Tips on HTTP authentication & anonymous access? Help!

171 views
Skip to first unread message

Karsten Dambekalns

unread,
May 4, 2011, 4:50:47 PM5/4/11
to Gerrit and Discussion Repo
Hi.

We have Gerrit up and running using the HTTP authentication. Our Apache proxies and handles authentication using a custom script that checks against a database of users.

Now we would like to give anyone access to the review server to fetch changes and hand in review results. But the first thing people see is the login popup of their browser, and if they cancel or click ok without having an account, they've met a dead end. Either they get access denied from Apache or the login popup comes back.

If I specifically allow access to "/" in addition to the restriction on "/login/", I see an error screen by Gerrit that tells me:
"The HTTP server did not provide the username in the Authorization header when it forwarded the request to Gerrit Code Review."

Does anyone have pointers or own experience on how to solve this? Is this a limitation with Gerrit or Apache or basic auth?

Thanks,
Karsten

Shawn Pearce

unread,
May 16, 2011, 10:00:05 PM5/16/11
to Karsten Dambekalns, Gerrit and Discussion Repo

The correct thing is to limit access only to the /login/ directory,
leaving / open for everyone.

The error you quoted often happens because users are accessing the
Gerrit port directly, rather than going through the Apache proxy. I
would make sure the Gerrit server is only listening on 127.0.0.1 and
that the canonicalWebUrl is configured to point to the Apache server
and not the private port Gerrit receives connections from Apache on.

Karsten Dambekalns

unread,
May 17, 2011, 6:01:14 AM5/17/11
to Gerrit and Discussion Repo
Hi Shawn.

On 17.05.2011, at 04:00, Shawn Pearce wrote:
> The correct thing is to limit access only to the /login/ directory,
> leaving / open for everyone.

I tried that (I think, at least), but when hitting the URL it immediately redirects to /login/...

Puzzled,
Karsten

Peter Niederlag

unread,
May 21, 2011, 1:27:39 PM5/21/11
to repo-d...@googlegroups.com
Hello,

Am 17.05.2011 04:00, schrieb Shawn Pearce:
> On Wed, May 4, 2011 at 13:50, Karsten Dambekalns
> <karsten.d...@gmail.com> wrote:

[...]


> The correct thing is to limit access only to the /login/ directory,
> leaving / open for everyone.

We have done/tried that, it just won't work as in contrast to LDAP and
OPENID gerrit will keep on routing to the login action with HTTP auth type.

In doc for sso [1] it even clearly states that there won't be any "sign
in" and "sign out" actions available in HTTP auth type and a user *must*
be provided via the Authorization data.

I don't really see a technical reason why it wouldn't be possible for
HTTP as it is for OPENID and LDAP.

Greets,
Peter

[1]
http://gerrit.googlecode.com/svn/documentation/2.1.7/config-sso.html#_http_basic_digest_authentication

Reply all
Reply to author
Forward
0 new messages