WEBDAV Working Group J. Whitehead Internet-Draft U.C. Santa Cruz Expires: October 4, 2004 G. Clemm IBM J. Reschke, Ed. greenbytes April 5, 2004 Web Distributed Authoring and Versioning (WebDAV) Redirect Reference Resources draft-ietf-webdav-redirectref-protocol-08 Status of this Memo By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on October 4, 2004. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved. Abstract This specification defines redirect reference resources. A redirect reference resource is a resource whose default response is an HTTP/ 1.1 3xx (Redirection) status code (see [RFC2616], Section 10.3), redirecting the client to a different resource, the target resource. A redirect reference makes it possible to access the target resource indirectly, through any URI mapped to the redirect reference Whitehead, et al. Expires October 4, 2004 [Page 1] Internet-Draft WebDAV Redirect Reference Resources April 2004 resource. There are no integrity guarantees associated with redirect reference resources. Distribution of this document is unlimited. Please send comments to the Distributed Authoring and Versioning (WebDAV) working group at , which may be joined by sending a message with subject "subscribe" to . Discussions of the WEBDAV working group are archived at URL: . Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 5 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Overview of Redirect Reference Resources . . . . . . . . . . 6 5. MKREDIRECTREF Method . . . . . . . . . . . . . . . . . . . . 7 5.1 Example: Creating a Redirect Reference Resource with MKREDIRECTREF . . . . . . . . . . . . . . . . . . . . . . 8 6. Operations on Redirect Reference Resources . . . . . . . . . 8 7. Operations on Collections That Contain Redirect Reference Resources . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.1 LOCK on a Collection That Contains Redirect References . . 9 7.2 Example: PROPFIND on a Collection with Redirect Reference Resources . . . . . . . . . . . . . . . . . . . 10 7.3 Example: PROPFIND with Apply-To-Redirect-Ref on a Collection with Redirect Reference Resources . . . . . . . 12 7.4 Example: COPY on a Collection That Contains a Redirect Reference Resource . . . . . . . . . . . . . . . . . . . . 13 7.5 Example: LOCK on a Collection That Contains a Redirect Reference Resource . . . . . . . . . . . . . . . . . . . . 14 8. Operations on Targets of Redirect Reference Resources . . . 16 9. Relative URIs in DAV:reftarget . . . . . . . . . . . . . . . 16 9.1 Example: Resolving a Relative URI in a Multi-Status Response . . . . . . . . . . . . . . . . . . . . . . . . . 16 10. Redirect References to Collections . . . . . . . . . . . . . 17 11. Headers . . . . . . . . . . . . . . . . . . . . . . . . . . 19 11.1 Redirect-Ref Response Header . . . . . . . . . . . . . . 19 11.2 Apply-To-Redirect-Ref Request Header . . . . . . . . . . 19 12. Redirect Reference Resource Properties . . . . . . . . . . . 19 12.1 DAV:redirect-lifetime (protected) . . . . . . . . . . . 19 12.2 DAV:reftarget (protected) . . . . . . . . . . . . . . . 20 13. XML Elements . . . . . . . . . . . . . . . . . . . . . . . . 20 13.1 redirectref XML Element . . . . . . . . . . . . . . . . 20 14. Extensions to the DAV:response XML Element for Multi-Status Responses . . . . . . . . . . . . . . . . . . . 20 Whitehead, et al. Expires October 4, 2004 [Page 2] Internet-Draft WebDAV Redirect Reference Resources April 2004 15. Capability Discovery . . . . . . . . . . . . . . . . . . . . 20 15.1 Example: Discovery of Support for Redirect Reference Resources . . . . . . . . . . . . . . . . . . . . . . . 21 16. Security Considerations . . . . . . . . . . . . . . . . . . 21 16.1 Privacy Concerns . . . . . . . . . . . . . . . . . . . . 21 16.2 Redirect Loops . . . . . . . . . . . . . . . . . . . . . 22 16.3 Redirect Reference Resources and Denial of Service . . . 22 16.4 Revealing Private Locations . . . . . . . . . . . . . . 22 17. Internationalization Considerations . . . . . . . . . . . . 22 18. IANA Considerations . . . . . . . . . . . . . . . . . . . . 23 19. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 23 20. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23 21. Normative References . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 24 A. Changes to the WebDAV Document Type Definition . . . . . . . 24 B. Change Log (to be removed by RFC Editor before publication) . . . . . . . . . . . . . . . . . . . . . . . . 25 B.1 Since draft-ietf-webdav-redirectref-protocol-02 . . . . . 25 B.2 Since draft-ietf-webdav-redirectref-protocol-03 . . . . . 25 B.3 Since draft-ietf-webdav-redirectref-protocol-04 . . . . . 25 B.4 Since draft-ietf-webdav-redirectref-protocol-05 . . . . . 25 B.5 Since draft-ietf-webdav-redirectref-protocol-06 . . . . . 25 B.6 Since draft-ietf-webdav-redirectref-protocol-07 . . . . . 25 C. Resolved issues (to be removed by RFC Editor before publication) . . . . . . . . . . . . . . . . . . . . . . . . 26 C.1 title . . . . . . . . . . . . . . . . . . . . . . . . . . 26 C.2 lc-38-not-hierarchical . . . . . . . . . . . . . . . . . . 26 C.3 lc-37-integrity . . . . . . . . . . . . . . . . . . . . . 26 C.4 5_mkresource . . . . . . . . . . . . . . . . . . . . . . . 27 C.5 lc-41-no-webdav . . . . . . . . . . . . . . . . . . . . . 27 C.6 lc-24-properties . . . . . . . . . . . . . . . . . . . . . 27 C.7 lc-55-iana . . . . . . . . . . . . . . . . . . . . . . . . 28 C.8 A_DTD_cleanup . . . . . . . . . . . . . . . . . . . . . . 28 D. Open issues (to be removed by RFC Editor prior to publication) . . . . . . . . . . . . . . . . . . . . . . . . 28 D.1 old_clients . . . . . . . . . . . . . . . . . . . . . . . 28 D.2 lc-85-301 . . . . . . . . . . . . . . . . . . . . . . . . 29 D.3 lc-36-server . . . . . . . . . . . . . . . . . . . . . . . 29 D.4 lc-33-forwarding . . . . . . . . . . . . . . . . . . . . . 29 D.5 3-terminology-redirectref . . . . . . . . . . . . . . . . 30 D.6 lc-58-update . . . . . . . . . . . . . . . . . . . . . . . 30 D.7 lc-48-s6 . . . . . . . . . . . . . . . . . . . . . . . . . 30 D.8 lc-57-noautoupdate . . . . . . . . . . . . . . . . . . . . 31 D.9 12.1-property-name . . . . . . . . . . . . . . . . . . . . 31 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Intellectual Property and Copyright Statements . . . . . . . 33 Whitehead, et al. Expires October 4, 2004 [Page 3] Internet-Draft WebDAV Redirect Reference Resources April 2004 1. Introduction This is one of a pair of specifications that extend the WebDAV Distributed Authoring Protocol to enable clients to create new access paths to existing resources. This capability is useful for several reasons: The WebDAV Distributed Authoring Protocol makes it possible to organize HTTP resources into hierarchies, placing them into groupings, known as collections, which are more easily browsed and manipulated than a single flat collection. However, hierarchies require categorization decisions that locate resources at a single location in the hierarchy, a drawback when a resource has multiple valid categories. For example, in a hierarchy of vehicle descriptions containing collections for cars and boats, a description of a combination car/boat vehicle could belong in either collection. Ideally, the description should be accessible from both. Allowing clients to create new URIs that access the existing resource lets them put that resource into multiple collections. Hierarchies also make resource sharing more difficult, since resources that have utility across many collections are still forced into a single collection. For example, the mathematics department at one university might create a collection of information on fractals that contains bindings to some local resources, but also provides access to some resources at other universities. For many reasons, it may be undesirable to make physical copies of the shared resources on the local server: to conserve disk space, to respect copyright constraints, or to make any changes in the shared resources visible automatically. Being able to create new access paths to existing resources in other collections or even on other servers is useful for this sort of case. The redirect reference resources defined here provide a mechanism for creating alternative access paths to existing resources. A redirect reference resource is a resource in one collection whose purpose is to forward requests to another resource (its target), possibly in a different collection. In this way, it allows clients to submit requests to the target resource from another collection. It redirects most requests to the target resource using a HTTP status code from the 3xx range (Redirection), thereby providing a form of mediated access to the target resource. A redirect reference is a resource with properties but no body of its own. Properties of a redirect reference resource can contain such information as who created the reference, when, and why. Since redirect reference resources are implemented using HTTP 3xx responses, it generally takes two round trips to submit a request to Whitehead, et al. Expires October 4, 2004 [Page 4] Internet-Draft WebDAV Redirect Reference Resources April 2004 the intended resource. Redirect references work equally well for local resources and for resources that reside on a different server from the reference. The remainder of this document is structured as follows: Section 3 defines terms that will be used throughout the specification. Section 4 provides an overview of redirect reference resources. Section 5 discusses how to create a redirect reference resource. Section 6 defines the semantics of existing methods when applied to redirect reference resources, and Section 7 discusses their semantics when applied to collections that contain redirect reference resources. Sections 8 through 10 discuss several other issues raised by the existence of redirect reference resources. Sections 11 through 14 define the new headers, properties, and XML elements required to support redirect reference resources. Section 15 discusses capability discovery. Sections 16 through 18 present the security, internationalization, and IANA concerns raised by this specification. The remaining sections provide a variety of supporting information. 2. Notational Conventions Since this document describes a set of extensions to the WebDAV Distributed Authoring Protocol [RFC2518], itself an extension to the HTTP/1.1 protocol, the augmented BNF used here to describe protocol elements is exactly the same as described in Section 2.1 of [RFC2616]. Since this augmented BNF uses the basic production rules provided in Section 2.2 of [RFC2616], these rules apply to this document as well. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Terminology The terminology used here follows and extends that in the WebDAV Distributed Authoring Protocol specification [RFC2518]. Definitions of the terms resource, Uniform Resource Identifier (URI), and Uniform Resource Locator (URL) are provided in [RFC2396]. Redirect Reference Resource A resource created to redirect all requests made to it, using an HTTP status code from the 3xx range, to a defined target resource. Non-Reference Resource Whitehead, et al. Expires October 4, 2004 [Page 5] Internet-Draft WebDAV Redirect Reference Resources April 2004 A resource that is not a reference to another resource. Target Resource The resource to which requests are forwarded by a reference resource. A target resource can be anything that can be identified by an absolute URI (see [RFC2396], "absoluteURI"). This document uses the terms "precondition", "postcondition" and "protected property" as defined in [RFC3253]. Servers MUST report pre-/postcondition failures as described in section 1.6 of this document. 4. Overview of Redirect Reference Resources For all operations submitted to a redirect reference resource, the default response is a 302 (Found), accompanied by the Redirect-Ref header (defined in Section 11.1 below) and the Location header set to the URI of the target resource. With this information, the client can resubmit the request to the URI of the target resource. A redirect reference resource never automatically forwards requests to its target resource. Redirect resources bring the same benefits as links in HTML documents. They can be created and maintained without the involvement or even knowledge of their target resource. This reduces the cost of linking between resources." If the client is aware that it is operating on a redirect reference resource, it can resolve the reference by retrieving the reference resource's DAV:reftarget property (defined in Section 12.2 below), whose value contains the URI of the target resource. It can then submit requests to the target resource. A redirect reference resource is a new type of resource. To distinguish redirect reference resources from non-reference resources, a new value of the DAV:resourcetype property (defined in [RFC2518]), DAV:redirectref, is defined in Section 13.1 below. Since a redirect reference resource is a resource, methods can be applied to the reference resource as well as to its target resource. The Apply-To-Redirect-Ref request header (defined in Section 11.2 below) is provided so that referencing-aware clients can control whether an operation is applied to the redirect reference resource or standard HTTP/WebDAV behaviour (redirection with a 3xx status code) should occur. The Apply-To-Redirect-Ref header can be used with most requests to redirect reference resources. This header is particularly useful with PROPFIND, to retrieve the reference resource's own properties. Whitehead, et al. Expires October 4, 2004 [Page 6] Internet-Draft WebDAV Redirect Reference Resources April 2004 5. MKREDIRECTREF Method The MKREDIRECTREF method requests the creation of a redirect reference resource. If a MKREDIRECTREF request fails, the server state preceding the request MUST be restored. Responses from a MKREDIRECTREF request MUST NOT be cached, as MKREDIRECTREF has non-idempotent semantics. Marshalling: The request body MUST be a DAV:mkredirectref XML element. The DAV:href element is defined in [RFC2518] (Section 12.3) and MUST contain either an absoluteURI or a relativeURI (see [RFC2396], Section 3 and 5). If the request succeeds, the server MUST return 201 (Created) status. If a response body for a successful request is included, it MUST be a DAV:mkredirectref-response XML element. Note that this document does not define any elements for the MKREDIRECTREF response body, but the DAV:mkredirectref-response element is defined to ensure interoperability between future extensions that do define elements for the MKREDIRECTREF response body. Preconditions: (DAV:resource-must-be-null): A resource MUST NOT exist at the request-URL. (DAV:parent-resource-must-be-non-null): The request-URL minus the last past segment MUST identify a collection. (DAV:name-allowed): The last segment of the request URL is available for use as a resource name. Whitehead, et al. Expires October 4, 2004 [Page 7] Internet-Draft WebDAV Redirect Reference Resources April 2004 (DAV:locked-update-allowed): If the collection identified by the Request-URL minus the last path segment is write-locked, then the appropriate token MUST be specified in an If request header. (DAV:redirect-lifetime-supported): If the request body contains a DAV:redirect-lifetime element, the server MUST support the specified liftime. Support for DAV:temporary is REQUIRED, while support for DAV:permanent is OPTIONAL. Postconditions: (DAV:new-redirectref): a new redirect reference resource is created whose DAV:reftarget property has the value specified in the request body. 5.1 Example: Creating a Redirect Reference Resource with MKREDIRECTREF >> Request: MKREDIRECTREF /~whitehead/dav/spec08.ref HTTP/1.1 Host: www.example.com Content-Type: text/xml; charset="utf-8" Content-Length: xxx /i-d/draft-webdav-protocol-08.txt >> Response: HTTP/1.1 201 Created This request resulted in the creation of a new redirect reference resource at http://www.example.com/~whitehead/dav/spec08.ref, which points to the resource identified by the DAV:reftarget property. In this example, the target resource is identified by the URI http:// www.example.com/i-d/draft-webdav-protocol-08.txt. The redirect reference resource's DAV:resourcetype property is set to DAV:redirectref. 6. Operations on Redirect Reference Resources Although non-referencing-aware clients cannot create reference resources, they should be able to submit requests through the Whitehead, et al. Expires October 4, 2004 [Page 8] Internet-Draft WebDAV Redirect Reference Resources April 2004 reference resources created by reference-aware WebDAV clients. They should be able to follow any references to their targets. To make this possible, a server that receives any request made via a redirect reference resource MUST return a 3xx range (Redirection) status code, unless the request includes an Apply-To-Redirect-Ref header specifying "T". The client and server MUST follow [RFC2616] Section 10.3, but with these additional rules: o The Location response header MUST contain an absolute URI that identifies the target of the reference resource. o The response MUST include the Redirect-Ref header. This header allows reference-aware WebDAV clients to recognize the resource as a reference resource and understand the reason for the redirection. A reference-aware WebDAV client can, like a non-referencing client, resubmit the request to the URI in the Location header in order to operate on the target resource. Alternatively, it can resubmit the request to the URI of the redirect reference resource with the "Apply-To-Redirect-Ref: T" header in order to operate on the reference resource itself. In this case, the request MUST be applied to the reference resource itself, and a 3xx response MUST NOT be returned. As redirect references do not have bodies, GET and PUT requests with "Apply-To-Redirect-Ref: T" MUST fail with status 403 (forbidden). 7. Operations on Collections That Contain Redirect Reference Resources Consistent with the rules in Section 6, the response for each redirect reference encountered while processing a collection MUST be a 3xx (Redirection) unless a "Apply-To-Redirect-Ref: T" header is included with the request. The overall response will therefore be a 207 (Multi-Status). For each DAV:response element representing a redirect reference, the server MUST include an additional DAV:location element, specifying the value of the "Location" header that would be returned otherwise. The extension is defined in Section 14 below. The Apply-To-Redirect-Ref header (defined in Section 11.2) MAY be used with any request on a collection. If present, it will be applied to all redirect reference resources encountered while processing the collection. 7.1 LOCK on a Collection That Contains Redirect References An attempt to lock (with Depth: infinity) a collection that contains Whitehead, et al. Expires October 4, 2004 [Page 9] Internet-Draft WebDAV Redirect Reference Resources April 2004 redirect references without specifying "Apply-To-Redirect-Ref: T" will always fail. The Multi-Status response will contain a 3xx response for each redirect reference. Reference-aware clients can lock the collection by using Apply-To-Redirect-Ref, and, if desired, lock the targets of the redirect references individually. Non-referencing clients must resort to locking each resource individually. 7.2 Example: PROPFIND on a Collection with Redirect Reference Resources Suppose a PROPFIND request with Depth: infinity is submitted to the following collection, with the members shown here: /MyCollection/ (non-reference resource) diary.html (redirect reference resource) nunavut >> Request: PROPFIND /MyCollection/ HTTP/1.1 Host: example.com Depth: infinity Apply-To-Redirect-Ref: F Content-Type: text/xml Content-Length: xxxx Whitehead, et al. Expires October 4, 2004 [Page 10] Internet-Draft WebDAV Redirect Reference Resources April 2004 >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml Content-Length: xxxx /MyCollection/ diary, interests, hobbies HTTP/1.1 200 OK /MyCollection/diary.html diary, travel, family, history HTTP/1.1 200 OK /MyCollection/nunavut HTTP/1.1 302 Found http://example.ca/art/inuit/ In this example the Depth header is set to infinity, and the Apply-To-Redirect-Ref header is set to "F". The collection contains one URI that identifies a redirect reference resource. The response element for the redirect reference resource has a status of 302 (Found), and includes a DAV:location extension element to allow clients to retrieve the properties of its target resource. (The response element for the redirect reference resource does not include the requested properties. The client can submit another PROPFIND request to the URI in the DAV:location pseudo-property to retrieve those properties.) Whitehead, et al. Expires October 4, 2004 [Page 11] Internet-Draft WebDAV Redirect Reference Resources April 2004 7.3 Example: PROPFIND with Apply-To-Redirect-Ref on a Collection with Redirect Reference Resources Suppose a PROPFIND request with "Apply-To-Redirect-Ref: T" and Depth: infinity is submitted to the following collection, with the members shown here: /MyCollection/ (non-reference resource) diary.html (redirect reference resource) nunavut >> Request: PROPFIND /MyCollection/ HTTP/1.1 Host: example.com Depth: infinity Apply-To-Redirect-Ref: T Content-Type: text/xml Content-Length: xxxx >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml Content-Length: xxxx /MyCollection/ HTTP/1.1 200 OK HTTP/1.1 404 Not Found Whitehead, et al. Expires October 4, 2004 [Page 12] Internet-Draft WebDAV Redirect Reference Resources April 2004 /MyCollection/diary.html HTTP/1.1 200 OK HTTP/1.1 404 Not Found /MyCollection/nunavut http://example.ca/art/inuit/ HTTP/1.1 200 OK Since the "Apply-To-Redirect-Ref: T" header is present, the response shows the properties of the redirect reference resource in the collection rather than reporting a 302 status. 7.4 Example: COPY on a Collection That Contains a Redirect Reference Resource Suppose a COPY request is submitted to the following collection, with the members shown: /MyCollection/ (non-reference resource) diary.html (redirect reference resource) nunavut with target /Someplace/nunavut.map Whitehead, et al. Expires October 4, 2004 [Page 13] Internet-Draft WebDAV Redirect Reference Resources April 2004 >> Request: COPY /MyCollection/ HTTP/1.1 Host: example.com Depth: infinity Destination: http://example.com/OtherCollection/ >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml; charset="utf-8" Content-Length: xxx /MyCollection/nunavut HTTP/1.1 302 Found http://example.com//Someplace/nunavut.map In this case, since /MyCollection/nunavut is a redirect reference resource, the COPY operation was only a partial success. The redirect reference resource was not copied, but a 302 response was returned for it. So the resulting collection is as follows: /OtherCollection/ (non-reference resource) diary.html 7.5 Example: LOCK on a Collection That Contains a Redirect Reference Resource Suppose a LOCK request is submitted to the following collection, with the members shown: /MyCollection/ (non-reference resource) diary.html (redirect reference resource) nunavut Whitehead, et al. Expires October 4, 2004 [Page 14] Internet-Draft WebDAV Redirect Reference Resources April 2004 >> Request: LOCK /MyCollection/ HTTP/1.1 Host: example.com Apply-To-Redirect-Ref: F Content-Type: text/xml >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml Content-Length: nnnn /MyCollection/ HTTP/1.1 424 Failed Dependency /MyCollection/diary.html HTTP/1.1 424 Failed Dependency /MyCollection/nunavut HTTP/1.1 302 Found http://example.ca/art/inuit/ The server returns a 302 response code for the redirect reference resource in the collection. Consequently, neither the collection nor any of the resources identified by its internal member URIs were locked. A referencing-aware client can submit a separate LOCK request to the URI in the DAV:location element returned for the redirect reference resource, and can resubmit the LOCK request with the Apply-To-Redirect-Ref header to the collection. At that point both the reference resource and its target resource will be locked (as well as the collection and all the resources identified by its other members). Whitehead, et al. Expires October 4, 2004 [Page 15] Internet-Draft WebDAV Redirect Reference Resources April 2004 8. Operations on Targets of Redirect Reference Resources Operations on targets of redirect reference resources have no effect on the reference resource. 9. Relative URIs in DAV:reftarget The URI in the href in a DAV:reftarget property MAY be a relative URI. In this case, the base URI to be used for resolving the relative URI to absolute form is the URI used in the HTTP message to identify the redirect reference resource to which the DAV:reftarget property belongs. When DAV:reftarget appears in the context of a Multi-Status response, it is in a DAV:response element that contains a single DAV:href element. The value of this DAV:href element serves as the base URI for resolving a relative URI in DAV:reftarget. The value of DAV:href may itself be relative, in which case it must be resolved first in order to serve as the base URI for the relative URI in DAV:reftarget. If the DAV:href element is relative, its base URI is constructed from the scheme component "http", the value of the Host header in the request, and the request-URI. 9.1 Example: Resolving a Relative URI in a Multi-Status Response >> Request: PROPFIND /geog/ HTTP/1.1 Host: example.com Apply-To-Redirect-Ref: T Depth: 1 Content-Type: text/xml Content-Length: nnn Whitehead, et al. Expires October 4, 2004 [Page 16] Internet-Draft WebDAV Redirect Reference Resources April 2004 >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml Content-Length: nnn /geog/ HTTP/1.1 200 OK HTTP/1.1 404 Not Found /geog/stats.html statistics/population/1997.html HTTP/1.1 200 OK In this example, the relative URI statistics/population/1997.html is returned as the value of reftarget for the reference resource identified by href /geog/stats.html. The href is itself a relative URI, which resolves to http://example.com/geog/stats.html. This is the base URI for resolving the relative URI in reftarget. The absolute URI of reftarget is http://example.com/geog/statistics/ population/1997.html. 10. Redirect References to Collections In a Request-URI /segment1/segment2/segment3, any of the three segments may identify a redirect reference resource. (See [RFC2396], Section 3.3, for definitions of "path" and "segment".) If any Whitehead, et al. Expires October 4, 2004 [Page 17] Internet-Draft WebDAV Redirect Reference Resources April 2004 segment in a Request-URI identifies a redirect reference resource, the response SHOULD be a 3xx. The value of the Location header in the response is as follows: The leftmost path segment of the request-URI that identifies a redirect reference resource, together with all path segments and separators to the left of it, is replaced by the value of the redirect reference resource's DAV:reftarget property (resolved to an absolute URI). The remainder of the request-URI is concatenated to this path. Note: If the DAV:reftarget property ends with a "/" and the remainder of the Request-URI is non-empty (and therefore must begin with a "/ "), the final "/" in the DAV:reftarget property is dropped before the remainder of the Request-URI is appended. Consider Request-URI /x/y/z.html. Suppose that /x/ is a redirect reference resource whose target resource is collection /a/, which contains redirect reference resource y whose target resource is collection /b/, which contains redirect reference resource z.html whose target resource is /c/d.html. /x/y/z.html | | /x -> /a | v /a/y/z.html | | /a/y -> /b | v /b/z.html | | /b/z.html -> /c/d.html | v /c/d.html In this case the client must follow up three separate 3xx responses before finally reaching the target resource. The server responds to the initial request with a 3xx with Location: /a/y/z.html, and the client resubmits the request to /a/y/z.html. The server responds to this request with a 3xx with Location: /b/z.html, and the client resubmits the request to /b/z.html. The server responds to this request with a 3xx with Location: /c/d.html, and the client resubmits the request to /c/d.html. This final request succeeds. Whitehead, et al. Expires October 4, 2004 [Page 18] Internet-Draft WebDAV Redirect Reference Resources April 2004 Note: the behavior described above may have a very serious impact on the efficiency of mapping Request-URIs to resources in HTTP request processing. Therefore servers MAY respond with a 404 status code if the cost of checking all leading path segments for redirect references seems prohibitive. 11. Headers 11.1 Redirect-Ref Response Header Redirect-Ref = "Redirect-Ref:" (absoluteURI | relativeURI) ; see sections 3 and 5 of [RFC2396] The Redirect-Ref header is used in all 3xx responses from redirect reference resources. The value is the (possibly relative) URI of the link target as specified during redirect reference resource creation. 11.2 Apply-To-Redirect-Ref Request Header Apply-To-Redirect-Ref = "Apply-To-Redirect-Ref" ":" ("T" | "F") The optional Apply-To-Redirect-Ref header can be used on any request to a redirect reference resource. When it is present and set to "T", the request MUST be applied to the reference resource itself, and a 3xx response MUST NOT be returned. If the Apply-To-Redirect-Ref header is used on a request to any other sort of resource besides a redirect reference resource, the server MUST ignore it. 12. Redirect Reference Resource Properties The properties defined below are REQUIRED on redirect reference resources. 12.1 DAV:redirect-lifetime (protected) This property provides information about the lifetime of a redirect. It can either be DAV:permanent (HTTP status 301) or DAV:temporary (HTTP status 302). Future protocols MAY define additional values. Whitehead, et al. Expires October 4, 2004 [Page 19] Internet-Draft WebDAV Redirect Reference Resources April 2004 12.2 DAV:reftarget (protected) This property provides an efficient way for clients to discover the URI of the target resource. This is a read-only property after its initial creation. Its value can only be set in a MKREDIRECTREF request. The value is a DAV:href element containing the URI of the target resource. 13. XML Elements 13.1 redirectref XML Element Name: redirectref Namespace: DAV: Purpose: Used as the value of the DAV:resourcetype property to specify that the resource type is a redirect reference resource. 14. Extensions to the DAV:response XML Element for Multi-Status Responses As described in Section 7, the DAV:location element may be returned in the DAV:response element of a 207 Multi-Status response, to allow clients to resubmit their requests to the target resource of a redirect reference resource. Consequently, the definition of the DAV:response XML element changes to the following: 15. Capability Discovery Sections 9.1 and 15 of [RFC2518] describe the use of compliance classes with the DAV header in responses to OPTIONS, to indicate which parts of the WebDAV Distributed Authoring protocols the resource supports. This specification defines an OPTIONAL extension Whitehead, et al. Expires October 4, 2004 [Page 20] Internet-Draft WebDAV Redirect Reference Resources April 2004 to [RFC2518]. It defines a new compliance class, called redirectrefs, for use with the DAV header in responses to OPTIONS requests. If a resource does support redirect references, its response to an OPTIONS request may indicate that it does, by listing the new redirectrefs compliance class in the DAV header and by listing the MKREDIRECTREF method as one it supports. When responding to an OPTIONS request, any type of resource can include redirectrefs in the value of the DAV header. Doing so indicates that the server permits a redirect reference resource at the request URI. 15.1 Example: Discovery of Support for Redirect Reference Resources >> Request: OPTIONS /somecollection/someresource HTTP/1.1 Host: example.org >> Response: HTTP/1.1 200 OK Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, COPY, MOVE Allow: MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, MKREDIRECTREF DAV: 1, 2, redirectrefs The DAV header in the response indicates that the resource / somecollection/someresource is level 1 and level 2 compliant, as defined in [RFC2518]. In addition, /somecollection/someresource supports redirect reference resources. The Allow header indicates that MKREDIRECTREF requests can be submitted to /somecollection/ someresource. 16. Security Considerations This section is provided to make applications that implement this protocol aware of the security implications of this protocol. All of the security considerations of HTTP/1.1 and the WebDAV Distributed Authoring Protocol specification also apply to this protocol specification. In addition, redirect reference resources introduce several new security concerns and increase the risk of some existing threats. These issues are detailed below. 16.1 Privacy Concerns By creating redirect reference resources on a trusted server, it is possible for a hostile agent to induce users to send private Whitehead, et al. Expires October 4, 2004 [Page 21] Internet-Draft WebDAV Redirect Reference Resources April 2004 information to a target on a different server. This risk is mitigated somewhat, since clients are required to notify the user of the redirection for any request other than GET or HEAD. (See [RFC2616], Section 10.3.3 302 Found.) 16.2 Redirect Loops Although redirect loops were already possible in HTTP 1.1, the introduction of the MKREDIRECTREF method creates a new avenue for clients to create loops accidentally or maliciously. If the reference resource and its target are on the same server, the server may be able to detect MKREDIRECTREF requests that would create loops. See also [RFC2616], Section 10.3 "Redirection 3xx." 16.3 Redirect Reference Resources and Denial of Service Denial of service attacks were already possible by posting URLs that were intended for limited use at heavily used Web sites. The introduction of MKREDIRECTREF creates a new avenue for similar denial of service attacks. Clients can now create redirect reference resources at heavily used sites to target locations that were not designed for heavy usage. 16.4 Revealing Private Locations There are several ways that redirect reference resources may reveal information about collection structures. First, the DAV:reftarget property of every redirect reference resource contains the URI of the target resource. Anyone who has access to the reference resource can discover the collection path that leads to the target resource. The owner of the target resource may have wanted to limit knowledge of this collection structure. Sufficiently powerful access control mechanisms can control this risk to some extent. Property-level access control could prevent users from examining the DAV:reftarget property. (The Location header returned in responses to requests on redirect reference resources reveals the same information, however.) This risk is no greater than the similar risk posed by HTML links. 17. Internationalization Considerations All internationalization considerations mentioned in [RFC2518] also apply to this document. Whitehead, et al. Expires October 4, 2004 [Page 22] Internet-Draft WebDAV Redirect Reference Resources April 2004 18. IANA Considerations All IANA considerations mentioned in [RFC2518] also apply to this document. 19. Contributors Many thanks to Jason Crawford, Jim Davis, Chuck Fay and Judith Slein who can take credit for big parts of the original design of this specification. 20. Acknowledgements This document has benefited from thoughtful discussion by Jim Amsden, Peter Carlson, Steve Carter, Tyson Chihaya, Ken Coar, Ellis Cohen, Bruce Cragun, Spencer Dawkins, Mark Day, Rajiv Dulepet, David Durand, Lisa Dusseault, Stefan Eissing, Roy Fielding, Yaron Goland, Fred Hitt, Alex Hopmann, James Hunt, Marcus Jager, Chris Kaler, Manoj Kasichainula, Rohit Khare, Daniel LaLiberte, Steve Martin, Larry Masinter, Jeff McAffer, Joe Orton, Surendra Koduru Reddy, Juergen Reuter, Max Rible, Sam Ruby, Bradley Sergeant, Nick Shelness, John Stracke, John Tigue, John Turner, Kevin Wiggen, and others. 21 Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2396] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 2396, August 1998. [RFC2518] Goland, Y., Whitehead, E., Faizi, A., Carter, S. and D. Jensen, "HTTP Extensions for Distributed Authoring -- WEBDAV", RFC 2518, February 1999. [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. [RFC3253] Clemm, G., Amsden, J., Ellison, T., Kaler, C. and J. Whitehead, "Versioning Extensions to WebDAV (Web Distributed Authoring and Versioning)", RFC 3253, March 2002. Whitehead, et al. Expires October 4, 2004 [Page 23] Internet-Draft WebDAV Redirect Reference Resources April 2004 Authors' Addresses Jim Whitehead UC Santa Cruz, Dept. of Computer Science 1156 High Street Santa Cruz, CA 95064 US EMail: ejw@cse.ucsc.edu Geoff Clemm IBM 20 Maguire Road Lexington, MA 02421 US EMail: geoffrey.clemm@us.ibm.com Julian F. Reschke (editor) greenbytes GmbH Salzmannstrasse 152 Muenster, NW 48159 Germany Phone: +49 251 2807760 Fax: +49 251 2807761 EMail: julian.reschke@greenbytes.de URI: http://greenbytes.de/tech/webdav/ Appendix A. Changes to the WebDAV Document Type Definition Whitehead, et al. Expires October 4, 2004 [Page 24] Internet-Draft WebDAV Redirect Reference Resources April 2004 Appendix B. Change Log (to be removed by RFC Editor before publication) B.1 Since draft-ietf-webdav-redirectref-protocol-02 Julian Reschke takes editorial role (added to authors list). Cleanup XML indentation. Start adding all unresolved last call issues. Update some author's contact information. Update references, split into "normative" and "informational". Remove non-RFC2616 headers ("Public") from examples. Fixed width problems in artwork. Start resolving editorial issues. B.2 Since draft-ietf-webdav-redirectref-protocol-03 Added Joe Orton and Juergen Reuter to Acknowledgements section. Close more editorial issues. Remove dependencies on BIND spec. B.3 Since draft-ietf-webdav-redirectref-protocol-04 More editorial fixes. Clarify that MKRESOURCE can only be used to create redirect references (switch to new method in a future draft). Clarify that redirect references do not have bodies. B.4 Since draft-ietf-webdav-redirectref-protocol-05 Close (accept) issue "lc-79-accesscontrol". Add issue "rfc2606-compliance". Close issues "lc-50-blindredirect", "lc-71-relative", "lc-74-terminology". Update contact info for Geoff Clemm. Moved some of the original authors names to new Contributors section. Add and close issue "9-MKRESOURCE-vs-relative-URI". Close issue "lc-72-trailingslash". Close issue "lc-60-ex". Update issue "lc-85-301" with proposal. Close issue "lc-06-reftarget-relative" (9-MKRESOURCE-vs-relative-URI was a duplicate of this one). Also remove section 9.1 (example for MKRESOURCE vs relative URIs). Add and resolve issue "11.2-apply-to-redirect-ref-syntax" (header now has values "T" and "F"). Also some cleanup for "rfc2606-compliance". Typo fixes. Add and resolve "15.1-options-response". B.5 Since draft-ietf-webdav-redirectref-protocol-06 Resolve issues "lc-19-direct-ref", "lc-28-lang", "lc-29-lang", "lc-44-pseudo", "lc-53-s10", "lc-61-pseudo", "lc-63-move", "lc-80-i18n" and "rfc2606-compliance". Start work on index. Add new issue "old_clients". B.6 Since draft-ietf-webdav-redirectref-protocol-07 Closed issue "lc-38-not-hierarchical". Cleaned up DTD fragments in appendix. Close (reject) issues "lc-55-iana" and "lc-41-no-webdav". Whitehead, et al. Expires October 4, 2004 [Page 25] Internet-Draft WebDAV Redirect Reference Resources April 2004 Add issue "5_mkresource" and start work on MKREDIRECTREF (issue closed, but more work on MKREDIRECTREF needs to be done for updates and status codes other than 302). Start resolution of "lc-85-301", replacing "302" by more generic language. Update issue "lc-57-noautoupdate". Close issue "lc-37-integrity" (duplicate of "lc-57-autoupdate"). Started work on "lc-85-301". Add L. Dusseault and S. Eissing to Acknowledgments section. Appendix C. Resolved issues (to be removed by RFC Editor before publication) Issues that were either rejected or resolved in this version of this document. C.1 title Type: edit julian.reschke@greenbytes.de (2004-01-04): Expand "WebDAV" in document title. Resolution: Done (no change tracking). C.2 lc-38-not-hierarchical Type: change yarong@Exchange.Microsoft.com (2000-02-11): Not Hierarchical: The first sentence of the second paragraph of the introduction of the redirect spec asserts that the URIs of WebDAV compliant resources match to collections. The WebDAV standard makes no such requirement. I therefore move that this sentence be stricken. Resolution (2003-11-19): State the more general HTTP rationale first (alternative names for the same resource), then introduce the collection hierarchy rationale, which applies only if you are in a WebDAV-compliant space. C.3 lc-37-integrity Type: change Whitehead, et al. Expires October 4, 2004 [Page 26] Internet-Draft WebDAV Redirect Reference Resources April 2004 yarong@Exchange.Microsoft.com (2000-02-11): Integrity: Intro, para 7 "Servers are not required to enforce the integrity of redirect references." Integrity is not defined. Replace with something clearer. Resolution (2004-01-19): Remove that sentence. Issue will be resolved as part of the resolution of "lc-57-noautoupdate". C.4 5_mkresource Type: change julian.reschke@greenbytes.de (2004-01-04): Umbrella issue for all changes caused by replacing the generic MKRESOURCE method by MKREDIRECTREF. C.5 lc-41-no-webdav Type: change yarong@Exchange.Microsoft.com (2000-02-11): Make redirect references independent of the rest of WebDAV. The creation method for redirect references shouldn't require an XML request body. Resolution (2004-01-04): MKRESOURCE will be replaced by a specific method that doesn't rely on any PROPPATCH semantics, however it will still use XML (see also BIND spec for similar marshalling). C.6 lc-24-properties Type: change reuterj@ira.uka.de (2000-02-07): Section 5.1: Replace the sentence "The properties of the new resource are as specified by the DAV:propertyupdate request body, using PROPPATCH semantics" with the following: "The MKRESOURCE request MAY contain a DAV:propertyupdate request body to initialize resource properties. Herein, the semantics is the same as when sending a MKRESOURCE request without a request body, followed by a PROPPATCH with the DAV:propertyupdate request body." Resolution (2004-01-04): MKRESOURCE will be replaced by simpler/more Whitehead, et al. Expires October 4, 2004 [Page 27] Internet-Draft WebDAV Redirect Reference Resources April 2004 specific method. C.7 lc-55-iana Type: change yarong@Exchange.Microsoft.com (2000-02-11): Expand the IANA section to list all methods, headers, XML elements, MIME types, URL schemes, etc., defined by the spec. Resolution (2004-01-02): Rejected: this section is about registering new spaces of identifiers. See RFC2434. C.8 A_DTD_cleanup Type: change julian.reschke@greenbytes.de (2003-11-18): Cleanup DTD. Appendix D. Open issues (to be removed by RFC Editor prior to publication) D.1 old_clients Type: change julian.reschke@greenbytes.de (2003-11-10): There are (at least) two major design goals, but unfortunately both are in direct contradiction: #1: Maximum consistency with HTTP/1.1 (RFC2616). This means that any request that addresses a redirect reference resource MUST result in a 3xx status code (obviously the whole point is that GET MUST result in a redirection, and if it does, it's hard to say why other methods such as PUT or DELETE should behave differently). Therefore, the redirect reference protocol introduces a new request header ("Apply-To-Redirect-Ref") through which a client can indicate that the request indeed should be applied to the redirect reference resource itself. #2: Maximum usability with existing clients. For instance, the Microsoft Webfolder client will not be able to DELETE a redirect reference resource unless the server deviates from #1. Right now I'm not sure about the best way to resolve this. Currently the spec chooses #1 (back when this decision was made, there was probably the assumption that existing clients would quickly be updated -- Whitehead, et al. Expires October 4, 2004 [Page 28] Internet-Draft WebDAV Redirect Reference Resources April 2004 something that probably isn't true today). However this may result in implementers either just ignoring these rules, or adding special workarounds based on "User Agent" detection. D.2 lc-85-301 Type: change ejw@cse.ucsc.edu (2000-01-03): Support creation of other than 302 redirects, especially 301. julian.reschke@greenbytes.de (2003-10-13): HTTP seems to distinguish the following use cases: (a) permanent redirect (301), (b) temporary redirect (302 or 307), (c) redirect to a GET location after POST (303) and (d) agent-driven negotiation (300). Among these, (a) and (b) seem to be well understood, so we should support both. (c) doesn't seem to be applicable. (d) may become interesting when user agents start supporting it, so the spec should be flexible enough to support a feature extension for that. For now I propose that the client is able to specify the redirection type as a resource type, such as "DAV:permanent-redirect-reference" and "DAV:temporary-redirect-reference". This spec would only define the behaviour for these two resource types and would allow future extensions using new resource types and suggested response codes. Resolution (2004-01-19): Support creation of both permanent (301, optional) and temporary (302, required) redirects. Keep protocol extensible for other types. Make lifetime visible as protected property. D.3 lc-36-server Type: change yarong@Exchange.Microsoft.com (2000-02-11): Servers: Replace "server" with "unrelated system" throughout. Resolution: Try replacing "server" with "host" in some contexts, rephrasing in passive voice in others. See also issue 40. D.4 lc-33-forwarding Type: change yarong@Exchange.Microsoft.com (2000-02-11): Forwarding: Replace "forward" with "redirect" throughout. Resolution: Use "redirect" for the behavior redirect resources do exhibit. Use "forward" for the contrasting behavior (passing a method on to the target with no client action needed). Define these two terms. See also issue 40. D.5 3-terminology-redirectref Type: change julian.reschke@greenbytes.de (2003-07-27): Consider global rename of "redirect reference resource" to "redirect resource". D.6 lc-58-update Type: change yarong@Exchange.Microsoft.com (2000-02-11): There needs to be a way to update the target of a redirect reference. Resolution: Agreed. See also issues 6, 43. D.7 lc-48-s6 Type: change yarong@Exchange.Microsoft.com (2000-02-11): Replace all of section 6 with just this: A redirect resource, upon receiving a request without an Apply-To-Redirect-Ref header, MUST respond with a 302 (Found) response. The 302 (Found) response MUST include a location header identifying the target and a Redirect-Ref header. If a redirect resource receives a request with an Apply-To-Redirect-Ref header then the redirect reference resource MUST apply the method to itself rather than blindly returning a 302 (Found) response. Whitehead, et al. Expires October 4, 2004 [Page 30] Internet-Draft WebDAV Redirect Reference Resources April 2004 Resolution: Keep a summary along the lines of Yaron's proposal (don't use the word "blindly"). Keep the bullets detailing the headers to be returned. Delete the rest, including the examples. See also issue 28, 29, 30, 31, 32. D.8 lc-57-noautoupdate Type: change yarong@Exchange.Microsoft.com (2000-02-11): Add language to forbid servers from automatically updating redirect resources when their targets move. julian.reschke@greenbytes.de (2004-01-05): I don't think we can forbid that. This spec consists of (a) clarifications of how a server that supports redirects should behave for specific WebDAV methods, and (b) extensions to explicitly create them (or to apply a method to the redirect itself). As such, we shouldn't add any requirements that HTTP doesn't add. What we could do is (1) note why auto-update may be a bad idea, and possibly (2) define that redirects created by MKREDIRECTREF should not behave that way (or alternatively define more specific resource types). D.9 12.1-property-name Type: change julian.reschke@greenbytes.de (2003-10-06): Sync names for DAV:reftarget property and "Redirect-Ref" response headers. Whitehead, et al. Expires October 4, 2004 [Page 31] Internet-Draft WebDAV Redirect Reference Resources April 2004 Index A Apply-To-Redirect-Ref header 19 C Condition Names DAV:locked-update-allowed (pre) 8 DAV:name-allowed (pre) 7 DAV:new-redirectref (post) 8 DAV:redirect-lifetime-supported (pre) 8 parent-resource-must-be-non-null (pre) 7 resource-must-be-null (pre) 7 D DAV header compliance class 'redirectrefs' 20 DAV:locked-update-allowed precondition 8 DAV:name-allowed precondition 7 DAV:new-redirectref postcondition 8 DAV:parent-resource-must-be-non-null precondition 7 DAV:redirect-lifetime property 19 DAV:redirect-lifetime-supported precondition 8 DAV:redirectref resource type 20 DAV:reftarget property 20 DAV:resource-must-be-null precondition 7 H Headers Apply-To-Redirect-Ref 19 Redirect-Ref 19 M Methods MKREDIRECTREF 7 MKREDIRECTREF method 7 P Properties DAV:redirect-lifetime 19 DAV:reftarget 20 R Redirect-Ref header 19 Resource Types DAV:redirectref 20 Whitehead, et al. Expires October 4, 2004 [Page 32] Internet-Draft WebDAV Redirect Reference Resources April 2004 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Whitehead, et al. Expires October 4, 2004 [Page 33]