Re: Allow header after Authentication from Дилян Палаузов on 2018-06-25 (ietf-http-wg@w3.org from April to June 2018)

From: Дилян Палаузов <dilyan.palauzov@aegee.org>
Date: Mon, 25 Jun 2018 23:53:45 +0000
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: ietf-http-wg@w3.org
Message-ID: <b5a3b56bd6fa8717a4fc4a7dbc989141886ef7ae.camel@aegee.org>

Hello,

how is Allow: different from WebDAV ACL "DAV:current-user-privilege-
set" [
https://tools.ietf.org/html/rfc3744#section-5.4 ]: "DAV:current-user-
privilege-set is a protected property containing the exact set of
privileges (as computed by the server) granted to the currently
authenticated HTTP user."?

The WebDav privileges can also change depending on the time of the day,
or have different effective permissions being called from laptop or
watch, or use other means to authenticate, after the PROPFIND for the
resoure was called.

Why does it make sense to return DAV:unbind depending on the
authentication, but not Allow: DELETE under the same conditions?

Regards
  Дилян

On Mon, 2018-06-25 at 15:44 -0700, Roy T. Fielding wrote:
> > On Jun 25, 2018, at 2:29 PM, Дилян Палаузов <dilyan.palauzov@aegee.
> > org> wrote:
> > 
> > Hello,
> > 
> > https://tools.ietf.org/html/rfc7231#section-7.4.1 "Allow header"
> > says:
> > [
> > 
> > The "Allow" header field lists the set of methods advertised as
> > supported by the target resource. The purpose of this field is
> > strictly
> > to inform the recipient of valid request methods associated with
> > the
> > resource.
> > 
> > ] Because the text above does not say anything about authorizaion,
> > one
> > possible implementation of Allow is to return the same method list
> > to
> > all - authenticated and not authenticated - clients.
> 
> It says nothing about it because that is a choice for the resource in
> question.
> 
> > What would be the use of a returned
> >  Allow: GET, HEAD, DELETE
> > to a client, if the client is authenticated at the time the request
> > is
> > made and the server knows that with the provided
> > authentication/authorization the client cannot perform DELETE?
> 
> Because they might do their DELETE using a different set of
> credentials than
> in the initial GET.  Or maybe the authorization is based on time-of-
> day instead
> of fixed roles.  Or maybe the DELETE only works when initiated by
> their watch
> instead of their laptop.  Or maybe the server just doesn't care that
> an unauthorized
> DELETE will encounter a 401 response.  Or maybe it's a honey trap.
> 
> The Allow field doesn't talk about access control or authorization
> because
> they are not part of its definition. However, a server can choose to
> advertise
> whatever method it wants, for whatever reason it chooses to do so.
> 
> ....Roy
>

Received on Monday, 25 June 2018 23:54:18 UTC