From: Clemm, Geoff <gclemm@rational.com>
Date: Fri, 11 Jan 2002 08:30:39 -0500
Message-ID: <3906C56A7BD1F54593344C05BD1374B1056E139F@SUS-MA1IT01>
To: w3c-dist-auth@w3c.org
   From: Stefan Eissing [mailto:stefan.eissing@greenbytes.de]

   > From: Clemm, Geoff
   > In general, the user will not map 1-1 with a "principal", but rather
   > a user will "match" one or more principals.  Therefore I do not see
   > that it is feasible or desirable to try to identify a particular
   > principal for the current user.

   I do not fully understand. There is always a principal for a request
   (and be it {DAV:}anonymous), so it would be easy for a server to keep
   this information with an active lock.

No, there are credentials for a request, but those credentials
can match a variety of principals in a variety of different
principal spaces relevant to the ACL on a resource.

   When there is an ACL privilege {DAV:}can-unlock and this is granted
   to a particular principal on the locked resource, the usual ACL
   matching of principals would apply.

It is not matching of principals that takes place, but rather the
matching of the client credentials against the principals identified
in the ACE of an ACL.

   So, I do not see the problem with reporting a locking-principal
   as part of an active lock. What am I missing? Servers without ACL?

I think the only thing being missed is that a client has credentials,
and that these credentials match a variety of principals, as opposed
to identifying the client as *being* a particular principal.

Received on Friday, 11 January 2002 08:31:42 UTC
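
The distinction drawn in this message, as an added example that is not part of the original thread or of any WebDAV implementation: one set of request credentials is matched against the principal named in each ACE and matches several of them at once. The principal URLs, the group lookup and the grant-only evaluation are simplifying assumptions; `DAV:can-unlock` is the privilege proposed in the discussion above.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model; the principal URLs below are illustrative.
ALL = "DAV:all"
AUTHENTICATED = "DAV:authenticated"

@dataclass(frozen=True)
class Credentials:
    """What a request carries: an authenticated identity (or None) plus the
    group principals the server's directory resolves that identity into."""
    user: Optional[str] = None
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class ACE:
    principal: str    # DAV:all, DAV:authenticated, or a principal URL
    grant: frozenset  # privileges granted by this ACE

def matched_principals(creds, acl):
    """Return every ACE principal the credentials match, in ACL order."""
    matched = []
    for ace in acl:
        p = ace.principal
        authenticated = creds.user is not None
        if (p == ALL
                or (p == AUTHENTICATED and authenticated)
                or (authenticated and p == creds.user)
                or (authenticated and p in creds.groups)):
            if p not in matched:
                matched.append(p)
    return matched

def has_privilege(creds, acl, privilege):
    """Grant-only evaluation (assumption): any matching ACE may grant it."""
    hit = set(matched_principals(creds, acl))
    return any(privilege in ace.grant for ace in acl if ace.principal in hit)

# Constructed ACL on a locked resource.
ACL = [
    ACE(ALL, frozenset({"DAV:read"})),
    ACE(AUTHENTICATED, frozenset({"DAV:write"})),
    ACE("/principals/groups/editors", frozenset({"DAV:can-unlock"})),
    ACE("/principals/users/stefan", frozenset({"DAV:read-acl"})),
]
STEFAN = Credentials("/principals/users/stefan",
                     frozenset({"/principals/groups/editors"}))
ANONYMOUS = Credentials()
```

Here the same credentials match four principals, and the unlock privilege arrives through the group ACE rather than through the user's own principal URL, so no single matched principal stands out as "the" principal for the request.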