I had added the *mod_access_compat*
<https://httpd.apache.org/docs/current/mod/mod_access_compat.html> load
module which was supposed to allow me to use the old Deny/Order type
commands. Right now I'm having an issue with the server, so I can't test
removing the mod_access_compat and trying the Require statement.
Regarding mod_python...all the research I did indicated there wasn't a
version of the mod_python load module for Apache 2.4 compatible with Python
2.7.1 for Windows Server 2008. Everything indicated to use mod_wsgi
instead. If you know where I can get the mod_python load module (I can't be
compiling it myself), then please provide the url. Thanks.
On Tuesday, August 23, 2016 at 5:20:42 PM UTC-4, RjOllos wrote:
>
>
> On Tuesday, August 23, 2016 at 8:59:05 AM UTC-7, Mary Loftis wrote:
>>
>> Platform: Windows Server 2008 R2
>> Apache 2.2.23 (win32)/SSL 1.0.0j upgrading to Apache 2.4.23 (win32)/SSL
>> 1.0.2h
>> CollabNet Subversion Client SVNServe 1.7.8
>> Trac 1.0.9 (win32)
>> Python 2.7.1
>>
>> On a Windows server, I had Subversion and Trac interacting nicely when
>> running Apache 2.2.23, Subversion 1.7.8 with Trac 1.0.9 and the mod_python
>> module. Access to Trac projects was permitted based on access control
>> groups defined in the subversion access control file. The setting of the
>> AuthzSVNAccessFile variable in the httpd.conf file pointed to the
>> subversion access control file, e:/etc/.svnaccess. If the user had access
>> to a subversion repo, then they had access to the associated Trac project,
>> otherwise access was denied.
>>
>> The httpd.conf file contained the following:
>>
>> <Location /trac>
>> SVNParentPath e:/svn_repository
>> AuthzSVNAccessFile "E:/etc/.svnaccess"
>> SetHandler mod_python
>> PythonHandler trac.web.modpython_frontend
>> PythonOption TracEnvParentDir e:\trac
>> PythonOption TracUriRoot /trac
>> AuthType SSPI
>> SSPIAuth On
>> SSPIOfferSSPI Off
>> SSPIAuthoritative On
>> SSPIDomain <domaincontroller>
>> SSPIOmitDomain Off
>> SSPIUsernameCase lower
>> SSPIPerRequestAuth On
>> SSPIOfferBasic On
>> AuthName "UTAS TRAC Login (Use domain\userid format)"
>> Require valid-user
>> </Location>
>>
>> I then had to upgrade Apache/SSL to 2.4.23, 1.0.2h. With this upgrade,
>> mod_python was obsoleted so I had to switch to use mod_wsgi load module. I
>> added in the mod_wsgi.so load module and modified the config file to remove
>> the Python-related settings (keeping the AuthzSVNAccessFile setting), and
>> adding in mod_wsgi info.
>>
>
>
> mod_python is still actively developed. Do you mean that it was obsoleted
> in the package management system for your OS?
>
>
>> After the Apache upgrade, the httpd.conf file contained:
>>
>> <Location /trac>
>> SVNParentPath e:/svn_repository
>> AuthzSVNAccessFile "E:/etc/.svnaccess"
>> AuthType SSPI
>> SSPIAuth On
>> SSPIOfferSSPI Off
>> SSPIAuthoritative On
>> SSPIDomain <domaincontroller>
>> SSPIOmitDomain Off
>> SSPIUsernameCase lower
>> SSPIPerRequestAuth On
>> SSPIOfferBasic On
>> AuthName "UTAS TRAC Login (Use domain\userid format)"
>> Require valid-user
>> </Location>
>>
>> WSGIScriptAlias /trac e:/trac/trac.wsgi
>>
>> <Directory "e:/trac">
>> WSGIApplicationGroup %{GLOBAL}
>> Order deny,allow
>> Allow from all
>> </Directory>
>>
>>
>> The e:/trac.wsgi has the following in it:
>>
>> import os
>> import trac.web.main
>> import site
>>
>> site.addsitedir('e:\Python\Lib\site-packages')
>>
>> os.environ['PYTHON_EGG_CACHE'] = r'c:\Trac-Python-Egg-Cache'
>>
>> def application(environ, start_response):
>> environ['trac.env_parent_dir'] = r'e:\trac'
>> return trac.web.main.dispatch_request(environ, start_response)
>>
>> The trac.ini file (for Beth_test project) has these critical sections,
>> same as before the Apache upgrade:
>>
>> [components]
>> tracopt.versioncontrol.svn.* = enabled
>> tracstats.* = enabled
>>
>> [repositories]
>> Beth_test.dir = e:\svn_repository\Beth_test
>> Beth_test.description = This is the ‘Beth_test’ project repository on the
>> Test svn server.
>> Beth_test.type = svn
>> Beth_test.url = https://<my_server>/svn/Beth_test
>> Beth_test.hidden = true
>> tsvn = tsvn: Interact with TortoiseSvn
>>
>> [trac]
>> authz_file = E:\etc\.svnaccess
>> permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy,
>> LegacyAttachmentPolicy
>> permission_store = DefaultPermissionStore
>> repository_dir = e:\svn_repository\Beth_test
>> repository_type = svn
>> …plus a bunch of other settings
>>
>>
>> My directory structure on the server is:
>>
>>
>> E:\svn_repository\
>>
>> Beth_test
>>
>> SVN_test
>>
>>
>> E:\trac\
>>
>> Beth_test
>>
>> SVN_test
>>
>>
>> When I bring up the Trac url after entering my active directory
>> credentials, I see the 2 Trac projects listed. However when I click on a
>> project, it gives me access to it even though I have not added my id to the
>> access control group associated with the subversion Beth_test repo. With
>> TortoiseSVN I am properly blocked, but with Trac using the mod_wsgi module,
>> I can (erroneously) access the Trac project and subsequently browse the
>> subversion source.
>>
>>
>> There is nothing useful in the Apache or Trac log files.
>>
>>
>> Any idea why Trac no longer follows the subversion access control
>> permissions after upgrading Apache and switching from mod_python to
>> mod_wsgi?
>>
>>
> In Apache 2.4 you need to use "Require all granted" rather than "Order
> deny,allow" and "Allow from all".
> https://trac.edgewall.org/wiki/TracModWSGI#Mappingrequeststothescript
> https://httpd.apache.org/docs/current/upgrading.html#run-time
>
> - Ryan
>
--
You received this message because you are subscribed to the Google Groups "Trac
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/trac-users.
For more options, visit https://groups.google.com/d/optout.
