Refactoring the Authorization API in Apache 2.1

Posted: April 5th, by darix

Tags: svn

A point people dislike is the integration of mod_authz_svn into the Apache API.
At the moment you are restricted to the file format of mod_authz_svn. This makes it hard to integrate Subversion with existing authorization setups.

The problem

Currently mod_authz_svn is required for path/group based authorisation.
Other authorization modules are circumvent by the svn special paths &#8221;PROPFIND /svn/path/!svn/vcc/default HTTP/1.1&#8221;. Furthermore mod_authz_svn takes care of the various WebDAV methods and it combinations.
You could argue that apache can handle this methods too, but mod_authz_svn is more convienent on configuring this.

Compare

[groups]
somegroup = user1, user2

[/]
* = r
somegroup = rw

with

&lt;LimitExcept GET PROPFIND OPTIONS REPORT&gt;
    Require valid-user
    Require group somegroup
&lt;/LimitExcept&gt;

Solution

Justin Erenkrantz refactored the Authentication API for Apache 2.1 to allow different backends for HTTP Basic Auth and HTTP Digest Auth.
I used this new API for my modauthnsvn.

I discussed a better integration with Justin. We came to the conclusion that the best solution would be to refactor the Authorization API along the way of the Authentication API.

The solution would allow us:

use different backends for the storage sql/ldap/db
reuse the backends for different authorization modules.

What does this mean for mod_authz_svn?

the group managment goes into the available mod_authz_groups
path managment can be done by other modules too.
mod_authz_svn mainly remains for taking care of the WebDAV methods handling. (compare req_check_access() in mod_authz_svn.c)

Path managment

As already mentioned in the problem description mod_authz_svn is a convinient way to describe access control to paths. IMHO this is much more readable than the Apache Â´<Limit* /> directives. It would be a nice idea to still use a similar way, but allow storage in other backends. Furthermore i would like to see mod_authz_svn working outside of svn locations. But this is a minor bugfix. :)

Article TODO:

mention that authz_svn needs to resolve the paths for underlying authz modules
doing this patch would allow authz_Svn to enforce ssl inside of parent paths. might be nice for hosters.