- From: Clemm, Geoff <gclemm@rational.com>
- Date: Fri, 11 Jan 2002 08:30:39 -0500
- To: w3c-dist-auth@w3c.org
From: Stefan Eissing [mailto:stefan.eissing@greenbytes.de]
> From: Clemm, Geoff
>
> In general, the user will not map 1-1 with a "principal", but rather
> a user will "match" one or more principals. Therefore I do not see
> that it is feasible or desireable to try to identify a particular
> principal for the current user.
I do not fully understand. There is always a principal for a request
(and be it {DAV:}anonymous), so it would be easy for a server to keep
this information with an active lock.
No, there are credentials for a request, but those credentials
can match a variety of principals in a variety of different
principal spaces relevant to the ACL on a resource.
When there is a ACL privilege {DAV:}can-unlock and this is granted
to a particular principal on the locked resource, the usualy ACL
matching of principals would apply.
It is not matching of principals that takes place, but rather the
matching of the client credentials against the principals identified
in the ACE of an ACL.
So, I do not see the problem with reporting a locking-principal
as part of an active lock. What am I missing? Servers without ACL?
I think the only thing being missed is that a client has credentials,
and that these credentials match a variety of principals, as opposed
to identifying the client as *being* a particular principal.
Cheers,
Geoff
Received on Friday, 11 January 2002 08:31:42 UTC