Received: by taz.hyperreal.com (8.6.12/8.6.5) id MAA11530; Fri, 5 Jul 1996 12:12:21 -0700
Received: from madhaus.utcs.utoronto.ca by taz.hyperreal.com (8.6.12/8.6.5) with ESMTP id MAA11491; Fri, 5 Jul 1996 12:12:03 -0700
From: rasmus@madhaus.utcs.utoronto.ca
Received: from rathaus (rathaus [128.100.102.12]) by madhaus.utcs.utoronto.ca (8.7.4/8.7.1) with SMTP id PAA07200 for ; Fri, 5 Jul 1996 15:11:53 -0400 (EDT)
Date: Fri, 5 Jul 1996 15:11:53 -0400 (EDT)
Subject: Re: PUT handler spec?
To: new-httpd@hyperreal.com
In-Reply-To: <199607051844.OAA23000@hershey.ai.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

Seems like a lot of tricks to do what really should be a simple thing.

How about something like:

 - Browser sends a PUT request with a URI
 - Server sees the PUT request and automatically asks for authentication
 - Browser sends authentication username and password
 - Server authenticates through the normal mechanism
     if authenticated, server looks at owner of URI, or if not present,
     the owner of the directory.  If authenticated user does not match
     this owner, FAIL, otherwise, go ahead and replace/create the URI

This would seem to me to be a secure way of doing things. You wouldn't be able to step on other people's files, unless you knew their http authentication password.

Could this not simply be an extension of the existing auth modules?

-Rasmus
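
The owner check proposed in the message above, sketched in C as an added example; it is not part of the original post and not Apache's code. It assumes the HTTP-auth username has already been mapped to a Unix uid (passed as auth_uid); put_allowed and the /tmp demo path are hypothetical names, and refusing non-regular targets is an added precaution.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Decide whether an already-authenticated user may PUT to `path`.
 * Returns 1 to allow, 0 to refuse (FAIL). `auth_uid` is the Unix uid the
 * HTTP-auth username maps to; that mapping is an assumption of this sketch. */
int put_allowed(const char *path, uid_t auth_uid)
{
    struct stat st;
    char parent[4096];

    if (lstat(path, &st) == 0) {
        /* Target exists: only its owner may replace it. Refusing anything
         * but a regular file (symlinks included) is an added precaution. */
        return S_ISREG(st.st_mode) && st.st_uid == auth_uid;
    }
    if (errno != ENOENT)
        return 0;               /* ownership cannot be determined: refuse */

    /* Target absent: fall back to the owner of the containing directory. */
    if (strlen(path) >= sizeof parent)
        return 0;
    strcpy(parent, path);
    if (stat(dirname(parent), &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == auth_uid;
}

/* Constructed demo: a private directory owned by the current user. */
int main(void)
{
    char dir[64], path[128];
    uid_t me = geteuid();
    snprintf(dir, sizeof dir, "/tmp/put_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return 1;
    snprintf(path, sizeof path, "%s/new.html", dir);
    printf("create as directory owner: %d\n", put_allowed(path, me));
    printf("create as another uid:     %d\n", put_allowed(path, me + 1));
    return 0;
}
```

The check and the later write are separate steps, so a server using this would still need to open the target without following symlinks and re-verify ownership on the opened descriptor.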