Revision Log
Quick-fix for security issue raised here www.milw0rm.com/exploits/4567
fix for 31698 (LockMethod does not fire WebdavEvent)
Added fine grained locking
Create content with the null lock as well as some store implementations (like the simple file store) need this.
merge with release branch
fixed problems with requests that have no content and no content-length header (e.g. the OPTIONS request from DavExplorer)
Make lock, options and put chunking aware.
Removed methodNeedsTransactionSupport method as it always returned true anyway
cleanup org.apache.util package: - remove unused code - use commons codec instead of own Md5Encoder - move remaining classes to org.apache.slide.webdav.util
Remove all author tags from Java source files
Introduced a global read/write lock that can be configured to allow at most a single write request per time. It can also be configured to either allow read requests or disallow them while another request writes. However, this switch will have no effect when requests are done inside external transactions. Made this mode the default one in Domain.xml
Lock duration will be used as timeout of transaction now
Finished migration to MS Exchange Server compatible external transaction control
Preparation of exchange compatible locking
locktypes other than write are now rejected as Bad Request
fixes for the ContextPath/ServletPath issue; I introduced the "slideContextPath" as the path prefix of all slide uris exposed via webdav
Merged bugfix 2004/03/14 10:14:57 (serverURL) into main branch.
Removed hack in LockMethod that made lock timeout infinite on null resources. Instead expired locks on null resource cause the resource to be deleted in AbstractWebdavMethod.
Replaced JDOM b9 with JDOM HEAD version checked out at 26th, February, 2004. Adapted XMLOutputter code to this.
Added notification support with methods SUBSCRIBE, POLL, NOTIFY. To do: UNSUBSCRIBE
Merged from release branch
Fixed lock-null problems
Several changes: - Finished ACL-12 stuff - Fixed bugs in the LOCK/UNLOCK area - Refactoring of the REPORT method Testsuite (xmltestcases) is not yet clean ... but we are working on that :-)
Draft-12 compatibility of security implementation (see separate mail to slide-dev list)
Refactoring: users, groups and roles paths are controlled now solely by NamespaceConfig
- COPY, MOVE with depth=0 problems fixed - header parsing now handled centrally in AbstractWebdavMethod
Handling of lock-null resource was not correctly implemented according to RFC2518: 7.4 Write Locks and Null Resources It is possible to assert a write lock on a null resource in order to lock the name. A write locked null resource, referred to as a lock-null resource, MUST respond with a 404 (Not Found) or 405 (Method Not Allowed) to any HTTP/1.1 or DAV methods except for PUT, MKCOL, OPTIONS, PROPFIND, LOCK, and UNLOCK. A lock-null resource MUST appear as a member of its parent collection. Additionally the lock-null resource MUST have defined on it all mandatory DAV properties. Most of these properties, such as all the get* properties, will have no value as a lock-null resource does not support the GET method. Lock-Null resources MUST have defined values for lockdiscovery and supportedlock properties. Until a method such as PUT or MKCOL is successfully executed on the lock-null resource the resource MUST stay in the lock-null state. However, once a PUT or MKCOL is successfully executed on a lock-null resource the resource ceases to be in the lock-null state. If the resource is unlocked, for any reason, without a PUT, MKCOL, or similar method having been successfully executed upon it then the resource MUST return to the null state.
do not read the xml body into a string, if it is parsed afterwards using the stream.
Make use of constant S_LOCK_TOKEN
added support for extern ACL_Semantic (eckehard)
Fixed bug: according to RFC 2518, the Lock-Token response header must be "Lock-Token" ":" Coded-URL, where Coded-URL is "<" absolute-URI ">". The "<" and ">" were missing
unbind implemented as delete (michael)
bind method implemented as copy
Fixed some locking problems:
1) the DAV:owner element specified in a LOCK request was ignored
- added field ownerInfo to NodeLock
- handled setting (LOCK) and retrieving (PROPFIND DAV:lockdiscovery)
2) added element DAV:principal-URL to the DAV:lockdiscovery property
- as proposed on February 08, 2003 by Lisa Dusseault in
w3c-dist-auth-request@w3.org, the DAV:lockdiscovery property should
include an element DAV:principal-URL with the semantics of the
WebDAV/ACL specification. This feature can be switched-off in case of
interoperability problems
(servlet init-param "lockdiscoveryIncludesPrincipalURL").
Uniform error handling.
On a successful LOCK request that created a new lock, the response should include a 'Lock-Token' header, as specified in RFC 2518, 9.5: "The Lock-Token response header is used with the LOCK method to indicate the lock token created as a result of a successful LOCK request to create a new lock." Including the Lock-Token header in the response fixes interoperability with cadaver 0.20.3.
Commenting out the throw clause had changed program flow so that a NPE was being thrown from JDOM. Inserted a return instead.
Removed escaping of '<' and '>' in the messages of the exceptions thrown in parseRequest(). (ralf)
Refactoring of the WebDAV servlet, as announced on slide-dev: - Added interface org.apache.slide.webdav.WebdavMethod - Renamed class org.apache.slide.webdav.method.WebdavMethod to org.apache.slide.webdav.method.AbstractWebdavMethod, and made it implement org.apache.slide.webdav.WebdavMethod - No longer passing request & response objects in the constructors of the WebdavMethod implementations, move logic out of constructors - WebdavServlet adjusted to use the new constructors, and the new WebdavMethod interface instead of the old class I'm pretty sure I've not broken anything here, and the testsuite run didn't report anything different to before, but you never know ;)
The owner element may be omitted in the lock method. Use a default instead of creating an exception. BUT ... the owner element is not stored in the slide store level, but the principal URI instead. This seems like an additional bug.
Finished replacement of org.w3c.dom by JDOM. Whether we should use JDOM or not, using both DOM and JDOM was ugly and resource consuming. Also did some minor code clean-up. (ralf)
Replaced usage of org.w3c.dom by JDOM. (ralf)
Constants for DAV and Slide namespace URIs and prefixes have been removed from class WebdavConstants. The appropriate constants of NamespaceCache are now used instead. (ralf)
Fixed bug: XML header was missing in XML response document. XML response is now formatted (indention and line breaks). (ralf)
Removed unused import statement. (ralf)
Use JDOM to create the response instead of the XMLPrinter.
- Fix typo for LICENSE
- License term changed from "Tomcat" to "Slide". (It's the Slide project!)
infinity is spelled with a small "i" (as stated in the DTD, in contrast to the as wrong seen examples)
the timeout header is Infinite instead of Infinity
removed some redundant comments
encode the owner URL, if it contains reserved or I18N characters.
1) BUG: PropPatch did not rollback, if one action could not be executed 2) The property itself decides, if it is read-only or can be modified by propPatch 3) all live properties have get/set methods, they are now used.
- Use PropertyWriter instead of DOMWriter.
- Fix NumberFormatException which can occur when parsing a timeout header like: Timeout: Second-300, Infinite Now, the portion after the first comma is ignored.
call enumLocks(..., false). see separate e-mail. PropFind is still with implicit true.
prevent dirty read by setting forcedEnlist.
- Added a WebdavServletConfig class that wraps around ServletConfig and provides convenient access to configuration parameters (like depth limit) - Changed WebdavMethod and subclasses to accept a WebdavServletConfig object in their constructor instead of GenericServlet and ServletContext, and use the config when required - Changed WebdavServlet to create the WebdavServletConfig and pass it to the constructors of the various WebdavMethod subclasses - You can now use the 'default-mime-type' init-parameter to define which MIME type will be used if clients don't provide the ContentType header (but the default default MIME type should probably be 'application/octet-stream' instead of 'text/plain')
- Only create the DOM DocumentBuilder when the WebdavMethod actually needs to parse XML content - Don't store the DocumentBuilder as member, as it is only needed once in every WebdavMethod subclass that needs XML parsing - Return SC_BAD_REQUEST only when a SAXException occurs while parsing the XML request, and return SC_INTERNAL_SERVER_ERROR for ParserConfigurationException and IOException. - Patch submitted by Christopher Lenz.
if the serviceAccessException carries a cause exception, this cause is used to determine the response code. The mapping of exception to response code is now performed (mostly) in a separate method named getErrorCode().
The response code for a lock (on a collection) which is already locked should not be packed in a 207, instead the response code is delivered directly.
- Return a multistatus when there is a problem locking a collection using an infinite depth lock. - Catch ObjectLockedException, which can occur when creating the lock-null resource. - Hack: Use max timeout when creating a lock-null resource (since they can't be automatically removed).
1) do not print a stacktrace in a pre_condition failed situation 2) make sure the transaction is aborted in case of an error
a timeout of 0 seconds is possible now.
removed the NRD from the API, to be put in NodePermission, see e-mails.
The lock and security store (child and parent) do now support a RevisionDescriptor in their interface. Mostly this is set (currently) to null. See separate e-mail.
removed a stackTrace in case a locked resource was locked again.
- Complete move of WebdavStatus.
removed another println
removed a println
- Create a set of utils which are shared between the three components of Slide to avoid having a version of the file in multiple spots in the repository. - Make necessary changes in the classes.
- Add proper URL encoding / decoding based on Catalina code. - The only supported char encoding is Unicode (UTF-8), but this will eventually be configurable.
if the body of a propfind method was coded in utf-8, the body was not properly decoded by the Reader wrapper. Now a Stream is used and the bytes are converted to a String using the right encoding. Remy, isn't this a reader bug in Tomcat? The encoding stays quoted in speech marks, do we want to change this?
preparation to enable only the changing methods to start a transaction (e.g. Put)
- Update the WebDAV servlet to use the new SlideToken.
- Move the DAV servlet to src/webdav/server.