W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > April to June 2002

Re: Collections and Request-URIs

From: Roy T. Fielding <fielding@apache.org>
Date: Thu, 20 Jun 2002 13:13:48 -0700
Cc: w3c-dist-auth@w3c.org
To: "Clemm, Geoff" <gclemm@rational.com>
Message-Id: <3AE2EE84-848A-11D6-A7CE-000393753936@apache.org>

On Wednesday, June 19, 2002, at 08:04  PM, Clemm, Geoff wrote:
>    From: Roy T. Fielding [mailto:fielding@apache.org]
>
>    ... the ONLY interoperable behavior when faced with a slashless
>    collection request is to perform an external redirect, even if that
>    means existing WebDAV clients will puke and die.
>
> I would have thought that interoperability should take into account
> reality (:-).

Operations must fail safe rather than operating unsafe.  I should have
forced the client to puke and die -- it would have been fixed faster.

> I can see why you wouldn't want the spec to require that a server
> treat identically URIs with and without a trailing slash, but I cannot
> see on what basis you would require a server to not make this
> equivalence.  A client cannot count on them being different
> resources, since the mapping of URIs to resources is up to the
> server, but if a server decided to map trailing URIs with and without
> a trailing slash to the same resource, it should be free to do so. For
> that matter, if it wanted to map every URL in its URL space to the
> same resource, it should be free to do so (although it probably
> wouldn't be an especially popular web site unless that was a really
> interesting resource :-).

You aren't thinking at the right scale.  An "origin server" is a role
played in the communication between client and server over HTTP.  The
trivial case is that there is one server and one client, each residing
within one process and fully aware of the entire request-handling process.
The most common case is a general HTTP server consisting of an array of
resource handlers that are invoked according to a configurable set of
conditions based on elements of the request.  In the complex case, an
origin server consists of a hierarchy of HTTP servers that are selected
based on elements of the request, each of which in turn is made up of
configurable modules ...

The point being that, if the request URI needs to change in order
to handle the request correctly (meaning with the correct server selection,
module selection, and access control checks), a redirect to the correct
URI is necessary because the general-purpose HTTP server cannot know
whether it is the entire origin server or just one cog within a complex
assortment of HTTP servers.  Furthermore, because the hierarchy change
to the URI will change the interpretation of relative URI, none of the
intermediary servers can step in the way of the external redirect
before it gets to the client.

Yes, it is certainly possible for an HTTP server to treat both as
the same resource and not perform a redirect.  However, such software
is a bad HTTP server because it is trading-off a temporary inconvenience
for a potential security hole and a source of broken links.

None of this is an issue for WebDAV if collections are presented to the
client with the correct URL, ending with a slash.  The only time this
does not occur on a regular basis is when the representation of a
collection fails to use the correct URL in its own references.
Under normal circumstances, the only time that a WebDAV client will
need to request the wrong URL is when it is typed into the client
by hand on the very first entry of a Save As dialog.  I don't give a
rat's ass if that one case results in a redirect, and neither does
the user.

....Roy
Received on Thursday, 20 June 2002 16:29:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:00 GMT