WebDAV Redirect Reference ResourcesXerox Corporation800 Phillips Road, 105-50CWebsterNY14580jslein@crt.xerox.comUC Santa Cruz, Dept. of Computer Science1156 High StreetSanta CruzCA95064USejw@cse.ucsc.eduCourseNet Systems170 Capp StreetSan FranciscoCA94110jrd3@alum.mit.eduRational Software Corporation20 Maguire RoadLexingtonMA02173-3104geoffrey.clemm@us.ibm.comFileNet Corporation3565 Harbor BoulevardCosta MesaCA92626-1420cfay@filenet.comIBM ResearchP.O. Box 704Yorktown HeightsNY10598ccjason@us.ibm.comgreenbytes GmbHSalzmannstrasse 152MuensterNW48159Germany+49 251 2807760+49 251 2807761julian.reschke@greenbytes.dehttp://greenbytes.de/tech/webdav/WEBDAV Working Group
Support creation of other than 302 redirects, especially 301.
This specification defines redirect reference resources. A
redirect reference resource is a resource whose default response is an
HTTP/1.1 302 (Found) status code, redirecting the client to a different
resource, the target resource. A redirect reference makes it possible
to access the target resource indirectly, through any URI mapped to the
redirect reference resource. There are no integrity guarantees
associated with redirect reference resources.
Distribution of this document is unlimited. Please send comments to the
Distributed Authoring and Versioning (WebDAV) working group at w3c-dist-auth@w3.org, which may be joined by sending a message with subject
"subscribe" to w3c-dist-auth-request@w3.org.
Discussions of the WEBDAV working group are archived at URL:
http://lists.w3.org/Archives/Public/w3c-dist-auth/.
This is one of a pair of specifications that extend the WebDAV
Distributed Authoring Protocol to enable clients to create new access
paths to existing resources. This capability is useful for several
reasons:
Not Hierarchical:
The first sentence of the second paragraph of the introduction of the redirect spec asserts that the URIs of WebDAV compliant resources match to collections. The WebDAV standard makes no such requirement. I therefore move that this sentence be stricken.
State the more general HTTP rationale first (alternative names for the same resource), then introduce the collection hierarchy rationale, which applies only if you are in a WebDAV-compliant space.
URIs of WebDAV-compliant resources are hierarchical and correspond to a
hierarchy of collections in resource space. The WebDAV Distributed
Authoring Protocol makes it possible to organize these resources into
hierarchies, placing them into groupings, known as collections, which
are more easily browsed and manipulated than a single flat collection.
However, hierarchies require categorization decisions that locate
resources at a single location in the hierarchy, a drawback when a
resource has multiple valid categories. For example, in a hierarchy of
vehicle descriptions containing collections for cars and boats, a
description of a combination car/boat vehicle could belong in either
collection. Ideally, the description should be accessible from both.
Allowing clients to create new URIs that access the existing resource
lets them put that resource into multiple collections.
Servers: Replace "server" with "unrelated system" throughout.
Try replacing "server" with "host" in some contexts, rephrasing in passive voice in others.
See also issue 40.
Hierarchies also make resource sharing more difficult, since resources
that have utility across many collections are still forced into a single
collection. For example, the mathematics department at one university
might create a collection of information on fractals that contains
bindings to some local resources, but also provides access to some
resources at other universities. For many reasons, it may be
undesirable to make physical copies of the shared resources on the local
server: to conserve disk space, to respect copyright constraints, or to
make any changes in the shared resources visible automatically. Being
able to create new access paths to existing resources in other
collections or even on other servers is useful for this sort of case.
Forwarding: Replace "forward" with "redirect" throughout.
Use "redirect" for the behavior redirect resources do exhibit. Use "forward" for the contrasting behavior (passing a method on to the target with no client action needed). Define these two terms. See also issue 40.
Make it clear in examples and text that the redirection URI could be non-HTTP.
We agree that it is possible to create redirect references to non-HTTP resources.
Add example. (actually it was added to the definition of "target resource").
The redirect reference resources defined here provide a mechanism for
creating alternative access paths to existing resources. A redirect
reference resource is a resource in one collection whose purpose is to
forward requests to another resource (its target), possibly in a
different collection. In this way, it allows clients to submit requests
to the target resource from another collection. It redirects most
requests to the target resource using the HTTP 302 (Found) status code,
thereby providing a form of mediated access to the target resource.
Integrity: Intro, para 7 "Servers are not required to enforce the integrity of redirect references." Integrity is not defined. Replace with something clearer.
Rewrite to say that the server MUST NOT update the target
See also issue 6.
A redirect reference is a resource, and so can have properties and a
body of its own with properties but no body of its own. Properties of a redirect reference resource can
contain such information as who created the reference, when, and why.
Since redirect reference resources are implemented using HTTP 302
responses, it generally takes two round trips to submit a request to the
intended resource. Servers are not required to enforce the integrity of
redirect references. Redirect references work equally well for local
resources and for resources that reside on a different server from the
reference.
The remainder of this document is structured as follows:
defines terms that will be used throughout the specification.
provides an overview of redirect reference resources.
discusses how to create a redirect reference resource.
defines the semantics of existing methods when applied to redirect
reference resources, and discusses their semantics when
applied to collections that contain redirect reference resources.
Sections
through discuss several other issues raised by the
existence of redirect reference resources. Sections through
define the new headers, properties, and XML elements required to support
redirect reference resources. Section discusses capability
discovery. Sections
through present the security,
internationalization, and IANA concerns raised by this specification.
The remaining sections provide a variety of supporting information.
Since this document describes a set of extensions to the WebDAV
Distributed Authoring Protocol , itself an extension to the
HTTP/1.1 protocol, the augmented BNF used here to describe protocol
elements is exactly the same as described in Section 2.1 of .
Since this augmented BNF uses the basic production rules provided in
Section 2.2 of , these rules apply to this document as well.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in .
The terminology used here follows and extends that in the WebDAV
Distributed Authoring Protocol specification . Definitions of
the terms resource, Uniform Resource Identifier (URI), and Uniform
Resource Locator (URL) are provided in .
Consider global rename of "redirect reference resource" to "redirect resource".
Redirect Reference Resource
A resource created to redirect all requests made to it, using 302 (Found),
to a defined target resource.
Non-Reference Resource
A resource that is not a reference to another resource.Target Resource
The resource to which requests are forwarded by a reference
resource.
A target resource can be anything that can be identified by an absolute URI
(see , "absoluteURI").
For all operations submitted to a redirect reference resource, the
default response is a 302 (Found), accompanied by the Redirect-Ref
header (defined in below) and the Location header set to
the URI of the target resource. With this information, the client can
resubmit the request to the URI of the target resource.
A redirect reference resource never automatically forwards requests to
its target resource.
Redirect resources
bring the same benefits as links in HTML documents. They can be created and
maintained without the involvement or even knowledge of their target
resource. This reduces the cost of linking between resources."
Get rid of the DAV:reftarget property.
DAV:reftarget is readonly and is present only for redirect references that are also WebDAV resources.
We'll also have a method for setting target; Redirect-Ref header (returned on all 302 responses) will have the target as its value.
See also issue 6, 17, 50.
If the client is aware that it is operating on a redirect reference
resource, it can resolve the reference by retrieving the reference
resource's DAV:reftarget property (defined in below), whose
value contains the URI of the target resource. It can then submit
requests to the target resource.
A redirect reference resource is a new type of resource. To distinguish
redirect reference resources from non-reference resources, a new value
of the DAV:resourcetype property (defined in ), DAV:redirectref,
is defined in below.
Section 4, para 5 and Section 6, para 3 discussions of the Apply-to-Redirect-Ref header make it sound as if we are specifying direct reference behavior.
Change these passages so that the contrast is between applying the method to the redirect reference and responding with a 302.
Since a redirect reference resource is a resource, it can have its own
properties and body, and , methods can be applied to the reference
resource as well as to its target resource. The Apply-To-Redirect-Ref
request header (defined in below) is provided so that
referencing-aware clients can control whether an operation is applied to
the redirect reference resource or to its target resource. The Apply-To-Redirect-Ref
header can be used with most requests to redirect
reference resources. This header is particularly useful with PROPFIND,
to retrieve the reference resource's own properties.
"Standard data container" needs to be defined in the context of MKRESOURCE
Not relevant once we switch to MKREF.
Inconsistency about whether a "standard data container" can be created with MKRESOURCE or not.
Not relevant once we switch to MKREF.
Section 5: Start with "The new MKRESOURCE method" to make it clear that it is being introduced for the first time here.
Say "The MKREF method defined normatively here . . ."
Inconsistency about whether collections can be created with MKRESOURCE.
(1) Strip all non-redirect-ref functionality from MKRESOURCE, then (2) later
switch to a new method.
Is MKRESOURCE atomic as viewed by a client? Can another client access the new resource's properties before they have been fully initialized?
Maybe the MKRESOURCE request should let the client ask for it to be atomic.
No longer relevant once we switch to MKREF with no request body. Also,
as an intermediate step MKRESOURCE is defined to be atomic.
Make redirect references independent of the rest of WebDAV. The creation method for redirect references shouldn't require an XML request body.
We will make redirect references independent of the rest of WebDAV.
MKREF will not have an XML request body.
Use a creation method that creates only redirect references.
The MKRESOURCE method hinders experiment because a user of a server who wishes to add support for the creation of a new resource type can't simply throw in another Apache module and allow it to provide the code for the new resource type. They have to find the code used for MKRESOURCE and change it to support the new resource type.
We will replace MKRESOURCE with MKREF, which creates only redirect reference resources.
There needs to be a way to update the target of a redirect reference.
Agreed.
See also issues 6, 43.
The new MKRESOURCE method is used to create new redirect reference
resources. As defined in , MKRESOURCE can be used to create
a resource of any type other than standard data containers and
collections. In order to create a redirect reference resource using
MKRESOURCE, the values of two properties must be set in the body of the
MKRESOURCE request. The value of DAV:resourcetype MUST be set to
DAV:redirectref, a new value of DAV:resourcetype defined in .
The value of DAV:reftarget MUST be set to the URI of the target
resource.
Used in this way, the MKRESOURCE method creates a redirect reference
resource whose target is identified by the DAV:reftarget property.
The MKRESOURCE method requests the creation of a redirect reference resource and
initialization of its properties. It allows resources other than
standard data containers and collections to be created and their
properties initialized in one atomic operation.
Preconditions:
A resource MUST NOT exist at the Request-URI.
Request Marshalling:
The location of the new resource to be created is specified by the
Request-URI.
The request body of the MKRESOURCE method MUST consist of the
DAV:propertyupdate XML element defined in Section 12.13 of ,
specifying a DAV:resourcetype of "DAV:redirectref".
Postconditions:
If the response status code is 201, a new resource exists at the
Request-URI.
Section 5.1: Get rid of the statement that the body of the resource is empty (PostConditions). It would be good if the response to GET included a response body that could be shown to a user by a client that doesn't do automatic redirection.
There is a related problem in Section 6 on PUT. It is wrong to assume that what is PUT to a resource is what GET will return. In Section 6, say "A PUT with Apply-To-RR MAY contain a request body. The semantics of the request body is out of scope for this specification..."
Also fix the discussion of example 6.2.
Redirect references cannot have bodies.
GET with Apply-To-RR MUST fail with 403.
PUT with Apply-To-RR MUST fail with 403.
See also issue 1.
The body of the new resource is empty.
Section 5.1: Replace the sentence "The properties of the new resource are as specified by the DAV:propertyupdate request body, using PROPPATCH semantics" with the following:
"The MKRESOURCE request MAY contain a DAV:propertyupdate request body to initialize resource properties. Herein, the semantics is the same as when sending a MKRESOURCE request without a request body, followed by a PROPPATCH with the DAV:propertyupdate request body."
No longer relevant once we switch to MKREF with no request body.
The properties of the new resource are as specified by the
DAV:propertyupdate request body, using PROPPATCH semantics. If the
DAV:propertyupdate does not specify a DAV:resourcetype, the resource
will be a standard data container.
If the response status code is not 201, then a new resource is not
created at the Request-URI, and any existing resource at the Request-URI
is unaffected.
Response Marshalling:
Responses from a MKRESOURCE request MUST NOT be cached, as MKRESOURCE
has non-idempotent semantics.
The following status codes can be expected in responses to MKRESOURCE:
In line with his wish to get rid of the request message body of MKRESOURCE, 207 would not be an appropriate response code.
The description of 409 might lead someone to believe that you can't create redirect references outside of WebDAV namespaces. Suggests a different description.
No longer relevant - MKREF can't get a 207 response.
Revise to make it clear that the first condition will only occur in WebDAV-compliant namespaces.
201 (Created): The new resource was successfully created.
207 (Multi-Status): This response is generated if an error was
encountered while initializing the properties of the resource, in which
case the response is as defined in Section 8.2.1 of .
403 (Forbidden): The server does not allow the creation of the requested
resource type at the requested location, or the parent collection of the
Request-URI exists but cannot accept members.
409 (Conflict): A resource cannot be created at the Request-URI because
the parent collection for the resource does not exist, or because there
is already a resource at that request-URL.
423 (Locked): The Request-URI is locked, and the lock token was not
passed with the request.
507 (Insufficient Storage): The server does not have sufficient space to
record the state of the resource.
This request resulted in the creation of a new redirect reference
resource at www.ics.uci.edu/~whitehead/dav/spec08.ref, which points to
the resource identified by the DAV:reftarget property. In this example,
the target resource is identified by the URI http://www.ics.uci.edu/i-d/draft-webdav-protocol-08.txt.
The redirect reference resource's DAV:resourcetype property is set to DAV:redirectref.
Replace all of section 6 with just this:
A redirect resource, upon receiving a request without an Apply-To-Redirect-Ref header, MUST respond with a 302 (Found) response. The 302 (Found) response MUST include a location header identifying the target and a Redirect-Ref header.
If a redirect resource receives a request with an Apply-To-Redirect-Ref header then the redirect reference resource MUST apply the method to itself rather than blindly returning a 302 (Found) response.
Keep a summary along the lines of Yaron's proposal (don't use the word "blindly").
Keep the bullets detailing the headers to be returned.
Delete the rest, including the examples.
See also issue 28, 29, 30, 31, 32.
Although non-referencing-aware clients cannot create reference
resources, they should be able to submit requests through the reference
resources created by reference-aware WebDAV clients. They should be
able to follow any references to their targets. To make this possible,
a server that receives any request made via a redirect reference
resource MUST return a 302 (Found) status code, unless the request
includes an Apply-To-Redirect-Ref header. The client and server MUST
follow Section 10.3.3 "302 Found," but with these additional
rules:
The Location response header MUST contain an absolute URI that
identifies the target of the reference resource.
The response MUST include the Redirect-Ref header. This header
allows reference-aware WebDAV clients to recognize the resource as a
reference resource and understand the reason for the redirection.
Section 6: Get rid of the sentence "A reference-aware WebDAV client can act on this response in one of two ways." A client can act on the response in any way it wants.
Agreed.
See also issue 48.
Section 6, para 4: Obvious, doesn't need to be stated. Maybe note in an example.
Agreed.
See also issue 48.
A reference-aware WebDAV client can act on this response in one of two
ways. It can, like a non-referencing client, resubmit the request to
the URI in the Location header in order to operate on the target
resource. Alternatively, it can resubmit the request to the URI of the
redirect reference resource with the Apply-To-Redirect-Ref header in
order to operate on the reference resource itself. If the Apply-To-Redirect-Ref
header is present, the request MUST be applied to the
reference resource itself, and a 302 response MUST NOT be returned.
A reference-aware client may know before submitting its request that the
Request-URI identifies a redirect reference resource. In this case, if
the client wants to apply the method to the reference resource, it can
save the round trip caused by the 302 response by using an Apply-To-Redirect-Ref
header in its initial request to the URI.
A few methods need additional explanation:
The Apply-To-Redirect-Ref header can be used with GET or HEAD to
retrieve the entity headers of a redirect reference resource. When
Apply-To-Redirect-Ref is used with GET or HEAD, the Redirect-Ref entity
header MUST be returned.
A redirect reference resource MAY have a body, though none is defined
for it in this specification. The PUT method can be used, with Apply-To-Redirect-Ref,
to create or replace the body of a redirect reference
resource.
As redirect references do not have bodies, GET and PUT requests with
Apply-To-Redirect-Ref MUST fail with status 403 (forbidden).
Since /bar.html is a redirect reference resource and the Apply-To-Redirect-Ref
header is not included in the request, the response is a
302 (Found). The Redirect-Ref header informs a reference-aware client
that this is not an ordinary HTTP 1.1 redirect, but is a redirect
reference resource. The URI of the target resource is provided in the
Location header so that the client can resubmit the request to the
target resource.
Remove the last sentence of Example 6.2, which says that PUT replaces the reference with a different resource.
No longer relevant. Deleted this example in response to issue 48.
Although /bar.html is a redirect reference resource, the presence of the
Apply-To-Redirect-Ref header prevents a 302 response, and instead causes
the request to be applied to the reference resource. The result in this
case is that the reference resource is replaced by a non-reference
resource having the content submitted with the request.
Since /bar.html is a redirect reference resource and the Apply-To-Redirect-Ref
header is not included in the request, the response is a
302 (Found). The Redirect-Ref header informs a reference-aware client
that this is not an ordinary HTTP 1.1 redirect, but is a redirect
reference resource. The URI of the target resource is provided in the
Location header so that the client can resubmit the request to the
target resource.
Instead of adding an optional prop XML element to the response element in 207 responses, define a new location XML element and a new refresource XML element.
Agree to define new XML elements that are not pseudo-properties.
Disagreement about whether refresource is needed.
See issue 61.
Section 7: It doesn't make sense to ask future editors of RFC 2518 to define DAV:location with the semantics it has here.
RFC 2518 should provide the information in the Location header somehow in multistatus responses, but not by using properties.
Define an XML element for location that is not a pseudo-property.
We'll keep the recommendation that RFC 2518 add this for 302 responses.
See also issue 44.
Consistent with the rules in , the response for each redirect
reference encountered while processing a collection MUST be a 302
(Found) unless a Apply-To-Redirect-Ref header is included with the
request. The overall response will therefore be a 207 (Multi-Status).
Since a Location header and Redirect-Ref header cannot be returned for
each redirect reference encountered, the same information is provided
using properties in the response elements for those resources. The
DAV:location pseudo-property and the DAV:resourcetype property MUST be
included with the 302 status code. This necessitates an extension to
the syntax of the DAV:response element that was defined in .
The extension is defined in below.
Section 7, para 3: Make it clear that these are just examples of client behavior, and are not meant to limit the client's behavior to these options.
Agreed to delete this paragraph.
Continue discussion of what information should be returned with 302 in multistatus. Just location? Also redirectref?
A referencing-aware client can tell from the DAV:resourcetype property
that the collection contains a redirect reference resource. The
DAV:location pseudo-property contains the absolute URI of the target
resource. A referencing-aware client can either use the URI value of
the DAV:location pseudo-property to resubmit its request to the target
resource, or it can submit the request to the redirect reference
resource with Apply-To-Redirect-Ref.
Section 7: It's too strong to claim that non-referencing clients can't process 302 responses occurring in Multi-Status responses. They just have an extra round trip for each 302.
Remove last sentence of the paragraph that recommends changes to RFC 2518.
It is recommended that future editors of define the
DAV:location pseudo-property in , so that non-referencing
clients will also be able to use the response to operate on the target
resource. (This will also enable clients to operate on traditional
HTTP/1.1 302 responses in Multi-Status responses.) Until then, non-referencing
clients will not be able to process 302 responses from
redirect reference resources encountered while processing a collection.
The Apply-To-Redirect-Ref header (defined in ) MAY be used
with any request on a collection. If present, it will be applied to all
redirect reference resources encountered while processing the
collection.
Section 7.1: Is MOVE atomic from the perspective of a client?
Agrees that there should be no 302s for member redirect references, but finds the rationale dubious.
Remove 7.1.
Reword 7.2 to avoid concerns with "poses special problems" and "due to atomicity".
DELETE removes the binding that corresponds to the Request-URI. MOVE
removes that binding and creates a new binding to the same resource. In
cases where DELETE and MOVE are applied to a collection, these
operations affect all the descendents of the collection, but they do so
indirectly. There is no need to visit each descendent in order to
process the request. Consequently, even if there are redirect reference
resources in a tree that is being deleted or moved, there will be no 302
responses from the redirect reference resources.
LOCK poses special problems because it is atomic. An attempt to lock
(with Depth: infinity) a collection that contains redirect references
will always fail. The Multi-Status response will contain a 302 response
for each redirect reference.
Reference-aware clients can lock the collection by using Apply-To-Redirect-Ref,
and, if desired, lock the targets of the redirect
references individually.
Non-referencing clients must resort to locking each resource
individually.
Suppose a PROPFIND request with Depth: infinity is submitted to the
following collection, with the members shown here:
In this example the Depth header is set to infinity, and the Apply-To-Redirect-Ref
header is not used. The collection contains one URI that
identifies a redirect reference resource. The response element for the
redirect reference resource has a status of 302 (Found), and includes a
DAV:prop element with the DAV:location pseudo-property and the
DAV:resourcetype property to allow clients to retrieve the properties of
its target resource. (The response element for the redirect reference
resource does not include the requested properties. The client can
submit another PROPFIND request to the URI in the DAV:location pseudo-property
to retrieve those properties.)
Suppose a PROPFIND request with Apply-To-Redirect-Ref and Depth:
infinity is submitted to the following collection, with the members
shown here:
Since the Apply-To-Redirect-Ref header is present, the response shows
the properties of the redirect reference resource in the collection
rather than reporting a 302 status.
Suppose a COPY request is submitted to the following collection, with
the members shown:
In this case, since /MyCollection/nunavut is a redirect reference
resource, the COPY operation was only a partial success. The redirect
reference resource was not copied, but a 302 response was returned for
it. So the resulting collection is as follows:
Suppose a LOCK request is submitted to the following collection, with
the members shown:
The server returns a 302 response code for the redirect reference
resource in the collection. Consequently, neither the collection nor
any of the resources identified by its internal member URIs were locked.
A referencing-aware client can submit a separate LOCK request to the URI
in the DAV:location pseudo-property returned for the redirect reference
resource, and can resubmit the LOCK request with the Apply-To-Redirect-Ref
header to the collection. At that point both the reference resource
and its target resource will be locked (as well as the collection and
all the resources identified by its other members).
Operations on targets of redirect reference resources have no effect on
the reference resource.
Why does the spec talk about relative URIs in DAV:reftarget in MKRESOURCE
requests? Is the server required to resolve the relative URI and store it as absolute?
Is the server required to keep DAV:reftarget pointing to the target resource
as the reference / target move, or is DAV:reftarget a dead property?
DAV:reftarget is readonly and present only on redirect references that are
also WebDAV resources.
Add a method for setting the target. Change definition of Redirect-Ref header
so that it has the target as its value (comes back on all 302 responses).
Server MUST store the target exactly as it is set. It MUST NOT resolve
relatives to absolutes and MUST NOT update if target resource moves.
See also issue 17, 43, 50, 57
Add language to forbid servers from automatically updating redirect resources when their targets move.
Agreed.
See also issue 6.
Section 9:
Base URI should be the Request-URI or href minus its final segment.
Fix this.
The URI in the href in a DAV:reftarget property MAY be a relative URI.
In this case, the base URI to be used for resolving the relative URI to
absolute form is the URI used in the HTTP message to identify the
redirect reference resource to which the DAV:reftarget property belongs.
When DAV:reftarget occurs in the body of a MKRESOURCE request, the base
URI is constructed as follows: Its scheme component is "http", its
authority component is the value of the Host header in the request, and
its path component is the Request-URI in the request. See Section 5 of
for a discussion of relative URI references and how to resolve
them.
When DAV:reftarget appears in the context of a Multi-Status response, it
is in a DAV:response element that contains a single DAV:href element.
The value of this DAV:href element serves as the base URI for resolving
a relative URI in DAV:reftarget. The value of DAV:href may itself be
relative, in which case it must be resolved first in order to serve as
the base URI for the relative URI in DAV:reftarget. If the DAV:href
element is relative, its base URI is constructed from the scheme
component "http", the value of the Host header in the request, and the
request-URI.
In this example, the base URI is http://www.somehost.edu/north/inuvik.
Then, following the rules in Section 5, the relative URI in
DAV:reftarget resolves to the absolute URI
http://www.somehost.edu/north/mapcollection/inuvik.gif.
In this example, the relative URI statistics/population/1997.html is
returned as the value of reftarget for the reference resource identified
by href /geog/stats.html. The href is itself a relative URI, which
resolves to http://www.xxsrv.com/geog/stats.html. This is the base URI
for resolving the relative URI in reftarget. The absolute URI of
reftarget is http://www.xxsrv.com/geog/statistics/population/1997.html.
The behavior described in this section would have a very serious impact on the efficiency of mapping Request-URIs to resources in HTTP request processing.
Also specify another type of redirect resource that does not behave as in section 10, but instead would "expose the behavior we see today in various HTTP servers that allow their users to create 300 resources." Be sure we know what behavior will be if the redirect location is not an HTTP URL, but, say ftp.
We won't define 2 sorts of redirect references here.
Servers SHOULD respond with 302 as described here, but if they can't do that, respond with 404 Not Found.
(It's hard to modularize the behavior specified - it impacts processing Not Found cases of all methods, so you can't just add it to an HTTP server in a redirect ref module.)
Section 10: Forbid DAV:reftarget from ending in "/"
Make the note warn about the possibility of two slashes in a row, recommend against ending target with a slash, since that could result in two slashes in a row.
In a Request-URI /segment1/segment2/segment3, any of the three segments
may identify a redirect reference resource. (See , Section 3.3,
for definitions of "path" and "segment".) If any segment in a Request-
URI identifies a redirect reference resource, the response is a 302.
The value of the Location header in the 302 response is as follows:
The leftmost path segment of the request-URI that identifies a redirect
reference resource, together with all path segments and separators to
the left of it, is replaced by the value of the redirect reference
resource's DAV:reftarget property (resolved to an absolute URI). The
remainder of the request-URI is concatenated to this path.
Note: If the DAV:reftarget property ends with a "/" and the remainder of
the Request-URI is non-empty (and therefore must begin with a "/"), the
final "/" in the DAV:reftarget property is dropped before the remainder
of the Request-URI is appended.
Consider Request-URI /x/y/z.html. Suppose that /x/ is a redirect
reference resource whose target resource is collection /a/, which
contains redirect reference resource y whose target resource is
collection /b/, which contains redirect reference resource z.html whose
target resource is /c/d.html.
In this case the client must follow up three separate 302 responses
before finally reaching the target resource. The server responds to the
initial request with a 302 with Location: /a/y/z.html, and the client
resubmits the request to /a/y/z.html. The server responds to this
request with a 302 with Location: /b/z.html, and the client resubmits
the request to /b/z.html. The server responds to this request with a
302 with Location: /c/d.html, and the client resubmits the request to
/c/d.html. This final request succeeds.
Replace current language explaining the purpose of the Redirect-Ref header with language that simply states that it marks blind 302 responses from redirect resources. (Section 6.3, 11.1)
Section 6.3 was removed in response to issue 48.
In 11.1, change the definition of the Redirect-Ref header to have the value of the target (relative URI) as its value. Then we don't need a method for retrieving the target's relative URI. Presence of the Redirect-Ref header lets the client know that the resource accepts Apply-To-RR header and the new method for updating target.
Reject Yaron's suggested language, but make the above changes.
"plain HTTP/1.1 redirect" - find some good name for this an use it consistently
Redirect-Ref = "Redirect-Ref:"
The Redirect-Ref header is used in all 302 responses from redirect
reference resources. Its presence informs reference-aware clients that
the response is not a plain HTTP/1.1 redirect, but is a response from a
redirect reference resource.
11.2:
"If the Apply-To-Redirect-Ref header is used on a request to any other sort of resource besides a redirect reference resource, the server SHOULD ignore it."
Don't need to say this since HTP already says that any header that is not understood should be ignored.
Need to keep this to specify what a server that does support this
protocol needs to do when the header appears in a request to a non-redirect-ref
resource. However, say "MUST".
Apply-To-Redirect-Ref = "Apply-To-Redirect-Ref" ":"
The optional Apply-To-Redirect-Ref header can be used on any request to
a redirect reference resource. When it is used, the request MUST be
applied to the reference resource itself, and a 302 response MUST NOT be
returned.
If the Apply-To-Redirect-Ref header is used on a request to any other
sort of resource besides a redirect reference resource, the server
SHOULDMUST ignore it.
reftargetDAV:A property of redirect reference resources that provides an
efficient way for clients to discover the URI of the target
resource. This is a read-only property after its initial
creation. Its value can only be set in a MKRESOURCE request.href containing the URI of the target resource. This value
MAY be a relative URI. The reftarget property can occur in
the entity bodies of MKRESOURCE requests and of responses to
PROPFIND requests.
12.2:
Make DAV:location a real (live) property, get rid of the DAV:reftarget property
locationDAV:For use with 302 (Found) response codes in Multi-Status
responses. It contains the absolute URI of the temporary
location of the resource. In the context of redirect
reference resources, this value is the absolute URI of the
target resource. It is analogous to the Location header in
HTTP 302 responses defined in Section 10.3.3 "302
Found." Including the location pseudo-property in a Multi-
Status response requires an extension to the syntax of the
DAV:response element defined in , which is defined
in below. This pseudo-property is not expected
to be stored on the reference resource. It is modeled as a
property only so that it can be returned inside a DAV:prop
element in a Multi-Status response.href containing the absolute URI of the target resource.redirectrefDAV:Used as the value of the DAV:resourcetype property to
specify that the resource type is a redirect reference
resource.
As described in , the DAV:location pseudo-property and the
DAV:resourcetype property may be returned in the DAV:response element of
a 207 Multi-Status response, to allow clients to resubmit their requests
to the target resource of a redirect reference resource.
Whenever these properties are included in a Multi-Status response, they
are placed in a DAV:prop element associated with the href to which they
apply. This structure provides a framework for future extensions by
other standards that may need to include additional properties in their
responses.
Consequently, the definition of the DAV:response XML element changes to
the following:
Sections 9.1 and 15 of describe the use of compliance classes
with the DAV header in responses to OPTIONS, to indicate which parts of
the WebDAV Distributed Authoring protocols the resource supports. This
specification defines an OPTIONAL extension to . It defines a
new compliance class, called redirectrefs, for use with the DAV header
in responses to OPTIONS requests. If a resource does support redirect
references, its response to an OPTIONS request may indicate that it
does, by listing the new redirectrefs compliance class in the DAV
headerand by listing the MKRESOURCE method as one it supports.
When responding to an OPTIONS request, any type of resource can include
redirectrefs in the value of the DAV header. Doing so indicates that
the server permits a redirect reference resource at the request URI.
The DAV header in the response indicates that the resource
/somecollection/someresource is level 1 and level 2 compliant, as
defined in . In addition, /somecollection/someresource supports
redirect reference resources. The Allow header indicates that
MKRESOURCE requests can be submitted to /somecollection/someresource.
The Public header shows that other Request-URIs on the server support
additional methods.
This section is provided to make applications that implement this protocol aware of the
security implications of this protocol.
All of the security considerations of HTTP/1.1 and the WebDAV
Distributed Authoring Protocol specification also apply to this protocol
specification. In addition, redirect reference resources introduce
several new security concerns and increase the risk of some existing
threats. These issues are detailed below.
By creating redirect reference resources on a trusted server, it is
possible for a hostile agent to induce users to send private information
to a target on a different server. This risk is mitigated somewhat,
since clients are required to notify the user of the redirection for any
request other than GET or HEAD. (See , Section 10.3.3 302 Found.)
Although redirect loops were already possible in HTTP 1.1, the
introduction of the MKRESOURCE method creates a new avenue for clients
to create loops accidentally or maliciously. If the reference resource
and its target are on the same server, the server may be able to detect
MKRESOURCE requests that would create loops. See also , Section
10.3 "Redirection 3xx."
Denial of service attacks were already possible by posting URLs that
were intended for limited use at heavily used Web sites. The
introduction of MKRESOURCE creates a new avenue for similar denial of
service attacks. Clients can now create redirect reference resources at
heavily used sites to target locations that were not designed for heavy
usage.
Section 16.4:
"In some environments, the owner of a resource might be able to use access control to prevent others from creating references to that resource."
That would not be consistent with the concept of redirect references as weak links (e.g. think of moving a resource to a different locationo that is already the target of some redirection reference.
There are several ways that redirect reference resources may reveal
information about collection structures. First, the DAV:reftarget
property of every redirect reference resource contains the URI of the
target resource. Anyone who has access to the reference resource can
discover the collection path that leads to the target resource. The
owner of the target resource may have wanted to limit knowledge of this
collection structure.
Sufficiently powerful access control mechanisms can control this risk to
some extent. Property-level access control could prevent users from
examining the DAV:reftarget property. (The Location header returned in
responses to requests on redirect reference resources reveals the same
information, however.) In some environments, the owner of a resource
might be able to use access control to prevent others from creating
references to that resource.
This risk is no greater than the similar risk posed by HTML links.
Section 17:
Could get rid of a lot of this section, since this protocol extends WebDAV. Just reference [WebDAV].
This specification follows the practices of in encoding all
human-readable content using XML and in the treatment of names.
Consequently, this specification complies with the IETF Character Set
Policy .
WebDAV applications MUST support the character set tagging, character
set encoding, and the language tagging functionality of the XML
specification. This constraint ensures that the human-readable content
of this specification complies with .
As in , names in this specification fall into three categories:
names of protocol elements such as methods and headers, names of XML
elements, and names of properties. Naming of protocol elements follows
the precedent of HTTP, using English names encoded in USASCII for
methods and headers. The names of XML elements used in this
specification are English names encoded in UTF-8.
For error reporting, follows the convention of HTTP/1.1 status
codes, including with each status code a short, English description of
the code (e.g., 423 Locked). Internationalized applications will ignore
this message, and display an appropriate message in the user's language
and character set.
This specification introduces no new strings that are displayed to users
as part of normal, error-free operation of the protocol.
For rationales for these decisions and advice for application
implementors, see .
Expand the IANA section to list all methods, headers, XML elements, MIME types, URL schemes, etc., defined by the spec.
Agreed.
All IANA considerations mentioned in also
apply to this document.
This draft has benefited from thoughtful discussion by Jim Amsden, Peter
Carlson, Steve Carter, Tyson Chihaya, Ken Coar, Ellis Cohen, Bruce
Cragun, Spencer Dawkins, Mark Day, Rajiv Dulepet, David Durand, Roy
Fielding, Yaron Goland, Fred Hitt, Alex Hopmann, James Hunt, Marcus
Jager, Chris Kaler, Manoj Kasichainula, Rohit Khare, Daniel LaLiberte,
Steve Martin, Larry Masinter, Jeff McAffer, Joe Orton,
Surendra Koduru Reddy, Juergen Reuter, Max
Rible, Sam Ruby, Bradley Sergeant, Nick Shelness, John Stracke, John
Tigue, John Turner, Kevin Wiggen, and others.
IETF Policy on Character Sets and LanguagesUNINETTP.O.Box 6883 ElgeseterN-7002 TRONDHEIMNORWAY+47 73 59 70 94Harald.T.Alvestrand@uninett.no
Applications
Internet Engineering Task Forcecharacter encodingKey words for use in RFCs to Indicate Requirement LevelsHarvard University1350 Mass. Ave.CambridgeMA 02138- +1 617 495 3864-
General
keywordUniform Resource Identifiers (URI): Generic SyntaxWorld Wide Web ConsortiumMIT Laboratory for Computer Science, NE43-356545 Technology SquareCambridgeMA02139+1(617)258-8682timbl@w3.orgDepartment of Information and Computer ScienceUniversity of California, IrvineIrvineCA92697-3425+1(949)824-1715fielding@ics.uci.eduXerox PARC3333 Coyote Hill RoadPalo AltoCA94034+1(415)812-4333masinter@parc.xerox.com
Applications
uniform resourceURI
A Uniform Resource Identifier (URI) is a compact string of characters
for identifying an abstract or physical resource. This document
defines the generic syntax of URI, including both absolute and
relative forms, and guidelines for their use; it revises and replaces
the generic definitions in RFC 1738 and RFC 1808.
This document defines a grammar that is a superset of all valid URI,
such that an implementation can parse the common components of a URI
reference without knowing the scheme-specific requirements of every
possible identifier type. This document does not define a generative
grammar for URI; that task will be performed by the individual
specifications of each URI scheme.
This paper describes a "superset" of operations that can be applied
to URI. It consists of both a grammar and a description of basic
functionality for URI. To understand what is a valid URI, both the
grammar and the associated description have to be studied. Some of
the functionality described is not applicable to all URI schemes, and
some operations are only possible when certain media types are
retrieved using the URI, regardless of the scheme used.
HTTP Extensions for Distributed Authoring -- WEBDAVMicrosoft Corporationyarong@microsoft.comDept. Of Information and Computer Science, University of California, Irvineejw@ics.uci.eduNetscapeasad@netscape.comNovellsrcarter@novell.comNovelldcjensen@novell.comHypertext Transfer Protocol -- HTTP/1.1University of California, Irvinefielding@ics.uci.eduW3Cjg@w3.orgCompaq Computer Corporationmogul@wrl.dec.comMIT Laboratory for Computer Sciencefrystyk@w3.orgXerox Corporationmasinter@parc.xerox.comMicrosoft Corporationpaulle@microsoft.comW3Ctimbl@w3.orgExtensible Markup Language (XML) 1.0 (2nd ed)Textuality and Netscapetbray@textuality.comMicrosoftjeanpa@microsoft.comUniversity of Illinois at Chicago and Text Encoding Initiativecmsmcq@uic.eduSun Microsystemseve.maler@east.sun.com
Julian Reschke takes editorial role (added to authors list). Cleanup
XML indentation. Start adding all unresolved last call issues. Update
some author's contact information. Update references, split into "normative"
and "informational". Remove non-RFC2616 headers ("Public") from examples.
Fixed width problems in artwork. Start resolving editorial issues.
Added Joe Orton and Juergen Reuter to Acknowledgements section. Close more
editorial issues. Remove dependencies on BIND spec.
More editorial fixes. Clarify that MKRESOURCE can only be used to create
redirect references (switch to new method in a future draft). Clarify
that redirect references do not have bodies.