1] do agree here - don't you think?

thanks and kind regards

Torsten

[1]
https://httpd.apache.org/docs/2.4/mod/mod_lua.html#luahookauthchecker

Mime
View raw message