We have been using a mixed authentication setup to allow configuration of
anonymous access within authz files. When testing svn 1.7, we have found that
using "satisfy any" in the httpd configuration but not granting anonymous read
permissions in the authz file is preventing access by users with credentials as
well.
Sample configuration:
httpd.conf:
<Location /svn>
DAV svn
SVNPath /var/svn
SVNAutoversioning on
AuthzSVNAccessFile /var/access/svn_authz
AuthName "Subversion Login"
AuthType Basic
AuthUserFile /var/access/htpasswd
Satisfy any
Require valid-user
</Location>
svn_authz:
[/]
* =
user = rw
When running this configuration on a svn 1.6.x server, when a checkout is
performed the user is prompted for a password and they are able to retrieve the
full directory tree. With a svn 1.7.x server running the same configuration,
the client is still prompted for a password, but then receives the error "svn:
E220000: Not authorized to open root of edit operation".
In the server logs for svn 1.6.x, a checkout would show an initial OPTIONS
request getting a 401 authentication request, then all subsequent requests
would come in as the user:
- - [11/Apr/2013:04:52:28 -0400] "OPTIONS /repo1 HTTP/1.1" 401 401
- testuser [11/Apr/2013:04:52:28 -0400] "OPTIONS /repo1 HTTP/1.1" 200 185
- testuser [11/Apr/2013:04:52:29 -0400] "PROPFIND /repo1 HTTP/1.1" 207 641
- testuser [11/Apr/2013:04:52:29 -0400] "PROPFIND /repo1/!svn/vcc/default
HTTP/1.1" 207 392
- testuser [11/Apr/2013:04:52:29 -0400] "PROPFIND /repo1/!svn/bln/0 HTTP/1.1"
207 443
- testuser [11/Apr/2013:04:52:29 -0400] "PROPFIND /repo1 HTTP/1.1" 207 641
- testuser [11/Apr/2013:04:52:30 -0400] "PROPFIND /repo1/!svn/vcc/default
HTTP/1.1" 207 443
- testuser [11/Apr/2013:04:52:30 -0400] "PROPFIND /repo1/!svn/bc/0 HTTP/1.1"
207 651
- - [11/Apr/2013:04:52:30 -0400] "OPTIONS /repo1 HTTP/1.1" 401 401
- testuser [11/Apr/2013:04:52:30 -0400] "OPTIONS /repo1 HTTP/1.1" 200 185
- testuser [11/Apr/2013:04:52:31 -0400] "PROPFIND /repo1 HTTP/1.1" 207 641
- testuser [11/Apr/2013:04:52:31 -0400] "PROPFIND /repo1 HTTP/1.1" 207 641
- testuser [11/Apr/2013:04:52:31 -0400] "PROPFIND /repo1/!svn/vcc/default
HTTP/1.1" 207 392
- testuser [11/Apr/2013:04:52:31 -0400] "PROPFIND /repo1/!svn/bln/0 HTTP/1.1"
207 443
- testuser [11/Apr/2013:04:52:32 -0400] "REPORT /repo1/!svn/vcc/default
HTTP/1.1" 200 604
In the server logs for svn 1.7.x, a checkout shows only one PROPFIND request
being sent with credentials. All other requests do not have a username in the
logs:
- - [11/Apr/2013:04:50:47 -0400] "OPTIONS /repo1 HTTP/1.1" 200 185
- - [11/Apr/2013:04:50:47 -0400] "OPTIONS /repo1 HTTP/1.1" 200 185
- - [11/Apr/2013:04:50:48 -0400] "PROPFIND /repo1/!svn/rvr/0 HTTP/1.1" 401 401
- testuser [11/Apr/2013:04:50:48 -0400] "PROPFIND /repo1/!svn/rvr/0 HTTP/1.1"
207 652
- - [11/Apr/2013:04:50:48 -0400] "OPTIONS /repo1 HTTP/1.1" 200 185
- - [11/Apr/2013:04:50:48 -0400] "OPTIONS /repo1 HTTP/1.1" 200 185
- - [11/Apr/2013:04:50:49 -0400] "REPORT /repo1/!svn/me HTTP/1.1" 500 241
Using SVNParentPath instead of SVNPath does appears to work:
- - [11/Apr/2013:05:02:38 -0400] "OPTIONS /parent/repo1 HTTP/1.1" 401 401
- testuser [11/Apr/2013:05:02:38 -0400] "OPTIONS /parent/repo1 HTTP/1.1" 200 192
- testuser [11/Apr/2013:05:02:38 -0400] "OPTIONS /parent/repo1 HTTP/1.1" 200 192
- testuser [11/Apr/2013:05:02:38 -0400] "PROPFIND /parent/repo1/!svn/rvr/0
HTTP/1.1" 207 666
- - [11/Apr/2013:05:02:39 -0400] "OPTIONS /parent/repo1 HTTP/1.1" 401 401
- testuser [11/Apr/2013:05:02:39 -0400] "OPTIONS /parent/repo1 HTTP/1.1" 200 192
- testuser [11/Apr/2013:05:02:39 -0400] "OPTIONS /parent/repo1 HTTP/1.1" 200 192
- testuser [11/Apr/2013:05:02:40 -0400] "REPORT /parent/repo1/!svn/me HTTP/1.1"
200 593
Is this expected behavior with the current version of SVN, and are there any
workarounds?
We do have a virtual server set up for testing which is running both versions
of SVN on different ports if it helps.
