WebSVN user access control

What I wanted

I didn’t have our Subversion configured with HTTP+SVN; it was only configured for local access using the svn commands, and it also allowed specified IPs to connect to the Subversion process port to use SVN clients. Our programmers requested WebSVN not to add content or edit the repos, but just for viewing, for people who may want to view the code to submit bug reports and such. However, with multiple repos, the users didn’t want other Subversion users to be able to view their code, so I had to use the SVN access file to restrict who could “see” what.

To resolve this, I added Apache authorization on the WebSVN site, created a redirect from http:// to https:// so that usernames and passwords wouldn’t be sent in clear text, and used the SVN access file to allow access to the repos.

Note: With the way I did this, users must be authenticated to even view the listing of the repositories. Apache has a Satisfy Any directive that can be used to allow the listing of the repositories, but we didn’t need that.


* Download it from http://websvn.tigris.org/servlets/ProjectDocumentList;jsessionid=24F17B3F5279F7DE3BB39F064A2C4A03

* Extract the archive into any directory within your Apache DocumentRoot



Under the installation directory for WebSVN in the includes folder copy the file distconfig.php to config.php and edit as follows:

Add the following lines, one for each repository:

$config->addRepository('Repo Display Name', 'file:///path/to/svn/repositories/reponame');

Modify the following line to include the path to the subversion repositories:


Choose the template file you would like to use:


Tell WebSVN to use the Subversion access file to restrict access on repository viewing through WebSVN:

$config->useAuthenticationFile('/path/to/svn_access');

Subversion Access File

Located at /path/to/svn_access. The access file below will allow every authenticated user read access for a listing of all the repos.  By selecting repo1, user1 and user2 will be able to view the entire repo1 but user3 and user4 cannot.


[groups]
admins = admin1, admin2, admin3

[/]
@admins = rw
* = r

[repo1:/]
@admins = r
user1 = r
user2 = r

# "repo2" is a placeholder name for the second repository
[repo2:/]
@admins = r
user3 = r
user4 = r
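Subversion's own authz lookup tries the repository section first and, when no rule there names the user, falls back to the catch-all [/] section, so it is worth checking what a policy like the one above actually grants before relying on it. The following is an added example, not part of the original post: a simplified Python model of that lookup (repository root only, no nested groups or aliases) run over constructed access files with placeholder names. WebSVN's own parser should be confirmed against the same cases.

```python
# Added example: simplified model of Subversion's authz lookup for a repository root.
# Constructed access file; repository and user names are placeholders.
LEAKY = """
[groups]
admins = admin1, admin2

[/]
@admins = rw
* = r

[repo1:/]
@admins = r
user1 = r
user2 = r
"""
# Same policy plus an explicit "no access" rule for everyone else on repo1.
STRICT = LEAKY + "* =\n"

def parse(text):
    """Return (groups, sections) from authz text."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            current[name.strip()] = value.strip()
    raw = sections.pop("groups", {})
    groups = {g: {m.strip() for m in v.split(",")} for g, v in raw.items()}
    return groups, sections

def rights_in(entries, groups, user):
    """Rights a section grants `user`, or None when no rule in it names the user."""
    hits = [perm for who, perm in entries.items()
            if who in ("*", user)
            or (who.startswith("@") and user in groups.get(who[1:], ()))]
    return set("".join(hits)) if hits else None

def can_read(text, repo, user):
    groups, sections = parse(text)
    # The repository-specific section is tried first, then the catch-all [/].
    for name in (f"{repo}:/", "/"):
        rights = rights_in(sections.get(name, {}), groups, user)
        if rights is not None:
            return "r" in rights
    return False  # no matching rule anywhere: denied by default

if __name__ == "__main__":
    for label, text in (("leaky", LEAKY), ("strict", STRICT)):
        print(label, {u: can_read(text, "repo1", u) for u in ("user1", "user3")})
```

In this model an unlisted user inherits read on repo1 from the root `* = r` rule unless the repo1 section carries its own `* =` line.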

Apache Subversion.conf

Add the following Location directive to Apache’s subversion.conf file:

<Location "/websvn/">
# Redirect plain-HTTP requests to HTTPS
RewriteEngine on
RewriteBase /
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [L]
# Require SSL connection for password protection.
SSLOptions +StrictRequire
# Allow access to users from a local file on the web server created with htpasswd or users from our AD
AuthBasicProvider file ldap
AuthType Basic
# Let other modules authorize the user when LDAP does not (Apache 2.2 directive)
AuthzLDAPAuthoritative off
AuthUserFile /path/to/htpasswd/file
AuthName "Restricted Access"
# NONE: the connection to the domain controller is not encrypted
AuthLDAPURL "ldap://domaincontroller.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "authorizebindldapuser@example.com"
AuthLDAPBindPassword "bindusers password"
Require valid-user
</Location>

NOTE: If we were serving our Subversion repository via HTTP or HTTPS, we would need a section in Apache like the following. These are the options needed to configure HTTP(S)+SVN access:

<Location "/svn">
DAV svn
SVNParentPath /path/to/svn/repositories
SVNListParentPath on
# Our access control policy
SVNPathAuthz on
AuthzSVNAccessFile /path/to/svn_access
</Location>

