Network Working Group                                            M. Rose
Request for Comments: 3341                   Dover Beach Consulting, Inc.
Category: Standards Track                                       G. Klyne
                                                  Clearswift Corporation
                                                              D. Crocker
                                                Brandenburg InternetWorking
                                                               July 2002
The Application Exchange (APEX) Access Service
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This memo describes the Application Exchange (APEX) access service, addressed as the well-known endpoint "apex=access". The access service is used to control use of both the APEX "relaying mesh" and other APEX services.
Table of Contents
   1.  Introduction
   2.  Use and Management of Access Information
   2.1 Querying Access Information
   2.2 Retrieval of Access Information
   2.3 Update of Access Information
   3.  Format of Access Entries
   3.1 Finding the Appropriate Entry: Matching Owners and Actors
   3.2 Creating and Updating Access Entries
   4.  The Access Service
   4.1 Use of XML and MIME
   4.2 The Query Operation
   4.3 The Get Operation
   4.4 The Set Operation
   4.5 The Reply Operation
   5.  Registration: The Access Service
   6.  The Access Service DTD
   7.  Security Considerations
       References
       Authors' Addresses
   A.  Acknowledgements
       Full Copyright Statement
1. Introduction

This memo describes an access service that is built upon the APEX [1] "relaying mesh". The APEX access service is used to control use of both the relaying mesh and other APEX services.
APEX, at its core, provides a best-effort datagram service. Within an administrative domain, all relays must be able to handle messages for any endpoint within that domain. APEX services are logically defined as endpoints but given their ubiquitous semantics they do not necessarily need to be associated with a single physical endpoint. As such, they may be provisioned co-resident with each relay within an administrative domain, even though they are logically provided on top of the relaying mesh, i.e.,
   +----------+  +----------+  +----------+  +---------+
   |   APEX   |  |   APEX   |  |   APEX   |  |         |
   |  access  |  | presence |  |  report  |  |   ...   |
   |  service |  |  service |  |  service |  |         |
   +----------+  +----------+  +----------+  +---------+
        |             |             |             |
   +----------------------------------------------------------------+
   |                                                                |
   |                          APEX core                             |
   |                                                                |
   +----------------------------------------------------------------+
That is, applications communicate with an APEX service by exchanging data with a "well-known endpoint" (WKE).
APEX applications communicate with the access service by exchanging data with the well-known endpoint "apex=access" in the corresponding administrative domain, e.g., "apex=access@example.com" is the endpoint associated with the access service in the "example.com" administrative domain.
Note that within a single administrative domain, the relaying mesh makes use of the APEX access service in order to determine if an originator is allowed to transmit data to a recipient (cf. Step 5.3 of Section 4.4.4.1 of [1]).
2. Use and Management of Access Information

Access information is organized around access entries, each of which contains:
o an owner: an APEX address with which the entry is associated;
o an actor: an APEX address that is granted permission to perform some action in the context of the owner;
o a list of actions; and,
o a timestamp indicating when the service last created or modified the access entry.
The access entry for a given owner controls access to a potentially large range of different APEX services, such as data delivery, access control, and presence information. In addition, Section 4.5 of [1] discusses APEX access policies that govern such activities as peer authentication, message relaying, and so on.
Management of access information falls into three categories:
o applications may query the access service to see if one or more actions are allowed;
o applications may retrieve access information associated with an owner/actor combination; and,
o applications may modify (i.e., create, replace, or delete) access information associated with an owner/actor combination.
Each is now described in turn.
2.1 Querying Access Information

When an application wants to determine whether one or more actions are allowed for an owner/actor combination, it sends a "query" element to the service, e.g.,
   +-------+                  +-------+
   |       | -- data -------> |       |
   | appl. |                  | relay |
   |       | <--------- ok -- |       |
   +-------+                  +-------+

   C: <data content='#Content'>
          <originator identity='fred@example.com' />
          <recipient identity='apex=access@example.com' />
          <data-content Name='Content'>
              <query owner='fred@example.com' transID='1'
                     actor='barney@example.com'
                     actions='core:data presence:subscribe' />
          </data-content>
      </data>
   S: <ok />
The service immediately responds with either an allow or deny operation containing the same transaction-identifier, where "allow" means that all of the actions listed in the query are permitted, e.g.,
   +-------+                  +-------+
   |       | <------- data -- |       |
   | relay |                  |access |
   |       | -- ok ---------> | svc.  |
   +-------+                  +-------+

   C: <data content='#Content'>
          <originator identity='apex=access@example.com' />
          <recipient identity='fred@example.com' />
          <data-content Name='Content'>
              <allow transID='1' />
          </data-content>
      </data>
   S: <ok />
or
   C: <data content='#Content'>
          <originator identity='apex=access@example.com' />
          <recipient identity='fred@example.com' />
          <data-content Name='Content'>
              <deny transID='1' />
          </data-content>
      </data>
   S: <ok />
2.2 Retrieval of Access Information

When an application wants to retrieve the access entry associated with an owner/actor combination (typically in preparation for updating that access information), it sends a "get" element to the service, e.g.,
   +-------+                  +-------+
   |       | -- data -------> |       |
   | appl. |                  | relay |
   |       | <--------- ok -- |       |
   +-------+                  +-------+

   C: <data content='#Content'>
          <originator identity='fred@example.com' />
          <recipient identity='apex=access@example.com' />
          <data-content Name='Content'>
              <get transID='2' owner='fred@example.com'
                   actor='*@example.com' />
          </data-content>
      </data>
   S: <ok />
The service immediately responds with a set operation containing the access entry and the same transaction-identifier, e.g.,
   +-------+                  +-------+
   |       | <------- data -- |       |
   | relay |                  |access |
   |       | -- ok ---------> | svc.  |
   +-------+                  +-------+

   C: <data content='#Content'>
          <originator identity='apex=access@example.com' />
          <recipient identity='fred@example.com' />
          <data-content Name='Content'>
              <set transID='2'>
                  <access owner='fred@example.com'
                          actor='*@example.com'
                          actions='core:data presence:subscribe'
                          lastUpdate='2000-05-14T13:02:00-08:00' />
              </set>
          </data-content>
      </data>
   S: <ok />
2.3 Update of Access Information

When an application wants to create or modify an access entry associated with an owner/actor combination, it sends a "set" element to the service containing the new access entry, e.g.,
   +-------+                  +-------+
   |       | -- data -------> |       |
   | appl. |                  | relay |
   |       | <--------- ok -- |       |
   +-------+                  +-------+

   C: <data content='#Content'>
          <originator identity='wilma@example.com' />
          <recipient identity='apex=access@example.com' />
          <data-content Name='Content'>
              <set transID='1'>
                  <access owner='fred@example.com'
                          actor='*@example.com'
                          actions='core:data presence:subscribe'
                          lastUpdate='2000-05-14T13:02:00-08:00' />
              </set>
          </data-content>
      </data>
   S: <ok />
Note that Step 4 of Section 4.4 requires that the "lastUpdate" attribute of an access entry be supplied in order to update that entry; accordingly, applications must successfully retrieve an access entry prior to trying to modify that entry. (Naturally, administrators should ensure that applications authorized to modify an access entry are also authorized to retrieve that entry.)
The service immediately responds with a reply operation containing the same transaction-identifier, e.g.,
   +-------+                  +-------+
   |       | <------- data -- |       |
   | relay |                  |access |
   |       | -- ok ---------> | svc.  |
   +-------+                  +-------+

   C: <data content='#Content'>
          <originator identity='apex=access@example.com' />
          <recipient identity='wilma@example.com' />
          <data-content Name='Content'>
              <reply code='250' transID='1' />
          </data-content>
      </data>
   S: <ok />
Note that Steps 6.2 and 9.2 of Section 4.4 require that the access service update the "lastUpdate" attribute of an access entry when it is created or modified.
The service also immediately sends a set operation to the address named by the owner attribute of the access entry, e.g.,
   +-------+                  +-------+
   |       | <------- data -- |       |
   | relay |                  |access |
   |       | -- ok ---------> | svc.  |
   +-------+                  +-------+

   C: <data content='#Content'>
          <originator identity='apex=access@example.com' />
          <recipient identity='fred@example.com' />
          <data-content Name='Content'>
              <set transID='1'>
                  <access owner='fred@example.com'
                          actor='*@example.com'
                          actions='core:data presence:subscribe'
                          lastUpdate='2000-05-14T23:02:00-08:00' />
              </set>
          </data-content>
      </data>
   S: <ok />
When an application wants to delete the access entry associated with an owner/actor combination, it sends a "set" element to the service omitting the permitted actions, e.g.,
   +-------+                  +-------+
   |       | -- data -------> |       |
   | appl. |                  | relay |
   |       | <--------- ok -- |       |
   +-------+                  +-------+

   C: <data content='#Content'>
          <originator identity='wilma@example.com' />
          <recipient identity='apex=access@example.com' />
          <data-content Name='Content'>
              <set transID='2'>
                  <access owner='fred@example.com'
                          actor='*@example.com'
                          lastUpdate='2000-05-14T13:02:00-08:00' />
              </set>
          </data-content>
      </data>
   S: <ok />
The service immediately responds with a reply operation containing the same transaction-identifier, e.g.,
   +-------+                  +-------+
   |       | <------- data -- |       |
   | relay |                  |access |
   |       | -- ok ---------> | svc.  |
   +-------+                  +-------+

   C: <data content='#Content'>
          <originator identity='apex=access@example.com' />
          <recipient identity='wilma@example.com' />
          <data-content Name='Content'>
              <reply code='250' transID='2' />
          </data-content>
      </data>
   S: <ok />
The service also immediately sends a set operation to the address named by the owner attribute of the access entry, e.g.,
   +-------+                  +-------+
   |       | <------- data -- |       |
   | relay |                  |access |
   |       | -- ok ---------> | svc.  |
   +-------+                  +-------+

   C: <data content='#Content'>
          <originator identity='apex=access@example.com' />
          <recipient identity='fred@example.com' />
          <data-content Name='Content'>
              <set transID='2'>
                  <access owner='fred@example.com'
                          actor='*@example.com'
                          lastUpdate='2000-05-14T13:02:00-08:00' />
              </set>
          </data-content>
      </data>
   S: <ok />
Because there are no actions associated with this access entry, the owner knows that the entry has been deleted.
Note that because access control supports limited wildcarding of actors, deleting the access entry for a particular owner/actor combination may modify, rather than remove, that actor's permissions: once the specific entry is gone, a wildcard entry that also matches the actor takes effect. Because of this, a special action, "all:none", is used to revoke access explicitly.
For example, consider these two access entries:
   <access owner='fred@example.com'
           actor='barney@example.com'
           actions='core:data presence:subscribe presence:watch'
           lastUpdate='2000-05-14T13:20:00-08:00' />

   <access owner='fred@example.com'
           actor='*@example.com'
           actions='core:data'
           lastUpdate='2000-05-14T13:20:00-08:00' />
Deleting the first access entry will not remove all permissions for the actor "barney@example.com": the second entry still matches that actor and grants "core:data".
Instead, the first access entry should be modified thusly:
   <access owner='fred@example.com'
           actor='barney@example.com'
           actions='all:none'
           lastUpdate='2000-05-14T13:20:00-08:00' />
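The following is an added example, not code from RFC 3341 or from any APEX implementation: a minimal in-memory model of the "apex=access" service that replays the get/set/delete exchanges of this section. It enforces the two rules the text stresses, namely that a set against an existing entry must carry the lastUpdate value obtained through a prior get (a guessed or stale value is rejected before anything changes) and that the service, not the client, stamps the new lastUpdate and pushes every change to the owner as a set operation. Assumptions: authorization of the originator is not modelled; the reply to a get for a nonexistent owner/actor pair is not covered by this excerpt, so the model simply raises KeyError; the timestamp list is a constructed clock; the reply code 250 is the one shown above.

```python
from dataclasses import dataclass
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class AccessEntry:
    owner: str
    actor: str
    actions: tuple    # () means "no actions", which is how a deletion is expressed
    lastUpdate: str

    def to_xml(self) -> ET.Element:
        el = ET.Element("access", owner=self.owner, actor=self.actor,
                        lastUpdate=self.lastUpdate)
        if self.actions:
            el.set("actions", " ".join(self.actions))
        return el


class StaleUpdate(Exception):
    """The set did not carry the lastUpdate value of the stored entry."""


class AccessService:
    """In-memory model of apex=access@<domain> for the exchanges in Section 2."""

    def __init__(self, domain, timestamps):
        self.wke = f"apex=access@{domain}"
        self.timestamps = iter(timestamps)   # constructed clock, one value per update
        self.entries = {}                    # (owner, actor) -> AccessEntry, literal keys
        self.outbox = []                     # data elements handed to the relaying mesh

    def _send(self, recipient, op):
        data = ET.Element("data", content="#Content")
        ET.SubElement(data, "originator", identity=self.wke)
        ET.SubElement(data, "recipient", identity=recipient)
        ET.SubElement(data, "data-content", Name="Content").append(op)
        self.outbox.append(data)

    def get(self, originator, trans_id, owner, actor):
        """Section 2.2: answer with a set carrying the stored entry."""
        entry = self.entries[(owner, actor)]      # no wildcard processing (Section 3.2)
        op = ET.Element("set", transID=trans_id)
        op.append(entry.to_xml())
        self._send(originator, op)
        return entry

    def set(self, originator, trans_id, requested: AccessEntry):
        """Section 2.3: create, replace or delete, then reply and notify the owner."""
        key = (requested.owner, requested.actor)
        current = self.entries.get(key)
        if current is not None and requested.lastUpdate != current.lastUpdate:
            # Step 4 of Section 4.4: an existing entry can only be changed by a
            # client presenting the lastUpdate it obtained through get
            raise StaleUpdate(f"{key}: expected lastUpdate {current.lastUpdate}")
        if requested.actions:
            # Steps 6.2 / 9.2: the service stamps lastUpdate on create/modify
            stored = AccessEntry(*key, requested.actions, next(self.timestamps))
            self.entries[key] = stored
        else:
            stored = AccessEntry(*key, (), requested.lastUpdate)
            self.entries.pop(key, None)
        self._send(originator, ET.Element("reply", code="250", transID=trans_id))
        notice = ET.Element("set", transID=trans_id)
        notice.append(stored.to_xml())
        self._send(requested.owner, notice)       # the owner learns of every change
        return stored


def run_example():
    """Replays Section 2: fred reads the entry, wilma updates it, then deletes it."""
    svc = AccessService("example.com", ["2000-05-14T23:02:00-08:00"])
    seed = AccessEntry("fred@example.com", "*@example.com",
                       ("core:data", "presence:subscribe"), "2000-05-14T13:02:00-08:00")
    svc.entries[(seed.owner, seed.actor)] = seed
    seen = svc.get("fred@example.com", "2", seed.owner, seed.actor)
    try:   # a set that skips the get and guesses lastUpdate is rejected
        svc.set("wilma@example.com", "1", AccessEntry(
            seed.owner, seed.actor, ("core:data",), "1999-01-01T00:00:00-08:00"))
        rejected = False
    except StaleUpdate:
        rejected = True
    updated = svc.set("wilma@example.com", "1", AccessEntry(
        seed.owner, seed.actor, ("core:data", "presence:subscribe"), seen.lastUpdate))
    deleted = svc.set("wilma@example.com", "2", AccessEntry(
        seed.owner, seed.actor, (), updated.lastUpdate))
    return rejected, updated, deleted, svc


if __name__ == "__main__":
    rejected, updated, deleted, svc = run_example()
    for msg in svc.outbox:
        print(ET.tostring(msg, encoding="unicode"))
```

Running the module prints the five data elements the service emits: the set answering fred's get, then a reply to wilma and a notification to fred for each of the two changes; the final notification carries no actions attribute, which is how the owner learns the entry is gone.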
3. Format of Access Entries

Each administrative domain is responsible for maintaining one or more "access entries" for each of its endpoints and associated subaddresses (regardless of whether those addresses are currently attached to the relaying mesh).
A separate access entry is required for each actor or group of actors for whom access permission is specified. Section 6 defines the syntax for access entries. Each access entry has an "owner" attribute, an "actor" attribute, an "actions" attribute, a "lastUpdate" attribute, and no content:
o the "owner" attribute specifies the address (endpoint or subaddress) associated with the access entry;
o the "actor" attribute specifies an entity or group of entities for whom access permissions are specified, as described below;
o the "actions" attribute specifies the permissions granted to the actor in the context of the owner; and,
o the "lastUpdate" attribute specifies the date and time that the service last created or modified the access entry.
An action is specified as a service/operation pair, e.g., the action "presence:publish" refers to the "publish" operation of the "presence" service. Two service values are reserved:
o "all" is used to refer to all services, e.g., "all:data"; and,
o "core" is used to refer to the service implemented by the relaying mesh, e.g., the "core:data" permission is consulted by the relaying mesh (cf. Step 5.3 of Section 4.4.4.1 of [1]).
Further, two operation values are reserved:
o "all" is used to refer to all operations, e.g., "presence:all"; and,
o "none" is used to refer to no operations whatsoever, e.g., "all:none".
An actor is an APEX address and is specified using the "entity" syntax specified in Section 2.2 of [1]. However, both the "local" and "domain" parts may contain limited wildcarding:
o The "local" part is either:
* a literal string (e.g., "fred");
* a subaddress wildcard (e.g., "fred/*" or "apex=pubsub/*");
* the value "apex=*", specifying all APEX services; or,
* the value "*", specifying any address other than an APEX service.
o The "domain" part is either:
* a FQDN (e.g., "example.com");
* a domain wildcard (e.g., "*.example.com"); or,
* the value "*", specifying all administrative domains.
Note that in the case of a domain wildcard, the wildcard itself matches zero or more subdomains, e.g., "*.example.com" matches "example.com", "foo.example.com", "bar.foo.example.com", and so on.
The following default entries are provided for each owner, but are overridden by an explicitly supplied entry with the same actor value:
      actor='local@domain'  actions='all:all'
      actor='apex=*@domain' actions='all:all'
      actor='apex=*@*'      actions='core:data'
      actor='*@*'           actions='all:none'
where "local@domain" specifies the owner associated with the access entry.
For example, the explicit entry
actor='*@*' actions='core:data'
allows endpoints from any domain to use the relaying mesh to send data to the owner, but does not override the default entry for "apex=*@domain", which allows all APEX services in the owner's domain access to all actions.
APEX endpoint names can legitimately contain the character '*', but access entries use '*' to indicate wildcarding. Accordingly, the two-character sequence '\*' is used to avoid ambiguity in the "actor" attribute. Similarly, to explicitly specify an endpoint name containing '\' in the "actor" attribute, the two-character sequence '\\' is used.
Note that this convention is used only for the "actor" attribute of the "get" operation and of the "access" entry that appears in the "set" operation; however, this convention is not used in the "query" operation, as this operation does not allow wildcarding.
For example, to specify the endpoint named as "a\b*c@example.com" in the "get" operation or in an "access" entry, the string "a\\b\*c@example.com" is used; but in the "query" operation, the string "a\b*c@example.com" is used. (Of course, as name allocation is a local matter, these complications can be avoided by the simple expedient of not using endpoint names containing '*' or '\'.)
3.1 Finding the Appropriate Entry: Matching Owners and Actors

The use of actor wildcarding makes it possible for several access entries to apply for a given owner/actor combination. When determining which access entry to use when responding to the query operation, the algorithm is:
o Consider only those access entries that are associated with the given owner.
o Consider only those access entries in which the actor value matches the actor address in the query. If the wildcard character ('*') is present, then a match is possible only if each wildcard character can be replaced with a non-empty character sequence (one or more characters) to obtain a value identical to the address in the query.
o Order those remaining access entries:
* Use the exactness of the match with the domain part of the actor value as the primary key; and,
* Use the exactness of the match with the local part of the actor value as the secondary key.
o When matching with the domain part, an exact match is the best match; otherwise, the shorter the wildcard match, the higher the priority.
For example, if the actor's domain is "bar.foo.example.com", a match against an entry of "*.foo.example.com" is better than a match against an entry of "*.example.com".
o When matching with the local part, an exact match is the best match; otherwise, the shorter the wildcard match, the higher the priority. This is true regardless of whether the wildcarding is for subaddress or service. (Note that a local part with a wildcard subaddress does not have a non-empty match with the same local part without a subaddress.)
For example, consider these access entries:
   <access owner='fred@example.com'
           actor='wilma@example.com'
           actions='all:all'
           lastUpdate='2000-05-14T13:20:00-08:00' />

   <access owner='fred@example.com'
           actor='mr.slate@example.com'
           actions='core:data'
           lastUpdate='2000-05-14T13:20:00-08:00' />

   <access owner='fred/appl=wb@example.com'
           actor='barney/appl=wb@example.com'
           actions='core:data'
           lastUpdate='2000-05-14T13:20:00-08:00' />

   <access owner='fred@example.com'
           actor='*@example.com'
           actions='core:data presence:subscribe presence:watch'
           lastUpdate='2000-05-14T13:20:00-08:00' />

   <access owner='fred@example.com'
           actor='*@*'
           actions='core:data'
           lastUpdate='2000-05-14T13:20:00-08:00' />
Briefly:
o For addresses within the "example.com" administrative domain:
* "fred", "wilma", and all APEX services within the "example.com" administrative domain are allowed access to all operations for "fred@example.com";
* "mr.slate" is allowed access only to send data through the relaying mesh to "fred@example.com";
* "barney/appl=wb" is allowed access only to send data to "fred/appl=wb", a subaddress of "fred@example.com"; and,
* any other address within the "example.com" administrative domain is allowed access to send data and invoke the "subscribe" and "watch" operations of the APEX presence service with respect to "fred@example.com".
o For any address outside the "example.com" administrative domain, the address is allowed access to send data, regardless of whether it is an APEX service.
Note that although the four default entries are always available, the explicit entry for actor "*@*" overrides the corresponding default entry.
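The following is an added example in Python, not code from RFC 3341 or any APEX implementation. It implements the matching algorithm of this section (non-empty wildcard matches, domain exactness as the primary key, local-part exactness as the secondary key, shorter wildcard match ranked higher) on top of the four default entries and the '\*' / '\\' escaping convention of Section 3, with the "all" and "none" action semantics, and it answers a query the way Section 2.1 describes: "allow" only if the single best-matching entry covers every requested action. Assumptions not stated on the page: domain names compare case-insensitively, an actor for which no entry matches at all is denied, and entries are plain dicts (lastUpdate is irrelevant to matching and omitted). The ENTRIES list is a copy of the five entries above; deletion_demo walks through the Section 2.3 point that deleting an actor-specific entry can leave a wildcard entry in force while "all:none" does not.

```python
import re

# The five access entries from the Section 3.1 example above.
ENTRIES = [
    {"owner": "fred@example.com", "actor": "wilma@example.com", "actions": "all:all"},
    {"owner": "fred@example.com", "actor": "mr.slate@example.com", "actions": "core:data"},
    {"owner": "fred/appl=wb@example.com", "actor": "barney/appl=wb@example.com",
     "actions": "core:data"},
    {"owner": "fred@example.com", "actor": "*@example.com",
     "actions": "core:data presence:subscribe presence:watch"},
    {"owner": "fred@example.com", "actor": "*@*", "actions": "core:data"},
]
# Section 3 default entries; {local} and {domain} are taken from the owner.
DEFAULTS = (("{local}@{domain}", "all:all"), ("apex=*@{domain}", "all:all"),
            ("apex=*@*", "core:data"), ("*@*", "all:none"))

def escape_actor(name):
    """Literal endpoint name -> "actor" attribute form: '\\' first, then '*'."""
    return name.replace("\\", "\\\\").replace("*", "\\*")

def match_local(pattern, local):
    """(0, 0) for an exact match, (1, n) if wildcards absorbed n characters, else None.
    Each '*' must absorb at least one character; a bare '*' never matches an
    APEX service, i.e. a local part beginning with "apex=" (Section 3)."""
    toks = re.findall(r"\\[*\\]|\*|.", pattern)   # '\*', '\\', bare '*', or one char
    if toks == ["*"] and local.startswith("apex="):
        return None
    m = re.fullmatch("".join("(.+)" if t == "*" else re.escape(t[-1]) for t in toks), local)
    if m is None:
        return None
    return (1, sum(map(len, m.groups()))) if m.groups() else (0, 0)

def match_domain(pattern, domain):
    """Same ranking tuple for the domain part; '*.X' matches X and any subdomain of X."""
    pattern, domain = pattern.lower(), domain.lower()   # assumption: case-insensitive
    if pattern == "*":
        return (1, len(domain))
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if domain == suffix:
            return (1, 0)
        return (1, len(domain) - len(suffix) - 1) if domain.endswith("." + suffix) else None
    return (0, 0) if pattern == domain else None

def candidates(entries, owner):
    """Explicit entries for the owner plus the defaults they do not override."""
    found = [e for e in entries if e["owner"] == owner]
    local, domain = owner.rsplit("@", 1)
    present = {e["actor"] for e in found}
    for template, actions in DEFAULTS:
        actor = template.format(local=escape_actor(local), domain=domain)
        if actor not in present:
            found.append({"owner": owner, "actor": actor, "actions": actions})
    return found

def best_entry(entries, owner, actor):
    """Section 3.1 ordering: domain exactness is the primary key, local part secondary."""
    a_local, a_domain = actor.rsplit("@", 1)
    ranked = []
    for e in candidates(entries, owner):
        p_local, p_domain = e["actor"].rsplit("@", 1)
        d, l = match_domain(p_domain, a_domain), match_local(p_local, a_local)
        if d is not None and l is not None:
            ranked.append(((d, l), e))
    return min(ranked, key=lambda r: r[0])[1] if ranked else None

def grants(granted, requested):
    """Does one granted action (e.g. 'presence:all') cover one requested action?"""
    g_svc, g_op = granted.split(":", 1)
    r_svc, r_op = requested.split(":", 1)
    return g_op != "none" and g_svc in (r_svc, "all") and g_op in (r_op, "all")

def query(entries, owner, actor, actions):
    """'allow' only if the single best-matching entry covers every requested action."""
    entry = best_entry(entries, owner, actor)
    granted = entry["actions"].split() if entry else []
    return "allow" if all(any(grants(g, r) for g in granted) for r in actions.split()) else "deny"

def deletion_demo():
    """Section 2.3: deleting barney's entry exposes '*@example.com'; 'all:none' does not."""
    owner, barney = "fred@example.com", "barney@example.com"
    specific = {"owner": owner, "actor": barney, "actions": "core:data presence:watch"}
    blanket = {"owner": owner, "actor": "*@example.com", "actions": "core:data"}
    revoked = dict(specific, actions="all:none")
    return (query([specific, blanket], owner, barney, "presence:watch"),  # allow
            query([blanket], owner, barney, "core:data"),                 # allow: fell through
            query([revoked, blanket], owner, barney, "core:data"))        # deny
```

Two details worth noticing when reading the ranking: a wildcard-free match scores (0, 0) and therefore always beats a wildcard match, and because "*.example.com" is allowed to match "example.com" itself, the absorbed length for that case is 0 while the match is still flagged as a wildcard match, so an explicit "fred@example.com" entry still wins over "fred@*.example.com".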
3.2 Creating and Updating Access Entries

The get and set operations are provided as a basic mechanism for creating and updating access rules, for which no special wildcard processing is performed.
The actor value for an access entry may contain limited wildcard characters which have special significance only when performing a query operation (cf., Section 3.1). For the purposes of retrieving and updating entries, actor values are treated simply as literal names.
4. The Access Service

Section 5 contains the APEX service registration for the access service:
o Within an administrative domain, the service is addressed using the well-known endpoint of "apex=access".
o Section 6 defines the syntax of the operations exchanged with the service.
o A consumer of the service initiates communications by sending data containing a query, get, or set operation.
o The service replies to these operations.
o 该服务答复这些操作。
o When an access entry is changed, the service sends a notification to the owner associated with the changed entry.
o 当访问条目发生更改时,服务将向与更改的条目关联的所有者发送通知。
An implementation of the service must maintain information about access entries in persistent storage.
服务的实现必须在持久性存储中维护有关访问项的信息。
Consult Section 6.1.1 of [1] for a discussion on the properties of long-lived transaction-identifiers.
有关长寿命事务标识符属性的讨论,请参阅[1]第6.1.1节。
Section 4.1 of [1] describes how arbitrary MIME content is exchanged as a BEEP [2] payload. For example, to transmit:

    <data content='...'>
        <originator identity='fred@example.com' />
        <recipient identity='apex=access@example.com' />
    </data>

where "..." refers to:

    <query owner='fred@example.com' transID='1'
           actor='barney@example.com'
           actions='core:data presence:subscribe' />

then the corresponding BEEP message might look like this:

    C: MSG 1 2 . 42 1234
    C: Content-Type: multipart/related; boundary="boundary";
    C:               start="<1@example.com>";
    C:               type="application/beep+xml"
    C:
    C: --boundary
    C: Content-Type: application/beep+xml
    C: Content-ID: <1@example.com>
    C:
    C: <data content='cid:2@example.com'>
    C:     <originator identity='fred@example.com' />
    C:     <recipient identity='apex=access@example.com' />
    C: </data>
    C: --boundary
    C: Content-Type: application/beep+xml
    C: Content-ID: <2@example.com>
    C:
    C: <query owner='fred@example.com' transID='1'
    C:        actor='barney@example.com'
    C:        actions='core:data presence:subscribe' />
    C: --boundary--
    C: END

or this:

    C: MSG 1 1 . 42 267
    C: Content-Type: application/beep+xml
    C:
    C: <data content='#Content'>
    C:     <originator identity='fred@example.com' />
    C:     <recipient identity='apex=access@example.com' />
    C:     <data-content Name='Content'>
    C:         <query owner='fred@example.com' transID='1'
    C:                actor='barney@example.com'
    C:                actions='core:data presence:subscribe' />
    C:     </data-content>
    C: </data>
    C: END
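As an added illustration (not part of this memo or of any BEEP implementation), the following Python code constructs the single-part form of the MSG frame above around a "query" operation, then parses it back and verifies the declared payload size; the framing it assumes, a "MSG channel msgno more seqno size" line, "size" octets of payload, and "END", is that of [2].

```python
"""Added example (not from RFC 3341 or any APEX implementation): build the
single-part BEEP MSG frame shown above around a 'query' operation, then parse it
back and check the declared payload size.  Framing assumed from RFC 3080:
'MSG channel msgno more seqno size' CRLF, 'size' payload octets, 'END' CRLF."""
from xml.etree import ElementTree as ET


def build_query_payload(owner, originator, actor, actions, trans_id):
    """MIME payload: a 'data' element carrying the query as inline data-content."""
    data = ET.Element("data", content="#Content")
    ET.SubElement(data, "originator", identity=originator)
    ET.SubElement(data, "recipient", identity="apex=access@" + owner.split("@", 1)[1])
    holder = ET.SubElement(data, "data-content", Name="Content")
    ET.SubElement(holder, "query", owner=owner, transID=str(trans_id),
                  actor=actor, actions=actions)
    body = ET.tostring(data, encoding="unicode")
    return "Content-Type: application/beep+xml\r\n\r\n" + body + "\r\n"


def build_msg_frame(channel, msgno, seqno, payload):
    """Frame the payload; the size field counts octets, not characters."""
    octets = payload.encode("utf-8")
    header = "MSG %d %d . %d %d\r\n" % (channel, msgno, seqno, len(octets))
    return header.encode("ascii") + octets + b"END\r\n"


def parse_msg_frame(frame):
    """Return (header fields, payload); reject frames whose size disagrees."""
    head, sep, rest = frame.partition(b"\r\n")
    fields = head.decode("ascii").split()
    if not sep or len(fields) != 6 or fields[0] != "MSG":
        raise ValueError("malformed BEEP header")
    size = int(fields[5])
    if rest[size:] != b"END\r\n":
        raise ValueError("size field does not match payload")
    return fields, rest[:size]


def extract_query(payload):
    """Resolve the 'content' reference of the data element to the query inside."""
    headers, _, body = payload.decode("utf-8").partition("\r\n\r\n")
    if "application/beep+xml" not in headers:
        raise ValueError("unexpected Content-Type")
    data = ET.fromstring(body)
    ref = data.get("content", "")
    if not ref.startswith("#"):
        raise ValueError("only inline data-content is handled here")
    for holder in data.iter("data-content"):
        if holder.get("Name") == ref[1:]:
            query = holder.find("query")
            if query is not None:
                return dict(query.attrib)
    raise ValueError("no query found for " + ref)
```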
When an application wants to see if a particular operation is allowed, it sends a "query" element to the service.
The "query" element has an "owner" attribute, an "actor" attribute, an "actions" attribute, a "transID" attribute, and no content:
o the "owner" attribute specifies the address associated with the access entry;
o the "actor" attribute specifies the address (without wildcarding) for which access permissions are queried;
o the "actions" attribute specifies one or more actions for which permission is queried; and,
o the "transID" attribute specifies the transaction-identifier associated with this operation.
When the service receives a "query" element, we refer to the "owner" attribute as the "subject". The service performs these steps:
1. If the subject is outside this administrative domain, a "reply" element having code 553 is sent to the originator.
2. If the subject does not refer to a valid address, a "reply" element having code 550 is sent to the originator.
3. If the subject's access entry matching the originator does not contain an "access:query" token, a "reply" element having code 537 is sent to the originator.
4. The subject's access entry matching the actor attribute of the query element is selected (cf., Section 3.1).
5. If all of the permissions in the "actions" attribute of the query element are contained in the selected access entry, then an "allow" element is sent to the originator.
6. Otherwise, a "deny" element is sent to the originator.
Regardless of whether an "allow", "deny", or "reply" element is sent to the originator, the "transID" attribute is identical to the value found in the "query" element sent by the originator.
Prior to creating or updating an access entry for some owner/actor combination, an application will usually need to retrieve any existing access entry. It does so by sending a "get" element to the service. In particular, a successful response returns a "lastUpdate" value that is necessary when sending a subsequent "set" element.
The "get" element has an "owner" attribute, an "actor" attribute, a "transID" attribute, and no content:
o the "owner" attribute specifies the address associated with the access entry;
o the "actor" attribute specifies the address (with possible wildcarding) for which access permissions are retrieved; and,
o the "transID" attribute specifies the transaction-identifier associated with this operation.
When the service receives a "get" element, we refer to the "owner" attribute as the "subject". The service performs these steps:
1. If the subject is outside this administrative domain, a "reply" element having code 553 is sent to the originator.
2. If the subject does not refer to a valid address, a "reply" element having code 550 is sent to the originator.
3. If the subject's access entry matching the originator does not contain an "access:get" token, a "reply" element having code 537 is sent to the originator.
4. The subject's access entry whose "actor" attribute identically matches the "actor" attribute of the "get" element is selected.
5. If no such entry exists, a "reply" element having code 551 is sent to the originator.
6. Otherwise, a "set" element corresponding to the selected access entry is sent to the originator.
Regardless of whether a "set" or "reply" element is sent to the originator, the "transID" attribute is identical to the value found in the "get" element sent by the originator.
When an application wants to modify (i.e., create, replace, or delete) the access entry associated with an owner/actor combination, it sends a "set" element to the service.
The "set" element has a "transID" attribute, and contains an "access" element:
o the "transID" attribute specifies the transaction-identifier associated with this operation; and,
o the "access" element contains the access entry to be created, replaced, or deleted.
The "access" element has an "owner" attribute, an "actor" attribute, an optional "actions" attribute, an optional "lastUpdate" attribute, and no content:
o the "owner" attribute specifies the address associated with the access entry;
o the "actor" attribute specifies the address (with possible wildcarding) for which access permissions are specified;
o the "actions" attribute (present only to add or replace an entry) specifies one or more actions for which permission is to be determined; and,
o the "lastUpdate" attribute (present only to replace or delete an entry) specifies the current timestamp of the access entry that is to be replaced.
When the service receives a "set" element, we refer to the "owner" attribute of the access element as the "subject". The service performs these steps:
1. If the subject is outside this administrative domain, a "reply" element having code 553 is sent to the originator.
2. If the subject does not refer to a valid address, a "reply" element having code 550 is sent to the originator.
3. If the subject's access entry matching the originator does not contain an "access:set" token, a "reply" element having code 537 is sent to the originator.
4. The subject's access entry whose "actor" attribute identically matches the "actor" attribute of the "set" element is selected.
5. If no such entry exists and the "lastUpdate" attribute is present in the supplied "set" element, a "reply" element having code 555 is sent to the originator.
6. If no such entry exists and the "lastUpdate" attribute is absent in the supplied "set" element, then:
1. The access entry for the owner/actor combination is created from the supplied "access" element.
2. The "lastUpdate" attribute of that access entry is set to the service's notion of the current date and time.
3. A "reply" element having code 250 is sent to the originator.
4. A "set" element corresponding to the newly-created access entry is sent to the subject's address.
7. If the selected entry exists, but its "lastUpdate" attribute is not semantically identical to the "lastUpdate" attribute of the supplied "access" element, a "reply" element having code 555 is sent to the originator.
8. If the "actions" attribute of the supplied "access" element is not present, then:
1. The selected entry is deleted.
2. A "reply" element having code 250 is sent to the originator.
3. A "set" element corresponding to the owner/actor combination, but lacking an "actions" attribute, is sent to the subject's address.
9. Otherwise:
1. The access entry for the owner/actor combination is updated from the supplied "access" element.
2. The "lastUpdate" attribute of the updated access entry is set to the service's notion of the current date and time (which should be different from the "lastUpdate" value associated with any replaced entry).
3. A "reply" element having code 250 is sent to the originator.
4. A "set" element corresponding to the newly-updated access entry is sent to the subject's address.
When sending the "reply" element, the "transID" attribute is identical to the value found in the "set" element sent by the originator.
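As an added illustration (not part of this memo or of any APEX implementation), the following Python sketch runs the query, get and set procedures of the preceding three operations over an in-memory table of access entries; it assumes that addresses are "local@domain" strings, that the Section 3.1 matching is reduced to an exact actor, then "*@domain", then "*@*", and that "lastUpdate" is a per-service counter standing in for the date-and-time stamp.

```python
"""Added example (not from RFC 3341 or any APEX implementation): a toy in-memory
access service running the query, get and set procedures above.  Assumptions:
addresses are 'local@domain' strings, Section 3.1 matching is reduced to exact
actor, then '*@domain', then '*@*', and lastUpdate is a per-service counter."""
import itertools

DOMAIN = "example.com"          # this service's administrative domain
VALID = {"fred@example.com"}    # constructed set of valid addresses in DOMAIN

class AccessService:
    def __init__(self):
        self.entries = {}        # (owner, actor) -> {"actions": set, "lastUpdate": int}
        self.notifications = []  # "set" elements the service sends to the subject
        self._clock = itertools.count(1)

    def seed(self, owner, actor, actions):  # stand-in for the default entries
        self.entries[(owner, actor)] = {"actions": set(actions.split()),
                                        "lastUpdate": next(self._clock)}

    def _match(self, owner, actor):
        """Simplified Section 3.1: the most specific entry for the actor."""
        domain = actor.partition("@")[2]
        for cand in (actor, "*@" + domain, "*@*"):
            if (owner, cand) in self.entries:
                return self.entries[(owner, cand)]
        return None

    def _check(self, originator, subject, token):
        """Steps 1-3 shared by all operations: a reply code, or None if allowed."""
        if not subject.endswith("@" + DOMAIN): return 553
        if subject not in VALID: return 550
        entry = self._match(subject, originator)
        if entry is None or token not in entry["actions"]: return 537

    def do_query(self, originator, owner, actor, actions):
        code = self._check(originator, owner, "access:query")
        if code: return ("reply", code)
        entry = self._match(owner, actor)                      # step 4: wildcard match
        if entry and set(actions.split()) <= entry["actions"]:
            return ("allow",)                                  # step 5
        return ("deny",)                                       # step 6

    def do_get(self, originator, owner, actor):
        code = self._check(originator, owner, "access:get")
        if code: return ("reply", code)
        entry = self.entries.get((owner, actor))               # step 4: literal actor
        if entry is None: return ("reply", 551)                # step 5
        return ("set", dict(entry))                            # step 6

    def do_set(self, originator, owner, actor, actions=None, lastUpdate=None):
        code = self._check(originator, owner, "access:set")
        if code: return ("reply", code)
        entry = self.entries.get((owner, actor))               # step 4: literal actor
        if entry is None:
            if lastUpdate is not None: return ("reply", 555)   # step 5
        elif entry["lastUpdate"] != lastUpdate:
            return ("reply", 555)                              # step 7: stale lastUpdate
        if entry is not None and actions is None:
            del self.entries[(owner, actor)]                   # step 8: delete
        else:                                                  # steps 6 and 9
            self.entries[(owner, actor)] = {"actions": set((actions or "").split()),
                                            "lastUpdate": next(self._clock)}
        self.notifications.append(("set", owner, actor, actions))
        return ("reply", 250)
```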
While processing operations, the service may respond with a "reply" element. Consult Sections 10.2 and 6.1.2 of [1], respectively, for the definition and an exposition of the syntax of the reply element.
Well-Known Endpoint: apex=access
Syntax of Messages Exchanged: cf., Section 6
Sequence of Messages Exchanged: cf., Section 4
Access Control Tokens: access:query, access:get, access:set
Contact Information: cf., the "Authors' Addresses" section of this memo
<!--
  DTD for the APEX access service, as of 2001-06-19

  Refer to this DTD as:

    <!ENTITY % APEXACCESS PUBLIC "-//IETF//DTD APEX ACCESS//EN" "">
    %APEXACCESS;
  -->

<!ENTITY % APEXCORE PUBLIC "-//IETF//DTD APEX CORE//EN" "">
%APEXCORE;

<!--
  DTD data types:

       entity        syntax/reference     example
       ======        ================     =======
     access
       actor         ACTOR                an ENDPOINT or a
                                          *@example.com wildcard

       permitted
         actions     ACTIONS              a list of access
                                          "core:any access:query"
                                          tokens
  -->

<!ENTITY % ACTOR    "CDATA">
<!ENTITY % ACTIONS  "NMTOKENS">

<!--
  Synopsis of the APEX access service

  service WKE: apex=access

  message exchanges:

     consumer initiates     service replies
     ==================     ================
     query                  allow, deny, or reply
     get                    set or reply
     set                    reply

     service initiates      consumer replies
     =================      ================
     set                    (nothing)

  access control:

     token           target
     ==========      ======
     access:query    for "owner" of "access" element
     access:get      for "owner" of "access" element
     access:set      for "owner" of "access" element
  -->

<!ELEMENT query         EMPTY>
<!ATTLIST query
          owner         %ENDPOINT;         #REQUIRED
          actor         %ACTOR;            #REQUIRED
          actions       %ACTIONS;          #REQUIRED
          transID       %UNIQID;           #REQUIRED>

<!ELEMENT get           EMPTY>
<!ATTLIST get
          owner         %ENDPOINT;         #REQUIRED
          actor         %ACTOR;            #REQUIRED
          transID       %UNIQID;           #REQUIRED>

<!ELEMENT set           (access)>
<!ATTLIST set
          transID       %UNIQID;           #REQUIRED>

<!ELEMENT allow         EMPTY>
<!ATTLIST allow
          transID       %UNIQID;           #REQUIRED>

<!ELEMENT deny          EMPTY>
<!ATTLIST deny
          transID       %UNIQID;           #REQUIRED>

<!-- access entries -->

<!ELEMENT access        EMPTY>
<!ATTLIST access
          owner         %ENDPOINT;         #REQUIRED
          actor         %ACTOR;            #REQUIRED
          actions       %ACTIONS;          #IMPLIED
          lastUpdate    %TIMESTAMP;        #IMPLIED>
Consult Section 11 of [1] for a discussion of security issues.
In addition, timestamps issued by the access service may disclose location information. If this information is considered sensitive, the special timezone value "-00:00" may be used (after converting the local time accordingly).
References
[1] Rose, M., Klyne, G. and D. Crocker, "The Application Exchange Core", RFC 3340, July 2002.
[2] Rose, M., "The Blocks Extensible Exchange Protocol Core", RFC 3080, March 2001.
Authors' Addresses

Marshall T. Rose
Dover Beach Consulting, Inc.
POB 255268
Sacramento, CA 95865-5268
US

Phone: +1 916 483 8878
EMail: mrose@dbc.mtview.ca.us

Graham Klyne
Clearswift Corporation
1310 Waterside
Arlington Business Park
Theale, Reading RG7 4SA
UK

Phone: +44 11 8903 8903
EMail: Graham.Klyne@MIMEsweeper.com

David H. Crocker
Brandenburg Consulting
675 Spruce Drive
Sunnyvale, CA 94086
US

Phone: +1 408 246 8253
EMail: dcrocker@brandenburg.com
URI: http://www.brandenburg.com/

The authors gratefully acknowledge the contributions of: Neil Cook, Darren New, Chris Newman, Scott Pead, and Bob Wyman.
Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.