On 01/04/2011 02:57 PM, Avalon wrote:
> I know this is a little bit off topic.
> But since SVN seems to be the only solution which has this feature, I hope
> for any insight from you.
>
>>> SVN features a mixed authentication/anonymous access (see
>>> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir.ex-3).
>>>
>>> I want to achieve the same functionality using a PHP script: allow anonymous
>>> access until accessing some special content and then request
>>> authentication which should be checked according to a htaccess-file.
>>> As far as I understand the SVN example the authentication is performed by
>>> the Apache modules.
>>
>> The svnbook section you refer to above isn't *wrong*, but it certainly could
>> be misleading in terms of what is and isn't supported. (Which is why I
>> wrote the "workaround" blog post to which you were pointed by my peer here.)
>> For a better chance at getting a direct response with information you can
>> immediately apply, I would suggest consulting another PHP-centric community
>> for how they do this. (The Drupal community comes to mind.)
>
> I asked the same question on the PHP and Apache mailing list some months ago
> - without any success.
> The auth-stuff should NOT be implemented in PHP but be handled by the
> Apache.
> The PHP script should only decide when anonymous access is not sufficient
> (e.g. by sending a WWW-Authenticate header).
> Therefore I doubt that consulting other PHP projects would be helpful...
>
> The key question for me is how SVN triggers the "escalation" from anonymous
> usage to authentication.
> Are the two following scenarios correctly described?
>
> Anonymous access:
> A1: Anonymous user requests SVN
> A2: Apache asks authz-provider and it allows anonymous access
> A3: SVN delivers the requested content
>
> Escalation from anonymous to authenticated access:
> B1: Anonymous user requests restricted stuff from SVN
> B2: Apache asks authz-provider and it blocks anonymous access
> B3: According to "satisfy any" and the not-working anonymous access (and
> missing credentials) Apache sends WWW-Authenticate header to authenticate user
> B4: User enters username and password to browser dialog and requests
> restricted stuff from SVN again (this time with credentials)
> B5: Apache asks authz-provider and it blocks anonymous access
> B6: According to "satisfy any" and the not-working anonymous access Apache
> passes the credentials to authz, with the provided credential the user is
> authenticated and passed
> B3: SVN delivers the requested content
>
> The request to escalate from anonymous access in step B3 is initiated from
> SVN, but still the Apache does the authentication.
> Any details how this is performed might help to understand, if it is
> possible to trigger this from e.g. a PHP script.
> Is this only possible due to the implementation as an authz-module?

I believe you've summarized the scenarios accurately (but confess I'm a bit
fuzzy on this stuff).

Apache modules can register themselves as relevant for various "phases" of
request processing, authentication and authorization being two such examples.
mod_authz_svn's register_hooks() function calls ap_hook_access_checker(),
ap_hook_check_user_id(), ap_hook_auth_checker(), and so on to register its
relevance to those phases.

I would imagine that a PHP-based CGI script would be limited to utility only
in the phases for which Apache's CGI handler module registers itself. An
embedded PHP interpreter module (mod_php5, or somesuch) might offer different
hooks at different request phases to the scripts it runs, but I know nothing
of the details there.

-- 
C. Michael Pilato <cmpil...@collab.net>
CollabNet <> www.collab.net <> Distributed Development On Demand
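
The following is an added example, not part of the original thread and not Apache or mod_authz_svn source code: a simplified, self-contained C model of scenarios A and B, with one stand-in function per hook phase named above and the "Satisfy Any" ordering between them. The paths, users and passwords are constructed, and deferring to the authentication phases whenever credentials are sent is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

enum { OK = 0, HTTP_UNAUTHORIZED = 401, HTTP_FORBIDDEN = 403 };
/* Constructed request; user and pass are NULL when no credentials were sent. */
typedef struct { const char *path, *user, *pass; } request;

/* Constructed policy: anonymous may read everything outside /private,
   alice may also read /private, bob is a valid user without that right. */
static int anon_allowed(const char *p) { return strncmp(p, "/private", 8) != 0; }
static int password_ok(const request *r) {
    return (!strcmp(r->user, "alice") && !strcmp(r->pass, "s3cret")) ||
           (!strcmp(r->user, "bob") && !strcmp(r->pass, "hunter2"));
}

/* Access-checker phase: decides without knowing who the user is. */
static int access_checker(const request *r) {
    if (r->user) return HTTP_FORBIDDEN; /* assumption: credentials sent, defer to auth */
    return anon_allowed(r->path) ? OK : HTTP_FORBIDDEN;
}

/* Check-user-id phase (authentication): 401 becomes the challenge of step B3. */
static int check_user_id(const request *r) {
    if (!r->user || !r->pass) return HTTP_UNAUTHORIZED;
    return password_ok(r) ? OK : HTTP_UNAUTHORIZED;
}

/* Auth-checker phase (authorization) for the authenticated user. */
static int auth_checker(const request *r) {
    if (anon_allowed(r->path) || !strcmp(r->user, "alice")) return OK;
    return HTTP_FORBIDDEN;
}

/* "Satisfy Any": a pass from the access checker is sufficient; only a
   refusal there moves the request on to authentication and authorization. */
int process_request(const request *r) {
    int rc;
    if (access_checker(r) == OK) return 200;
    if ((rc = check_user_id(r)) != OK) return rc;
    if ((rc = auth_checker(r)) != OK) return rc;
    return 200;
}

int main(void) { /* scenario A, steps B1-B3, steps B4 onward */
    request a = {"/public/readme", NULL, NULL}, b1 = {"/private/plan", NULL, NULL};
    request b4 = {"/private/plan", "alice", "s3cret"};
    printf("%d %d %d\n", process_request(&a), process_request(&b1), process_request(&b4));
    return 0;
}
```

In this model the 401 comes from the authentication phase, which has run before any content is delivered.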