Platform: Windows Server 2008 R2
Apache 2.2.23 (win32)/SSL 1.0.0j upgrading to Apache 2.4.23 (win32)/SSL 1.0.2h
CollabNet Subversion Client SVNServe 1.7.8
Trac 1.0.9 (win32)
Python 2.7.1

On a Windows server, I had Subversion and Trac interacting nicely when running Apache 2.2.23, Subversion 1.7.8 with Trac 1.0.9 and the mod_python module. Access to Trac projects was permitted based on access control groups defined in the Subversion access control file. The AuthzSVNAccessFile setting in the httpd.conf file pointed to the Subversion access control file, e:/etc/.svnaccess. If the user had access to a Subversion repo, then they had access to the associated Trac project; otherwise access was denied.

The httpd.conf file contained the following:

<Location /trac>
  SVNParentPath e:/svn_repository
  AuthzSVNAccessFile "E:/etc/.svnaccess"
  SetHandler mod_python
  PythonHandler trac.web.modpython_frontend
  PythonOption TracEnvParentDir e:\trac
  PythonOption TracUriRoot /trac
  AuthType SSPI
  SSPIAuth On
  SSPIOfferSSPI Off
  SSPIAuthoritative On
  SSPIDomain <domaincontroller>
  SSPIOmitDomain Off
  SSPIUsernameCase lower
  SSPIPerRequestAuth On
  SSPIOfferBasic On
  AuthName "UTAS TRAC Login (Use domain\userid format)"
  Require valid-user
</Location>

I then had to upgrade Apache/SSL to 2.4.23, 1.0.2h. With this upgrade, mod_python was obsoleted, so I had to switch to the mod_wsgi load module. I added the mod_wsgi.so load module and modified the config file, removing the Python-related settings (keeping the AuthzSVNAccessFile setting) and adding the mod_wsgi info.

After the Apache upgrade, the httpd.conf file contained:

<Location /trac>
  SVNParentPath e:/svn_repository
  AuthzSVNAccessFile "E:/etc/.svnaccess"
  AuthType SSPI
  SSPIAuth On
  SSPIOfferSSPI Off
  SSPIAuthoritative On
  SSPIDomain <domaincontroller>
  SSPIOmitDomain Off
  SSPIUsernameCase lower
  SSPIPerRequestAuth On
  SSPIOfferBasic On
  AuthName "UTAS TRAC Login (Use domain\userid format)"
  Require valid-user
</Location>

WSGIScriptAlias /trac e:/trac/trac.wsgi

<Directory "e:/trac">
   WSGIApplicationGroup %{GLOBAL}
   Order deny,allow
   Allow from all
</Directory>

The e:/trac/trac.wsgi has the following in it:

import os
import trac.web.main
import site

# Raw strings keep the Windows backslashes literal.
site.addsitedir(r'e:\Python\Lib\site-packages')

os.environ['PYTHON_EGG_CACHE'] = r'c:\Trac-Python-Egg-Cache'

def application(environ, start_response):
  # Serve every Trac environment found under e:\trac.
  environ['trac.env_parent_dir'] = r'e:\trac'
  return trac.web.main.dispatch_request(environ, start_response)

The trac.ini file (for Beth_test project) has these critical sections, same as before the Apache upgrade:

[components]
tracopt.versioncontrol.svn.* = enabled
tracstats.* = enabled

[repositories]
Beth_test.dir = e:\svn_repository\Beth_test
Beth_test.description = This is the ‘Beth_test’ project repository on the Test svn server.
Beth_test.type = svn
Beth_test.url = https://<my_server>/svn/Beth_test
Beth_test.hidden = true
tsvn = tsvn: Interact with TortoiseSvn

[trac]
authz_file = E:\etc\.svnaccess
permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
permission_store = DefaultPermissionStore
repository_dir = e:\svn_repository\Beth_test
repository_type = svn
…plus a bunch of other settings

My directory structure on the server is:

E:\svn_repository\
    Beth_test
    SVN_test
E:\trac\
    Beth_test
    SVN_test

When I bring up the Trac URL after entering my Active Directory credentials, I see the 2 Trac projects listed. However, when I click on a project, it gives me access to it even though I have not added my id to the access control group associated with the Subversion Beth_test repo. With TortoiseSVN I am properly blocked, but with Trac using the mod_wsgi module, I can (erroneously) access the Trac project and subsequently browse the Subversion source.

There is nothing useful in the Apache or Trac log files.

Any idea why Trac no longer follows the subversion access control permissions after upgrading Apache and switching from mod_python to mod_wsgi?

mloftis

1 Answer


I had been playing with the svn access control file, and my id was in the admin group. The admin group had r/w access to the top-level slash (/) directory. Consequently, my id had access to all repositories, since I did not remove permissions in each repo for the admin group. Once I removed my id from the admin directory, both svn and Trac followed the repo's group-defined access.

mloftis
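
As an added illustration of the answer above (not code from the original post, Subversion or Trac), this Python 3 sketch models a simplified authz lookup to show why a group granted `rw` on `[/]` reaches a repository whose own section never names it. The sample file, the group and user names and the function names are constructed for the example; aliases, nested groups and `~` negation are not modelled.

```python
import configparser

# Constructed sample: an admin group with rw on the global root, and a
# repository section that names only its own group (all names hypothetical).
SAMPLE_AUTHZ = r"""
[groups]
admin = utas\alice
beth_devs = utas\bob

[/]
@admin = rw

[Beth_test:/]
@beth_devs = rw
"""

def load_authz(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names exactly as written
    cp.read_string(text)
    return cp

def effective_access(cp, user, repo, path="/"):
    """Return '', 'r' or 'rw' for user on repo:path (simplified lookup)."""
    subjects = {user, "*"}
    if cp.has_section("groups"):
        for group, members in cp.items("groups"):
            if user in [m.strip() for m in members.split(",")]:
                subjects.add("@" + group)
    while True:
        # Repository-specific section first, then the global one, per path.
        for section in ("%s:%s" % (repo, path), path):
            if not cp.has_section(section):
                continue
            hits = [v for k, v in cp.items(section) if k in subjects]
            if hits:  # user is named here: union of the matching lines
                return "".join(c for c in "rw" if any(c in h for h in hits))
        if path == "/":
            return ""  # never named on the way up to the root: no access
        path = path.rsplit("/", 1)[0] or "/"

if __name__ == "__main__":
    authz = load_authz(SAMPLE_AUTHZ)
    for user in (r"utas\alice", r"utas\bob", r"utas\carol"):
        print(user, repr(effective_access(authz, user, "Beth_test")))
```

In this model, either removing the user from `admin` or adding an empty `@admin =` line to `[Beth_test:/]` changes the first result to `''`.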