W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 2000

Re: RFC-2518 LOCK-TOKEN: header

From: Greg Stein <gstein@lyra.org>
Date: Thu, 27 Jan 2000 01:33:53 -0800 (PST)
To: "Geoffrey M. Clemm" <geoffrey.clemm@rational.com>
cc: w3c-dist-auth@w3.org
Message-ID: <Pine.LNX.4.10.10001270128440.8827-100000@nebula.lyra.org>
On Wed, 26 Jan 2000, Geoffrey M. Clemm wrote:
>    The authentication mechanisms are not specified by HTTP (although WebDAV
>    does specify Digest and Basic for secured connections), but the
>    authentication header is used by WebDAV to identify the user agent making
>    the request, and it is this header that is used to determine if the
>    requestor is the owner of the lock.
> I have found no reference to an "authentication header" in rfc2518,
> neither in terms of defining it, nor in terms of using it.
> I have made this point in several postings ... and will continue
> to do so until acknowledged or refuted (:-).

Section 6.3, last paragraph. It mentions that the use of the lock token
must also be enforced through the server's authentication mechanism.

That mechanism may or may not be a header, but the RFC is quite clear (in
my mind) that simply holding a token is not enough. You must have the
token and you must have the same authentication as that used when the lock
was created. Given these two pieces of state, you are allowed to operate
on the target resource.

> For the purposes of the user deciding whether to cancel an
> existing lock, the DAV:owner information should be sufficient.

Many clients may not set that field. I don't think that you can
necessarily depend upon it. But: I tend to agree that there is nothing
better, and that field *is* intended for human consumption (and,
therefore, for asking whether a lock should be cancelled).


Greg Stein, http://www.lyra.org/
Received on Thursday, 27 January 2000 04:33:56 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:01:21 UTC