How to Configure Repository-Specific Access Control in WebSVN with Apache and SVNAccessFile



When integrating WebSVN with Apache-controlled Subversion repositories, the authentication system requires careful coordination between multiple configuration files. The key issue arises when trying to implement granular, repository-specific permissions while maintaining WebSVN accessibility.

First, let's examine the proper Apache configuration structure. This setup assumes you're using SVNParentPath with multiple repositories:


<Location /svn>
  DAV svn
  SVNParentPath /var/lib/svn/repository
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /var/lib/svn/conf/.dav_svn.passwd
  AuthzSVNAccessFile /var/lib/svn/conf/svnaccess.conf
  Require valid-user
</Location>

For WebSVN to respect these permissions, you need to modify its configuration (typically config.php):

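// useAuthenticationFile() takes the Subversion authz file, not the htpasswd file;
// Apache still checks the passwords. Newer WebSVN releases name this method useAccessFile().
$config->useAuthenticationFile('/var/lib/svn/conf/svnaccess.conf');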

A common mistake is an incorrect path specification in svnaccess.conf. For repository-specific access, each section header takes the form [repository:/path]:

[groups]
sysadmin = joebloggs, jimsmith
developers = mickmurphy, sarahjones

[repository1:/]
@sysadmin = rw
@developers = r

[repository2:/trunk]
@developers = rw
jimsmith = r

When encountering 403 errors, check these critical points:

  1. Ensure Apache has read access to all config files
  2. Verify paths in svnaccess.conf match repository names exactly
  3. Check WebSVN's cache isn't serving stale permission data

For complex setups, you might need repository-specific Location blocks:


<Location /svn/repository1>
  DAV svn
  SVNPath /var/lib/svn/repository/repository1
  Include /var/lib/svn/conf/default_auth.conf
  Require user joebloggs jimsmith
</Location>

Enable these Apache directives to troubleshoot:

LogLevel debug
SVNPathAuthz on

This will generate detailed logs showing exactly where permission checks fail.


When setting up WebSVN with multiple Subversion repositories, we often need to implement differential access control. The standard Apache authentication (via htpasswd) only handles global access, while we need per-repository permissions.

Here's the proper structure that works in production environments:

<VirtualHost *:80>
    # Global SVN configuration
    <Location /svn>
        DAV svn
        SVNParentPath /var/lib/svn/repository
        SVNListParentPath On
        AuthType Basic
        AuthName "Subversion Repository"
        AuthUserFile /var/lib/svn/conf/.dav_svn.passwd
        AuthzSVNAccessFile /var/lib/svn/conf/svnaccess.conf
        Require valid-user
    </Location>

    # WebSVN configuration
    <Location /websvn>
        AuthType Basic
        AuthName "WebSVN Access"
        AuthUserFile /var/lib/svn/conf/.dav_svn.passwd
        AuthzSVNAccessFile /var/lib/svn/conf/svnaccess.conf
        Require valid-user
    </Location>
</VirtualHost>

The svnaccess.conf file requires specific syntax for repository-level permissions:

# Repository-specific permissions
[sysadmin:/]
joebloggs = rw
jimsmith = r
* =

[webdev:/]
mickmurphy = rw
* =

When encountering 403 errors, check these common pitfalls:

1. Path Mismatch: The repository name in [] must match exactly what Apache sees
2. Inheritance Rules: More specific paths override parent permissions
3. User Credentials: Always clear browser cache when testing permission changes
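
The path-mismatch and inheritance pitfalls above can be checked offline before touching Apache. The following is an added example, not code from the original article or from Subversion or WebSVN: a simplified Python model of the authz lookup that covers users, @groups and * in [repo:/path] sections only (no aliases, nested groups or global [/path] sections). The function names, the misspelled Repository2 section and the list of repository directories are assumptions made for illustration.

```python
import configparser

# Constructed sample: the article's first svnaccess.conf, except that the
# second section misspells the repository name as "Repository2".
SAMPLE = """\
[groups]
sysadmin = joebloggs, jimsmith
developers = mickmurphy, sarahjones

[repository1:/]
@sysadmin = rw
@developers = r

[Repository2:/trunk]
@developers = rw
jimsmith = r
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    return cp

def groups_of(cp, user):
    if not cp.has_section("groups"):
        return set()
    return {g for g, members in cp.items("groups")
            if user in [m.strip() for m in members.split(",")]}

def access(cp, user, repo, path):
    """Return '', 'r' or 'rw' from the most specific matching [repo:/path]."""
    groups = groups_of(cp, user)
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):  # the path, then each parent up to /
        section = f"{repo}:/" + "/".join(parts[:depth])
        if not cp.has_section(section):
            continue
        hits = [v for k, v in cp.items(section)
                if k in ("*", user) or (k[:1] == "@" and k[1:] in groups)]
        if hits:  # rights granted by the matching lines are combined
            return "".join(c for c in "rw" if any(c in h for h in hits))
    return ""  # no rule matched: access denied, which Apache reports as 403

def unmatched_sections(cp, repo_dirs):
    """Sections whose repository name is not a directory under SVNParentPath."""
    return [s for s in cp.sections()
            if ":" in s and s.split(":", 1)[0] not in repo_dirs]
```

On a real server, Subversion's own svnauthz accessof command gives the authoritative answer for a given user, repository and path.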

For proper WebSVN integration, ensure this in your websvn/config.php:

// Pass the Subversion authz file (not the htpasswd file); Apache handles the password check.
// Newer WebSVN releases name this method useAccessFile().
$config->useAuthenticationFile('/var/lib/svn/conf/svnaccess.conf');

A proper test sequence would be:

  1. Verify raw SVN access via command line
  2. Test basic WebDAV access through browser
  3. Check WebSVN permissions separately

For complex setups, consider distinct location blocks:

<Location /svn/sysadmin>
    DAV svn
    SVNPath /var/lib/svn/repository/sysadmin
    AuthType Basic
    AuthName "Sysadmin Repo"
    AuthUserFile /var/lib/svn/conf/.dav_svn.passwd
    Require user joebloggs jimsmith
</Location>

This provides clearer separation but becomes unwieldy with many repositories.