- From: Greg Stein <gstein@lyra.org>
- Date: Thu, 27 Jan 2000 01:33:53 -0800 (PST)
- To: "Geoffrey M. Clemm" <geoffrey.clemm@rational.com>
- cc: w3c-dist-auth@w3.org
On Wed, 26 Jan 2000, Geoffrey M. Clemm wrote: >... > The authentication mechanisms are not specified by HTTP (although WebDAV > does specify Digest and Basic for secured connections), but the > authentication header is used by WebDAV to identify the user agent making > the request, and it is this header that is used to determine if the > requestor is the owner of the lock. > > I have found no reference to an "authentication header" in rfc2518, > neither in terms of defining it, nor in terms of using it. > > I have made this point in several postings ... and will continue > to do so until acknowledged or refuted (:-). Section 6.3, last paragraph. It mentions that the use of the lock token must also be enforced through the server's authentication mechanism. That mechanism may or may not be a header, but the RFC is quite clear (in my mind) that simply holding a token is not enough. You must have the token and you must have the same authentication as that used when the lock was created. Given these two pieces of state, you are allowed to operate on the target resource. > For the purposes of the user deciding whether to cancel an > existing lock, the DAV:owner information should be sufficient. Many clients may not set that field. I don't think that you can necessarily depend upon it. But: I tend to agree that there is nothing better, and that field *is* intended for human consumption (and, therefore, for asking whether a lock should be cancelled). Cheers, -g -- Greg Stein, http://www.lyra.org/
Received on Thursday, 27 January 2000 04:33:56 UTC