W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > January to March 2002

RE: A case for GETSRC (or other mechanism to that effect)

From: Eric Sedlar <Eric.Sedlar@oracle.com>
Date: Wed, 27 Feb 2002 22:18:51 -0800
To: <w3c-dist-auth@w3c.org>
Actually, I think Lisa & I convinced Geoff (the big holdout against the
Translate header) to give in at the last IETF meeting.  Are there any other
holdouts with good reason to have a problem with the translate header?


> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of CJ Holmes
> Sent: Wednesday, February 27, 2002 9:59 PM
> To: w3c-dist-auth@w3c.org
> Subject: A case for GETSRC (or other mechanism to that effect)
> I've been reading the archives, and following the long-running and
> sometimes contentious conversation over retrieval of source
> documents.  Maybe bringing this up will get me kicked off the list,
> but we'll see.
> First, I appreciate what the DAV working group is trying to do by
> allowing multiple sources for a given document, and making each
> source a separate resource.  I won't bother denying that it is useful
> to some people and interesting in its own right.  I totally see the
> logic in it.  But it is an abstraction that is useful only to a small
> minority of users, and is very difficult to implement.  If you doubt
> that, I direct you to the total lack of implementations.  But I'll
> make a case on other grounds, as well.
> With any DAV request except GET the process is rather straightforward:
> 	A virtual host is selected
> 	Security determines what rights the user has on the URL.  In
> the Apache universe that means PUT, POST, MKCOL, GET, etc..  In our
> universe (WebSTAR) that means read, write, list, mkdir, etc..
> 	We figure out what file the URL maps to.
> 	In deciding which plug-in will handle the request, a DAV
> plug-in simply claims anything with a DAV-specific method.  If it is
> MKCOL, DELETE, etc. then the DAV plug-in claims it.
> 	DAV handles the request, within the limits set by the
> security plug-in.
> All of this works great, until we get to the GET method.  Plug-ins
> have no way of knowing the difference between a normal GET that
> should be handled normally, and a GET that is intended to retrieve
> the source of a document and requires special permissions.  In effect
> we have TWO semantics for GET.  And so we start creating fake URL
> spaces.  But we quickly run into security and configuration hassles.
> The bottom line is that there's no way to provide good DAV access
> without some special configuration on the server.  And it isn't the
> result of some kind of design error by the implementor, but a basic
> issue with how the protocol is designed.  Unless you are only dealing
> with static content you MUST set up a whole new URL space to do DAV
> at all.
> In practice setting this up is such a bother that what most
> administrators do is create a whole new virtual host with all
> plug-ins disabled in order to get it done.  Is it just me, or is it
> entirely ridiculous that server administrators have to double the
> number of virtual hosts they support just to give decent DAV access
> to their users?
> And all of this is so complicated for something that *should* be
> really simple!  From most servers' point of view DAV is a way to let
> web authors access their .php, .cgi, .ssi, .shtml, and other dynamic
> files and edit them and save them back onto the server.  All of this
> business about an arbitrary number of sources of arbitrary types as
> properties of a single resource don't do our users one bit of good,
> but the implementation is quite burdensome.
> What we really need from the DAV protocol is a way to know that a
> given request is intended to retrieve the source of a document,
> without having to also posses knowledge about the DAV configuration,
> or which URL spaces have been quarantined for use exclusively for
> WebDAV, and without having to create special areas in the URL space
> that don't actually map to anything else in the universe just so we
> can turn off all the plug-ins for a few requests.  Thus the
> suggestion for a GETSRC property.
> I've read the arguments that ask about FINDPROP and other methods
> that act on a resource, and having to double the number of methods to
> support FINDPROP and FINDPROPSRC, etc..  But in most server
> implementations when you get the properties of a .php or .ssi file
> right now, what are you getting?  In practice you're getting the
> author and lastmod date and other information about the SOURCE, not
> the output.  I don't know of anybody who is executing a .php file and
> then returning the properties of the output -- it (a) isn't practical
> because of all the side-effects it would cause like CPU load and
> errors and code running that you didn't really intend to run and (b)
> isn't useful because nobody cares one whit about the DAV properties
> of PHP output.
> I suggest that we just stop considering GET to be a DAV method at
> all.  GET has nothing to do with DAV any more than POST does.
> Instead of GET, we should be using GETSRC (or whatever you want to
> call it), always.  If you want the output of a source which has been
> run through PHP or SSI or whatever, then fire up your web browser and
> use a GET or POST method.  Otherwise, use your DAV client and GETSRC
> (or whatever).
> When you work with the properties of a resource, you are working with
> the properties of the resource you receive from a GETSRC command.
> When you GETSRC, you receive the same data that you PUT.  When you
> GET or POST, you receive what the server generates from the source
> and your input.  In some cases that happens to be the same as the
> source (static files).
> If OPTIONS does not indicate that GETSRC is avialable, then a DAV
> client may use GET instead.
> Does not preclude a document from having multiple sources at
> different URIs, for the 5% of implementations that need such
> functionality.
> Advantages of this approach:
> 	Works well with existing security modules for Apache and
> other servers.  Just add GETSRC to the list of methods a user is
> allowed to use.
> 	Provides one semantic for GET (the existing semantic from
> HTTP/1.1 spec) and only one semantic.
> 	Is far more likely to be implemented, and implemented WIDELY,
> than the src property ever will be.
> This is a major, major problem with the protocol.  This is in not an
> indictment of anybody's abilities.  Even as a prospective implementor
> reading the spec carefully I didn't appreciate the magnitude of the
> problem until I set out to really implement it, and then it became
> nearly intractable.  Even the reference implementation doesn't
> implement it.
> The DAV group can take this issue in hand and come up with a solution
> people are willing to implement, or the ad-hoc solutions will become
> de-facto standards.  (ie: Translate).  Personally, I would rather see
> this solved by the DAV working group.
> cjh
> --
Received on Thursday, 28 February 2002 01:19:09 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:01:25 UTC