You are viewing a plain text version of this content. The canonical link for it is here.

Posted to slide-user@jakarta.apache.org by Jacob Lund <jl...@qualiware.com> on 2002/10/04 12:27:47 UTC

Verifying access

Hi,

How do I check if I have access to a given resource, in case it has a
lock on it?

I have a resource with an exclusive lock on it, and now I want to check
it I have access to this resource! 

What I do is retrieve the lock-token and now I need to check if the user
owns this lock! I then add this lock-token to a request header and then
test if I can operate on the resource by adding a new meta-tag and then
remove it again! 

But is there an easier way to verify if current user owns the lock on a
given resource?

/Jacob 


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: Plan for slide 2

Posted by Ganael LAPLANCHE <gl...@jouve.fr>.

Oups... Sorry for the reply Jamin...
Just a mistake
I'm gonna repost my *own* mail ;-)

----- Original Message -----
From: "Ganael LAPLANCHE" <gl...@jouve.fr>
To: "Slide Users Mailing List" <sl...@jakarta.apache.org>
Sent: Wednesday, October 09, 2002 4:50 PM
Subject: Re: Plan for slide 2


> Hi all,
>
> I'm new to slide, and tried to install it.
> Everything seems to work fine but if I try to upload a file with cadaver,
I
> get
> a "500 internal server error" message. I'm running slide with the basic
> configuration,
> with root user...
>
> Could someone help me ?
>
> Gan.
>
> ----- Original Message -----
> From: "jamin rubio" <jr...@jouve.fr>
> To: "'Slide Users Mailing List'" <sl...@jakarta.apache.org>
> Sent: Wednesday, October 09, 2002 2:47 PM
> Subject: Plan for slide 2
>
>
> > Hi all,
> >
> > Is there any idea here of the slide 2 release schedule date...it seems
> that
> > there is a lot of things done throw cvs...
> >
> > Thanks for this excellent piece of work
> >
> > Jamin
> >
> >
> > --
> > To unsubscribe, e-mail:
> <ma...@jakarta.apache.org>
> > For additional commands, e-mail:
> <ma...@jakarta.apache.org>
> >
> >
>
>
> --
> To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
> For additional commands, e-mail:
<ma...@jakarta.apache.org>
>
>


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: Plan for slide 2

Posted by Ganael LAPLANCHE <gl...@jouve.fr>.

Hi all,

I'm new to slide, and tried to install it.
Everything seems to work fine but if I try to upload a file with cadaver, I
get
a "500 internal server error" message. I'm running slide with the basic
configuration,
with root user...

Could someone help me ?

Gan.

----- Original Message -----
From: "jamin rubio" <jr...@jouve.fr>
To: "'Slide Users Mailing List'" <sl...@jakarta.apache.org>
Sent: Wednesday, October 09, 2002 2:47 PM
Subject: Plan for slide 2


> Hi all,
>
> Is there any idea here of the slide 2 release schedule date...it seems
that
> there is a lot of things done throw cvs...
>
> Thanks for this excellent piece of work
>
> Jamin
>
>
> --
> To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
> For additional commands, e-mail:
<ma...@jakarta.apache.org>
>
>


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Plan for slide 2

Posted by jamin rubio <jr...@jouve.fr>.

Hi all,

Is there any idea here of the slide 2 release schedule date...it seems that
there is a lot of things done throw cvs...

Thanks for this excellent piece of work

Jamin


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

RE: Verifying access

Posted by Julian Reschke <ju...@gmx.de>.

> From: Andreas Probst [mailto:andpro77@gmx.net]
> Sent: Wednesday, October 09, 2002 12:18 PM
> To: Slide Users Mailing List
> Subject: RE: Verifying access
>
>
> Hi all,
>
> please see intermixed.
>
> Andreas
>
>
> On 8 Oct 2002 at 14:47, Julian Reschke wrote:
>
> > > From: Jacob Lund [mailto:jl@qualiware.com]
> > > Sent: Tuesday, October 08, 2002 2:42 PM
> > > To: 'Slide Users Mailing List'
> > > Subject: RE: Verifying access
> > >
> > >
> > > Thanks for the reply!
> > >
> > > From what I can see in the thread you referred to, they do not verify
> > > that they have access rights!
> > >
> > > You where right about the lock-token! In the case where a
> user asks for
> > > a lock-token (lockdiscovery or propfind) on a resource where another
> > > user took out the lock - the locktoken will be:
> > > opaquelocktoken:faketoken! However this response does not seem to be
> >
> > If this is indeed returned, it's a severe bug in Slide that needs to be
> > fixed.
>
> I thought the faketoken was returned to prevent users from
> stealing other users' locks.

That may be the intent, but it breaks the protocol. The URI returned as lock
token

- must be a legal URI (this one isn't, because it doesn't follow the
syntactic rules for the opaquelocktoken scheme)

- must identity the lock.

Prevention of other principals (ab)using the lock token is a completely
separate issue that needs to be treated somewhere else.

> > > described in the webdav or the deltaV documentation! Is this slide
> > > sprcific??
> > >
> > > Basically what I need is some command the verifies write-access to a
> > > resource! Are there any commands beside PUT and PROPPATCH that are
> > > denied when a lock is taken on a resource?

DELETE, RENAME, ...:

--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

RE: Verifying access

Posted by Andreas Probst <an...@gmx.net>.

Hi all,

please see intermixed.

Andreas


On 8 Oct 2002 at 14:47, Julian Reschke wrote:

> > From: Jacob Lund [mailto:jl@qualiware.com]
> > Sent: Tuesday, October 08, 2002 2:42 PM
> > To: 'Slide Users Mailing List'
> > Subject: RE: Verifying access
> >
> >
> > Thanks for the reply!
> >
> > From what I can see in the thread you referred to, they do not verify
> > that they have access rights!
> >
> > You where right about the lock-token! In the case where a user asks for
> > a lock-token (lockdiscovery or propfind) on a resource where another
> > user took out the lock - the locktoken will be:
> > opaquelocktoken:faketoken! However this response does not seem to be
> 
> If this is indeed returned, it's a severe bug in Slide that needs to be
> fixed.

I thought the faketoken was returned to prevent users from 
stealing other users' locks.
> 
> > described in the webdav or the deltaV documentation! Is this slide
> > sprcific??
> >
> > Basically what I need is some command the verifies write-access to a
> > resource! Are there any commands beside PUT and PROPPATCH that are
> > denied when a lock is taken on a resource?
> 
> --
> <green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760
> 
> 
> --
> To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
> For additional commands, e-mail: <ma...@jakarta.apache.org>
> 



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

RE: Verifying access

Posted by Julian Reschke <ju...@gmx.de>.

> From: Jacob Lund [mailto:jl@qualiware.com]
> Sent: Tuesday, October 08, 2002 2:42 PM
> To: 'Slide Users Mailing List'
> Subject: RE: Verifying access
>
>
> Thanks for the reply!
>
> From what I can see in the thread you referred to, they do not verify
> that they have access rights!
>
> You where right about the lock-token! In the case where a user asks for
> a lock-token (lockdiscovery or propfind) on a resource where another
> user took out the lock - the locktoken will be:
> opaquelocktoken:faketoken! However this response does not seem to be

If this is indeed returned, it's a severe bug in Slide that needs to be
fixed.

> described in the webdav or the deltaV documentation! Is this slide
> sprcific??
>
> Basically what I need is some command the verifies write-access to a
> resource! Are there any commands beside PUT and PROPPATCH that are
> denied when a lock is taken on a resource?

--
<green/>bytes GmbH -- http://www.greenbytes.de -- tel:+492512807760


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

RE: Verifying access

Posted by Jacob Lund <jl...@qualiware.com>.

Thanks for the reply!

>From what I can see in the thread you referred to, they do not verify
that they have access rights!

You where right about the lock-token! In the case where a user asks for
a lock-token (lockdiscovery or propfind) on a resource where another
user took out the lock - the locktoken will be:
opaquelocktoken:faketoken! However this response does not seem to be
described in the webdav or the deltaV documentation! Is this slide
sprcific??

Basically what I need is some command the verifies write-access to a
resource! Are there any commands beside PUT and PROPPATCH that are
denied when a lock is taken on a resource?

/Jacob 

-----Original Message-----
From: Andreas Probst [mailto:andpro77@gmx.net] 
Sent: 8. oktober 2002 13:36
To: Slide Users Mailing List
Subject: RE: Verifying access

Hi Jacob,

I think Slide2 gives you the lock token only if the client user 
is the one that locked a resource. Otherwise an opaque lock 
token is returned. So if you get a proper lock token and the 
logged-in user has write permission, you should be able to write 
the resource. 

I did not test this, but I wrote a servlet that unlocks a locked 
resource by using Slide client methods to connect to Slide's 
WebdavServlet. This works only if the logged-in user was the one 
that locked the resource before. 

Maybe the following archived discussion helps you. Get it by 
sending an e-mail to slide-user-thread.2463@jakarta.apache.org

Andreas

On 8 Oct 2002 at 11:53, Jacob Lund wrote:

> Sorry for reposting - but I cannot believe that I am the only one 
> having this problem!
> 
> What I have is a client that can "reconnect" to a locked resource! 
> This is interesting if the client or server crashes and the need to 
> reconnect afterward! I do not wish to store additional info about the 
> lock on the server or the client!
> 
> Therefore I need to retrieve the locktoken and then try to see if I 
> can access the resource! The only way, that I could think of, is to 
> try and add/remove a property on the resource - and thereby verify 
> that I have write-access to the resource!
> 
> Is this the way all of you do this, or am I missing something?
> 
> Thanks
> Jacob
> 
> -----Original Message-----
> From: Jacob Lund [mailto:jl@qualiware.com]
> Sent: 4. oktober 2002 12:28
> To: slide-user@jakarta.apache.org
> Subject: Verifying access
> 
> 
> Hi,
> 
> How do I check if I have access to a given resource, in case it has a 
> lock on it?
> 
> I have a resource with an exclusive lock on it, and now I want to 
> check it I have access to this resource!
> 
> What I do is retrieve the lock-token and now I need to check if the 
> user owns this lock! I then add this lock-token to a request header 
> and then test if I can operate on the resource by adding a new 
> meta-tag and then remove it again!
> 
> But is there an easier way to verify if current user owns the lock on 
> a given resource?
> 
> /Jacob
> 
> 

--
To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
For additional commands, e-mail:
<ma...@jakarta.apache.org>

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

RE: Verifying access

Posted by Andreas Probst <an...@gmx.net>.

Hi Jacob,

I think Slide2 gives you the lock token only if the client user 
is the one that locked a resource. Otherwise an opaque lock 
token is returned. So if you get a proper lock token and the 
logged-in user has write permission, you should be able to write 
the resource. 

I did not test this, but I wrote a servlet that unlocks a locked 
resource by using Slide client methods to connect to Slide's 
WebdavServlet. This works only if the logged-in user was the one 
that locked the resource before. 

Maybe the following archived discussion helps you. Get it by 
sending an e-mail to slide-user-thread.2463@jakarta.apache.org

Andreas


On 8 Oct 2002 at 11:53, Jacob Lund wrote:

> Sorry for reposting - but I cannot believe that I am the only one having
> this problem!
> 
> What I have is a client that can "reconnect" to a locked resource! This
> is interesting if the client or server crashes and the need to reconnect
> afterward! I do not wish to store additional info about the lock on the
> server or the client! 
> 
> Therefore I need to retrieve the locktoken and then try to see if I can
> access the resource! The only way, that I could think of, is to try and
> add/remove a property on the resource - and thereby verify that I have
> write-access to the resource!
> 
> Is this the way all of you do this, or am I missing something?
> 
> Thanks
> Jacob
> 
> -----Original Message-----
> From: Jacob Lund [mailto:jl@qualiware.com] 
> Sent: 4. oktober 2002 12:28
> To: slide-user@jakarta.apache.org
> Subject: Verifying access
> 
> 
> Hi,
> 
> How do I check if I have access to a given resource, in case it has a
> lock on it?
> 
> I have a resource with an exclusive lock on it, and now I want to check
> it I have access to this resource! 
> 
> What I do is retrieve the lock-token and now I need to check if the user
> owns this lock! I then add this lock-token to a request header and then
> test if I can operate on the resource by adding a new meta-tag and then
> remove it again! 
> 
> But is there an easier way to verify if current user owns the lock on a
> given resource?
> 
> /Jacob 
> 
> 


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

RE: Verifying access

Posted by Jacob Lund <jl...@qualiware.com>.

Sorry for reposting - but I cannot believe that I am the only one having
this problem!

What I have is a client that can "reconnect" to a locked resource! This
is interesting if the client or server crashes and the need to reconnect
afterward! I do not wish to store additional info about the lock on the
server or the client! 

Therefore I need to retrieve the locktoken and then try to see if I can
access the resource! The only way, that I could think of, is to try and
add/remove a property on the resource - and thereby verify that I have
write-access to the resource!

Is this the way all of you do this, or am I missing something?

Thanks
Jacob

-----Original Message-----
From: Jacob Lund [mailto:jl@qualiware.com] 
Sent: 4. oktober 2002 12:28
To: slide-user@jakarta.apache.org
Subject: Verifying access


Hi,

How do I check if I have access to a given resource, in case it has a
lock on it?

I have a resource with an exclusive lock on it, and now I want to check
it I have access to this resource! 

What I do is retrieve the lock-token and now I need to check if the user
owns this lock! I then add this lock-token to a request header and then
test if I can operate on the resource by adding a new meta-tag and then
remove it again! 

But is there an easier way to verify if current user owns the lock on a
given resource?

/Jacob 


--
To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
For additional commands, e-mail:
<ma...@jakarta.apache.org>


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>