Re: RFC-2518 LOCK-TOKEN: header

   From: bill@carpenter.ORG (WJCarpenter)

   gmc> Section 6.3 of RFC-2518 states that you can get the lock token
   gmc> through the lock discovery property:

   Yeah, that's what I was thinking (especially as the lock discovery
   property is the prescribed payload returned after a successful LOCK
   request).  But Jim Amsden is right that that's not sufficient.
   ...  The DAV:owner
   property is just so much commentary by the LOCK requester.  It
   explicitly has no bearing on the out-of-band authentication.  In
   short, it can be a complete lie or completely irrelevant.  I think the
   idea of DAV:owner was for human consumption, in case you want to track
   down the LOCK owner and beat him/her with a stick until s/he releases
   the LOCK.  It is by design not at all helpful to the server in
   deciding whether the principal attempting a change is the LOCK holder
   or not.

There seem to be two issues here.  The first is whether a server
should authenticate that the principal specifying the lock token in an
IF header is the same principal that created the lock token in a lock
request.  This is not required by WebDAV, since it is pretty pointless
to carefully guard a lock token when as soon as you UNLOCK the
resource, anyone can come in and trash the resource.  Lock tokens are
for avoiding merges, not for security.

So if you want interoperable security, you should become active in the
WebDAV ACL's effort.  If you try to get it from WebDAV locking and
lock tokens, you will be doomed to disappointment.  But that's not
because WebDAV locking is broken (it in fact does a great job
of avoiding merges), but rather that it doesn't do what it wasn't
designed to do.

The second issue is whether a client other than the lock requesting
client should be able to use the lock token to get access to a
resource.  Doing so would violate the whole design of the lock token
scheme, which is to have a protocol for reliably deciding whether a
*particular* client has the authority granted by the lock token.  The
protocol only works if only the client that made the LOCK request uses
the generated lock token.  The fact that the lock token was issued to
a particular principal is irrelevant.

So a client should always get its own lock token, not appropriate
an existing one.  If a resource is already exclusively locked,
it first will need to UNLOCK the resource.  This then guarantees
that if the other client (that issued the LOCK request) is still
around, it will notice the "cancellation" by the failure of its next
update request.

   For exclusive LOCKs, you can assume from the lock discovery part of a
   successful response that you got the applicable token mentioned.  For
   shared LOCKs, you need the LOCK-TOKEN: header or some additional goop
   in lock discovery conveying "authenticated" ownership.

There is even less point in authenticating shared lock ownership
(which I guess makes it a negative number, since I argue above
that there is no point in authenticating exclusive lock ownership :-).
If you are a principal that has the right to take out a shared
lock, you can just get one - you don't need to use some existing shared lock.

   For the
   problem you mention, of multiple clients being run by the same
   principal, there is no sanctioned, unambiguous way to do lock
   discovery.

There is a sanctioned unambiguous way to do lock discovery ... there
just is (by design) no sanctioned way to do lock appropriation (:-).

Cheers,
Geoff

P.S. I may be all wrong about this, since my livelihood is versioning,
not locking, but I don't think so (:-).

Received on Tuesday, 25 January 2000 16:24:56 UTC