Apache 2.4 + SVN authz authentication with mixed authenticated/anonymous access

I'm using Apache 2.4, and I wish to use it without mod_access_compat.

I'm trying to serve SVN repositories, with access control handled by mod_authz_svn.

I want some repos or locations within repos to have read-only anonymous access. I want other repos or locations to require basic authentication.

Apache 2.4 no longer supports the Satisfy all syntax; however, mod_authz_svn seems to expect it. How is this supposed to be configured on Apache 2.4?

Apache config:

    <Location /svn>
        DAV svn
        SVNParentPath /usr/projects/svn
        AuthType Basic
        AuthName "SVN repository"
        AuthUserFile /usr/project-config/etc/svn-auth-file
        AuthzSVNAccessFile /usr/project-config/etc/svn-access-control
        Require valid-user
    </Location>

svn-access-control:

    # cat etc/svn-access-control
    [/]
    antiduh = rw

    [openprojects:/]
    * = r
    antiduh = rw

I have 5 repos; openprojects is the only one I want to have anonymous read-only access to. I cannot seem to get this to work. Even the most recent documentation I could find for mod_authz_svn continues to use Satisfy all.


Solution 1:

Poking around in mod_authz_svn's source, it's looking like it has a hard dependency on ap_satisfies(r) == SATISFY_ANY. I'm not entirely familiar with the Apache API model, but this would appear to indicate that mod_authz_svn does not currently support Apache 2.4's new authentication model.

Since nobody else has come up with an answer or with contrary evidence, I'm going to mark this as the answer.

To make this work under Apache 2.4, load the mod_access_compat module:

    LoadModule access_compat_module libexec/apache24/mod_access_compat.so

And then add the Satisfy any clause, just as the documentation currently indicates.

    <Location /svn>
        DAV svn
        SVNParentPath /usr/home/antiduh/svn
        AuthType Basic
        AuthName "SVN repository"
        AuthUserFile /usr/home/antiduh/svn/etc/svn-auth-file
        AuthzSVNAccessFile /usr/home/antiduh/svn/etc/svn-access-control
        Satisfy any
        Require valid-user
    </Location>
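
Added example, not part of the original answer and not mod_authz_svn's code: in this mixed setup the access file decides which paths anonymous clients can read, so it is worth checking what it actually grants. The Python sketch below is a simplified model of the path-based lookup (repository-qualified section first, then the unqualified one, then the parent path, deny by default; groups, aliases and negation are not handled), run over a constructed copy of the question's file; `otherrepo` is a made-up repository name.

```python
# Constructed copy of the svn-access-control file from the question.
ACCESS_FILE = """\
[/]
antiduh = rw

[openprojects:/]
* = r
antiduh = rw
"""

def load_rules(text):
    """Parse the access file into {section: {principal: rights}}."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = rules.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            who, rights = line.split("=", 1)
            section[who.strip()] = rights.strip()
    return rules

def _matches(principal, user):
    return (principal == "*" or principal == user
            or (principal == "$anonymous" and user is None)
            or (principal == "$authenticated" and user is not None))

def _section_rights(rules, name, user):
    """Union of rights from lines that apply to user, or None if none do."""
    hits = [r for p, r in rules.get(name, {}).items() if _matches(p, user)]
    return set("".join(hits)) if hits else None

def allowed(rules, repo, path, user, need="r"):
    """Assumed lookup order: [repo:path], [path], then parents; user=None is anonymous."""
    path = "/" + path.strip("/")
    while True:
        for name in (f"{repo}:{path}", path):
            rights = _section_rights(rules, name, user)
            if rights is not None:
                return need in rights
        if path == "/":
            return False  # no section applies to this user: deny by default
        path = path.rsplit("/", 1)[0] or "/"

if __name__ == "__main__":
    rules = load_rules(ACCESS_FILE)
    for repo in ("openprojects", "otherrepo"):  # otherrepo is hypothetical
        print(repo, "anonymous read:", allowed(rules, repo, "/", None))
```

Running it over every repository name under the SVNParentPath shows at a glance which ones the file opens to unauthenticated readers.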