Re: Aligning grouping of resources in POWDER and WAF Access Control.

Jonas Sicking wrote:
[..]
> 
> This sounds good to me. With that I would be more happy with saying that 
> *.foo.com should match only www.foo.com but not foo.com. That would make 
> it intuitive with rules like:
> 
> allow <foo.com> exclude <*.foo.com>
> and
> allow <foo.com> exclude <users.foo.com>
> 
> I'm not sure I see much use for the '?' syntax suggested. What 
> situations would that help, and are they very common?

OK, forget the ? notation. Your examples are very clear and we seem in 
full alignment that <foo.com> includes sub domains but <*.foo.com> 
wouldn't include foo.com itself.

[..]
> My question is, are there any concrete parts 
> of respective specs that would make sense to share? Other than the URI 
> syntax? Could access-control be implemented using POWDER even, and if 
> so, what would the resulting syntax be for an author publishing 
> shareable documents on his website?

The short answer is that I doubt it, simply because the work required to 
make it so is unlikely to be justified by the use cases. In theory, yes, 
a Resource Set, in the sense POWDER means, could be useful in access 
control. So one might have a Resource Set like:

<wdr:ResourceSet rdf:ID="RS1">
   <wdr:includeHosts>example.org example.com</wdr:includeHosts>
   <wdr:excludePathStartsWith>/sandbox</wdr:excludePathStartsWith>
</wdr:ResourceSet>
Linking to this RS in an access control header would grant access to 
requests from anywhere on example.org and .net except where the path of 
the requesting URI began with /sandbox. But you can't (sensibly) put all 
that in an HTTP Header, you'd have to put the URI of the Resource Set 
from which access was allowed exactly where right now an Access Control 
Header has actual data, so we'd have something very much like an HTTP 
Link Header:

Content-Access-Control: allow 
<http://www.example.net/resourceset.rdf#RS1> type="application/rdf+xml"

which is well outside what WAF has in mind.

We do see POWDER being used to grant/deny access to content to 
individual users (or groups of users) for a variety of reasons but not 
in the way envisaged here.

Cheers

Phil.
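The host-matching semantics the two messages converge on (a bare host such as <foo.com> covers the host and all of its subdomains, while <*.foo.com> covers subdomains only, never foo.com itself), applied to rules of the shape "allow <host> exclude <host> ...", as an added example that is not part of the thread or of either spec; the rule grammar is an assumption read off the two example lines above, and the hostnames are constructed.

```python
"""Evaluate "allow <host> [exclude <host> ...]" rules with the agreed semantics.

Assumed grammar (from the examples in the thread, not a spec): the rule
starts with "allow" and one <pattern>, optionally followed by "exclude"
and one or more <pattern>s. A host is allowed when it matches the allow
pattern and matches none of the exclude patterns.
"""


def host_matches(pattern: str, host: str) -> bool:
    """<foo.com> matches foo.com and any subdomain; <*.foo.com> only subdomains."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return host != base and host.endswith("." + base)
    # The leading dot keeps "notfoo.com" from matching <foo.com>.
    return host == pattern or host.endswith("." + pattern)


def _unwrap(token: str) -> str:
    if not (token.startswith("<") and token.endswith(">") and len(token) > 2):
        raise ValueError(f"expected <host>, got {token!r}")
    return token[1:-1]


def parse_rule(rule: str) -> tuple[str, list[str]]:
    """Return (allow_pattern, [exclude_patterns]) for one rule line."""
    tokens = rule.split()
    if len(tokens) < 2 or tokens[0] != "allow":
        raise ValueError(f"rule must start with 'allow <host>': {rule!r}")
    allow = _unwrap(tokens[1])
    excludes: list[str] = []
    in_exclude = False
    for tok in tokens[2:]:
        if tok == "exclude":
            in_exclude = True
            continue
        if not in_exclude:
            raise ValueError(f"unexpected token {tok!r} in {rule!r}")
        excludes.append(_unwrap(tok))
    return allow, excludes


def is_allowed(rule: str, host: str) -> bool:
    """True when the host falls inside the allow set minus every exclude set."""
    allow, excludes = parse_rule(rule)
    if not host_matches(allow, host):
        return False
    return not any(host_matches(e, host) for e in excludes)
```

Note that because <users.foo.com> itself covers its subdomains, "exclude <users.foo.com>" also shuts out bob.users.foo.com, which is the reading the thread settles on.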

Received on Monday, 23 July 2007 13:52:41 UTC