- From: Daniel Brotsky <dbrotsky@adobe.com>
- Date: Tue, 25 Sep 2001 09:48:03 -0700
- To: "Julian Reschke" <julian.reschke@gmx.de>
- Cc: "Webdav WG" <w3c-dist-auth@w3c.org>
At 11:11 PM +0200 9/24/01, Julian Reschke wrote:
>Interesting.
>
>So both Adobe clients and MS Webfolders assume that in a LOCK response, the
>DAV:owner will be identical with what they have submitted?
As far as I know. This was discussed at the interop event and a spec
clarification item was added about it. My memory of the item is
roughly that "lock owner strings belong to clients, not servers, so
servers should not mess with them." :^)
>
>I think this is a bug. Has it been reported? (I know that at least Adobe
>occasionally is following this list).
Adobe follows this list closely. We don't always have as much time
to respond as we would like, but you can be sure we read everything.
As far as the behavior of relying on owner strings to be "dead" being
a bug, I don't think so, and even if I did it's quite unlikely to
change.
My interpretation of the current spec is that the owner string is
intended for use by clients to allow for conventions around
cooperating over locked resources. In the section you quoted, there
is an unfortunate ambiguity in the passive voice about "information
sufficient for contacting" because it doesn't say who is supposed to
be doing the contacting - other clients or the server. Adobe's
interpretation is that it was other clients who would be doing the
contacting, and thus the owner string should be meaningful to (and
under the control of) clients. Servers, after all, have the
authenticated username of the agent who obtained the lock, so they
have resources not available to the clients to know whom to contact.
Another way of seeing the dilemma here is to ask: suppose clients
wanted to store conventional information about lock owners with the
locked resource, how would they do that? As we considered that
question at Adobe, there seemed to be three fairly straightforward
answers:
1. put it in the lock owner string, which the client sets anyway when
obtaining the lock.
2. put it on another dead property. this has three disadvantages
relative to (1): it requires another round trip (PROPPATCH) in
addition to the LOCK; there's no way to guarantee that the server
supports any other given property as a dead property (many have good
reasons for making all properties live and that's completely allowed
by the spec); and other clients have to know the convention *and*
know which kind of client client obtained the lock in order to get
this information [so you're back to (1) on the "who obtained it"
anyway].
3. put it in the resource content. I'm sure you can come up with
just as many good reasons for not doing this as we did :^). It's the
clear loser.
Thus Adobe's bottom line was: clients need a dead property for
storing conventional owner information, and the OWNER string is
something you already set when locking (so no extra roundtrip) that
seems in the spec to be under client control. So let's use that.
What came out of the interop event was that (a) Adobe wasn't the only
client doing this, and (b) clarifing the spec so that OWNER strings
are definitely under client control would not break any servers.
Hence the issue as I wrote it up above.
By the way, servers are currently not required to return owner
information on lock discovery. I think we need to fold this into the
issue as well, and force them to return it. Clients who don't want
it returned can simply not put sensitive things in the string (or
leave it empty).
dan
P.S. I'm still trying to find time to respond at length to the
UNLOCK-NOT-OWNER issue; which I believe is related because in my
earlier response I raised this whole question of "clients can't know
who has a resource locked." I'll see if I can get to that this week.
But until then, I just want to point out that there's a security
problem with requiring servers to tell clients who (as in the
server-side uname) has locked a given resource: it provides a way for
clients to discover unames through which the server can be attacked.
This is one of the many considerations that cause administrative
protocols to be structured quite differently from
individual-contributor protocols, and one of the reasons that I
resist pushing DAV in administrative directions (such as being able
to unlock someone else's lock). -d.
>
>Julian
>
>> -----Original Message-----
>> From: w3c-dist-auth-request@w3.org
>> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Lisa Dusseault
>> Sent: Monday, September 24, 2001 8:18 PM
>> To: Julian Reschke; Webdav WG
>> Subject: RE: RFC2518 issue with lockdiscovery/activelock/owner
>>
>>
>> Actually, the DAV Interop showed that you just can't mess with
>> the contents
>> of lock owner as it is now. Adobe clients rely on setting the lock owner
>> specifically to their own string. DAV:owner value must be set by the
>> client.
>>
>> RFC2518 could extend lockdiscovery in a couple ways:
>> - create a new element of some kind for clients to use, to contain a URI
>> pointing to the owner. Make a clearer specification about what
>> this element
>> contains.
>>
>> - create a new element of some kind for servers to use to put their
>> conception of who created the lock. Probably this is a PrincipalID from
>> ACLs.
>>
>> lisa
>>
>> > -----Original Message-----
>> > From: w3c-dist-auth-request@w3.org
>> > [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Julian Reschke
>> > Sent: Monday, September 24, 2001 5:26 AM
>> > To: Webdav WG
>> > Subject: RFC2518 issue with lockdiscovery/activelock/owner
>> >
>> >
>> > Hi,
>> >
>> > in WebDAV, the owner of a lock can be reported using the
>> DAV:owner element
>> > (<http://www.greenbytes.de/tech/webdav/rfc2518.html#ELEMENT_owner>):
>> >
>> > <quote>
>> >
> > > The owner XML element provides information sufficient for
>> either directly
>> > contacting a principal (such as a telephone number or Email URI), or for
>> > discovering the principal (such as the URL of a homepage) who
> > owns a lock.
>> >
>> > <!ELEMENT owner ANY>
>> >
>> > </quote>
>> >
>> > It is documented to have ANY content, while the examples (for instance,
>> > <http://www.greenbytes.de/tech/webdav/rfc2518.html#rfc.section.8.1
>> > 0.8>) use
>> > an embedded DAV:href element:
>> >
>> > <quote>
>> >
>> > <D:lockdiscovery>
>> > <D:activelock>
>> > <D:locktype><D:write/></D:locktype>
>> > <D:lockscope><D:exclusive/></D:lockscope>
>> > <D:depth>Infinity</D:depth>
>> > <D:owner>
>> > <D:href>
>> > http://www.ics.uci.edu/~ejw/contact.html
>> > </D:href>
>> > </D:owner>
>> > <D:timeout>Second-604800</D:timeout>
>> > <D:locktoken>
>> > <D:href>
>> > opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4
>> > </D:href>
>> > </D:locktoken>
>> > </D:activelock>
>> > </D:lockdiscovery>
>> >
>> > </quote>
>> >
>> >
>> > While this isn't a problem per se, it seems to have created a situation
>> > where implementors are unsure how to set and process the owner element.
>> >
>> > For instance, the WebDAV library used in Microsoft Office 2000 seems to
>> > compare the (text) contents of the owner element (as returned in the
>> > response) with the value it has sent. If they don't match, it
>> assumes that
>> > the LOCK operation has failed and reports that the document was
>> opened as
>> > "read only" (which I'd say is clearly a bug).
>> >
>> > I think to "fix" this, we whould collect more implementation data. Maybe
>> > this is a case where we could take advantage of XLink
>> > (<http://www.w3.org/TR/xlink/>)...:
>> >
>> > <D:owner>
>> > <D:href xlink:role="DAV:principal-homepage"
>> > DAV:href="http://www.ics.uci.edu/~ejw/contact.html">
>> > Jim Whitehead
>> > </D:href>
>> > <D:href xlink:role="DAV:principal-email"
>> > DAV:href="mailto:ejw@foobar.com">
>> > Jim Whitehead
>> > </D:href>
>> > <D:href xlink:role="DAV:principal-resource"
>> > DAV:href="/users/ejw">
>> > Jim Whitehead
>> > </D:href>
>> > </D:owner>
>> >
>> > or a simpler version that probably wouldn't "break" Office:
>> >
>> > <D:owner xlink:role="DAV:principal-resource"
>> > DAV:href="/users/ejw">
> > > Jim Whitehead
>> > </D:owner>
>> >
>> >
>> >
>> >
>> > Julian
>> >
>> >
>> >
>> >
>> >
>>
--
Daniel Brotsky, Adobe Systems
tel 408-536-4150, pager 877-704-4062
2-way pager email: <mailto:page-dbrotsky@adobe.com>
Received on Tuesday, 25 September 2001 12:49:13 UTC