Re: multistatus and BIND

From: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>
Date: Mon, 2 Oct 2006 23:08:51 -0400
To: "Tim Olsen" <tolsen718@gmail.com>
Cc: w3c-dist-auth@w3.org, w3c-dist-auth-request@w3.org
Message-ID: <OF99121900.9AF25E47-ON852571FC.0010EBCD-852571FC.00114C86@us.ibm.com>

You could do either, but I'd suggest a 401 for each URL, to not expose to 
the client the information that x.gif and y.gif refer to the same 
resource.

For example, suppose you had a collection with each of the nominees for a 
position, and a binding named "selected" to the one that was selected. But 
you didn't want to give anyone read access yet to see who was selected 
(but you wanted to let them see the collection, so they could see who was 
running).  If you returned only one of the bindings, and that was the 
binding to "selected", then someone who knew who was nominated could figure 
out who was selected by seeing which name was omitted in the 401 report.

Cheers,
Geoff

Tim wrote on 10/02/2006 06:22:21 PM:

> Hello,
> 
> Here is an example from the BIND draft.

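> 
> +------------------+
> | Root Collection  |
> |  bindings:       |
> |  CollX           |
> +------------------+
>      |
>      |
>      |
> +------------------+
> | Collection C1    |
> |  bindings:       |
> |  x.gif    y.gif  |
> +------------------+
>      |        |
>      |        |
> +------------------+
> | Resource R1      |
> +------------------+
> 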
> Let's say I do an infinite-depth copy on /CollX to /CollY, and I 
> have read permission on Collection C1, but not on Resource R1.  In 
> my multistatus response, do I have to specify a 401 for each URL for
> Resource R1 (/CollX/x.gif and /CollX/y.gif), or for just one of them? 
> 
> thanks,
> Tim
Received on Tuesday, 3 October 2006 03:08:53 GMT
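
The two reporting choices discussed in the reply above, applied to the nominees scenario, as an added example (not code from the thread or the BIND draft). The paths, resource ids and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DAV = "DAV:"
ET.register_namespace("D", DAV)

# Constructed sample: binding path -> resource id. "selected" and "bob" are
# two bindings to one resource; the client may not read any nominee resource.
BINDINGS = {
    "/nominees/selected": "r2",
    "/nominees/alice": "r1",
    "/nominees/bob": "r2",
    "/nominees/carol": "r3",
}
UNREADABLE = {"r1", "r2", "r3"}


def denied_per_resource(bindings, unreadable):
    """One 401 per underlying resource: the first binding visited wins."""
    seen, out = set(), []
    for path, rid in bindings.items():
        if rid in unreadable and rid not in seen:
            seen.add(rid)
            out.append(path)
    return sorted(out)


def denied_per_url(bindings, unreadable):
    """One 401 per URL, so the report says nothing about shared resources."""
    return sorted(p for p, rid in bindings.items() if rid in unreadable)


def omitted(bindings, unreadable, reported):
    """Denied paths missing from a report; non-empty means aliasing is visible."""
    return sorted(set(denied_per_url(bindings, unreadable)) - set(reported))


def multistatus(paths):
    """Render the denied paths as a DAV:multistatus body with a 401 each."""
    ms = ET.Element(f"{{{DAV}}}multistatus")
    for p in paths:
        resp = ET.SubElement(ms, f"{{{DAV}}}response")
        ET.SubElement(resp, f"{{{DAV}}}href").text = p
        ET.SubElement(resp, f"{{{DAV}}}status").text = "HTTP/1.1 401 Unauthorized"
    return ET.tostring(ms, encoding="unicode")


if __name__ == "__main__":
    leaky = denied_per_resource(BINDINGS, UNREADABLE)
    print("per-resource report omits:", omitted(BINDINGS, UNREADABLE, leaky))
    print(multistatus(denied_per_url(BINDINGS, UNREADABLE)))
```

The `omitted` check can serve as a regression test on a server's multistatus output: it should return an empty list for any request that touches multiply-bound resources.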
