Network Working Group                                           G. Clemm
Request for Comments: 3744                                           IBM
Category: Standards Track                                     J. Reschke
                                                              greenbytes
                                                               E. Sedlar
                                                      Oracle Corporation
                                                            J. Whitehead
                                                         U.C. Santa Cruz
                                                                May 2004
Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document specifies a set of methods, headers, message bodies, properties, and reports that define Access Control extensions to the WebDAV Distributed Authoring Protocol. This protocol permits a client to read and modify access control lists that instruct a server whether to allow or deny operations upon a resource (such as HyperText Transfer Protocol (HTTP) method invocations) by a given principal. A lightweight representation of principals as Web resources supports integration of a wide range of user management repositories. Search operations allow discovery and manipulation of principals using human names.
Table of Contents
1. Introduction
   1.1. Terms
   1.2. Notational Conventions
2. Principals
3. Privileges
   3.1. DAV:read Privilege
   3.2. DAV:write Privilege
   3.3. DAV:write-properties Privilege
   3.4. DAV:write-content Privilege
   3.5. DAV:unlock Privilege
   3.6. DAV:read-acl Privilege
   3.7. DAV:read-current-user-privilege-set Privilege
   3.8. DAV:write-acl Privilege
   3.9. DAV:bind Privilege
   3.10. DAV:unbind Privilege
   3.11. DAV:all Privilege
   3.12. Aggregation of Predefined Privileges
4. Principal Properties
   4.1. DAV:alternate-URI-set
   4.2. DAV:principal-URL
   4.3. DAV:group-member-set
   4.4. DAV:group-membership
5. Access Control Properties
   5.1. DAV:owner
      5.1.1. Example: Retrieving DAV:owner
      5.1.2. Example: An Attempt to Set DAV:owner
   5.2. DAV:group
   5.3. DAV:supported-privilege-set
      5.3.1. Example: Retrieving a List of Privileges Supported on a Resource
   5.4. DAV:current-user-privilege-set
      5.4.1. Example: Retrieving the User's Current Set of Assigned Privileges
   5.5. DAV:acl
      5.5.1. ACE Principal
      5.5.2. ACE Grant and Deny
      5.5.3. ACE Protection
      5.5.4. ACE Inheritance
      5.5.5. Example: Retrieving a Resource's Access Control List
   5.6. DAV:acl-restrictions
      5.6.1. DAV:grant-only
      5.6.2. DAV:no-invert ACE Constraint
      5.6.3. DAV:deny-before-grant
      5.6.4. Required Principals
      5.6.5. Example: Retrieving DAV:acl-restrictions
   5.7. DAV:inherited-acl-set
   5.8. DAV:principal-collection-set
      5.8.1. Example: Retrieving DAV:principal-collection-set
   5.9. Example: PROPFIND to retrieve access control properties
6. ACL Evaluation
7. Access Control and existing methods
   7.1. Any HTTP method
      7.1.1. Error Handling
   7.2. OPTIONS
      7.2.1. Example - OPTIONS
   7.3. MOVE
   7.4. COPY
   7.5. LOCK
8. Access Control Methods
   8.1. ACL
      8.1.1. ACL Preconditions
      8.1.2. Example: the ACL method
      8.1.3. Example: ACL method failure due to protected ACE conflict
      8.1.4. Example: ACL method failure due to an inherited ACE conflict
      8.1.5. Example: ACL method failure due to an attempt to set grant and deny in a single ACE
9. Access Control Reports
   9.1. REPORT Method
   9.2. DAV:acl-principal-prop-set Report
      9.2.1. Example: DAV:acl-principal-prop-set Report
   9.3. DAV:principal-match REPORT
      9.3.1. Example: DAV:principal-match REPORT
   9.4. DAV:principal-property-search REPORT
      9.4.1. Matching
      9.4.2. Example: successful DAV:principal-property-search REPORT
   9.5. DAV:principal-search-property-set REPORT
      9.5.1. Example: DAV:principal-search-property-set REPORT
10. XML Processing
11. Internationalization Considerations
12. Security Considerations
   12.1. Increased Risk of Compromised Users
   12.2. Risks of the DAV:read-acl and DAV:current-user-privilege-set Privileges
   12.3. No Foreknowledge of Initial ACL
13. Authentication
14. IANA Considerations
15. Acknowledgements
16. References
   16.1. Normative References
   16.2. Informative References
Appendices
   A. WebDAV XML Document Type Definition Addendum
   B. WebDAV Method Privilege Table (Normative)
Index
Authors' Addresses
Full Copyright Statement
1. Introduction

The goal of the WebDAV access control extensions is to provide an interoperable mechanism for handling discretionary access control for content and metadata managed by WebDAV servers. WebDAV access control can be implemented on content repositories with security as simple as that of a UNIX file system, as well as more sophisticated models. The underlying principle of access control is that who you are determines what operations you can perform on a resource. The "who you are" is defined by a "principal" identifier; users, client software, servers, and groups of the previous have principal identifiers. The "operations you can perform" are determined by a single "access control list" (ACL) associated with a resource. An ACL contains a set of "access control entries" (ACEs), where each ACE specifies a principal and a set of privileges that are either granted or denied to that principal. When a principal submits an operation (such as an HTTP or WebDAV method) to a resource for execution, the server evaluates the ACEs in the ACL to determine if the principal has permission for that operation.
Since every ACE contains the identifier of a principal, client software operated by a human must provide a mechanism for selecting this principal. This specification uses http(s) scheme URLs to identify principals, which are represented as WebDAV-capable resources. There is no guarantee that the URLs identifying principals will be meaningful to a human. For example, http://www.example.com/u/256432 and http://www.example.com/people/Greg.Stein are both valid URLs that could be used to identify the same principal. To remedy this, every principal resource has the DAV:displayname property containing a human-readable name for the principal.
Since a principal can be identified by multiple URLs, it raises the problem of determining exactly which principal is being referenced in a given ACE. It is impossible for a client to determine that an ACE granting the read privilege to http://www.example.com/people/Greg.Stein also affects the principal at http://www.example.com/u/256432. That is, a client has no mechanism for determining that two URLs identify the same principal resource. As a result, this specification requires clients to use just one of the many possible URLs for a principal when creating ACEs. A client can discover which URL to use by retrieving the DAV:principal-URL property (Section 4.2) from a principal resource. No matter which of the principal's URLs is used with PROPFIND, the property always returns the same URL.
With a system having hundreds to thousands of principals, the problem arises of how to allow a human operator of client software to select just one of these principals. One approach is to use broad collection hierarchies to spread the principals over a large number of collections, yielding few principals per collection. An example of this is a two level hierarchy with the first level containing 36 collections (a-z, 0-9), and the second level being another 36, creating collections /a/a/, /a/b/, ..., /a/z/, such that a principal with last name "Stein" would appear at /s/t/Stein. In effect, this pre-computes a common query, search on last name, and encodes it into a hierarchy. The drawback with this scheme is that it handles only a small set of predefined queries, and drilling down through the collection hierarchy adds unnecessary steps (navigate down/up) when the user already knows the principal's name. While organizing principal URLs into a hierarchy is a valid namespace organization, users should not be forced to navigate this hierarchy to select a principal.
This specification provides the capability to perform substring searches over a small set of properties on the resources representing principals. This permits searches based on last name, first name, user name, job title, etc. Two separate searches are supported, both via the REPORT method, one to search principal resources (DAV:principal-property-search, Section 9.4), the other to determine which properties may be searched at all (DAV:principal-search-property-set, Section 9.5).
Once a principal has been identified in an ACE, a server evaluating that ACE must know the identity of the principal making a protocol request, and must validate that that principal is who they claim to be, a process known as authentication. This specification intentionally omits discussion of authentication, as the HTTP protocol already has a number of authentication mechanisms [RFC2617]. Some authentication mechanism (such as HTTP Digest Authentication, which all WebDAV compliant implementations are required to support) must be available to validate the identity of a principal.
The following issues are out of scope for this document:
o Access control that applies only to a particular property on a resource (excepting the access control properties DAV:acl and DAV:current-user-privilege-set), rather than the entire resource,
o Role-based security (where a role can be seen as a dynamically defined group of principals),
o Specification of the ways an ACL on a resource is initialized,
o Specification of an ACL that applies globally to all resources, rather than to a particular resource.
o Creation and maintenance of resources representing people or computational agents (principals), and groups of these.
This specification is organized as follows. Section 1.1 defines key concepts used throughout the specification, and is followed by a more in-depth discussion of principals (Section 2), and privileges (Section 3). Properties defined on principals are specified in Section 4, and access control properties for content resources are specified in Section 5. The ways ACLs are to be evaluated is described in Section 6. Client discovery of access control capability using OPTIONS is described in Section 7.2. Interactions between access control functionality and existing HTTP and WebDAV methods are described in the remainder of Section 7. The access control setting method, ACL, is specified in Section 8. Four reports that provide limited server-side searching capabilities are described in Section 9. Sections on XML processing (Section 10), Internationalization considerations (Section 11), security considerations (Section 12), and authentication (Section 13) round out the specification. An appendix (Appendix A) provides an XML Document Type Definition (DTD) for the XML elements defined in the specification.
1.1. Terms

This document uses the terms defined in HTTP [RFC2616] and WebDAV [RFC2518]. In addition, the following terms are defined:
principal
A "principal" is a distinct human or computational actor that initiates access to network resources. In this protocol, a principal is an HTTP resource that represents such an actor.
group
A "group" is a principal that represents a set of other principals.
privilege
A "privilege" controls access to a particular set of HTTP operations on a resource.
aggregate privilege
An "aggregate privilege" is a privilege that contains a set of other privileges.
abstract privilege
The modifier "abstract", when applied to a privilege on a resource, means the privilege cannot be set in an access control element (ACE) on that resource.
access control list (ACL)
An "ACL" is a list of access control elements that define access control to a particular resource.
access control element (ACE)
An "ACE" either grants or denies a particular set of (non-abstract) privileges for a particular principal.
inherited ACE
An "inherited ACE" is an ACE that is dynamically shared from the ACL of another resource. When a shared ACE changes on the primary resource, it is also changed on inheriting resources.
protected property
A "protected property" is one whose value cannot be updated except by a method explicitly defined as updating that specific property. In particular, a protected property cannot be updated with a PROPPATCH request.
1.2. Notational Conventions

The augmented BNF used by this document to describe protocol elements is described in Section 2.1 of [RFC2616]. Because this augmented BNF uses the basic production rules provided in Section 2.2 of [RFC2616], those rules apply to this document as well.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Definitions of XML elements in this document use XML element type declarations (as found in XML Document Type Declarations), described in Section 3.2 of [REC-XML]. When an XML element type in the "DAV:" namespace is referenced in this document outside of the context of an XML fragment, the string "DAV:" will be prefixed to the element name.
2. Principals

A principal is a network resource that represents a distinct human or computational actor that initiates access to network resources. Users and groups are represented as principals in many implementations; other types of principals are also possible. A URI of any scheme MAY be used to identify a principal resource. However, servers implementing this specification MUST expose principal resources at an http(s) URL, which is a privileged scheme that points to resources that have additional properties, as described in Section 4. So, a principal resource can have multiple URIs, one of which has to be an http(s) scheme URL. Although an implementation SHOULD support PROPFIND and MAY support PROPPATCH to access and modify information about a principal, it is not required to do so.
A principal resource may be a group, where a group is a principal that represents a set of other principals, called the members of the group. If a person or computational agent matches a principal resource that is a member of a group, they also match the group. Membership in a group is recursive, so if a principal is a member of group GRPA, and GRPA is a member of group GRPB, then the principal is also a member of GRPB.
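The two points above that a server-side evaluator has to get right are (a) that the principal in an ACE and the requesting user may be known under different URLs, so both must be collapsed to the DAV:principal-URL before comparison, and (b) that group membership is recursive and must terminate even when groups contain each other. The following Python is an added illustration, not code from RFC 3744; the URL mappings, the groups GRPC and GRPD, and the membership graph are constructed sample data (GRPA and GRPB are the names the text uses).

```python
"""Matching a principal named in an ACE against the requesting user: alternate
URLs are first mapped to the principal's canonical DAV:principal-URL, then
group membership is followed recursively.  Added illustration, not code from
RFC 3744; the URL mappings and group graph are constructed sample data."""
from __future__ import annotations

# Constructed: alternate URL -> canonical DAV:principal-URL of the same principal.
PRINCIPAL_URLS = {
    "http://www.example.com/people/Greg.Stein": "http://www.example.com/u/256432",
    "http://www.example.com/u/256432": "http://www.example.com/u/256432",
}

# Constructed: group principal URL -> its DAV:group-member-set.
GROUPS = {
    "http://www.example.com/groups/GRPA": {"http://www.example.com/people/Greg.Stein"},
    "http://www.example.com/groups/GRPB": {"http://www.example.com/groups/GRPA"},
    # Two groups that contain each other: a naive recursion never terminates.
    "http://www.example.com/groups/GRPC": {"http://www.example.com/groups/GRPD"},
    "http://www.example.com/groups/GRPD": {"http://www.example.com/groups/GRPC"},
}


def canonical(url: str, principal_urls: dict[str, str]) -> str:
    """Collapse any of a principal's URLs to its DAV:principal-URL."""
    return principal_urls.get(url, url)


def expand_members(group_url: str, groups: dict[str, set[str]],
                   seen: set[str] | None = None) -> set[str]:
    """Every principal URL that is a direct or nested member of `group_url`.
    `seen` records groups already expanded so membership cycles terminate."""
    seen = set() if seen is None else seen
    if group_url in seen:
        return set()
    seen.add(group_url)
    members: set[str] = set()
    for member in groups.get(group_url, ()):
        members.add(member)
        if member in groups:                      # nested group: recurse
            members |= expand_members(member, groups, seen)
    return members


def principal_matches(ace_principal: str, user_url: str,
                      groups: dict[str, set[str]],
                      principal_urls: dict[str, str]) -> bool:
    """True if the ACE names the user directly (under any of the user's URLs)
    or names a group the user belongs to, transitively."""
    ace_p = canonical(ace_principal, principal_urls)
    user = canonical(user_url, principal_urls)
    if ace_p == user:
        return True
    nested = {canonical(m, principal_urls) for m in expand_members(ace_p, groups)}
    return user in nested


if __name__ == "__main__":
    user = "http://www.example.com/u/256432"
    for ace in ("http://www.example.com/people/Greg.Stein",
                "http://www.example.com/groups/GRPB",
                "http://www.example.com/groups/GRPC"):
        print(ace, principal_matches(ace, user, GROUPS, PRINCIPAL_URLS))
```

The `seen` set is the part that matters operationally: a group graph is data under the control of whoever can edit DAV:group-member-set, so the evaluator must not assume it is acyclic.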
3. Privileges

Ability to perform a given method on a resource MUST be controlled by one or more privileges. Authors of protocol extensions that define new HTTP methods SHOULD specify which privileges (by defining new privileges, or mapping to ones below) are required to perform the method. A principal with no privileges to a resource MUST be denied any HTTP access to that resource, unless the principal matches an ACE constructed using the DAV:all, DAV:authenticated, or DAV:unauthenticated pseudo-principals (see Section 5.5.1). Servers MUST report a 403 "Forbidden" error if access is denied, except in the case where the privilege restricts the ability to know the resource exists, in which case 404 "Not Found" may be returned.
Privileges may be containers of other privileges, in which case they are termed "aggregate privileges". If a principal is granted or denied an aggregate privilege, it is semantically equivalent to granting or denying each of the aggregated privileges individually. For example, an implementation may define add-member and remove-member privileges that control the ability to add and remove a member of a group. Since these privileges control the ability to update the state of a group, these privileges would be aggregated by the DAV:write privilege on a group, and granting the DAV:write privilege on a group would also grant the add-member and remove-member privileges.
Privileges may be declared to be "abstract" for a given resource, in which case they cannot be set in an ACE on that resource. Aggregate and non-aggregate privileges are both capable of being abstract. Abstract privileges are useful for modeling privileges that otherwise would not be exposed via the protocol. Abstract privileges also provide server implementations with flexibility in implementing the privileges defined in this specification. For example, if a server is incapable of separating the read resource capability from the read ACL capability, it can still model the DAV:read and DAV:read-acl privileges defined in this specification by declaring them abstract, and containing them within a non-abstract aggregate privilege (say, read-all) that holds DAV:read, and DAV:read-acl. In this way, it is possible to set the aggregate privilege, read-all, thus coupling the setting of DAV:read and DAV:read-acl, but it is not possible to set DAV:read, or DAV:read-acl individually. Since aggregate privileges can be abstract, it is also possible to use abstract privileges to group or organize non-abstract privileges. Privilege containment loops are not allowed; therefore, a privilege MUST NOT contain itself. For example, DAV:read cannot contain DAV:read.
The set of privileges that apply to a particular resource may vary with the DAV:resourcetype of the resource, as well as between different server implementations. To promote interoperability, however, this specification defines a set of well-known privileges (e.g., DAV:read, DAV:write, DAV:read-acl, DAV:write-acl, DAV:read-current-user-privilege-set, and DAV:all), which can at least be used to classify the other privileges defined on a particular resource. The access permissions on null resources (defined in [RFC2518], Section 3) are solely those they inherit (if any), and they are not discoverable (i.e., the access control properties specified in Section 5 are not defined on null resources). On the transition from null to stateful resource, the initial access control list is set by the server's default ACL value policy (if any).
Server implementations MAY define new privileges beyond those defined in this specification. Privileges defined by individual implementations MUST NOT use the DAV: namespace, and instead should use a namespace that they control, such as an http scheme URL.
The read privilege controls methods that return information about the state of the resource, including the resource's properties. Affected methods include GET and PROPFIND. Any implementation-defined privilege that also controls access to GET and PROPFIND must be aggregated under DAV:read - if an ACL grants access to DAV:read, the client may expect that no other privilege needs to be granted to have access to GET and PROPFIND. Additionally, the read privilege MUST control the OPTIONS method.
<!ELEMENT read EMPTY>
The write privilege controls methods that lock a resource or modify the content, dead properties, or (in the case of a collection) membership of the resource, such as PUT and PROPPATCH. Note that state modification is also controlled via locking (see section 5.3 of [RFC2518]), so effective write access requires that both write privileges and write locking requirements are satisfied. Any implementation-defined privilege that also controls access to methods modifying content, dead properties or collection membership must be aggregated under DAV:write, e.g., if an ACL grants access to DAV:write, the client may expect that no other privilege needs to be granted to have access to PUT and PROPPATCH.
<!ELEMENT write EMPTY>
The DAV:write-properties privilege controls methods that modify the dead properties of the resource, such as PROPPATCH. Whether this privilege may be used to control access to any live properties is determined by the implementation. Any implementation-defined privilege that also controls access to methods modifying dead properties must be aggregated under DAV:write-properties - e.g., if an ACL grants access to DAV:write-properties, the client can safely expect that no other privilege needs to be granted to have access to PROPPATCH.
<!ELEMENT write-properties EMPTY>
The DAV:write-content privilege controls methods that modify the content of an existing resource, such as PUT. Any implementation-defined privilege that also controls access to content must be aggregated under DAV:write-content - e.g., if an ACL grants access to DAV:write-content, the client can safely expect that no other privilege needs to be granted to have access to PUT. Note that PUT - when applied to an unmapped URI - creates a new resource and therefore is controlled by the DAV:bind privilege on the parent collection.
<!ELEMENT write-content EMPTY>
The DAV:unlock privilege controls the use of the UNLOCK method by a principal other than the lock owner (the principal that created a lock can always perform an UNLOCK). While the set of users who may lock a resource is most commonly the same set of users who may modify a resource, servers may allow various kinds of administrators to unlock resources locked by others. Any privilege controlling access by non-lock owners to UNLOCK MUST be aggregated under DAV:unlock.
A lock owner can always remove a lock by issuing an UNLOCK with the correct lock token and authentication credentials. That is, even if a principal does not have DAV:unlock privilege, they can still remove locks they own. Principals other than the lock owner can remove a lock only if they have DAV:unlock privilege and they issue an UNLOCK with the correct lock token. Lock timeout is not affected by the DAV:unlock privilege.
<!ELEMENT unlock EMPTY>
The DAV:read-acl privilege controls the use of PROPFIND to retrieve the DAV:acl property of the resource.
<!ELEMENT read-acl EMPTY>
The DAV:read-current-user-privilege-set privilege controls the use of PROPFIND to retrieve the DAV:current-user-privilege-set property of the resource.
Clients are intended to use this property to visually indicate in their UI items that are dependent on the permissions of a resource, for example, by graying out resources that are not writable.
This privilege is separate from DAV:read-acl because there is a need to allow most users access to the privileges permitted the current user (due to its use in creating the UI), while the full ACL contains information that may not be appropriate for the current authenticated user. As a result, the set of users who can view the full ACL is expected to be much smaller than those who can read the current user privilege set, and hence distinct privileges are needed for each.
<!ELEMENT read-current-user-privilege-set EMPTY>
The DAV:write-acl privilege controls use of the ACL method to modify the DAV:acl property of the resource.
<!ELEMENT write-acl EMPTY>
The DAV:bind privilege allows a method to add a new member URL to the specified collection (for example via PUT or MKCOL). It is ignored for resources that are not collections.
<!ELEMENT bind EMPTY>
The DAV:unbind privilege allows a method to remove a member URL from the specified collection (for example via DELETE or MOVE). It is ignored for resources that are not collections.
<!ELEMENT unbind EMPTY>
DAV:all is an aggregate privilege that contains the entire set of privileges that can be applied to the resource.
<!ELEMENT all EMPTY>
Server implementations are free to aggregate the predefined privileges (defined above in Sections 3.1-3.10) subject to the following limitations:
DAV:read-acl MUST NOT contain DAV:read, DAV:write, DAV:write-acl, DAV:write-properties, DAV:write-content, or DAV:read-current-user-privilege-set.
DAV:write-acl MUST NOT contain DAV:write, DAV:read, DAV:read-acl, or DAV:read-current-user-privilege-set.
DAV:read-current-user-privilege-set MUST NOT contain DAV:write, DAV:read, DAV:read-acl, or DAV:write-acl.
DAV:write MUST NOT contain DAV:read, DAV:read-acl, or DAV:read-current-user-privilege-set.
DAV:read MUST NOT contain DAV:write, DAV:write-acl, DAV:write-properties, or DAV:write-content.
DAV:write MUST contain DAV:bind, DAV:unbind, DAV:write-properties and DAV:write-content.
Principals are manifested to clients as a WebDAV resource, identified by a URL. A principal MUST have a non-empty DAV:displayname property (defined in Section 13.2 of [RFC2518]), and a DAV:resourcetype property (defined in Section 13.9 of [RFC2518]). Additionally, a principal MUST report the DAV:principal XML element in the value of the DAV:resourcetype property. The element type declaration for DAV:principal is:
<!ELEMENT principal EMPTY>
This protocol defines the following additional properties for a principal. Since it can be expensive for a server to retrieve access control information, the name and value of these properties SHOULD NOT be returned by a PROPFIND allprop request (as defined in Section 12.14.1 of [RFC2518]).
This protected property, if non-empty, contains the URIs of network resources with additional descriptive information about the principal. This property identifies additional network resources (i.e., it contains one or more URIs) that may be consulted by a client to gain additional knowledge concerning a principal. One expected use for this property is the storage of an LDAP [RFC2255] scheme URL. A user-agent encountering an LDAP URL could use LDAP [RFC2251] to retrieve additional machine-readable directory information about the principal, and display that information in its user interface. Support for this property is REQUIRED, and the value is empty if no alternate URI exists for the principal.
<!ELEMENT alternate-URI-set (href*)>
A principal may have many URLs, but there must be one "principal URL" that clients can use to uniquely identify a principal. This protected property contains the URL that MUST be used to identify this principal in an ACL request. Support for this property is REQUIRED.
<!ELEMENT principal-URL (href)>
This property of a group principal identifies the principals that are direct members of this group. Since a group may be a member of another group, a group may also have indirect members (i.e., the members of its direct members). A URL in the DAV:group-member-set for a principal MUST be the DAV:principal-URL of that principal.
<!ELEMENT group-member-set (href*)>
This protected property identifies the groups in which the principal is directly a member. Note that a server may allow a group to be a member of another group, in which case the DAV:group-membership of those other groups would need to be queried in order to determine the groups in which the principal is indirectly a member. Support for this property is REQUIRED.
<!ELEMENT group-membership (href*)>
This specification defines a number of new properties for WebDAV resources. Access control properties may be retrieved just like other WebDAV properties, using the PROPFIND method. Since it is expensive, for many servers, to retrieve access control information, a PROPFIND allprop request (as defined in Section 12.14.1 of [RFC2518]) SHOULD NOT return the names and values of the properties defined in this section.
Access control properties (especially DAV:acl and DAV:inherited-acl-set) are defined on the resource identified by the Request-URI of a PROPFIND request. A direct consequence is that if the resource is accessible via multiple URIs, the value of the access control properties is the same across these URIs.
HTTP resources that support the WebDAV Access Control Protocol MUST contain the following properties. Null resources (described in Section 3 of [RFC2518]) MUST NOT contain the following properties.
This property identifies a particular principal as being the "owner" of the resource. Since the owner of a resource often has special access control capabilities (e.g., the owner frequently has permanent DAV:write-acl privilege), clients might display the resource owner in their user interface.
Servers MAY implement DAV:owner as a protected property and MAY return an empty DAV:owner element as the property value in case no owner information is available.
<!ELEMENT owner (href?)>
This example shows a client request for the value of the DAV:owner property from a collection resource with URL http://www.example.com/papers/. The principal making the request is authenticated using Digest authentication. The value of DAV:owner is the URL http://www.example.com/acl/users/gstein, wrapped in the DAV:href XML element.
>> Request <<
PROPFIND /papers/ HTTP/1.1
Host: www.example.com
Content-type: text/xml; charset="utf-8"
Content-Length: xxx
Depth: 0
Authorization: Digest username="jim",
  realm="users@example.com", nonce="...",
  uri="/papers/", response="...", opaque="..."
<?xml version="1.0" encoding="utf-8" ?>
<D:propfind xmlns:D="DAV:">
  <D:prop>
    <D:owner/>
  </D:prop>
</D:propfind>
>> Response <<
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset="utf-8"
Content-Length: xxx
<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>http://www.example.com/papers/</D:href>
    <D:propstat>
      <D:prop>
        <D:owner>
          <D:href>http://www.example.com/acl/users/gstein</D:href>
        </D:owner>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>
The following example shows a client request to modify the value of the DAV:owner property on the resource with URL <http://www.example.com/papers>. Since DAV:owner is a protected property on this particular server, it responds with a 207 (Multi-Status) response that contains a 403 (Forbidden) status code for the act of setting DAV:owner. Section 8.2.1 of [RFC2518] describes PROPPATCH status code information, Section 11 of [RFC2518] describes the Multi-Status response and Sections 1.6 and 3.12 of [RFC3253] describe additional error marshaling for PROPPATCH attempts on protected properties.
>> Request <<
PROPPATCH /papers/ HTTP/1.1
Host: www.example.com
Content-type: text/xml; charset="utf-8"
Content-Length: xxx
Depth: 0
Authorization: Digest username="jim",
  realm="users@example.com", nonce="...",
  uri="/papers/", response="...", opaque="..."
<?xml version="1.0" encoding="utf-8" ?>
<D:propertyupdate xmlns:D="DAV:">
  <D:set>
    <D:prop>
      <D:owner>
        <D:href>http://www.example.com/acl/users/jim</D:href>
      </D:owner>
    </D:prop>
  </D:set>
</D:propertyupdate>
>> Response <<
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset="utf-8"
Content-Length: xxx
<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>http://www.example.com/papers/</D:href>
    <D:propstat>
      <D:prop><D:owner/></D:prop>
      <D:status>HTTP/1.1 403 Forbidden</D:status>
      <D:responsedescription>
        <D:error><D:cannot-modify-protected-property/></D:error>
        Failure to set protected property (DAV:owner)
      </D:responsedescription>
    </D:propstat>
  </D:response>
</D:multistatus>
This property identifies a particular principal as being the "group" of the resource. This property is commonly found on repositories that implement the Unix privileges model.
Servers MAY implement DAV:group as a protected property and MAY return an empty DAV:group element as the property value in case no group information is available.
<!ELEMENT group (href?)>
This is a protected property that identifies the privileges defined for the resource.
<!ELEMENT supported-privilege-set (supported-privilege*)>
Each privilege appears as an XML element, where aggregate privileges list as sub-elements all of the privileges that they aggregate.
<!ELEMENT supported-privilege (privilege, abstract?, description, supported-privilege*)>
<!ELEMENT privilege ANY>
An abstract privilege MUST NOT be used in an ACE for that resource. Servers MUST fail an attempt to set an abstract privilege.
<!ELEMENT abstract EMPTY>
A description is a human-readable description of what this privilege controls access to. Servers MUST indicate the human language of the description using the xml:lang attribute and SHOULD consider the HTTP Accept-Language request header when selecting one of multiple available languages.
<!ELEMENT description #PCDATA>
It is envisioned that a WebDAV ACL-aware administrative client would list the supported privileges in a dialog box, and allow the user to choose non-abstract privileges to apply in an ACE. The privilege tree is useful programmatically to map well-known privileges (defined by WebDAV or other standards groups) into privileges that are supported by any particular server implementation. The privilege tree also serves to hide complexity in implementations that allow a large number of privileges to be defined, by displaying aggregates to the user.
This example shows a client request for the DAV:supported-privilege-set property on the resource http://www.example.com/papers/. The value of the DAV:supported-privilege-set property is a tree of supported privileges (using "[XML Namespace, localname]" to identify each privilege):
[DAV:, all]  (aggregate, abstract)
   |
   +-- [DAV:, read] (aggregate)
   |      |
   |      +-- [DAV:, read-acl] (abstract)
   |      +-- [DAV:, read-current-user-privilege-set] (abstract)
   |
   +-- [DAV:, write] (aggregate)
   |      |
   |      +-- [DAV:, write-acl] (abstract)
   |      +-- [DAV:, write-properties]
   |      +-- [DAV:, write-content]
   |
   +-- [DAV:, unlock]
This privilege tree is not normative (except that it reflects the normative aggregation rules given in Section 3.12), and many other privilege trees are possible.
>> Request <<
PROPFIND /papers/ HTTP/1.1
Host: www.example.com
Content-type: text/xml; charset="utf-8"
Content-Length: xxx
Depth: 0
Authorization: Digest username="gclemm",
  realm="users@example.com", nonce="...",
  uri="/papers/", response="...", opaque="..."
<?xml version="1.0" encoding="utf-8" ?>
<D:propfind xmlns:D="DAV:">
  <D:prop>
    <D:supported-privilege-set/>
  </D:prop>
</D:propfind>
>> Response <<
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset="utf-8"
Content-Length: xxx
<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>http://www.example.com/papers/</D:href>
    <D:propstat>
      <D:prop>
        <D:supported-privilege-set>
          <D:supported-privilege>
            <D:privilege><D:all/></D:privilege>
            <D:abstract/>
            <D:description xml:lang="en">
              Any operation
            </D:description>
            <D:supported-privilege>
              <D:privilege><D:read/></D:privilege>
              <D:description xml:lang="en">
                Read any object
              </D:description>
              <D:supported-privilege>
                <D:privilege><D:read-acl/></D:privilege>
                <D:abstract/>
                <D:description xml:lang="en">Read ACL</D:description>
              </D:supported-privilege>
              <D:supported-privilege>
                <D:privilege>
                  <D:read-current-user-privilege-set/>
                </D:privilege>
                <D:abstract/>
                <D:description xml:lang="en">
                  Read current user privilege set property
                </D:description>
              </D:supported-privilege>
            </D:supported-privilege>
            <D:supported-privilege>
              <D:privilege><D:write/></D:privilege>
              <D:description xml:lang="en">
                Write any object
              </D:description>
              <D:supported-privilege>
                <D:privilege><D:write-acl/></D:privilege>
                <D:abstract/>
                <D:description xml:lang="en">
                  Write ACL
                </D:description>
              </D:supported-privilege>
              <D:supported-privilege>
                <D:privilege><D:write-properties/></D:privilege>
                <D:description xml:lang="en">
                  Write properties
                </D:description>
              </D:supported-privilege>
              <D:supported-privilege>
                <D:privilege><D:write-content/></D:privilege>
                <D:description xml:lang="en">
                  Write resource content
                </D:description>
              </D:supported-privilege>
            </D:supported-privilege>
            <D:supported-privilege>
              <D:privilege><D:unlock/></D:privilege>
              <D:description xml:lang="en">
                Unlock resource
              </D:description>
            </D:supported-privilege>
          </D:supported-privilege>
        </D:supported-privilege-set>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>
DAV:current-user-privilege-set is a protected property containing the exact set of privileges (as computed by the server) granted to the currently authenticated HTTP user. Aggregate privileges and their contained privileges are listed. A user-agent can use the value of this property to adjust its user interface to make actions inaccessible (e.g., by graying out a menu item or button) for which the current principal does not have permission. This property is also useful for determining what operations the current principal can perform, without having to actually execute an operation.
<!ELEMENT current-user-privilege-set (privilege*)>
<!ELEMENT privilege ANY>
If the current user is granted a specific privilege, that privilege must belong to the set of privileges that may be set on this resource. Therefore, each element in the DAV:current-user-privilege-set property MUST identify a non-abstract privilege from the DAV:supported-privilege-set property.
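As an added example (not part of RFC 3744), the following Python parses a DAV:supported-privilege-set, checks it against the aggregation limits of Section 3.12 (including the rule that a privilege MUST NOT contain itself), and derives the DAV:current-user-privilege-set a server would report for a set of granted privileges as described above: aggregates expand to what they contain, abstract privileges are dropped, and an attempt to grant an abstract privilege is rejected. The sample tree is constructed for this example, modelled on the 5.3.1 response with DAV:bind and DAV:unbind added under DAV:write; the short descriptions are mine.

```python
import xml.etree.ElementTree as ET
D = "{DAV:}"  # Clark-notation prefix for the DAV: namespace

# Constructed sample modelled on the 5.3.1 example, with DAV:bind and DAV:unbind
# added under DAV:write so that the tree satisfies the rules of Section 3.12.
SUPPORTED_PRIVILEGE_SET = """<D:supported-privilege-set xmlns:D="DAV:">
 <D:supported-privilege><D:privilege><D:all/></D:privilege><D:abstract/>
  <D:description xml:lang="en">Any operation</D:description>
  <D:supported-privilege><D:privilege><D:read/></D:privilege>
   <D:description xml:lang="en">Read any object</D:description>
   <D:supported-privilege><D:privilege><D:read-acl/></D:privilege><D:abstract/>
    <D:description xml:lang="en">Read ACL</D:description></D:supported-privilege>
   <D:supported-privilege><D:privilege><D:read-current-user-privilege-set/></D:privilege>
    <D:abstract/><D:description xml:lang="en">Read CUPS</D:description></D:supported-privilege>
  </D:supported-privilege>
  <D:supported-privilege><D:privilege><D:write/></D:privilege>
   <D:description xml:lang="en">Write any object</D:description>
   <D:supported-privilege><D:privilege><D:write-acl/></D:privilege><D:abstract/>
    <D:description xml:lang="en">Write ACL</D:description></D:supported-privilege>
   <D:supported-privilege><D:privilege><D:write-properties/></D:privilege>
    <D:description xml:lang="en">Write properties</D:description></D:supported-privilege>
   <D:supported-privilege><D:privilege><D:write-content/></D:privilege>
    <D:description xml:lang="en">Write content</D:description></D:supported-privilege>
   <D:supported-privilege><D:privilege><D:bind/></D:privilege>
    <D:description xml:lang="en">Add member</D:description></D:supported-privilege>
   <D:supported-privilege><D:privilege><D:unbind/></D:privilege>
    <D:description xml:lang="en">Remove member</D:description></D:supported-privilege>
  </D:supported-privilege>
  <D:supported-privilege><D:privilege><D:unlock/></D:privilege>
   <D:description xml:lang="en">Unlock resource</D:description></D:supported-privilege>
 </D:supported-privilege>
</D:supported-privilege-set>"""

def parse_supported_privileges(xml_text):
    """Map each privilege (Clark name) to (is_abstract, [directly contained privileges])."""
    tree = {}
    def walk(sp):
        name = list(sp.find(D + "privilege"))[0].tag
        if name in tree:
            raise ValueError("%s listed twice" % name)
        abstract = sp.find(D + "abstract") is not None
        children = [walk(c) for c in sp.findall(D + "supported-privilege")]
        tree[name] = (abstract, children)   # nesting expresses aggregation (Section 5.3)
        return name
    for sp in ET.fromstring(xml_text).findall(D + "supported-privilege"):
        walk(sp)
    return tree

def contained(tree, name):
    """Transitive set of privileges aggregated under `name`; a privilege MUST NOT contain itself."""
    seen, stack = set(), list(tree[name][1])
    while stack:
        child = stack.pop()
        if child == name:
            raise ValueError("containment loop through %s" % name)
        if child not in seen:
            seen.add(child)
            stack.extend(tree[child][1])
    return seen

# Section 3.12 limits on aggregating the predefined privileges (local names).
MUST_NOT_CONTAIN = {
    "read-acl": ["read", "write", "write-acl", "write-properties",
                 "write-content", "read-current-user-privilege-set"],
    "write-acl": ["write", "read", "read-acl", "read-current-user-privilege-set"],
    "read-current-user-privilege-set": ["write", "read", "read-acl", "write-acl"],
    "write": ["read", "read-acl", "read-current-user-privilege-set"],
    "read": ["write", "write-acl", "write-properties", "write-content"],
}
WRITE_MUST_CONTAIN = ["bind", "unbind", "write-properties", "write-content"]

def check_aggregation(tree):
    """Return the Section 3.12 violations found in a parsed tree ([] if compliant)."""
    problems, closure = [], {}
    for name in tree:
        try:
            closure[name] = contained(tree, name)
        except ValueError as err:
            problems.append(str(err))
    for outer, forbidden in MUST_NOT_CONTAIN.items():
        for inner in forbidden:
            if D + inner in closure.get(D + outer, set()):
                problems.append("%s MUST NOT contain %s" % (outer, inner))
    for inner in WRITE_MUST_CONTAIN:
        if D + "write" in closure and D + inner not in closure[D + "write"]:
            problems.append("write MUST contain %s" % inner)
    return problems

def current_user_privilege_set(tree, granted):
    """DAV:current-user-privilege-set for a user granted `granted` (local names): each grant
    plus what it aggregates, minus abstract privileges; granting an abstract one is an error."""
    result = set()
    for local in granted:
        if D + local not in tree or tree[D + local][0]:
            raise ValueError("%s cannot be set in an ACE on this resource" % local)
        result.add(D + local)
        result |= contained(tree, D + local)
    return sorted(n[len(D):] for n in result if not tree[n][0])
```

With this tree a grant of DAV:read yields only `read`, exactly as in the 5.4.1 example, while a grant of DAV:write also lists the non-abstract privileges it aggregates.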
5.4.1. Example: Retrieving the User's Current Set of Assigned Privileges
Continuing the example from Section 5.3.1, this example shows a client requesting the DAV:current-user-privilege-set property from the resource with URL http://www.example.com/papers/. The username of the principal making the request is "khare", and Digest authentication is used in the request. The principal with username "khare" has been granted the DAV:read privilege. Since the DAV:read privilege contains the DAV:read-acl and DAV:read-current-user-privilege-set privileges (see Section 5.3.1), the principal with username "khare" can read the ACL property, and the DAV:current-user-privilege-set property. However, the DAV:all, DAV:read-acl, DAV:write-acl and DAV:read-current-user-privilege-set privileges are not listed in the value of DAV:current-user-privilege-set, since (for this example) they are abstract privileges. DAV:write is not listed since the principal with username "khare" is not listed in an ACE granting that principal write permission.
>> Request <<
PROPFIND /papers/ HTTP/1.1
Host: www.example.com
Content-type: text/xml; charset="utf-8"
Content-Length: xxx
Depth: 0
Authorization: Digest username="khare",
  realm="users@example.com", nonce="...",
  uri="/papers/", response="...", opaque="..."
<?xml version="1.0" encoding="utf-8" ?>
<D:propfind xmlns:D="DAV:">
  <D:prop>
    <D:current-user-privilege-set/>
  </D:prop>
</D:propfind>
>> Response <<
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset="utf-8"
Content-Length: xxx
<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>http://www.example.com/papers/</D:href>
    <D:propstat>
      <D:prop>
        <D:current-user-privilege-set>
          <D:privilege><D:read/></D:privilege>
        </D:current-user-privilege-set>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>
This is a protected property that specifies the list of access control entries (ACEs), which define what principals are to get what privileges for this resource.

   <!ELEMENT acl (ace*) >

Each DAV:ace element specifies the set of privileges to be either granted or denied to a single principal. If the DAV:acl property is empty, no principal is granted any privilege.

   <!ELEMENT ace ((principal | invert), (grant|deny), protected?, inherited?)>

The DAV:principal element identifies the principal to which this ACE applies.

   <!ELEMENT principal (href | all | authenticated | unauthenticated | property | self)>
The current user matches DAV:href only if that user is authenticated as being (or being a member of) the principal identified by the URL contained by that DAV:href.

The current user always matches DAV:all.

   <!ELEMENT all EMPTY>

The current user matches DAV:authenticated only if authenticated.

   <!ELEMENT authenticated EMPTY>

The current user matches DAV:unauthenticated only if not authenticated.

   <!ELEMENT unauthenticated EMPTY>

DAV:all is the union of DAV:authenticated and DAV:unauthenticated. For a given request, the user matches either DAV:authenticated or DAV:unauthenticated, but not both (that is, DAV:authenticated and DAV:unauthenticated are disjoint sets).

The current user matches a DAV:property principal in a DAV:acl property of a resource only if the value of the identified property of that resource contains at most one DAV:href XML element, the URI value of DAV:href identifies a principal, and the current user is authenticated as being (or being a member of) that principal. For example, if the DAV:property element contained <DAV:owner/>, the current user would match the DAV:property principal only if the current user is authenticated as matching the principal identified by the DAV:owner property of the resource.

   <!ELEMENT property ANY>

The current user matches DAV:self in a DAV:acl property of the resource only if that resource is a principal and that principal matches the current user or, if the principal is a group, a member of that group matches the current user.

   <!ELEMENT self EMPTY>

Some servers may support ACEs applying to those users NOT matching the current principal, e.g., all users not in a particular group. This can be done by wrapping the DAV:principal element with DAV:invert.

   <!ELEMENT invert principal>
Each DAV:grant or DAV:deny element specifies the set of privileges to be either granted or denied to the specified principal. A DAV:grant or DAV:deny element of the DAV:acl of a resource MUST only contain non-abstract elements specified in the DAV:supported-privilege-set of that resource.

   <!ELEMENT grant (privilege+)>
   <!ELEMENT deny (privilege+)>
   <!ELEMENT privilege ANY>

A server indicates an ACE is protected by including the DAV:protected element in the ACE. If the ACL of a resource contains an ACE with a DAV:protected element, an attempt to remove that ACE from the ACL MUST fail.

   <!ELEMENT protected EMPTY>

The presence of a DAV:inherited element indicates that this ACE is inherited from another resource that is identified by the URL contained in a DAV:href element. An inherited ACE cannot be modified directly; instead, the ACL on the resource from which it is inherited must be modified.

Note that ACE inheritance is not the same as ACL initialization. ACL initialization defines the ACL that a newly created resource will use (if not specified). ACE inheritance refers to an ACE that is logically shared - where an update to the resource containing an ACE will affect the ACE of each resource that inherits that ACE. The method by which ACLs are initialized or by which ACEs are inherited is not defined by this document.

   <!ELEMENT inherited (href)>
Continuing the example from Sections 5.3.1 and 5.4.1, this example shows a client requesting the DAV:acl property from the resource with URL http://www.example.com/papers/. There are two ACEs defined in this ACL:

ACE #1: The group identified by URL http://www.example.com/acl/groups/maintainers (the group of site maintainers) is granted DAV:write privilege. Since (for this example) DAV:write contains the DAV:write-acl privilege (see Section 5.3.1), this means the "maintainers" group can also modify the access control list.

ACE #2: All principals (DAV:all) are granted the DAV:read privilege. Since (for this example) DAV:read contains DAV:read-acl and DAV:read-current-user-privilege-set, this means all users (including all members of the "maintainers" group) can read the DAV:acl property and the DAV:current-user-privilege-set property.
   >> Request <<

   PROPFIND /papers/ HTTP/1.1
   Host: www.example.com
   Content-type: text/xml; charset="utf-8"
   Content-Length: xxx
   Depth: 0
   Authorization: Digest username="masinter",
     realm="users@example.com", nonce="...",
     uri="/papers/", response="...", opaque="..."

   <D:propfind xmlns:D="DAV:">
     <D:prop>
       <D:acl/>
     </D:prop>
   </D:propfind>

   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <D:multistatus xmlns:D="DAV:">
     <D:response>
       <D:href>http://www.example.com/papers/</D:href>
       <D:propstat>
         <D:prop>
           <D:acl>
             <D:ace>
               <D:principal>
                 <D:href>http://www.example.com/acl/groups/maintainers</D:href>
               </D:principal>
               <D:grant>
                 <D:privilege><D:write/></D:privilege>
               </D:grant>
             </D:ace>
             <D:ace>
               <D:principal>
                 <D:all/>
               </D:principal>
               <D:grant>
                 <D:privilege><D:read/></D:privilege>
               </D:grant>
             </D:ace>
           </D:acl>
         </D:prop>
         <D:status>HTTP/1.1 200 OK</D:status>
       </D:propstat>
     </D:response>
   </D:multistatus>
This protected property defines the types of ACLs supported by this server, to avoid clients needlessly getting errors. When a client tries to set an ACL via the ACL method, the server may reject the attempt to set the ACL as specified. The following properties indicate the restrictions the client must observe before setting an ACL:

   <grant-only>          Deny ACEs are not supported
   <no-invert>           Inverted ACEs are not supported
   <deny-before-grant>   All deny ACEs must occur before any grant ACEs
   <required-principal>  Indicates which principals are required to be present

   <!ELEMENT acl-restrictions (grant-only?, no-invert?, deny-before-grant?, required-principal?)>

This element indicates that ACEs with deny clauses are not allowed.

   <!ELEMENT grant-only EMPTY>

This element indicates that ACEs with the <invert> element are not allowed.

   <!ELEMENT no-invert EMPTY>

This element indicates that all deny ACEs must precede all grant ACEs.

   <!ELEMENT deny-before-grant EMPTY>

The required-principal elements identify which principals must have an ACE defined in the ACL.

   <!ELEMENT required-principal (all? | authenticated? | unauthenticated? | self? | href* | property*)>

For example, the following element requires that the ACL contain a DAV:owner property ACE:

   <D:required-principal xmlns:D="DAV:">
     <D:property><D:owner/></D:property>
   </D:required-principal>
In this example, the client requests the value of the DAV:acl-restrictions property. Digest authentication provides credentials for the principal operating the client.

   >> Request <<

   PROPFIND /papers/ HTTP/1.1
   Host: www.example.com
   Content-type: text/xml; charset="utf-8"
   Content-Length: xxx
   Depth: 0
   Authorization: Digest username="srcarter",
     realm="users@example.com", nonce="...",
     uri="/papers/", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:propfind xmlns:D="DAV:">
     <D:prop>
       <D:acl-restrictions/>
     </D:prop>
   </D:propfind>

   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:multistatus xmlns:D="DAV:">
     <D:response>
       <D:href>http://www.example.com/papers/</D:href>
       <D:propstat>
         <D:prop>
           <D:acl-restrictions>
             <D:grant-only/>
             <D:required-principal>
               <D:all/>
             </D:required-principal>
           </D:acl-restrictions>
         </D:prop>
         <D:status>HTTP/1.1 200 OK</D:status>
       </D:propstat>
     </D:response>
   </D:multistatus>
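A client that has fetched DAV:acl-restrictions can check a proposed ACL locally before sending the ACL method, which avoids a round trip that the server would reject anyway. The following Python is an added example, not code from RFC 3744 or from any WebDAV implementation. It reads the restrictions and the two-ACE DAV:acl of /papers/ shown in the examples above; the stricter restriction set and the proposed ACL with an inverted deny ACE are constructed for the example, and the function and message names are the example's own.

```python
"""Pre-flight check of a proposed DAV:acl against a server's DAV:acl-restrictions
(grant-only, no-invert, deny-before-grant, required-principal)."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

DAV = "{DAV:}"   # ElementTree's Clark notation for the DAV: namespace


def local(el: ET.Element) -> str:
    """Local name of an element in the DAV: namespace."""
    return el.tag[len(DAV):] if el.tag.startswith(DAV) else el.tag


def principal_key(kind: ET.Element) -> Tuple[str, ...]:
    """Comparable identity for a principal kind element: the child of
    DAV:principal in an ACE, or one entry of DAV:required-principal."""
    tag = local(kind)
    if tag == "href":
        return ("href", (kind.text or "").strip())
    if tag == "property":
        return ("property", local(kind[0]))
    return (tag,)            # all, authenticated, unauthenticated, self


def violations(restrictions_xml: str, acl_xml: str) -> List[str]:
    """Return one message per restriction the proposed ACL would violate."""
    rules = ET.fromstring(restrictions_xml)
    grant_only = rules.find(f"{DAV}grant-only") is not None
    no_invert = rules.find(f"{DAV}no-invert") is not None
    deny_first = rules.find(f"{DAV}deny-before-grant") is not None
    required = rules.find(f"{DAV}required-principal")

    problems: List[str] = []
    present = set()          # principals that have a (non-inverted) ACE
    seen_grant = False
    for n, ace in enumerate(ET.fromstring(acl_xml).findall(f"{DAV}ace"), 1):
        if ace.find(f"{DAV}invert") is not None:
            if no_invert:
                problems.append(f"ACE #{n}: DAV:invert is not allowed (no-invert)")
        else:
            present.add(principal_key(ace.find(f"{DAV}principal")[0]))
        if ace.find(f"{DAV}deny") is not None:
            if grant_only:
                problems.append(f"ACE #{n}: deny ACEs are not allowed (grant-only)")
            if deny_first and seen_grant:
                problems.append(f"ACE #{n}: deny ACE follows a grant ACE (deny-before-grant)")
        else:
            seen_grant = True
    if required is not None:
        for kind in required:
            key = principal_key(kind)
            if key not in present:
                problems.append(f"no ACE for required principal {key}")
    return problems


# DAV:acl-restrictions value from the PROPFIND response above.
PAPERS_RESTRICTIONS = """<D:acl-restrictions xmlns:D="DAV:">
  <D:grant-only/>
  <D:required-principal><D:all/></D:required-principal>
</D:acl-restrictions>"""

# The two-ACE DAV:acl of /papers/ from the example above (maintainers: write; all: read).
PAPERS_ACL = """<D:acl xmlns:D="DAV:">
  <D:ace><D:principal><D:href>http://www.example.com/acl/groups/maintainers</D:href></D:principal>
    <D:grant><D:privilege><D:write/></D:privilege></D:grant></D:ace>
  <D:ace><D:principal><D:all/></D:principal>
    <D:grant><D:privilege><D:read/></D:privilege></D:grant></D:ace>
</D:acl>"""

# Constructed: a client proposal that puts an inverted deny ACE after a grant ACE.
PROPOSED_ACL = """<D:acl xmlns:D="DAV:">
  <D:ace><D:principal><D:all/></D:principal>
    <D:grant><D:privilege><D:read/></D:privilege></D:grant></D:ace>
  <D:ace><D:invert><D:principal><D:href>http://www.example.com/acl/groups/maintainers</D:href></D:principal></D:invert>
    <D:deny><D:privilege><D:write/></D:privilege></D:deny></D:ace>
</D:acl>"""

# Constructed: a stricter restriction set that also requires an owner ACE.
STRICT_RESTRICTIONS = """<D:acl-restrictions xmlns:D="DAV:">
  <D:no-invert/>
  <D:deny-before-grant/>
  <D:required-principal><D:all/><D:property><D:owner/></D:property></D:required-principal>
</D:acl-restrictions>"""

if __name__ == "__main__":
    for label, rules, acl in [("papers", PAPERS_RESTRICTIONS, PAPERS_ACL),
                              ("proposed", PAPERS_RESTRICTIONS, PROPOSED_ACL),
                              ("strict", STRICT_RESTRICTIONS, PROPOSED_ACL)]:
        print(label, violations(rules, acl) or "ok")
```

A clean result only means the declarative restrictions are satisfied; as the UNIX example later in this section notes, a server can still reject an ACL for implementation-specific reasons that these four elements cannot express.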
This protected property contains a set of URLs that identify other resources that also control the access to this resource. To have a privilege on a resource, not only must the ACL on that resource (specified in the DAV:acl property of that resource) grant the privilege, but so must the ACL of each resource identified in the DAV:inherited-acl-set property of that resource. Effectively, the privileges granted by the current ACL are ANDed with the privileges granted by each inherited ACL.

   <!ELEMENT inherited-acl-set (href*)>

This protected property of a resource contains a set of URLs that identify the root collections that contain the principals that are available on the server that implements this resource. A WebDAV Access Control Protocol user agent could use the contents of DAV:principal-collection-set to retrieve the DAV:displayname property (specified in Section 13.2 of [RFC2518]) of all principals on that server, thereby yielding human-readable names for each principal that could be displayed in a user interface.

   <!ELEMENT principal-collection-set (href*)>

Since different servers can control different parts of the URL namespace, different resources on the same host MAY have different DAV:principal-collection-set values. The collections specified in the DAV:principal-collection-set MAY be located on different hosts from the resource. The URLs in DAV:principal-collection-set SHOULD be http or https scheme URLs. For security and scalability reasons, a server MAY report only a subset of the entire set of known principal collections, and therefore clients should not assume they have retrieved an exhaustive listing. Additionally, a server MAY elect to report none of the principal collections it knows about, in which case the property value would be empty.

The value of DAV:principal-collection-set gives the scope of the DAV:principal-property-search REPORT (defined in Section 9.4). Clients use the DAV:principal-property-search REPORT to populate their user interface with a list of principals. Therefore, servers that limit a client's ability to obtain principal information will interfere with the client's ability to manipulate access control lists, due to the difficulty of getting the URL of a principal for use in an ACE.

In this example, the client requests the value of the DAV:principal-collection-set property on the collection resource identified by URL http://www.example.com/papers/. The property contains the two URLs, http://www.example.com/acl/users/ and http://www.example.com/acl/groups/, both wrapped in DAV:href XML elements. Digest authentication provides credentials for the principal operating the client.

The client might reasonably follow this request with two separate PROPFIND requests to retrieve the DAV:displayname property of the members of the two collections (/acl/users and /acl/groups). This information could be used when displaying a user interface for creating access control entries.

   >> Request <<

   PROPFIND /papers/ HTTP/1.1
   Host: www.example.com
   Content-type: text/xml; charset="utf-8"
   Content-Length: xxx
   Depth: 0
   Authorization: Digest username="yarong",
     realm="users@example.com", nonce="...",
     uri="/papers/", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:propfind xmlns:D="DAV:">
     <D:prop>
       <D:principal-collection-set/>
     </D:prop>
   </D:propfind>

   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:multistatus xmlns:D="DAV:">
     <D:response>
       <D:href>http://www.example.com/papers/</D:href>
       <D:propstat>
         <D:prop>
           <D:principal-collection-set>
             <D:href>http://www.example.com/acl/users/</D:href>
             <D:href>http://www.example.com/acl/groups/</D:href>
           </D:principal-collection-set>
         </D:prop>
         <D:status>HTTP/1.1 200 OK</D:status>
       </D:propstat>
     </D:response>
   </D:multistatus>
The following example shows how access control information can be retrieved by using the PROPFIND method to fetch the values of the DAV:owner, DAV:supported-privilege-set, DAV:current-user-privilege-set, and DAV:acl properties.

   >> Request <<

   PROPFIND /top/container/ HTTP/1.1
   Host: www.example.com
   Content-type: text/xml; charset="utf-8"
   Content-Length: xxx
   Depth: 0
   Authorization: Digest username="ejw",
     realm="users@example.com", nonce="...",
     uri="/top/container/", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:propfind xmlns:D="DAV:">
     <D:prop>
       <D:owner/>
       <D:supported-privilege-set/>
       <D:current-user-privilege-set/>
       <D:acl/>
     </D:prop>
   </D:propfind>

   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:multistatus xmlns:D="DAV:"
     xmlns:A="http://www.example.com/acl/">
     <D:response>
       <D:href>http://www.example.com/top/container/</D:href>
       <D:propstat>
         <D:prop>
           <D:owner>
             <D:href>http://www.example.com/users/gclemm</D:href>
           </D:owner>
           <D:supported-privilege-set>
             <D:supported-privilege>
               <D:privilege><D:all/></D:privilege>
               <D:abstract/>
               <D:description xml:lang="en">
                 Any operation
               </D:description>
               <D:supported-privilege>
                 <D:privilege><D:read/></D:privilege>
                 <D:description xml:lang="en">
                   Read any object
                 </D:description>
               </D:supported-privilege>
               <D:supported-privilege>
                 <D:privilege><D:write/></D:privilege>
                 <D:abstract/>
                 <D:description xml:lang="en">
                   Write any object
                 </D:description>
                 <D:supported-privilege>
                   <D:privilege><A:create/></D:privilege>
                   <D:description xml:lang="en">
                     Create an object
                   </D:description>
                 </D:supported-privilege>
                 <D:supported-privilege>
                   <D:privilege><A:update/></D:privilege>
                   <D:description xml:lang="en">
                     Update an object
                   </D:description>
                 </D:supported-privilege>
               </D:supported-privilege>
               <D:supported-privilege>
                 <D:privilege><A:delete/></D:privilege>
                 <D:description xml:lang="en">
                   Delete an object
                 </D:description>
               </D:supported-privilege>
               <D:supported-privilege>
                 <D:privilege><D:read-acl/></D:privilege>
                 <D:description xml:lang="en">
                   Read the ACL
                 </D:description>
               </D:supported-privilege>
               <D:supported-privilege>
                 <D:privilege><D:write-acl/></D:privilege>
                 <D:description xml:lang="en">
                   Write the ACL
                 </D:description>
               </D:supported-privilege>
             </D:supported-privilege>
           </D:supported-privilege-set>
           <D:current-user-privilege-set>
             <D:privilege><D:read/></D:privilege>
             <D:privilege><D:read-acl/></D:privilege>
           </D:current-user-privilege-set>
           <D:acl>
             <D:ace>
               <D:principal>
                 <D:href>http://www.example.com/users/esedlar</D:href>
               </D:principal>
               <D:grant>
                 <D:privilege><D:read/></D:privilege>
                 <D:privilege><D:write/></D:privilege>
                 <D:privilege><D:read-acl/></D:privilege>
               </D:grant>
             </D:ace>
             <D:ace>
               <D:principal>
                 <D:href>http://www.example.com/groups/mrktng</D:href>
               </D:principal>
               <D:deny>
                 <D:privilege><D:read/></D:privilege>
               </D:deny>
             </D:ace>
             <D:ace>
               <D:principal>
                 <D:property><D:owner/></D:property>
               </D:principal>
               <D:grant>
                 <D:privilege><D:read-acl/></D:privilege>
                 <D:privilege><D:write-acl/></D:privilege>
               </D:grant>
             </D:ace>
             <D:ace>
               <D:principal><D:all/></D:principal>
               <D:grant>
                 <D:privilege><D:read/></D:privilege>
               </D:grant>
               <D:inherited>
                 <D:href>http://www.example.com/top</D:href>
               </D:inherited>
             </D:ace>
           </D:acl>
         </D:prop>
         <D:status>HTTP/1.1 200 OK</D:status>
       </D:propstat>
     </D:response>
   </D:multistatus>
The value of the DAV:owner property is a single DAV:href XML element containing the URL of the principal that owns this resource.

The value of the DAV:supported-privilege-set property is a tree of supported privileges (using "[XML Namespace , localname]" to identify each privilege):

   [DAV:, all]  (aggregate, abstract)
      |
      +-- [DAV:, read]
      +-- [DAV:, write]  (aggregate, abstract)
            |
            +-- [http://www.example.com/acl, create]
            +-- [http://www.example.com/acl, update]
      +-- [http://www.example.com/acl, delete]
      +-- [DAV:, read-acl]
      +-- [DAV:, write-acl]

The DAV:current-user-privilege-set property contains two privileges, DAV:read and DAV:read-acl. This indicates that the current authenticated user only has the ability to read the resource and to read the DAV:acl property on the resource. The DAV:acl property contains a set of four ACEs:

ACE #1: The principal identified by the URL http://www.example.com/users/esedlar is granted the DAV:read, DAV:write, and DAV:read-acl privileges.

ACE #2: The principals identified by the URL http://www.example.com/groups/mrktng are denied the DAV:read privilege. In this example, the principal URL identifies a group.

ACE #3: In this ACE, the principal is a property principal, specifically the DAV:owner property. When evaluating this ACE, the value of the DAV:owner property is retrieved, and is examined to see if it contains a DAV:href XML element. If so, the URL within the DAV:href element is read, and identifies a principal. In this ACE, the owner is granted the DAV:read-acl and DAV:write-acl privileges.

ACE #4: This ACE grants the DAV:all principal (all users) the DAV:read privilege. This ACE is inherited from the resource http://www.example.com/top, the parent collection of this resource.
WebDAV ACLs are evaluated in a similar manner to ACLs on Windows NT and in NFSv4 [RFC3530]. An ACL is evaluated to determine whether or not access will be granted for a WebDAV request. ACEs are maintained in a particular order, and are evaluated until all of the permissions required by the current request have been granted, at which point the ACL evaluation is terminated and access is granted. If, during ACL evaluation, a <deny> ACE (matching the current user) is encountered for a privilege which has not yet been granted, the ACL evaluation is terminated and access is denied. Failure to have all required privileges granted results in access being denied.

Note that the semantics of many other existing ACL systems may be represented via this mechanism, by mixing deny and grant ACEs. For example, consider the standard "rwx" privilege scheme used by UNIX. In this scheme, if the current user is the owner of the file, access is granted if the corresponding privilege bit is set and denied if not set, regardless of the permissions set on the file's group and for the world. An ACL for UNIX permissions of "r--rw-r--" might be constructed like:

   <D:acl>
     <D:ace>
       <D:principal>
         <D:property><D:owner/></D:property>
       </D:principal>
       <D:grant>
         <D:privilege><D:read/></D:privilege>
       </D:grant>
     </D:ace>
     <D:ace>
       <D:principal>
         <D:property><D:owner/></D:property>
       </D:principal>
       <D:deny>
         <D:privilege><D:all/></D:privilege>
       </D:deny>
     </D:ace>
     <D:ace>
       <D:principal>
         <D:property><D:group/></D:property>
       </D:principal>
       <D:grant>
         <D:privilege><D:read/></D:privilege>
         <D:privilege><D:write/></D:privilege>
       </D:grant>
     </D:ace>
     <D:ace>
       <D:principal>
         <D:property><D:group/></D:property>
       </D:principal>
       <D:deny>
         <D:privilege><D:all/></D:privilege>
       </D:deny>
     </D:ace>
     <D:ace>
       <D:principal><D:all/></D:principal>
       <D:grant>
         <D:privilege><D:read/></D:privilege>
       </D:grant>
     </D:ace>
   </D:acl>

and the <acl-restrictions> would be defined as:

   <D:no-invert/>
   <D:required-principal>
     <D:all/>
     <D:property><D:owner/></D:property>
     <D:property><D:group/></D:property>
   </D:required-principal>

Note that the client can still get errors from a UNIX server in spite of obeying the <acl-restrictions>, including <D:allowed-principal> (adding an ACE specifying a principal other than the ones in the ACL above) or <D:ace-conflict> (by trying to reorder the ACEs in the example above), as these particular implementation semantics are too complex to be captured with the simple (but general) declarative restrictions.
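The ordered evaluation described above (grants accumulate; a matching deny of a privilege that has not yet been granted ends evaluation with a refusal; running off the end of the list also refuses) is easiest to understand when run against the "r--rw-r--" ACL. The Python below is an added example, not code from RFC 3744 or from any WebDAV server. It parses the ACL shown above (with the DAV:all element closed as <D:all/>) and applies the DAV:principal matching rules of this section, including DAV:invert and DAV:property principals. The aggregation table standing in for DAV:supported-privilege-set, the owner and group URLs of the protected file, and the requesting users are all constructed for the example; a real server takes these from the resource's own properties.

```python
"""Ordered-ACE evaluation of a DAV:acl value: grants accumulate, a deny stops it."""
from dataclasses import dataclass, field
from typing import Optional, Set
import xml.etree.ElementTree as ET

DAV = "{DAV:}"

# Constructed stand-in for DAV:supported-privilege-set (which privileges each
# aggregate contains); a real client reads this tree from the server per resource.
AGGREGATES = {"all": {"read", "write", "read-acl", "write-acl"}}


def expand(privileges: Set[str]) -> Set[str]:
    """Close a privilege set under aggregation (DAV:all implies its members)."""
    out, todo = set(), set(privileges)
    while todo:
        p = todo.pop()
        if p not in out:
            out.add(p)
            todo |= AGGREGATES.get(p, set())
    return out


@dataclass
class Requester:
    user: Optional[str]                   # principal URL; None when unauthenticated
    groups: frozenset = frozenset()       # URLs of groups the user belongs to

    def is_or_member_of(self, href: str) -> bool:
        return href == self.user or href in self.groups


@dataclass
class Resource:
    properties: dict = field(default_factory=dict)  # e.g. "owner" -> principal URL
    self_href: Optional[str] = None       # set only if the resource is itself a principal


def local(el: ET.Element) -> str:
    return el.tag[len(DAV):] if el.tag.startswith(DAV) else el.tag


def principal_matches(principal: ET.Element, who: Requester, res: Resource) -> bool:
    """Apply the DAV:principal matching rules (href, all, authenticated, ...)."""
    kind = principal[0]
    tag = local(kind)
    if tag == "all":
        return True
    if tag in ("authenticated", "unauthenticated"):
        return (who.user is not None) == (tag == "authenticated")
    if tag == "href":
        return who.is_or_member_of(kind.text.strip())
    if tag == "property":  # the named property must hold one href naming a principal
        target = res.properties.get(local(kind[0]))
        return target is not None and who.is_or_member_of(target)
    if tag == "self":
        return res.self_href is not None and who.is_or_member_of(res.self_href)
    raise ValueError(f"unknown principal type {tag}")


def privileges_in(el: ET.Element) -> Set[str]:
    return {local(p[0]) for p in el.findall(f"{DAV}privilege")}


def evaluate(acl_xml: str, needed: Set[str], who: Requester, res: Resource) -> bool:
    """True if the ordered ACEs grant every privilege the request needs."""
    needed, granted = set(needed), set()
    for ace in ET.fromstring(acl_xml).findall(f"{DAV}ace"):
        inv = ace.find(f"{DAV}invert")
        if inv is not None:  # DAV:invert: the ACE applies to everyone who does NOT match
            matched = not principal_matches(inv.find(f"{DAV}principal"), who, res)
        else:
            matched = principal_matches(ace.find(f"{DAV}principal"), who, res)
        if not matched:
            continue
        grant, deny = ace.find(f"{DAV}grant"), ace.find(f"{DAV}deny")
        if grant is not None:
            granted |= expand(privileges_in(grant))
            if needed <= granted:
                return True  # everything required is granted: stop and allow
        elif deny is not None and expand(privileges_in(deny)) & (needed - granted):
            return False     # a required privilege is denied before being granted
    return False             # end of the list without all privileges: refuse


# The "r--rw-r--" ACL from the text (DAV:all closed as <D:all/>), plus constructed
# owner/group property values and requesters for the file it protects.
UNIX_ACL = """<D:acl xmlns:D="DAV:">
 <D:ace><D:principal><D:property><D:owner/></D:property></D:principal><D:grant><D:privilege><D:read/></D:privilege></D:grant></D:ace>
 <D:ace><D:principal><D:property><D:owner/></D:property></D:principal><D:deny><D:privilege><D:all/></D:privilege></D:deny></D:ace>
 <D:ace><D:principal><D:property><D:group/></D:property></D:principal><D:grant><D:privilege><D:read/></D:privilege><D:privilege><D:write/></D:privilege></D:grant></D:ace>
 <D:ace><D:principal><D:property><D:group/></D:property></D:principal><D:deny><D:privilege><D:all/></D:privilege></D:deny></D:ace>
 <D:ace><D:principal><D:all/></D:principal><D:grant><D:privilege><D:read/></D:privilege></D:grant></D:ace>
</D:acl>"""
FILE = Resource({"owner": "http://www.example.com/users/alice",
                 "group": "http://www.example.com/groups/staff"})
OWNER = Requester("http://www.example.com/users/alice")
STAFF = Requester("http://www.example.com/users/bob", frozenset({"http://www.example.com/groups/staff"}))
ANON = Requester(None)
```

The owner's "deny DAV:all" ACE is what makes the UNIX semantics work: once the owner's own grant ACE has been passed, the deny stops evaluation before the group or world ACEs can add privileges the owner bit does not carry. Note that a deny only terminates evaluation for a privilege the request actually needs and has not yet been granted; denies on unrelated privileges are passed over, which is the reading of the text this example takes.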
This section defines the impact of access control functionality on existing methods.
本节定义了访问控制功能对现有方法的影响。
The WebDAV ACL mechanism requires the usage of HTTP method "preconditions" as described in section 1.6 of RFC3253 for ALL HTTP methods. All HTTP methods have an additional precondition called DAV:need-privileges. If an HTTP method fails due to insufficient privileges, the response body to the "403 Forbidden" error MUST contain the <DAV:error> element, which in turn contains the <DAV:need-privileges> element, which contains one or more <DAV:resource> elements indicating which resource had insufficient privileges, and what the lacking privileges were:
   <!ELEMENT need-privileges (resource)* >
   <!ELEMENT resource ( href , privilege ) >
Since some methods require multiple permissions on multiple resources, this information is needed to resolve any ambiguity. There is no requirement that all privilege violations be reported - for implementation reasons, some servers may only report the first privilege violation. For example:
   >> Request <<

   MOVE /a/b/ HTTP/1.1
   Host: www.example.com
   Destination: http://www.example.com/c/d

   >> Response <<

   HTTP/1.1 403 Forbidden
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <D:error xmlns:D="DAV:">
     <D:need-privileges>
       <D:resource>
         <D:href>/a</D:href>
         <D:privilege><D:unbind/></D:privilege>
       </D:resource>
       <D:resource>
         <D:href>/c</D:href>
         <D:privilege><D:bind/></D:privilege>
       </D:resource>
     </D:need-privileges>
   </D:error>
If the server supports access control, it MUST return "access-control" as a field in the DAV response header from an OPTIONS request on any resource implemented by that server. A value of "access-control" in the DAV header MUST indicate that the server supports all MUST level requirements and REQUIRED features specified in this document.
   >> Request <<

   OPTIONS /foo.html HTTP/1.1
   Host: www.example.com
   Content-Length: 0

   >> Response <<

   HTTP/1.1 200 OK
   DAV: 1, 2, access-control
   Allow: OPTIONS, GET, PUT, PROPFIND, PROPPATCH, ACL
In this example, the OPTIONS response indicates that the server supports access control and that /foo.html can have its access control list modified by the ACL method.
When a resource is moved from one location to another due to a MOVE request, the non-inherited and non-protected ACEs in the DAV:acl property of the resource MUST NOT be modified, or the MOVE request fails. Handling of inherited and protected ACEs is intentionally undefined to give server implementations flexibility in how they implement ACE inheritance and protection.
The DAV:acl property on the resource at the destination of a COPY MUST be the same as if the resource was created by an individual resource creation request (e.g., MKCOL, PUT). Clients wishing to preserve the DAV:acl property across a copy need to read the DAV:acl property prior to the COPY, then perform an ACL operation on the new resource at the destination to restore, insofar as this is possible, the original access control list.
A lock on a resource ensures that only the lock owner can modify ACEs that are not inherited and not protected (these are the only ACEs that a client can modify with an ACL request). A lock does not protect inherited or protected ACEs, since a client cannot modify them with an ACL request on that resource.
The ACL method modifies the access control list (which can be read via the DAV:acl property) of a resource. Specifically, the ACL method only permits modification to ACEs that are not inherited, and are not protected. An ACL method invocation modifies all non-inherited and non-protected ACEs in a resource's access control list to exactly match the ACEs contained within the DAV:acl XML element (specified in Section 5.5) of the request body. An ACL request body MUST contain only one DAV:acl XML element. Unless the non-inherited and non-protected ACEs of the DAV:acl property of the resource can be updated to be exactly the value specified in the ACL request, the ACL request MUST fail.
It is possible that the ACEs visible to the current user in the DAV:acl property may only be a portion of the complete set of ACEs on that resource. If this is the case, an ACL request only modifies the set of ACEs visible to the current user, and does not affect any non-visible ACE.
In order to avoid overwriting DAV:acl changes by another client, a client SHOULD acquire a WebDAV lock on the resource before retrieving the DAV:acl property of a resource that it intends on updating.
Implementation Note: Two common operations are to add or remove an ACE from an existing access control list. To accomplish this, a client uses the PROPFIND method to retrieve the value of the DAV:acl property, then parses the returned access control list to remove all inherited and protected ACEs (these ACEs are tagged with the DAV:inherited and DAV:protected XML elements). In the remaining set of non-inherited, non-protected ACEs, the client can add or remove one or more ACEs before submitting the final ACE set in the request body of the ACL method.
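The client-side procedure of the implementation note, as an added example rather than code from the RFC: it takes a DAV:acl property value as PROPFIND would return it, keeps only the ACEs that carry neither DAV:inherited nor DAV:protected, removes or appends ACEs, and serializes the body for the ACL method. The sample ACL, the collection and the principal URLs are constructed; Python's standard-library ElementTree is assumed.

```python
import xml.etree.ElementTree as ET

DAV = "DAV:"
ET.register_namespace("D", DAV)


def q(name):
    return "{%s}%s" % (DAV, name)


def dav_name(tag):
    return tag.replace("{DAV:}", "DAV:")  # '{DAV:}read' -> 'DAV:read'


# Constructed DAV:acl value, as PROPFIND might return it for a hypothetical collection:
# one protected ACE, one ACE inherited from /top/, and one editable ACE.
SAMPLE_ACL = """<D:acl xmlns:D="DAV:">
  <D:ace>
    <D:principal><D:property><D:owner/></D:property></D:principal>
    <D:grant><D:privilege><D:all/></D:privilege></D:grant>
    <D:protected/>
  </D:ace>
  <D:ace>
    <D:principal><D:all/></D:principal>
    <D:grant><D:privilege><D:read/></D:privilege></D:grant>
    <D:inherited><D:href>/top/</D:href></D:inherited>
  </D:ace>
  <D:ace>
    <D:principal><D:href>http://www.example.com/users/esedlar</D:href></D:principal>
    <D:grant><D:privilege><D:read/></D:privilege></D:grant>
  </D:ace>
</D:acl>"""


def editable_aces(acl_xml):
    """The non-inherited, non-protected ACEs: the only ones an ACL request may carry."""
    root = ET.fromstring(acl_xml)
    if root.tag != q("acl"):
        raise ValueError("expected a DAV:acl element, got %s" % root.tag)
    return [ace for ace in root.findall(q("ace"))
            if ace.find(q("inherited")) is None and ace.find(q("protected")) is None]


def principal_href(ace):
    """The principal's URL for href principals, None for DAV:all, DAV:property, etc."""
    href = ace.find("%s/%s" % (q("principal"), q("href")))
    return href.text.strip() if href is not None and href.text else None


def make_ace(href, privileges, grant=True):
    """A DAV:ace for an href principal; privileges are DAV: local names such as 'read'."""
    ace = ET.Element(q("ace"))
    ET.SubElement(ET.SubElement(ace, q("principal")), q("href")).text = href
    effect = ET.SubElement(ace, q("grant" if grant else "deny"))
    for name in privileges:
        ET.SubElement(ET.SubElement(effect, q("privilege")), q(name))
    return ace


def build_acl_request(acl_xml, add=(), remove_hrefs=()):
    """Body for the ACL method: the editable ACEs of the current value, minus those
    whose principal href is listed in remove_hrefs, plus the ACEs in add (appended)."""
    drop = set(remove_hrefs)
    acl = ET.Element(q("acl"))
    acl.extend([a for a in editable_aces(acl_xml) if principal_href(a) not in drop])
    acl.extend(list(add))
    return ET.tostring(acl, encoding="unicode")


def summarize(acl_xml):
    """(principal, 'grant' | 'deny', [privileges]) for each ACE, for inspection and tests."""
    rows = []
    for ace in ET.fromstring(acl_xml).findall(q("ace")):
        who = principal_href(ace) or dav_name(ace.find(q("principal"))[0].tag)
        effect = "deny" if ace.find(q("deny")) is not None else "grant"
        privs = [dav_name(p[0].tag) for p in ace.find(q(effect)).findall(q("privilege"))]
        rows.append((who, effect, privs))
    return rows
```

Per Section 8.1, a client would hold a WebDAV lock on the resource between the PROPFIND that fetched the value and the ACL request built from it.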
An implementation MUST enforce the following constraints on an ACL request. If the constraint is violated, a 403 (Forbidden) or 409 (Conflict) response MUST be returned and the indicated XML element MUST be returned as a child of a top level DAV:error element in an XML response body.
Though these status elements are generally expressed as empty XML elements (and are defined as EMPTY in the DTD), implementations MAY return additional descriptive XML elements as children of the status element. Clients MUST be able to accept children of these status elements. Clients that do not understand the additional XML elements should ignore them.
(DAV:no-ace-conflict): The ACEs submitted in the ACL request MUST NOT conflict with each other. This is a catchall error code indicating that an implementation-specific ACL restriction has been violated.
(DAV:no-protected-ace-conflict): The ACEs submitted in the ACL request MUST NOT conflict with the protected ACEs on the resource. For example, if the resource has a protected ACE granting DAV:write to a given principal, then it would not be consistent if the ACL request submitted an ACE denying DAV:write to the same principal.
(DAV:no-inherited-ace-conflict): The ACEs submitted in the ACL request MUST NOT conflict with the inherited ACEs on the resource. For example, if the resource inherits an ACE from its parent collection granting DAV:write to a given principal, then it would not be consistent if the ACL request submitted an ACE denying DAV:write to the same principal. Note that reporting of this error will be implementation-dependent. Implementations MUST either report this error or allow the ACE to be set, and then let normal ACE evaluation rules determine whether the new ACE has any impact on the privileges available to a specific principal.
(DAV:limited-number-of-aces): The number of ACEs submitted in the ACL request MUST NOT exceed the number of ACEs allowed on that resource. However, ACL-compliant servers MUST support at least one ACE granting privileges to a single principal, and one ACE granting privileges to a group.
(DAV:deny-before-grant): All non-inherited deny ACEs MUST precede all non-inherited grant ACEs.
(DAV:grant-only): The ACEs submitted in the ACL request MUST NOT include a deny ACE. This precondition applies only when the ACL restrictions of the resource include the DAV:grant-only constraint (defined in Section 5.6.1).
(DAV:no-invert): The ACL request MUST NOT include a DAV:invert element. This precondition applies only when the ACL semantics of the resource includes the DAV:no-invert constraint (defined in Section 5.6.2).
(DAV:no-abstract): The ACL request MUST NOT attempt to grant or deny an abstract privilege (see Section 5.3).
(DAV:not-supported-privilege): The ACEs submitted in the ACL request MUST be supported by the resource.
(DAV:missing-required-principal): The result of the ACL request MUST have at least one ACE for each principal identified in a DAV:required-principal XML element in the ACL semantics of that resource (see Section 5.5).
(DAV:recognized-principal): Every principal URL in the ACL request MUST identify a principal resource.
(DAV:allowed-principal): The principals specified in the ACEs submitted in the ACL request MUST be allowed as principals for the resource. For example, a server where only authenticated principals can access resources would not allow the DAV:all or DAV:unauthenticated principals to be used in an ACE, since these would allow unauthenticated access to resources.
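A server-side check of the preconditions listed above, written as an added example and not code from the RFC or any server implementation. The resource's ACL restrictions, its supported and abstract privilege names and its protected ACEs are passed in as constructed inputs, and the check returns the name of the first violated precondition, which is the element a server would place under DAV:error in the 403/409 body. The order in which conditions are tested, the literal-string matching of principals and the lack of aggregate-privilege expansion are simplifications of this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

DAV = "DAV:"


def q(name):
    return "{%s}%s" % (DAV, name)


def dav_name(tag):
    return tag.replace("{DAV:}", "DAV:")  # '{DAV:}write' -> 'DAV:write'; other namespaces keep Clark form


@dataclass
class Ace:
    principal: str      # href, 'DAV:all' / 'DAV:authenticated' / ..., or 'property:DAV:owner'
    invert: bool
    deny: bool
    privileges: list


@dataclass
class AclRestrictions:
    grant_only: bool = False
    no_invert: bool = False
    deny_before_grant: bool = False
    max_aces: Optional[int] = None
    required_principals: tuple = ()


def _principal_id(principal):
    child = principal[0]
    if child.tag == q("href"):
        return child.text.strip()
    if child.tag == q("property"):
        return "property:" + dav_name(child[0].tag)
    return dav_name(child.tag)


def parse_aces(acl_xml):
    """The DAV:ace children of a DAV:acl element as Ace records, in document order."""
    root = ET.fromstring(acl_xml)
    if root.tag != q("acl"):
        raise ValueError("request body must be a single DAV:acl element")
    aces = []
    for ace in root.findall(q("ace")):
        invert = ace.find(q("invert"))
        principal = ace.find(q("principal")) if invert is None else invert.find(q("principal"))
        deny = ace.find(q("deny"))
        effect = deny if deny is not None else ace.find(q("grant"))
        privs = [dav_name(p[0].tag) for p in effect.findall(q("privilege"))]
        aces.append(Ace(_principal_id(principal), invert is not None, deny is not None, privs))
    return aces


def check_acl_request(acl_xml, restrictions, supported, abstract, protected, principal_map=None):
    """Name of the first violated precondition, or None when the request may be applied.
    supported / abstract: sets of privilege names from DAV:supported-privilege-set;
    protected: the resource's protected ACEs; principal_map: property principal -> href."""
    principal_map = principal_map or {}
    aces = parse_aces(acl_xml)
    if restrictions.max_aces is not None and len(aces) > restrictions.max_aces:
        return "DAV:limited-number-of-aces"
    if restrictions.grant_only and any(a.deny for a in aces):
        return "DAV:grant-only"
    if restrictions.no_invert and any(a.invert for a in aces):
        return "DAV:no-invert"
    if restrictions.deny_before_grant:
        seen_grant = False
        for a in aces:
            if a.deny and seen_grant:
                return "DAV:deny-before-grant"
            seen_grant = seen_grant or not a.deny
    for a in aces:
        for p in a.privileges:
            if p in abstract:
                return "DAV:no-abstract"
            if p not in supported:
                return "DAV:not-supported-privilege"
    for req in restrictions.required_principals:
        if not any(a.principal == req and not a.invert for a in aces):
            return "DAV:missing-required-principal"
    # Protected-ACE conflict, simplified: same resolved principal, opposite effect, a privilege in common.
    for a in aces:
        for p in protected:
            same = principal_map.get(a.principal, a.principal) == principal_map.get(p.principal, p.principal)
            if same and a.deny != p.deny and set(a.privileges) & set(p.privileges):
                return "DAV:no-protected-ace-conflict"
    return None


# Constructed inputs modelled on the Section 8.1.3 scenario: a protected ACE grants the owner
# DAV:read and DAV:write, the owner is esedlar, and the request denies him DAV:write.
SUPPORTED = {"DAV:all", "DAV:read", "DAV:write", "DAV:read-acl", "DAV:write-acl"}
OWNER_MAP = {"property:DAV:owner": "http://www.example.com/users/esedlar"}
PROTECTED = [Ace("property:DAV:owner", False, False, ["DAV:read", "DAV:write"])]
DENY_OWNER_WRITE = """<D:acl xmlns:D="DAV:">
  <D:ace>
    <D:principal><D:href>http://www.example.com/users/esedlar</D:href></D:principal>
    <D:deny><D:privilege><D:write/></D:privilege></D:deny>
  </D:ace>
</D:acl>"""
```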
In the following example, user "fielding", authenticated by information in the Authorization header, grants the principal identified by the URL http://www.example.com/users/esedlar (i.e., the user "esedlar") read and write privileges, grants the owner of the resource read-acl and write-acl privileges, and grants everyone read privileges.
   >> Request <<

   ACL /top/container/ HTTP/1.1
   Host: www.example.com
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxxx
   Authorization: Digest username="fielding",
     realm="users@example.com", nonce="...",
     uri="/top/container/", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:acl xmlns:D="DAV:">
     <D:ace>
       <D:principal>
         <D:href>http://www.example.com/users/esedlar</D:href>
       </D:principal>
       <D:grant>
         <D:privilege><D:read/></D:privilege>
         <D:privilege><D:write/></D:privilege>
       </D:grant>
     </D:ace>
     <D:ace>
       <D:principal>
         <D:property><D:owner/></D:property>
       </D:principal>
       <D:grant>
         <D:privilege><D:read-acl/></D:privilege>
         <D:privilege><D:write-acl/></D:privilege>
       </D:grant>
     </D:ace>
     <D:ace>
       <D:principal><D:all/></D:principal>
       <D:grant>
         <D:privilege><D:read/></D:privilege>
       </D:grant>
     </D:ace>
   </D:acl>

   >> Response <<

   HTTP/1.1 200 OK
In the following request, user "fielding", authenticated by information in the Authorization header, attempts to deny the principal identified by the URL http://www.example.com/users/esedlar (i.e., the user "esedlar") write privileges. Prior to the request, the DAV:acl property on the resource contained a protected ACE (see Section 5.5.3) granting DAV:owner the DAV:read and DAV:write privileges. The principal identified by URL http://www.example.com/users/esedlar is the owner of the resource. The ACL method invocation fails because the submitted ACE conflicts with the protected ACE, thus violating the semantics of ACE protection.
   >> Request <<

   ACL /top/container/ HTTP/1.1
   Host: www.example.com
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxxx
   Authorization: Digest username="fielding",
     realm="users@example.com", nonce="...",
     uri="/top/container/", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:acl xmlns:D="DAV:">
     <D:ace>
       <D:principal>
         <D:href>http://www.example.com/users/esedlar</D:href>
       </D:principal>
       <D:deny>
         <D:privilege><D:write/></D:privilege>
       </D:deny>
     </D:ace>
   </D:acl>

   >> Response <<

   HTTP/1.1 403 Forbidden
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:error xmlns:D="DAV:">
     <D:no-protected-ace-conflict/>
   </D:error>
In the following request, user "ejw", authenticated by information in the Authorization header, tries to change the access control list on the resource http://www.example.com/top/index.html. This resource has two inherited ACEs.
Inherited ACE #1 grants the principal identified by URL http://www.example.com/users/ejw (i.e., the user "ejw") http://www.example.com/privs/write-all and DAV:read-acl privileges. On this server, http://www.example.com/privs/write-all is an aggregate privilege containing DAV:write, and DAV:write-acl.
Inherited ACE #2 grants principal DAV:all the DAV:read privilege.
The request attempts to set a (non-inherited) ACE, denying the principal identified by the URL http://www.example.com/users/ejw (i.e., the user "ejw") DAV:write permission. This conflicts with inherited ACE #1. Note that the decision to report an inherited ACE conflict is specific to this server implementation. Another server implementation could have allowed the new ACE to be set, and then used normal ACE evaluation rules to determine whether the new ACE has any impact on the privileges available to a principal.
   >> Request <<

   ACL /top/index.html HTTP/1.1
   Host: www.example.com
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxxx
   Authorization: Digest username="ejw",
     realm="users@example.com", nonce="...",
     uri="/top/index.html", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:acl xmlns:D="DAV:" xmlns:F="http://www.example.com/privs/">
     <D:ace>
       <D:principal>
         <D:href>http://www.example.com/users/ejw</D:href>
       </D:principal>
       <D:deny>
         <D:privilege><D:write/></D:privilege>
       </D:deny>
     </D:ace>
   </D:acl>

   >> Response <<

   HTTP/1.1 403 Forbidden
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:error xmlns:D="DAV:">
     <D:no-inherited-ace-conflict/>
   </D:error>
8.1.5. Example: ACL method failure due to an attempt to set grant and deny in a single ACE
In this example, user "ygoland", authenticated by information in the Authorization header, tries to change the access control list on the resource http://www.example.com/diamond/engagement-ring.gif. The ACL request includes a single, syntactically and semantically incorrect ACE, which attempts to grant the group identified by the URL http://www.example.com/users/friends DAV:read privilege and deny the principal identified by URL http://www.example.com/users/ygoland-so (i.e., the user "ygoland-so") DAV:read privilege. However, it is illegal to have multiple principal elements, as well as both a grant and deny element in the same ACE, so the request fails due to poor syntax.
   >> Request <<

   ACL /diamond/engagement-ring.gif HTTP/1.1
   Host: www.example.com
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxxx
   Authorization: Digest username="ygoland",
     realm="users@example.com", nonce="...",
     uri="/diamond/engagement-ring.gif", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:acl xmlns:D="DAV:">
     <D:ace>
       <D:principal>
         <D:href>http://www.example.com/users/friends</D:href>
       </D:principal>
       <D:grant><D:read/></D:grant>
       <D:principal>
         <D:href>http://www.example.com/users/ygoland-so</D:href>
       </D:principal>
       <D:deny><D:read/></D:deny>
     </D:ace>
   </D:acl>

   >> Response <<

   HTTP/1.1 400 Bad Request
   Content-Length: 0
Note that if the request had been divided into two ACEs, one to grant, and one to deny, the request would have been syntactically well formed.
The REPORT method (defined in Section 3.6 of [RFC3253]) provides an extensible mechanism for obtaining information about a resource. Unlike the PROPFIND method, which returns the value of one or more named properties, the REPORT method can involve more complex processing. REPORT is valuable in cases where the server has access to all of the information needed to perform the complex request (such as a query), and where it would require multiple requests for the client to retrieve the information needed to perform the same request.
A server that supports the WebDAV Access Control Protocol MUST support the DAV:expand-property report (defined in Section 3.8 of [RFC3253]).
The DAV:acl-principal-prop-set report returns, for all principals in the DAV:acl property (of the Request-URI) that are identified by http(s) URLs or by a DAV:property principal, the value of the properties specified in the REPORT request body. In the case where a principal URL appears multiple times, the DAV:acl-principal-prop-set report MUST return the properties for that principal only once. Support for this report is REQUIRED.
One expected use of this report is to retrieve the human readable name (found in the DAV:displayname property) of each principal found in an ACL. This is useful for constructing user interfaces that show each ACE in a human readable form.
Marshalling
The request body MUST be a DAV:acl-principal-prop-set XML element.
   <!ELEMENT acl-principal-prop-set ANY>
   ANY value: a sequence of one or more elements, with at most one
              DAV:prop element.
   prop: see RFC 2518, Section 12.11
This report is only defined when the Depth header has value "0"; other values result in a 400 (Bad Request) error response. Note that [RFC3253], Section 3.6, states that if the Depth header is not present, it defaults to a value of "0".
The response body for a successful request MUST be a DAV:multistatus XML element (i.e., the response uses the same format as the response for PROPFIND). In the case where there are no response elements, the returned multistatus XML element is empty.
multistatus: see RFC 2518, Section 12.9
The response body for a successful DAV:acl-principal-prop-set REPORT request MUST contain a DAV:response element for each principal identified by an http(s) URL listed in a DAV:principal XML element of an ACE within the DAV:acl property of the resource identified by the Request-URI.
Postconditions:
(DAV:number-of-matches-within-limits): The number of matching principals must fall within server-specific, predefined limits. For example, this condition might be triggered if a search specification would cause the return of an extremely large number of responses.
Resource http://www.example.com/index.html has an ACL with three ACEs:
ACE #1: All principals (DAV:all) have DAV:read and DAV:read-current-user-privilege-set access.
ACE #2: The principal identified by http://www.example.com/people/gstein (the user "gstein") is granted DAV:write, DAV:write-acl, DAV:read-acl privileges.
ACE #3: The group identified by http://www.example.com/groups/authors (the "authors" group) is granted DAV:write and DAV:read-acl privileges.
The following example shows a DAV:acl-principal-prop-set report requesting the DAV:displayname property. It returns the value of DAV:displayname for resources http://www.example.com/people/gstein and http://www.example.com/groups/authors, but not for DAV:all, since this is not an http(s) URL.
   >> Request <<

   REPORT /index.html HTTP/1.1
   Host: www.example.com
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxxx
   Depth: 0

   <?xml version="1.0" encoding="utf-8" ?>
   <D:acl-principal-prop-set xmlns:D="DAV:">
     <D:prop>
       <D:displayname/>
     </D:prop>
   </D:acl-principal-prop-set>

   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:multistatus xmlns:D="DAV:">
     <D:response>
       <D:href>http://www.example.com/people/gstein</D:href>
       <D:propstat>
         <D:prop>
           <D:displayname>Greg Stein</D:displayname>
         </D:prop>
         <D:status>HTTP/1.1 200 OK</D:status>
       </D:propstat>
     </D:response>
     <D:response>
       <D:href>http://www.example.com/groups/authors</D:href>
       <D:propstat>
         <D:prop>
           <D:displayname>Site authors</D:displayname>
         </D:prop>
         <D:status>HTTP/1.1 200 OK</D:status>
       </D:propstat>
     </D:response>
   </D:multistatus>
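How a server could evaluate the DAV:acl-principal-prop-set report over the ACL described above, as an added example and not code from the RFC or any server. The three ACEs are transcribed into a constructed DAV:acl value, the principal store is a constructed dictionary keyed by principal URL, and principals given as DAV:property (which a real server would first resolve to a URL) are skipped for brevity; properties a principal lacks are placed under a 404 propstat, following the PROPFIND response format the text refers to.

```python
import xml.etree.ElementTree as ET

DAV = "DAV:"
ET.register_namespace("D", DAV)


def q(name):
    return "{%s}%s" % (DAV, name)


def dav_name(tag):
    return tag.replace("{DAV:}", "DAV:")  # '{DAV:}displayname' -> 'DAV:displayname'


# Constructed DAV:acl value for http://www.example.com/index.html holding the three ACEs
# the text describes in prose (this XML form is the example's own).
INDEX_ACL = """<D:acl xmlns:D="DAV:">
  <D:ace>
    <D:principal><D:all/></D:principal>
    <D:grant>
      <D:privilege><D:read/></D:privilege>
      <D:privilege><D:read-current-user-privilege-set/></D:privilege>
    </D:grant>
  </D:ace>
  <D:ace>
    <D:principal><D:href>http://www.example.com/people/gstein</D:href></D:principal>
    <D:grant>
      <D:privilege><D:write/></D:privilege>
      <D:privilege><D:write-acl/></D:privilege>
      <D:privilege><D:read-acl/></D:privilege>
    </D:grant>
  </D:ace>
  <D:ace>
    <D:principal><D:href>http://www.example.com/groups/authors</D:href></D:principal>
    <D:grant>
      <D:privilege><D:write/></D:privilege>
      <D:privilege><D:read-acl/></D:privilege>
    </D:grant>
  </D:ace>
</D:acl>"""

# Constructed principal store: principal URL -> property values the server knows.
PRINCIPALS = {
    "http://www.example.com/people/gstein": {"DAV:displayname": "Greg Stein"},
    "http://www.example.com/groups/authors": {"DAV:displayname": "Site authors"},
}


def acl_principal_hrefs(acl_xml):
    """http(s) principal URLs named in the ACL, in first-seen order, each reported once.
    DAV:all and the other href-less principal forms are skipped."""
    seen, out = set(), []
    path = "%s/%s/%s" % (q("ace"), q("principal"), q("href"))
    for href in ET.fromstring(acl_xml).iterfind(path):
        url = (href.text or "").strip()
        if url.lower().startswith(("http://", "https://")) and url not in seen:
            seen.add(url)
            out.append(url)
    return out


def acl_principal_prop_set(acl_xml, report_xml, store):
    """Evaluate a DAV:acl-principal-prop-set REPORT (Depth: 0) against an ACL.
    Returns ([(principal URL, {property: value or None})], multistatus XML string)."""
    report = ET.fromstring(report_xml)
    if report.tag != q("acl-principal-prop-set"):
        raise ValueError("request body must be a DAV:acl-principal-prop-set element")
    prop = report.find(q("prop"))
    wanted = [c.tag for c in prop] if prop is not None else []   # Clark-notation tags
    rows, ms = [], ET.Element(q("multistatus"))
    for url in acl_principal_hrefs(acl_xml):
        known = store.get(url, {})
        values = {dav_name(t): known.get(dav_name(t)) for t in wanted}
        rows.append((url, values))
        resp = ET.SubElement(ms, q("response"))
        ET.SubElement(resp, q("href")).text = url
        # One propstat for the properties found (200) and one for those missing (404).
        for status, present in (("HTTP/1.1 200 OK", True), ("HTTP/1.1 404 Not Found", False)):
            tags = [t for t in wanted if (values[dav_name(t)] is not None) == present]
            if not tags:
                continue
            ps = ET.SubElement(resp, q("propstat"))
            pe = ET.SubElement(ps, q("prop"))
            for t in tags:
                ET.SubElement(pe, t).text = values[dav_name(t)]
            ET.SubElement(ps, q("status")).text = status
    return rows, ET.tostring(ms, encoding="unicode")
```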
The DAV:principal-match REPORT is used to identify all members (at any depth) of the collection identified by the Request-URI that are principals and that match the current user. In particular, if the collection contains principals, the report can be used to identify all members of the collection that match the current user. Alternatively, if the collection contains resources that have a property that identifies a principal (e.g., DAV:owner), the report can be used to identify all members of the collection whose property identifies a principal that matches the current user. For example, this report can return all of the resources in a collection hierarchy that are owned by the current user. Support for this report is REQUIRED.
Marshalling:
The request body MUST be a DAV:principal-match XML element.

   <!ELEMENT principal-match ((principal-property | self), prop?)>
   <!ELEMENT principal-property ANY>
   ANY value: an element whose value identifies a property. The
   expectation is the value of the named property typically contains
   an href element that contains the URI of a principal
   <!ELEMENT self EMPTY>
   prop: see RFC 2518, Section 12.11
This report is only defined when the Depth header has value "0"; other values result in a 400 (Bad Request) error response. Note that [RFC3253], Section 3.6, states that if the Depth header is not present, it defaults to a value of "0". The response body for a successful request MUST be a DAV:multistatus XML element. In the case where there are no response elements, the returned multistatus XML element is empty.
multistatus: see RFC 2518, Section 12.9
The response body for a successful DAV:principal-match REPORT request MUST contain a DAV:response element for each member of the collection that matches the current user. When the DAV:principal-property element is used, a match occurs if the current user is matched by the principal identified by the URI found in the DAV:href element of the property identified by the DAV:principal-property element. When the DAV:self element is used in a DAV:principal-match report issued against a group, it matches the group if a member identifies the same principal as the current user.
If DAV:prop is specified in the request body, the properties specified in the DAV:prop element MUST be reported in the DAV:response elements.
The following example identifies the members of the collection identified by the URL http://www.example.com/doc that are owned by the current user. The current user ("gclemm") is authenticated using Digest authentication.
   >> Request <<

   REPORT /doc/ HTTP/1.1
   Host: www.example.com
   Authorization: Digest username="gclemm",
     realm="users@example.com", nonce="...",
     uri="/papers/", response="...", opaque="..."
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxxx
   Depth: 0

   <?xml version="1.0" encoding="utf-8" ?>
   <D:principal-match xmlns:D="DAV:">
     <D:principal-property>
       <D:owner/>
     </D:principal-property>
   </D:principal-match>

   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:multistatus xmlns:D="DAV:">
     <D:response>
       <D:href>http://www.example.com/doc/foo.html</D:href>
       <D:status>HTTP/1.1 200 OK</D:status>
     </D:response>
     <D:response>
       <D:href>http://www.example.com/doc/img/bar.gif</D:href>
       <D:status>HTTP/1.1 200 OK</D:status>
     </D:response>
   </D:multistatus>
The DAV:principal-property-search REPORT performs a search for all principals whose properties contain character data that matches the search criteria specified in the request. One expected use of this report is to discover the URL of a principal associated with a given person or group by searching for them by name. This is done by searching over DAV:displayname, which is defined on all principals.
The actual search method (exact matching vs. substring matching vs. prefix-matching, case-sensitivity) is deliberately left to the server implementation to allow implementation on a wide set of possible user management systems. In cases where the implementation of DAV:principal-property-search is not constrained by the semantics of an underlying user management repository, preferred default semantics are caseless substring matches.
For implementation efficiency, servers do not typically support searching on all properties. A search requesting properties that are not searchable for a particular principal will not match that principal.
Support for the DAV:principal-property-search report is REQUIRED.
Implementation Note: The value of a WebDAV property is a sequence of well-formed XML, and hence can include any character in the Unicode/ISO-10646 standard, that is, most known characters in human languages. Due to the idiosyncrasies of case mapping across human languages, implementation of case-insensitive matching is non-trivial. Implementors of servers that do perform substring matching are strongly encouraged to consult "The Unicode Standard" [UNICODE4], especially Section 5.18, Subsection "Caseless Matching", for guidance when implementing their case-insensitive matching algorithms.
Implementation Note: Some implementations of this protocol will use an LDAP repository for storage of principal metadata. The schema describing each attribute (akin to a WebDAV property) in an LDAP repository specifies whether it supports case-sensitive or caseless searching. One of the benefits of leaving the search method to the discretion of the server implementation is that the default LDAP attribute search behavior can be used when implementing the DAV:principal-property-search report.
Marshalling:
The request body MUST be a DAV:principal-property-search XML element containing a search specification and an optional list of properties. For every principal that matches the search specification, the response will contain the value of the requested properties on that principal.
<!ELEMENT principal-property-search ((property-search+), prop?, apply-to-principal-collection-set?) >
By default, the report searches all members (at any depth) of the collection identified by the Request-URI. If DAV:apply-to-principal-collection-set is specified in the request body, the request is applied instead to each collection identified by the DAV:principal-collection-set property of the resource identified by the Request-URI.
The DAV:property-search element contains a prop element enumerating the properties to be searched and a match element, containing the search string.
<!ELEMENT property-search (prop, match) >
prop: see RFC 2518, Section 12.11
<!ELEMENT match #PCDATA >
Multiple property-search elements or multiple elements within a DAV:prop element will be interpreted with a logical AND.
This report is only defined when the Depth header has value "0"; other values result in a 400 (Bad Request) error response. Note that [RFC3253], Section 3.6, states that if the Depth header is not present, it defaults to a value of "0".
The response body for a successful request MUST be a DAV:multistatus XML element. In the case where there are no response elements, the returned multistatus XML element is empty.
multistatus: see RFC 2518, Section 12.9
The response body for a successful DAV:principal-property-search REPORT request MUST contain a DAV:response element for each principal whose property values satisfy the search specification given in DAV:principal-property-search.
If DAV:prop is specified in the request body, the properties specified in the DAV:prop element MUST be reported in the DAV:response elements.
Preconditions:
None
Postconditions:
(DAV:number-of-matches-within-limits): The number of matching principals must fall within server-specific, predefined limits. For example, this condition might be triggered if a search specification would cause the return of an extremely large number of responses.
There are several cases to consider when matching strings. The easiest case is when a property value is "simple" and has only character information item content (see [REC-XML-INFOSET]). For example, the search string "julian" would match the DAV:displayname property with value "Julian Reschke". Note that the on-the-wire marshaling of DAV:displayname in this case is:
<D:displayname xmlns:D="DAV:">Julian Reschke</D:displayname>
The name of the property is encoded into the XML element information item, and the character information item content of the property is "Julian Reschke".
A more complicated case occurs when properties have mixed content (that is, compound values consisting of multiple child element items, other types of information items, and character information item content). Consider the property "aprop" in the namespace "http://www.example.com/props/", marshaled as:
<W:aprop xmlns:W="http://www.example.com/props/">
  {cdata 0}<W:elem1>{cdata 1}</W:elem1>
  <W:elem2>{cdata 2}</W:elem2>{cdata 3}
</W:aprop>
In this case, matching is performed on each individual contiguous sequence of character information items. In the example above, a search string would be compared to the four following strings:
  {cdata 0}
  {cdata 1}
  {cdata 2}
  {cdata 3}
That is, four individual matches would be performed, one each for {cdata 0}, {cdata 1}, {cdata 2}, and {cdata 3}.
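The matching rules of this report (caseless substring matching as the preferred default, a logical AND across DAV:property-search elements and across the properties listed in a DAV:prop, one comparison per contiguous run of character data, and no match when the request names a property the server does not make searchable), implemented over a constructed in-memory principal store. This is an added example, not code from RFC 3744 or from any WebDAV server; the principal store, the SEARCHABLE set, and the helper names (parse_request, search, cdata_runs, value_matches) are assumptions, and str.casefold() stands in for the Unicode caseless matching the implementation note refers to.

```python
"""Matching for the DAV:principal-property-search REPORT.

Added illustration, not code from RFC 3744 or from any WebDAV server.
Implements the report's matching rules over a constructed principal store:
caseless substring matching (the preferred default), a logical AND across
all DAV:property-search elements and across every property named in a
DAV:prop, one comparison per contiguous run of character data in a
mixed-content value, and no match for a principal when the request names
a property the server does not make searchable.
"""
import xml.etree.ElementTree as ET

DAV = "{DAV:}"


def qname(tag):
    """Split an ElementTree tag "{ns}local" into (namespace, local)."""
    ns, local = tag[1:].split("}", 1)
    return ns, local


def cdata_runs(elem):
    """Each contiguous run of character data below elem, in document order:
    elem.text, then for every child its own runs followed by its tail."""
    runs = [elem.text] if elem.text else []
    for child in elem:
        runs.extend(cdata_runs(child))
        if child.tail:
            runs.append(child.tail)
    return runs


def value_matches(value, needle):
    """Caseless substring test against each run separately; runs are never
    concatenated.  str.casefold() approximates the Unicode caseless matching
    [UNICODE4] that the implementation note points servers to."""
    needle = needle.casefold()
    return any(needle in run.casefold() for run in cdata_runs(value))


def parse_request(body):
    """Return ([(property names, match string)], requested property names)
    from a DAV:principal-property-search request body."""
    root = ET.fromstring(body)
    if root.tag != DAV + "principal-property-search":
        raise ValueError("request body is not DAV:principal-property-search")
    criteria = []
    for ps in root.findall(DAV + "property-search"):
        prop_el, match = ps.find(DAV + "prop"), ps.find(DAV + "match")
        if prop_el is None or match is None:
            raise ValueError("DAV:property-search needs DAV:prop and DAV:match")
        criteria.append(([qname(p.tag) for p in prop_el], match.text or ""))
    if not criteria:
        raise ValueError("at least one DAV:property-search is required")
    wanted = root.find(DAV + "prop")
    return criteria, ([qname(p.tag) for p in wanted] if wanted is not None else [])


def search(body, principals, searchable):
    """URLs of principals that satisfy every criterion (logical AND).
    principals: {url: {(ns, local): Element}}; searchable: set of (ns, local)."""
    criteria, _requested = parse_request(body)

    def prop_ok(props, name, needle):
        if name not in searchable or name not in props:
            return False  # unsearchable or absent property: never a match
        return value_matches(props[name], needle)

    return [url for url, props in principals.items()
            if all(prop_ok(props, name, needle)
                   for names, needle in criteria for name in names)]


def prop(ns, local, inner):
    """Build a property Element from its serialised inner XML (constructed data)."""
    return ET.fromstring('<%s xmlns="%s">%s</%s>' % (local, ns, inner, local))


BIG = "http://BigCorp.com/ns/"
SEARCHABLE = {("DAV:", "displayname"), (BIG, "title")}  # department is not searchable


def person(name, title, dept):
    """Constructed principal record with three properties."""
    return {("DAV:", "displayname"): prop("DAV:", "displayname", name),
            (BIG, "title"): prop(BIG, "title", title),
            (BIG, "department"): prop(BIG, "department", dept)}


PRINCIPALS = {  # constructed sample store
    "/users/jdoe": person("John Doe", "Sales Representative", "Widget Sales"),
    "/users/zsmith": person("Zygdoebert Smith", "Gadget Sales Lead", "Gadget Sales"),
    "/users/jane": person("Jane Doe", "Engineer", "Widget Sales"),
}

# Request modelled on this section's example: displayname contains "doE"
# AND title contains "Sales" (namespace as in the prose, BigCorp.com).
REQUEST = """<?xml version="1.0" encoding="utf-8" ?>
<D:principal-property-search xmlns:D="DAV:" xmlns:B="http://BigCorp.com/ns/">
  <D:property-search><D:prop><D:displayname/></D:prop><D:match>doE</D:match></D:property-search>
  <D:property-search><D:prop><B:title/></D:prop><D:match>Sales</D:match></D:property-search>
  <D:prop><D:displayname/></D:prop>
</D:principal-property-search>"""

# Same shape, but on a property the server does not make searchable.
UNSEARCHABLE_REQUEST = """<D:principal-property-search xmlns:D="DAV:" xmlns:B="http://BigCorp.com/ns/">
  <D:property-search><D:prop><B:department/></D:prop><D:match>Sales</D:match></D:property-search>
</D:principal-property-search>"""

# Mixed-content value as in the text: four separate runs, matched individually.
MIXED = prop("http://www.example.com/props/", "aprop",
             "zero<elem1>one</elem1><elem2>two</elem2>three")

if __name__ == "__main__":
    print(search(REQUEST, PRINCIPALS, SEARCHABLE))               # ['/users/jdoe', '/users/zsmith']
    print(search(UNSEARCHABLE_REQUEST, PRINCIPALS, SEARCHABLE))  # []
    print(cdata_runs(MIXED))                                     # ['zero', 'one', 'two', 'three']
    print(value_matches(MIXED, "TWO"), value_matches(MIXED, "onetwo"))  # True False
```

The "onetwo" probe shows the consequence of matching each character-data run on its own: a needle spanning two runs of a mixed-content value never matches, even though the concatenated text contains it. A request on the unsearchable department property returns no principals at all, which is the behaviour the text prescribes rather than an error.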
In this example, the client requests the principal URLs of all users whose DAV:displayname property contains the substring "doE" and whose "title" property in the namespace "http://BigCorp.com/ns/" (that is, their professional title) contains "Sales". In addition, the client requests five properties to be returned with the matching principals:
  In the DAV: namespace: displayname
  In the http://www.example.com/ns/ namespace: department, phone, office, salary
The response shows that two principal resources meet the search specification, "John Doe" and "Zygdoebert Smith". The property "salary" in namespace "http://www.example.com/ns/" is not returned, since the principal making the request does not have sufficient access permissions to read this property.
>> Request <<

REPORT /users/ HTTP/1.1
Host: www.example.com
Content-Type: text/xml; charset=utf-8
Content-Length: xxxx
Depth: 0

<?xml version="1.0" encoding="utf-8" ?>
<D:principal-property-search xmlns:D="DAV:">
  <D:property-search>
    <D:prop>
      <D:displayname/>
    </D:prop>
    <D:match>doE</D:match>
  </D:property-search>
  <D:property-search>
    <D:prop xmlns:B="http://www.example.com/ns/">
      <B:title/>
    </D:prop>
    <D:match>Sales</D:match>
  </D:property-search>
  <D:prop xmlns:B="http://www.example.com/ns/">
    <D:displayname/>
    <B:department/>
    <B:phone/>
    <B:office/>
    <B:salary/>
  </D:prop>
</D:principal-property-search>

>> Response <<

HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset=utf-8
Content-Length: xxxx

<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:" xmlns:B="http://BigCorp.com/ns/">
  <D:response>
    <D:href>http://www.example.com/users/jdoe</D:href>
    <D:propstat>
      <D:prop>
        <D:displayname>John Doe</D:displayname>
        <B:department>Widget Sales</B:department>
        <B:phone>234-4567</B:phone>
        <B:office>209</B:office>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
    <D:propstat>
      <D:prop>
        <B:salary/>
      </D:prop>
      <D:status>HTTP/1.1 403 Forbidden</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>http://www.example.com/users/zsmith</D:href>
    <D:propstat>
      <D:prop>
        <D:displayname>Zygdoebert Smith</D:displayname>
        <B:department>Gadget Sales</B:department>
        <B:phone>234-7654</B:phone>
        <B:office>114</B:office>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
    <D:propstat>
      <D:prop>
        <B:salary/>
      </D:prop>
      <D:status>HTTP/1.1 403 Forbidden</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>
The DAV:principal-search-property-set REPORT identifies those properties that may be searched using the DAV:principal-property-search REPORT (defined in Section 9.4).
Servers MUST support the DAV:principal-search-property-set REPORT on all collections identified in the value of a DAV:principal-collection-set property.
An access control protocol user agent could use the results of the DAV:principal-search-property-set REPORT to present a query interface to the user for retrieving principals.
Support for this report is REQUIRED.
Implementation Note: Some clients will have only limited screen real estate for the display of lists of searchable properties. In this case, a user might appreciate having the most frequently searched properties be displayed on-screen, rather than having to scroll through a long list of searchable properties. One mechanism for signaling the most frequently searched properties is to return them towards the start of a list of properties. A client can then preferentially display the list of properties in order, increasing the likelihood that the most frequently searched properties will appear on-screen, and will not require scrolling for their selection.
Marshalling:
The request body MUST be an empty DAV:principal-search-property-set XML element.
This report is only defined when the Depth header has value "0"; other values result in a 400 (Bad Request) error response. Note that [RFC3253], Section 3.6, states that if the Depth header is not present, it defaults to a value of "0".
The response body MUST be a DAV:principal-search-property-set XML element, containing a DAV:principal-search-property XML element for each property that may be searched with the DAV:principal-property-search REPORT. A server MAY limit its response to just a subset of the searchable properties, such as those likely to be useful to an interactive access control client.
<!ELEMENT principal-search-property-set (principal-search-property*) >
Each DAV:principal-search-property XML element contains exactly one searchable property, and a description of the property.
<!ELEMENT principal-search-property (prop, description) >
The DAV:prop element contains one principal property on which the server is able to perform a DAV:principal-property-search REPORT.
prop: see RFC 2518, Section 12.11
The description element is a human-readable description of what information this property represents. Servers MUST indicate the human language of the description using the xml:lang attribute and SHOULD consider the HTTP Accept-Language request header when selecting one of multiple available languages.
<!ELEMENT description #PCDATA >
In this example, the client determines the set of searchable principal properties by requesting the DAV:principal-search-property-set REPORT on the root of the server's principal URL collection set, identified by http://www.example.com/users/.
>> Request <<

REPORT /users/ HTTP/1.1
Host: www.example.com
Content-Type: text/xml; charset="utf-8"
Content-Length: xxx
Accept-Language: en, de
Authorization: BASIC d2FubmFtYWs6cGFzc3dvcmQ=
Depth: 0

<?xml version="1.0" encoding="utf-8" ?>
<D:principal-search-property-set xmlns:D="DAV:"/>

>> Response <<

HTTP/1.1 200 OK
Content-Type: text/xml; charset="utf-8"
Content-Length: xxx

<?xml version="1.0" encoding="utf-8" ?>
<D:principal-search-property-set xmlns:D="DAV:">
  <D:principal-search-property>
    <D:prop>
      <D:displayname/>
    </D:prop>
    <D:description xml:lang="en">Full name</D:description>
  </D:principal-search-property>
  <D:principal-search-property>
    <D:prop xmlns:B="http://BigCorp.com/ns/">
      <B:title/>
    </D:prop>
    <D:description xml:lang="en">Job title</D:description>
  </D:principal-search-property>
</D:principal-search-property-set>
Implementations of this specification MUST support the XML element ignore rule, as specified in Section 23.3.2 of [RFC2518], and the XML Namespace recommendation [REC-XML-NAMES].
Note that use of the DAV namespace is reserved for XML elements and property names defined in a standards-track or Experimental IETF RFC.
In this specification, the only human-readable content can be found in the description XML element, found within the DAV:supported-privilege-set property. This element contains a human-readable description of the capabilities controlled by a privilege. As a result, the description element must be capable of representing descriptions in multiple character sets. Since the description element is found within a WebDAV property, it is represented on the wire as XML [REC-XML], and hence can leverage XML's language tagging and character set encoding capabilities. Specifically, XML processors at minimum must be able to read XML elements encoded using the UTF-8 [RFC3629] encoding of the ISO 10646 multilingual plane. XML examples in this specification demonstrate use of the charset parameter of the Content-Type header, as defined in [RFC3023], as well as the XML "encoding" attribute, which together provide charset identification information for MIME and XML processors. Furthermore, this specification requires server implementations to tag description fields with the xml:lang attribute (see Section 2.12 of [REC-XML]), which specifies the human language of the description. Additionally, server implementations should take into account the value of the Accept-Language HTTP header to determine which description string to return.
For XML elements other than the description element, it is expected that implementations will treat the property names, privilege names, and values as tokens, and convert these tokens into human-readable text in the user's language and character set when displayed to a person. Only a generic WebDAV property display utility would display these values in their raw form to a human user.
For error reporting, we follow the convention of HTTP/1.1 status codes, including with each status code a short, English description of the code (e.g., 200 (OK)). While the possibility exists that a poorly crafted user agent would display this message to a user, internationalized applications will ignore this message, and display an appropriate message in the user's language and character set.
Further internationalization considerations for this protocol are described in the WebDAV Distributed Authoring protocol specification [RFC2518].
Applications and users of this access control protocol should be aware of several security considerations, detailed below. In addition to the discussion in this document, the security considerations detailed in the HTTP/1.1 specification [RFC2616], the WebDAV Distributed Authoring Protocol specification [RFC2518], and the XML Media Types specification [RFC3023] should be considered in a security analysis of this protocol.
In the absence of a mechanism for remotely manipulating access control lists, if a single user's authentication credentials are compromised, only those resources for which the user has access permission can be read, modified, moved, or deleted. With the introduction of this access control protocol, if a single compromised user has the ability to change ACLs for a broad range of other users (e.g., a super-user), the number of resources that could be altered by a single compromised user increases. This risk can be mitigated by limiting the number of people who have write-acl privileges across a broad range of resources.
12.2. Risks of the DAV:read-acl and DAV:current-user-privilege-set Privileges
The ability to read the access privileges (stored in the DAV:acl property), or the privileges permitted the currently authenticated user (stored in the DAV:current-user-privilege-set property) on a resource may seem innocuous, since reading an ACL cannot possibly affect the resource's state. However, if all resources have world-readable ACLs, it is possible to perform an exhaustive search for those resources that have inadvertently left themselves in a vulnerable state, such as being world-writable. In particular, the property retrieval method PROPFIND, executed with Depth infinity on an entire hierarchy, is a very efficient way to retrieve the DAV:acl or DAV:current-user-privilege-set properties. Once found, this vulnerability can be exploited by a denial of service attack in which the open resource is repeatedly overwritten. Alternately, writable resources can be modified in undesirable ways.
To reduce this risk, read-acl privileges should not be granted to unauthenticated principals, and restrictions on read-acl and read-current-user-privilege-set privileges for authenticated principals should be carefully analyzed when deploying this protocol. Access to the current-user-privilege-set property will involve a tradeoff of usability versus security. When the current-user-privilege-set is visible, user interfaces are expected to provide enhanced information concerning permitted and restricted operations, yet this information may also indicate a vulnerability that could be exploited. Deployment of this protocol will need to evaluate this tradeoff in light of the requirements of the deployment environment.
In an effort to reduce protocol complexity, this protocol specification intentionally does not address the issue of how to manage or discover the initial ACL that is placed upon a resource when it is created. The only way to discover the initial ACL is to create a new resource, then retrieve the value of the DAV:acl property. This assumes the principal creating the resource also has been granted the DAV:read-acl privilege.
As a result, it is possible that a principal could create a resource, and then discover that its ACL grants privileges that are undesirable. Furthermore, this protocol makes it possible (though unlikely) that the creating principal could be unable to modify the ACL, or even delete the resource. Even when the ACL can be modified, there will be a short period of time when the resource exists with the initial ACL before its new ACL can be set.
Several factors mitigate this risk. Human principals are often aware of the default access permissions in their editing environments and take this into account when writing information. Furthermore, default privilege policies are usually very conservative, limiting the privileges granted by the initial ACL.
Authentication mechanisms defined for use with HTTP and WebDAV also apply to this WebDAV Access Control Protocol, in particular the Basic and Digest authentication mechanisms defined in [RFC2617]. Implementation of the ACL spec requires that Basic authentication, if used, MUST only be supported over secure transport such as TLS.
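The two mitigations stated in the preceding security considerations (keep the set of principals holding write-acl small; do not grant read-acl or read-current-user-privilege-set to unauthenticated principals) and the "inadvertently world-writable" condition they protect against can be checked by an administrator over the server's own DAV:acl values. The following is an added example, not code from RFC 3744 or from any WebDAV server: it audits a DAV:multistatus body of the kind a PROPFIND for DAV:acl returns. The ACE layout (DAV:ace, DAV:principal, DAV:grant, DAV:privilege, and the DAV:all / DAV:unauthenticated pseudo-principals) follows the DAV:acl property definition of the RFC; the sample response, the resource and principal URLs in it, and the function names (audit_acl, ace_principal, granted_privileges) are constructed for this illustration.

```python
"""Audit DAV:acl values for the exposures discussed in the security
considerations above.

Added illustration, not code from RFC 3744 or from any WebDAV server.
Walks a DAV:multistatus body (such as a PROPFIND for DAV:acl returns) and
reports: resources where DAV:all or DAV:unauthenticated is granted a
write-class privilege (the "inadvertently world-writable" case), resources
where DAV:read-acl or DAV:read-current-user-privilege-set is granted to
unauthenticated principals, and which principals hold DAV:write-acl (or
DAV:all, which aggregates it), so that set can be kept small.
"""
import xml.etree.ElementTree as ET

DAV = "{DAV:}"
WRITE_CLASS = {"write", "write-properties", "write-content", "write-acl",
               "bind", "unbind", "all"}
ACL_READ = {"read-acl", "read-current-user-privilege-set"}


def local(tag):
    """Local name of a namespaced ElementTree tag."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def ace_principal(ace):
    """Describe an ACE's principal: the DAV:href text, "property:<name>" for
    DAV:property, or the pseudo-principal name (all, authenticated, ...)."""
    princ = ace.find(DAV + "principal")
    if princ is None or len(princ) == 0:
        return "?"  # DAV:invert or malformed ACE: not a plain grant
    inner = princ[0]
    if local(inner.tag) == "href":
        return (inner.text or "").strip()
    if local(inner.tag) == "property" and len(inner):
        return "property:" + local(inner[0].tag)
    return local(inner.tag)


def granted_privileges(ace):
    """Privilege names granted by an ACE; DAV:deny and DAV:invert ACEs only
    restrict, so they contribute nothing here."""
    grant = ace.find(DAV + "grant")
    if grant is None or ace.find(DAV + "invert") is not None:
        return set()
    return {local(p[0].tag) for p in grant.findall(DAV + "privilege") if len(p)}


def audit_acl(multistatus_xml):
    """Return (findings, write_acl_holders).  findings is a list of
    (href, issue, principal, privileges); write_acl_holders maps each
    principal holding DAV:write-acl or DAV:all to the resources concerned."""
    root = ET.fromstring(multistatus_xml)
    findings, holders = [], {}
    for resp in root.findall(DAV + "response"):
        href = (resp.findtext(DAV + "href") or "").strip()
        acl = resp.find(".//" + DAV + "acl")
        if acl is None:
            continue
        for ace in acl.findall(DAV + "ace"):
            who, privs = ace_principal(ace), granted_privileges(ace)
            if who in ("all", "unauthenticated") and privs & WRITE_CLASS:
                findings.append((href, "world-writable", who, sorted(privs & WRITE_CLASS)))
            if who == "unauthenticated" and privs & ACL_READ:
                findings.append((href, "acl-readable-unauthenticated", who, sorted(privs & ACL_READ)))
            if privs & {"write-acl", "all"}:
                holders.setdefault(who, set()).add(href)
    return findings, holders


# Constructed sample: one well-configured resource and one with both problems.
SAMPLE = """<?xml version="1.0" encoding="utf-8" ?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>http://www.example.com/papers/index.html</D:href>
    <D:propstat><D:prop><D:acl>
      <D:ace><D:principal><D:href>http://www.example.com/users/esedlar</D:href></D:principal>
        <D:grant><D:privilege><D:read/></D:privilege><D:privilege><D:write/></D:privilege></D:grant></D:ace>
      <D:ace><D:principal><D:all/></D:principal>
        <D:grant><D:privilege><D:read/></D:privilege></D:grant></D:ace>
    </D:acl></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat>
  </D:response>
  <D:response>
    <D:href>http://www.example.com/scratch/</D:href>
    <D:propstat><D:prop><D:acl>
      <D:ace><D:principal><D:all/></D:principal>
        <D:grant><D:privilege><D:read/></D:privilege><D:privilege><D:write/></D:privilege></D:grant></D:ace>
      <D:ace><D:principal><D:unauthenticated/></D:principal>
        <D:grant><D:privilege><D:read-acl/></D:privilege></D:grant></D:ace>
      <D:ace><D:principal><D:href>http://www.example.com/groups/admins</D:href></D:principal>
        <D:grant><D:privilege><D:all/></D:privilege></D:grant></D:ace>
    </D:acl></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat>
  </D:response>
</D:multistatus>"""

if __name__ == "__main__":
    found, holders = audit_acl(SAMPLE)
    for item in found:
        print(*item)  # scratch/: world-writable by all, read-acl for unauthenticated
    print(holders)    # {'http://www.example.com/groups/admins': {'http://www.example.com/scratch/'}}
```

Run over the multistatus returned by a Depth infinity PROPFIND for DAV:acl on one's own hierarchy, the findings list is the set of resources the text describes as discoverable by anyone who can read ACLs, and the holders map is the population whose size the first mitigation asks to keep small. DAV:deny and DAV:invert ACEs are deliberately ignored, so the audit only ever under-reports effective privileges for principals that also appear in a grant; a resource with no DAV:acl in the response is skipped rather than assumed safe.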
This document uses the namespace defined by [RFC2518] for XML elements. That is, this specification uses the "DAV:" URI namespace, previously registered in the URI schemes registry. All other IANA considerations mentioned in [RFC2518] are also applicable to this specification.
This protocol is the collaborative product of the WebDAV ACL design team: Bernard Chester, Geoff Clemm, Anne Hopkins, Barry Lind, Sean Lyndersay, Eric Sedlar, Greg Stein, and Jim Whitehead. The authors are grateful for the detailed review and comments provided by Jim Amsden, Dylan Barrell, Gino Basso, Murthy Chintalapati, Lisa Dusseault, Stefan Eissing, Tim Ellison, Yaron Goland, Dennis Hamilton, Laurie Harper, Eckehard Hermann, Ron Jacobs, Chris Knight, Remy Maucherat, Larry Masinter, Joe Orton, Peter Raymond, and Keith Wannamaker. We thank Keith Wannamaker for the initial text of the principal property search sections. Prior work on WebDAV access control protocols has been performed by Yaron Goland, Paul Leach, Lisa Dusseault, Howard Palmer, and Jon Radoff. We would like to acknowledge the foundation laid for us by the authors of the DeltaV, WebDAV and HTTP protocols upon which this protocol is layered, and the invaluable feedback from the WebDAV working group.
[REC-XML] Bray, T., Paoli, J., Sperberg-McQueen, C. and E. Maler, "Extensible Markup Language (XML) 1.0 (Third Edition)", W3C REC REC-xml-20040204, February 2004, <http://www.w3.org/TR/2004/REC-xml-20040204>.
[REC-XML-INFOSET] Cowan, J. and R. Tobin, "XML Information Set (Second Edition)", W3C REC REC-xml-infoset-20040204, February 2004, <http://www.w3.org/TR/2004/REC-xml-infoset-20040204/>.
[REC-XML-NAMES] Bray, T., Hollander, D. and A. Layman, "Namespaces in XML", W3C REC REC-xml-names-19990114, January 1999, <http://www.w3.org/TR/1999/REC-xml-names-19990114>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2518] Goland, Y., Whitehead, E., Faizi, A., Carter, S. and D. Jensen, "HTTP Extensions for Distributed Authoring -- WEBDAV", RFC 2518, February 1999.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A. and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999.
[RFC3023] Murata, M., St.Laurent, S. and D. Kohn, "XML Media Types", RFC 3023, January 2001.
[RFC3253] Clemm, G., Amsden, J., Ellison, T., Kaler, C. and J. Whitehead, "Versioning Extensions to WebDAV", RFC 3253, March 2002.
[RFC3530] Shepler, S., Ed., Callaghan, B., Robinson, D., Thurlow, R., Beame, C., Eisler, M. and D. Noveck, "Network File System (NFS) version 4 Protocol", RFC 3530, April 2003.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.
[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.
[RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC 2255, December 1997.
[UNICODE4] The Unicode Consortium, "The Unicode Standard - Version 4.0", Addison-Wesley, August 2003, <http://www.unicode.org/versions/Unicode4.0.0/>. ISBN 0321185781.
Appendix A. WebDAV XML Document Type Definition

All XML elements defined in this Document Type Definition (DTD) belong to the DAV namespace. This DTD should be viewed as an addendum to the DTD provided in [RFC2518], section 23.1.

<!-- Privileges (Section 3) -->

<!ELEMENT read EMPTY>
<!ELEMENT write EMPTY>
<!ELEMENT write-properties EMPTY>
<!ELEMENT write-content EMPTY>
<!ELEMENT unlock EMPTY>
<!ELEMENT read-acl EMPTY>
<!ELEMENT read-current-user-privilege-set EMPTY>
<!ELEMENT write-acl EMPTY>
<!ELEMENT bind EMPTY>
<!ELEMENT unbind EMPTY>
<!ELEMENT all EMPTY>

<!-- Principal Properties (Section 4) -->

<!ELEMENT principal EMPTY>

<!ELEMENT alternate-URI-set (href*)>
<!ELEMENT principal-URL (href)>
<!ELEMENT group-member-set (href*)>
<!ELEMENT group-membership (href*)>

<!-- Access Control Properties (Section 5) -->

<!-- DAV:owner Property (Section 5.1) -->

<!ELEMENT owner (href?)>

<!-- DAV:group Property (Section 5.2) -->

<!ELEMENT group (href?)>

<!-- DAV:supported-privilege-set Property (Section 5.3) -->

<!ELEMENT supported-privilege-set (supported-privilege*)>
<!ELEMENT supported-privilege (privilege, abstract?, description, supported-privilege*)>
<!ELEMENT privilege ANY>
<!ELEMENT abstract EMPTY>
<!ELEMENT description (#PCDATA)>

<!-- DAV:current-user-privilege-set Property (Section 5.4) -->

<!ELEMENT current-user-privilege-set (privilege*)>

<!-- DAV:acl Property (Section 5.5) -->

<!ELEMENT acl (ace*)>
<!ELEMENT ace ((principal | invert), (grant | deny), protected?, inherited?)>
<!-- Here DAV:principal is the principal selector of an ACE; the EMPTY DAV:principal declared under Section 4 is the resource type of the same name. -->
<!ELEMENT principal (href | all | authenticated | unauthenticated | property | self)>
<!ELEMENT all EMPTY>
<!ELEMENT authenticated EMPTY>
<!ELEMENT unauthenticated EMPTY>
<!ELEMENT property ANY>
<!ELEMENT self EMPTY>
<!ELEMENT invert (principal)>
<!ELEMENT grant (privilege+)>
<!ELEMENT deny (privilege+)>
<!ELEMENT privilege ANY>
<!ELEMENT protected EMPTY>
<!ELEMENT inherited (href)>

<!-- DAV:acl-restrictions Property (Section 5.6) -->

<!ELEMENT acl-restrictions (grant-only?, no-invert?, deny-before-grant?, required-principal?)>
<!ELEMENT grant-only EMPTY>
<!ELEMENT no-invert EMPTY>
<!ELEMENT deny-before-grant EMPTY>
<!ELEMENT required-principal (all? | authenticated? | unauthenticated? | self? | href* | property*)>

<!-- DAV:inherited-acl-set Property (Section 5.7) -->

<!ELEMENT inherited-acl-set (href*)>

<!-- DAV:principal-collection-set Property (Section 5.8) -->

<!ELEMENT principal-collection-set (href*)>

<!-- Access Control and Existing Methods (Section 7) -->

<!ELEMENT need-privileges (resource*)>
<!ELEMENT resource (href, privilege)>

<!-- ACL method preconditions (Section 8.1.1) -->

<!ELEMENT no-ace-conflict EMPTY>
<!ELEMENT no-protected-ace-conflict EMPTY>
<!ELEMENT no-inherited-ace-conflict EMPTY>
<!ELEMENT limited-number-of-aces EMPTY>
<!ELEMENT grant-only EMPTY>
<!ELEMENT no-invert EMPTY>
<!ELEMENT deny-before-grant EMPTY>
<!ELEMENT no-abstract EMPTY>
<!ELEMENT not-supported-privilege EMPTY>
<!ELEMENT missing-required-principal EMPTY>
<!ELEMENT recognized-principal EMPTY>
<!ELEMENT allowed-principal EMPTY>

<!-- REPORTs (Section 9) -->

<!ELEMENT acl-principal-prop-set ANY>
<!-- ANY value: a sequence of one or more elements, with at most one DAV:prop element. -->

<!ELEMENT principal-match ((principal-property | self), prop?)>
<!ELEMENT principal-property ANY>
<!-- ANY value: an element whose value identifies a property. The expectation is that the value of the named property typically contains an href element that contains the URI of a principal. -->
<!ELEMENT self EMPTY>

<!ELEMENT principal-property-search ((property-search+), prop?)>
<!ELEMENT property-search (prop, match)>
<!ELEMENT match (#PCDATA)>

<!ELEMENT principal-search-property-set (principal-search-property*)>
<!ELEMENT principal-search-property (prop, description)>
<!ELEMENT description (#PCDATA)>
Appendix B. WebDAV Method Privilege Table (Normative)

The following table of WebDAV methods (as defined in RFC 2518, 2616, and 3253) clarifies which privileges are required for access for each method. Note that the privileges listed, if denied, MUST cause access to be denied. However, given that a specific implementation MAY define an additional custom privilege to control access to existing methods, having all of the indicated privileges does not mean that access will be granted. Note that lack of the indicated privileges does not imply that access will be denied, since a particular implementation may use a sub-privilege aggregated under the indicated privilege to control access. Privileges required refer to the current resource being processed unless otherwise specified.

+---------------------------------+---------------------------------+
| METHOD                          | PRIVILEGES                      |
+---------------------------------+---------------------------------+
| GET                             | <D:read>                        |
| HEAD                            | <D:read>                        |
| OPTIONS                         | <D:read>                        |
| PUT (target exists)             | <D:write-content> on target     |
|                                 | resource                        |
| PUT (no target exists)          | <D:bind> on parent collection   |
|                                 | of target                       |
| PROPPATCH                       | <D:write-properties>            |
| ACL                             | <D:write-acl>                   |
| PROPFIND                        | <D:read> (plus <D:read-acl> and |
|                                 | <D:read-current-user-privilege- |
|                                 | set> as needed)                 |
| COPY (target exists)            | <D:read>, <D:write-content> and |
|                                 | <D:write-properties> on target  |
|                                 | resource                        |
| COPY (no target exists)         | <D:read>, <D:bind> on target    |
|                                 | collection                      |
| MOVE (no target exists)         | <D:unbind> on source collection |
|                                 | and <D:bind> on target          |
|                                 | collection                      |
| MOVE (target exists)            | As above, plus <D:unbind> on    |
|                                 | the target collection           |
| DELETE                          | <D:unbind> on parent collection |
| LOCK (target exists)            | <D:write-content>               |
| LOCK (no target exists)         | <D:bind> on parent collection   |
| MKCOL                           | <D:bind> on parent collection   |
| UNLOCK                          | <D:unlock>                      |
| CHECKOUT                        | <D:write-properties>            |
| CHECKIN                         | <D:write-properties>            |
| REPORT                          | <D:read> (on all referenced     |
|                                 | resources)                      |
| VERSION-CONTROL                 | <D:write-properties>            |
| MERGE                           | <D:write-content>               |
| MKWORKSPACE                     | <D:write-content> on parent     |
|                                 | collection                      |
| BASELINE-CONTROL                | <D:write-properties> and        |
|                                 | <D:write-content>               |
| MKACTIVITY                      | <D:write-content> on parent     |
|                                 | collection                      |
+---------------------------------+---------------------------------+
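As an added example that is not part of the RFC, the following Python parses a DAV:acl body against the ACE content model of Appendix A and then applies a few rows of the Appendix B table to decide whether a method may proceed. The sample ACL, the privilege aggregation, the subject representation and the first-match evaluation rule are assumptions made for this example, not taken from the appendices.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # the DAV: namespace in ElementTree's Clark notation
# Appendix B rows used here; "self" = request-URI resource, "parent" = its parent collection.
METHOD_PRIVILEGES = {
    ("GET", True): [("self", "read")], ("PUT", True): [("self", "write-content")],
    ("PUT", False): [("parent", "bind")], ("DELETE", True): [("parent", "unbind")],
}
# Aggregation assumed for this example; a server reads it from DAV:supported-privilege-set.
AGGREGATES = {"write": {"write-properties", "write-content", "bind", "unbind", "unlock"}}

# Constructed sample ACL: editors may write, anonymous users are denied reading,
# and everyone else may read.
SAMPLE_ACL = """<D:acl xmlns:D="DAV:">
  <D:ace><D:principal><D:href>/groups/editors/</D:href></D:principal>
    <D:grant><D:privilege><D:write/></D:privilege></D:grant><D:protected/></D:ace>
  <D:ace><D:principal><D:unauthenticated/></D:principal>
    <D:deny><D:privilege><D:read/></D:privilege></D:deny></D:ace>
  <D:ace><D:principal><D:all/></D:principal>
    <D:grant><D:privilege><D:read/></D:privilege></D:grant></D:ace>
</D:acl>"""

def parse_acl(xml_text):
    """Parse a DAV:acl body into ACE dicts, enforcing the Appendix A content model
    ace ::= (principal | invert), (grant | deny), protected?, inherited?"""
    root = ET.fromstring(xml_text)
    if root.tag != DAV + "acl":
        raise ValueError("root element must be DAV:acl")
    aces = []
    for ace in root.findall(DAV + "ace"):
        kids = list(ace)
        if len(kids) < 2 or kids[0].tag not in (DAV + "principal", DAV + "invert"):
            raise ValueError("ace must start with DAV:principal or DAV:invert")
        invert = kids[0].tag == DAV + "invert"
        selector = (kids[0].find(DAV + "principal") if invert else kids[0])[0]
        if kids[1].tag not in (DAV + "grant", DAV + "deny"):
            raise ValueError("second child must be DAV:grant or DAV:deny")
        privs = {p[0].tag[len(DAV):] for p in kids[1].findall(DAV + "privilege")}
        tail = [k.tag[len(DAV):] for k in kids[2:]]
        if tail not in ([], ["protected"], ["inherited"], ["protected", "inherited"]):
            raise ValueError("only protected?, inherited? may follow grant/deny")
        for p in list(privs):  # expand aggregate privileges to what they contain
            privs |= AGGREGATES.get(p, set())
        aces.append({"invert": invert, "kind": selector.tag[len(DAV):],
                     "href": (selector.text or "").strip(), "privileges": privs,
                     "grant": kids[1].tag == DAV + "grant", "protected": "protected" in tail})
    return aces

def matches(ace, subject):
    """subject = {"href": principal URL, or None if anonymous, "groups": set of URLs}.
    DAV:self and DAV:property need resource context and are treated as no match."""
    k, h = ace["kind"], ace["href"]
    hit = (k == "all" or (k == "authenticated" and subject["href"] is not None)
           or (k == "unauthenticated" and subject["href"] is None)
           or (k == "href" and (h == subject["href"] or h in subject["groups"])))
    return hit != ace["invert"]

def method_allowed(method, target_exists, acls, subject):
    """Appendix B check. acls = {"self": aces, "parent": aces}. Assumed evaluation
    rule: the first matching ACE that names the privilege decides; none means deny."""
    for where, priv in METHOD_PRIVILEGES[(method, target_exists)]:
        if not next((a["grant"] for a in acls[where]
                     if matches(a, subject) and priv in a["privileges"]), False):
            return False
    return True
```

Because the deny for unauthenticated users precedes the grant to DAV:all, an anonymous GET is refused while an authenticated one succeeds; swapping those two ACEs would change the outcome.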
Index

A
  ACL method

C
  Condition Names
    DAV:allowed-principal (pre)
    DAV:deny-before-grant (pre)
    DAV:grant-only (pre)
    DAV:limited-number-of-aces (pre)
    DAV:missing-required-principal (pre)
    DAV:no-abstract (pre)
    DAV:no-ace-conflict (pre)
    DAV:no-inherited-ace-conflict (pre)
    DAV:no-invert (pre)
    DAV:no-protected-ace-conflict (pre)
    DAV:not-supported-privilege (pre)
    DAV:number-of-matches-within-limits (post)
    DAV:recognized-principal (pre)

D
  DAV header compliance class 'access-control'
  DAV:acl property
  DAV:acl-principal-prop-set report
  DAV:acl-restrictions property
  DAV:all privilege
  DAV:allowed-principal precondition
  DAV:alternate-URI-set property
  DAV:bind privilege
  DAV:current-user-privilege-set property
  DAV:deny-before-grant precondition
  DAV:grant-only precondition
  DAV:group property
  DAV:group-member-set property
  DAV:group-membership property
  DAV:inherited-acl-set property
  DAV:limited-number-of-aces precondition
  DAV:missing-required-principal precondition
  DAV:no-abstract precondition
  DAV:no-ace-conflict precondition
  DAV:no-inherited-ace-conflict precondition
  DAV:no-invert precondition
  DAV:no-protected-ace-conflict precondition
  DAV:not-supported-privilege precondition
  DAV:number-of-matches-within-limits postcondition
  DAV:owner property
  DAV:principal resource type
  DAV:principal-collection-set property
  DAV:principal-match report
  DAV:principal-property-search
  DAV:principal-search-property-set
  DAV:principal-URL property
  DAV:read privilege
  DAV:read-acl privilege
  DAV:read-current-user-privilege-set privilege
  DAV:recognized-principal precondition
  DAV:supported-privilege-set property
  DAV:unbind privilege
  DAV:unlock privilege
  DAV:write privilege
  DAV:write-acl privilege
  DAV:write-content privilege
  DAV:write-properties privilege

M
  Methods
    ACL

P
  Privileges
    DAV:all
    DAV:bind
    DAV:read
    DAV:read-acl
    DAV:read-current-user-privilege-set
    DAV:unbind
    DAV:unlock
    DAV:write
    DAV:write-acl
    DAV:write-content
    DAV:write-properties
  Properties
    DAV:acl
    DAV:acl-restrictions
    DAV:alternate-URI-set
    DAV:current-user-privilege-set
    DAV:group
    DAV:group-member-set
    DAV:group-membership
    DAV:inherited-acl-set
    DAV:owner
    DAV:principal-collection-set
    DAV:principal-URL
    DAV:supported-privilege-set

R
  Reports
    DAV:acl-principal-prop-set
    DAV:principal-match
    DAV:principal-property-search
    DAV:principal-search-property-set
  Resource Types
    DAV:principal
Authors' Addresses

Geoffrey Clemm
IBM
20 Maguire Road
Lexington, MA 02421

EMail: geoffrey.clemm@us.ibm.com

Julian F. Reschke
greenbytes GmbH
Salzmannstrasse 152
Muenster, NW 48159
Germany

EMail: julian.reschke@greenbytes.de

Eric Sedlar
Oracle Corporation
500 Oracle Parkway
Redwood Shores, CA 94065

EMail: eric.sedlar@oracle.com

Jim Whitehead
U.C. Santa Cruz, Dept. of Computer Science
1156 High Street
Santa Cruz, CA 95064

EMail: ejw@cse.ucsc.edu

Full Copyright Statement

Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.