- From: Stefan Eissing <stefan.eissing@greenbytes.de>
- Date: Wed, 18 Sep 2002 10:23:29 +0200
- To: "Lisa Dusseault" <lisa@xythos.com>
- Cc: "'Clemm, Geoff'" <gclemm@rational.com>, "'Webdav WG'" <w3c-dist-auth@w3c.org>
Am Mittwoch den, 18. September 2002, um 08:14, schrieb Lisa Dusseault: > > >> Actually, I'd suggest a simple logical contradition, i.e.: >> >> If: ("A" Not "A") >> > .... >> >> etag support isn't required, and locking support isn't required, >> but support for the If header is required. > > I'm not so sure a server will implement the If header if it doesn't > implement locking. I'd agree it's required, but it may not be there. > And there's certainly no requirement now that servers do authentication > checks when they do If checks. That's not required by RFC2518 -- e.g. > if the If test fails because it's logically impossible, then why bother > authenticating? First, I bet that 100% of all non-broken, existing servers do authentication checks before looking at the request resource and its properities like locks. It's the sensible thing to do, as a user might not even have read permission on the resource. So one probably should prevent him/her from finding out about the lock status of the resource. Second, there is no requirement at the moment. But then, we are talking about new requirements for servers. The orginal proposal wants to introduce a new HTTP header, if I remember correctly. If checking authentication first is the sensible thing to do for security reasons, then 2518 bis should say so. If you compare the two existing proposal, you'd find that the invalid IF Header will work against all current servers which: 1) check IF header (that will be all servers with locking) 2) check authentication before everything else whereas the new Enforce Header will only work against future servers which implement the feature. It would therefore be interesting to hear what client implementors think about the two proposals. > This seems like trying to fit a round peg in a square hole. Engineering answer: that is no problem if the diameter is equal or less than the side of the square. //Stefan >> >> So I suggest we check whether any server which does the If check >> before it does an authentication check. It certainly shouldn't, >> since the success or failure of the If check tells you something >> about the resource which you probably shouldn't know if you are >> not authenticated. >> >> I would have no objection to adding a statement to 2518bis that >> states that a server SHOULD do authentication checks before any >> If checks. >> >> Cheers, >> Geoff > >
Received on Wednesday, 18 September 2002 04:24:10 UTC