[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: 'owner' in dav LOCK request. (Julian Reschke, you out there?)

From: Julian Reschke <julian.reschke_at_gmx.de>
Date: 2004-12-01 22:28:00 CET

Yes, I'm listening :-)

Ben Collins-Sussman wrote:
> I'm confused about the WebDAV spec (rfc 2518), specifically in regard
> to how the 'owner' field works in LOCK requests.
> According to the rfc, the 'owner' field of a dav lock is completely
> optional. It might or might not be in the body of a LOCK request.


> And if it's present, it seems to bear no relationship to
> authentication or lock enforcement. The rfc descibes it as just a
> piece of optional metadata -- like, somebody to phone when you want to
> talk about locking out-of-band.


RFC2518bis (based on real-world experience) adds the requirement that
servers round-trip whatever clients did send in DAV:owner -- including
arbitrary XML -- as part of the LOCK request (some clients will
otherwise think they lost the lock).

> As a real-world example of this, I notice that my Mac does basic http
> authentication when mounting a DAV share, but in its LOCK requests the
> owner is always "default-owner".

I'd report that as a bug (to Jim Luther at Apple).

> I'm worried, because this doesn't mesh with Subversion's locking
> semantics at all. To make use of a lock, Subversion requires *both*
> the lock-token (which is publically available) AND that the user be
> authenticated as the lock's owner.

That's fine. The DAV:owner element in the lock request is just
client-controlled metadata. Servers may associate locks with
authenticated users, but in this case, the user information needs to be
obtained from the HTTP authentication details, not the LOCK request body.

> If WebDAV doesn't have this same double-authentication requirement,
> then I don't understand how locks are supposed to be enforced:
> User A authenticates, does a LOCK, gets a token.
> User B authenticates, does a PROPFIND, discovers the token.
> User B then does a PUT using the token.
> What's the point of locking something if there's no
> authentication/owner enforcement? It like locking the door, and then
> leaving the key taped to the door.
> Maybe I misunderstand what's going on here. Julian, can you clarify?

As a matter of fact, servers may do exactly that. Locking is orthogonal
to access privileges (which has it's own spec, RFC3744). You can have
locks without the locks being associated with any user information, and
you can also have servers support WebDAV ACLs (RFC3744), but no locks.

Best regards, Julian

<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Dec 1 22:31:18 2004

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.