Network Working Group W. Sanchez Request for Comments: 5397 C. Daboo Category: Standards Track Apple Inc. December 2008
Network Working Group W. Sanchez Request for Comments: 5397 C. Daboo Category: Standards Track Apple Inc. December 2008
WebDAV Current Principal Extension
WebDAV当前主体扩展
Status of This Memo
关于下段备忘
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (c) 2008 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2008 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。
Abstract
摘要
This specification defines a new WebDAV property that allows clients to quickly determine the principal corresponding to the current authenticated user.
此规范定义了一个新的WebDAV属性,该属性允许客户端快速确定与当前经过身份验证的用户对应的主体。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . . 2 3. DAV:current-user-principal . . . . . . . . . . . . . . . . . . 3 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 4 6. Normative References . . . . . . . . . . . . . . . . . . . . . 4
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . . 2 3. DAV:current-user-principal . . . . . . . . . . . . . . . . . . 3 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 4 6. Normative References . . . . . . . . . . . . . . . . . . . . . 4
WebDAV [RFC4918] is an extension to HTTP [RFC2616] to support improved document authoring capabilities. The WebDAV Access Control Protocol ("WebDAV ACL") [RFC3744] extension adds access control capabilities to WebDAV. It introduces the concept of a "principal" resource, which is used to represent information about authenticated entities on the system.
WebDAV[RFC4918]是HTTP[RFC2616]的扩展,以支持改进的文档创作功能。WebDAV访问控制协议(“WebDAV ACL”)[RFC3744]扩展为WebDAV添加了访问控制功能。它引入了“主体”资源的概念,用于表示系统上经过身份验证的实体的信息。
Some clients have a need to determine which [RFC3744] principal a server is associating with the currently authenticated HTTP user. While [RFC3744] defines a DAV:current-user-privilege-set property for retrieving the privileges granted to that principal, there is no recommended way to identify the principal in question, which is necessary to perform other useful operations. For example, a client may wish to determine which groups the current user is a member of, or modify a property of the principal resource associated with the current user.
一些客户机需要确定服务器与当前经过身份验证的HTTP用户关联的[RFC3744]主体。虽然[RFC3744]定义了一个DAV:current user privilege set属性,用于检索授予该主体的权限,但没有推荐的方法来识别有问题的主体,这是执行其他有用操作所必需的。例如,客户端可能希望确定当前用户是哪些组的成员,或者修改与当前用户关联的主体资源的属性。
The DAV:principal-match REPORT provides some useful functionality, but there are common situations where the results from that query can be ambiguous. For example, not only is an individual user principal returned, but also every group principal that the user is a member of, and there is no clear way to distinguish which is which.
DAV:principal匹配报告提供了一些有用的功能,但在一些常见情况下,该查询的结果可能不明确。例如,不仅返回单个用户主体,还返回该用户所属的每个组主体,并且没有明确的方法来区分哪个是哪个。
This specification proposes an extension to WebDAV ACL that adds a DAV:current-user-principal property to resources under access control on the server. This property provides a URL to a principal resource corresponding to the currently authenticated user. This allows a client to "bootstrap" itself by performing additional queries on the principal resource to obtain additional information from that resource, which is the purpose of this extension. Note that while it is possible for multiple URLs to refer to the same principal resource, or for multiple principal resources to correspond to a single principal, this specification only allows for a single http(s) URL in the DAV:current-user-principal property. If a client wishes to obtain alternate URLs for the principal, it can query the principal resource for this information; it is not the purpose of this extension to provide a complete list of such URLs, but simply to provide a means to locate a resource which contains that (and other) information.
本规范提出了对WebDAV ACL的扩展,该扩展将DAV:current user principal属性添加到服务器上受访问控制的资源中。此属性提供与当前经过身份验证的用户相对应的主体资源的URL。这允许客户机通过对主体资源执行额外的查询来“引导”自身,以从该资源获取额外的信息,这就是此扩展的目的。请注意,虽然多个URL可能引用同一主体资源,或者多个主体资源可能对应于单个主体,但本规范仅允许在DAV:current user principal属性中使用单个http(s)URL。如果客户端希望获得主体的备用URL,它可以查询主体资源以获取此信息;此扩展的目的不是提供此类URL的完整列表,而是提供一种方法来定位包含该(和其他)信息的资源。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
When XML element types in the namespace "DAV:" are referenced in this document outside of the context of an XML fragment, the string "DAV:" will be prefixed to the element type names.
当名称空间“DAV:”中的XML元素类型在XML片段的上下文之外被引用时,字符串“DAV:”将作为元素类型名称的前缀。
Processing of XML by clients and servers MUST follow the rules defined in Section 17 of WebDAV [RFC4918].
客户端和服务器对XML的处理必须遵循WebDAV[RFC4918]第17节中定义的规则。
Some of the declarations refer to XML elements defined by WebDAV [RFC4918].
有些声明引用WebDAV[RFC4918]定义的XML元素。
Name: current-user-principal
名称:当前用户主体
Namespace: DAV:
名称空间:DAV:
Purpose: Indicates a URL for the currently authenticated user's principal resource on the server.
目的:指示服务器上当前已验证用户的主体资源的URL。
Value: A single DAV:href or DAV:unauthenticated element.
值:单个DAV:href或DAV:unauthenticated元素。
Protected: This property is computed on a per-request basis, and therefore is protected.
受保护:此属性是基于每个请求计算的,因此受到保护。
Description: The DAV:current-user-principal property contains either a DAV:href or DAV:unauthenticated XML element. The DAV:href element contains a URL to a principal resource corresponding to the currently authenticated user. That URL MUST be one of the URLs in the DAV:principal-URL or DAV:alternate-URI-set properties defined on the principal resource and MUST be an http(s) scheme URL. When authentication has not been done or has failed, this property MUST contain the DAV:unauthenticated pseudo-principal.
描述:DAV:current user principal属性包含DAV:href或DAV:unauthenticated XML元素。DAV:href元素包含指向与当前经过身份验证的用户相对应的主体资源的URL。该URL必须是在主体资源上定义的DAV:principal URL或DAV:alternate URI集属性中的URL之一,并且必须是http(s)方案URL。当身份验证未完成或失败时,此属性必须包含DAV:unauthenticated伪主体。
In some cases, there may be multiple principal resources corresponding to the same authenticated principal. In that case, the server is free to choose any one of the principal resource URIs for the value of the DAV:current-user-principal property. However, servers SHOULD be consistent and use the same principal resource URI for each authenticated principal.
在某些情况下,可能有多个主体资源对应于同一个经过身份验证的主体。在这种情况下,服务器可以为DAV:current user principal属性的值自由选择任何一个主体资源URI。但是,服务器应该是一致的,并且为每个经过身份验证的主体使用相同的主体资源URI。
COPY/MOVE behavior: This property is computed on a per-request basis, and is thus never copied or moved.
复制/移动行为:此属性是基于每个请求计算的,因此从不复制或移动。
Definition:
定义:
<!ELEMENT current-user-principal (unauthenticated | href)> <!-- href value: a URL to a principal resource -->
<!ELEMENT current-user-principal (unauthenticated | href)> <!-- href value: a URL to a principal resource -->
Example:
例子:
<D:current-user-principal xmlns:D="DAV:"> <D:href>/principals/users/cdaboo</D:href> </D:current-user-principal>
<D:current-user-principal xmlns:D="DAV:"> <D:href>/principals/users/cdaboo</D:href> </D:current-user-principal>
This specification does not introduce any additional security issues beyond those defined for HTTP [RFC2616], WebDAV [RFC4918], and WebDAV ACL [RFC3744].
除了为HTTP[RFC2616]、WebDAV[RFC4918]和WebDAV ACL[RFC3744]定义的安全问题外,本规范不会引入任何其他安全问题。
This specification is based on discussions that took place within the Calendaring and Scheduling Consortium's CalDAV Technical Committee. The authors thank the participants of that group for their input.
本规范基于日历和日程安排联盟的CalDAV技术委员会内进行的讨论。作者感谢该小组的参与者的投入。
The authors thank Julian Reschke for his valuable input via the WebDAV working group mailing list.
作者感谢Julian Reschke通过WebDAV工作组邮件列表提供的宝贵意见。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2616]菲尔丁,R.,盖蒂斯,J.,莫卧儿,J.,弗莱斯蒂克,H.,马斯特,L.,利奇,P.,和T.伯纳斯李,“超文本传输协议——HTTP/1.1”,RFC 2616,1999年6月。
[RFC3744] Clemm, G., Reschke, J., Sedlar, E., and J. Whitehead, "Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol", RFC 3744, May 2004.
[RFC3744]Clemm,G.,Reschke,J.,Sedlar,E.,和J.Whitehead,“Web分布式创作和版本控制(WebDAV)访问控制协议”,RFC 3744,2004年5月。
[RFC4918] Dusseault, L., "HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)", RFC 4918, June 2007.
[RFC4918]Dusseault,L.,“用于Web分布式创作和版本控制(WebDAV)的HTTP扩展”,RFC4918,2007年6月。
Authors' Addresses
作者地址
Wilfredo Sanchez Apple Inc. 1 Infinite Loop Cupertino, CA 95014 USA
威尔弗雷多·桑切斯苹果公司,美国加利福尼亚州库比蒂诺市无限环路1号,邮编95014
EMail: wsanchez@wsanchez.net URI: http://www.apple.com/
EMail: wsanchez@wsanchez.net URI: http://www.apple.com/
Cyrus Daboo Apple Inc. 1 Infinite Loop Cupertino, CA 95014 USA
Cyrus Daboo苹果公司,美国加利福尼亚州库珀蒂诺市无限环路1号,邮编95014
EMail: cyrus@daboo.name URI: http://www.apple.com/
EMail: cyrus@daboo.name URI: http://www.apple.com/