Re: The state of WebDAV Clients
Raymond Bourges <raymond.bourges <at> univ-rennes1.fr>
2007-11-27 15:16:13 GMT
Hi,
About: “Oliver made a fix in Subversion, but there was nobody who could
release a fixed Slide, either as a minor update to the last Slide
release years ago, or as a new release of the current code in
Subversion.”
In ESUP-Portail project we have made a lot of work over Slide. Perhaps
because of our poor English we didn’t communicate about this. Sorry.
Slide is used in many universities in France and we make a patch for
Slide 2.1. You can find it here:
http://www.esup-portail.org/consortium/espace/Securite/ESUP-2007-AVI-004-COR.zip
It takes the form of a patch of AbstractWebdavMethod Class in order to
use a special EntityResolver that avoid XML Entity attack. It works on
LOCK method like Oliver’s patch and with other commands like PROPFIND.
About ESUP-Portail project work over Slide we have:
- Authentication Filter (LDAP, SSO with CAS and Shibboleth)
- Specific Slide stores for groups (uPortal groups and Shibboleth’s
attributes based groups)
- A Quota for WebDAV (RFC 4331) based on Slide event mechanism
Of course we plan to use Jackrabbit WebDAV server now. But, at this
time, I don’t know if we can rewrite Slide extension in a jackrabbit
environment. I just sign on jackrabbit mailing lists.
Jackrabbit seems to be to ACP compliant. I find some information in
“Coming from Slide...” thread in users mailing list.
But have you some information on how to plug specific WebDAV group
implementations in Jackrabbit? Is it spring enabled for example?
Thanks a lot.
Some information about ESUP-Portail WebDAV project:
- Web site:
http://sourcesup.cru.fr/esup-webdav-srv/current/index.html
- The project site:
http://sourcesup.cru.fr/projects/esup-webdav-srv/
- A recent presentation of Shibboleth mechanism:
http://www.terena.org/activities/eurocamp/november07/slides/bourges-the-shibboleth-enabled-webdav.pdfossfwot <at> dubioso.net a écrit :
Hello Chris,
JackRabbit does not currently have a WebDAV client implementation
according to this post
(http://www.nabble.com/Webdav-Client-Examples--tf4803755.html#a13852979).
The way I read this post, they have the implementation.
It is just not released as a separate component.
The released version of the Slide WebDAV client is
based on HttpClient 2.0, which has been unsupported
for years. It also includes contrib code from
HttpClient which was never supported in the first
place.
I think it is clear that there is a need for
a project like this.
That is good to know.
Has there been any though in starting an Apache
Commons project to provide WebDAV support?
Not as a Commons project, but it was discussed
as a part of HttpComponents. The most recent
discussion took place on general <at> jakarta:
http://www.nabble.com/-discuss--Slide-%2B-HttpComponents-%3D%3E-TLP-tf4207242.html
We made sure that the scope of the new
HttpComponents TLP allows for releasing
a WebDAV client, whether that is based on
Slide or Jackrabbit or something else. But
projects depend on volunteers to do the work.
My understanding was that the Slide client was
stable and would probably provide a good starting
point for a WebDAV client.
It has no unit tests, no developer community,
and is based on an HttpClient API scheduled
for replacement. The Jackrabbit WebDAV client
is also based on an HttpClient API scheduled
for replacement, but it has a developer community.
I don't know about their unit tests.
For more information on my WebDAV research see this post:
http://pragmaticchris.blogspot.com/2007/11/java-webdav-clients.html
Thanks for the pointers. I may post a comment on
your blog later this week. For now: we did not retire
Slide because Jackrabbit is a perfect replacement.
We retired Slide because it had no developer
community that could address a security vulnerability:
http://www.nabble.com/Warning%3A-Security-Bug-in-Slide-tf4736066.html
Oliver made a fix in Subversion, but there was
nobody who could release a fixed Slide, either
as a minor update to the last Slide release years
ago, or as a new release of the current code in
Subversion. Projects that cannot address security
vulnerabilities need to be retired. This does not
depend on the availability of an alternative. It
depends only on the availability of a developer
community.
Users of the current Slide codebase are welcome
to fork and support the code. They are even more
welcome to form a new project to move away from
the HttpClient 2.x/3.x API. I'm willing to invest
some effort into that next year, after we've
completed the HttpComponents move to TLP. But
at the moment, I don't see too many people working
on a WebDAV client. If you know any, please send
them our way 
The best starting point for now
would be the Jackrabbit client code that is just
waiting for somebody to release it.
Of course you can always continue to use the
Slide WebDAV client. There wasn't much support
for some time, so the situation didn't really
change by the retirement. It is now just obvious
to anybody that the code is unsupported.
cheers,
Roland
---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe <at> jakarta.apache.org
For additional commands, e-mail: slide-user-help <at> jakarta.apache.org
RSS Feed