Cannot setting up path based authentication in subversion

Question

I've followed the subversion book countless times to try and set proper path authorization on our subversion server, but I haven't been able to make this work. Here is my access rules file :

    [groups]
    sales-admin = alexa, miked, chrism

    [/]
    $authenticated = rw

    [Product_Sales:/]
    ~@sales-admin =

What this should do is give all authenticated users access to every repository hosted on this server, but restrict read and write access of the Product_Sales repository to the sales-admin group. However, this is not the case in practice, none of my permissions are working properly. Here is what happens in each use case:

1. When I try to update, commit, or checkout from any other repository, I get an "Access is Forbidden" error, and am given no option to authenticate even after clearing my saved credentials from TortoiseSVN.

2. The $authenticated token doesn't work. If I replace "$authenticated = rw" with "* = rw", I regain access again but am no longer asked to log in even though I have not supplied any credentials. Trying to commit does forces me to log in, but I need authentication to always occur when interacting with a repository, including on read-only operations.

3. Setting permissions on the Product_Sales repository doesn't give me access to Product_Sales at all, even if I have * = rw set on the root of the server.

I need to know what is wrong with my access rules. I've tried several times to make path based authorization work over the past few years, but to no avail. If anybody can give me a hand here, I would really appreciate it. I just want to know what I'm misunderstanding about path based authentication explanation in the Subversion Book.

http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

EDIT: Here is my subversion server information

Collabnet Subversion Edge 3.2.2-3395.103

Subversion 1.7.8-3395.103

Answer 1

I have not definitive answer (yet), only some ideas

If I replace "$authenticated = rw" with "* = rw", I regain access again but am no longer asked to log in even though I have not supplied any credentials

* = rw means exactly "Everybody can read and write", everybody is "even anonymous". Do you have Apache-based or svnserve'd SVN-server? In case of Apache you have (must) restrict access to repository at the Apache layer, before path-based access

And, BTW, magic tokens are applicable for SVN 1.5+ (any chances to have older version?)

Update

The course of debugging

• Get "authenticated only" access to all your repos (anonymous can't even read). For svn-related location in httpd.conf it will be (minimal version, basic auth - bad)

DAV svn

SVNListParentPath on

SVNParentPath ...

AuthName ...

AuthType Basic

AuthBasicProvider file

AuthUserFile ...

# AuthzSVNAccessFile ...

Require valid-user

in this config only users, listed in AuthUserFile can give full access to any repo, any part of repo

• Add path-based checks, uncomment AuthzSVNAccessFile. Because with used config anonymous users will not have any access to any repo, $authenticated token becomes excessive, $authenticated == * in this restricted area

• For [Product_Sales:/] for rule "Only one group have access", I'll prefer bullet-proof, overloaded definition

[Product_Sales:/]

* =

@sales-admin = rw

I.e all access is explicitly disabled, only one group in the same explicit style enabled