Mailing-List: contact users-help@jackrabbit.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@jackrabbit.apache.org
Received-SPF: pass (nike.apache.org: local policy)
Message-ID: <474C34BD.9090207@univ-rennes1.fr>
Date: Tue, 27 Nov 2007 16:16:13 +0100
From: Raymond Bourges <raymond.bourges@univ-rennes1.fr>
Reply-To: raymond.bourges@univ-rennes1.fr
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: Slide Users Mailing List <slide-user@jakarta.apache.org>
CC: users@jackrabbit.apache.org, user@commons.apache.org
Subject: Re: The state of WebDAV Clients
References: <14055094.2165211196091755412.JavaMail.servlet@kundenserver>
In-Reply-To: <14055094.2165211196091755412.JavaMail.servlet@kundenserver>
Content-Type: multipart/mixed;
 boundary="------------060203020707040206060400"

--------------060203020707040206060400
Content-Type: multipart/alternative;
 boundary="------------000007020402050806000900"


--------------000007020402050806000900
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi,

About: “Oliver made a fix in Subversion, but there was nobody who could 
release a fixed Slide, either as a minor update to the last Slide 
release years ago, or as a new release of the current code in Subversion.”

In ESUP-Portail project we have made a lot of work over Slide. Perhaps 
because of our poor English we didn’t communicate about this. Sorry.

Slide is used in many universities in France and we make a patch for 
Slide 2.1. You can find it here: 
http://www.esup-portail.org/consortium/espace/Securite/ESUP-2007-AVI-004-COR.zip

It takes the form of a patch of AbstractWebdavMethod Class in order to 
use a special EntityResolver that avoid XML Entity attack. It works on 
LOCK method like Oliver’s patch and with other commands like PROPFIND.

About ESUP-Portail project work over Slide we have:
- Authentication Filter (LDAP, SSO with CAS and Shibboleth)
- Specific Slide stores for groups (uPortal groups and Shibboleth’s 
attributes based groups)
- A Quota for WebDAV (RFC 4331) based on Slide event mechanism

Of course we plan to use Jackrabbit WebDAV server now. But, at this 
time, I don’t know if we can rewrite Slide extension in a jackrabbit 
environment. I just sign on jackrabbit mailing lists.

Jackrabbit seems to be to ACP compliant. I find some information in 
“Coming from Slide...” thread in users mailing list.
But have you some information on how to plug specific WebDAV group 
implementations in Jackrabbit? Is it spring enabled for example?

Thanks a lot.

Some information about ESUP-Portail WebDAV project:
- Web site: http://sourcesup.cru.fr/esup-webdav-srv/current/index.html
- The project site: http://sourcesup.cru.fr/projects/esup-webdav-srv/
- A recent presentation of Shibboleth mechanism: 
http://www.terena.org/activities/eurocamp/november07/slides/bourges-the-shibboleth-enabled-webdav.pdf


ossfwot@dubioso.net a écrit :
> Hello Chris,
>
>   
>> JackRabbit does not currently have a WebDAV client implementation
>> according to this post
>> (http://www.nabble.com/Webdav-Client-Examples--tf4803755.html#a13852979).
>>     
>
> The way I read this post, they have the implementation.
> It is just not released as a separate component.
>
> The released version of the Slide WebDAV client is
> based on HttpClient 2.0, which has been unsupported
> for years. It also includes contrib code from
> HttpClient which was never supported in the first
> place.
>
>   
>> I think it is clear that there is a need for
>> a project like this.
>>     
>
> That is good to know.
>
>   
>> Has there been any though in starting an Apache
>> Commons project to provide WebDAV support?
>>     
>
> Not as a Commons project, but it was discussed
> as a part of HttpComponents. The most recent
> discussion took place on general@jakarta:
> http://www.nabble.com/-discuss--Slide-%2B-HttpComponents-%3D%3E-TLP-tf4207242.html
>
> We made sure that the scope of the new
> HttpComponents TLP allows for releasing
> a WebDAV client, whether that is based on
> Slide or Jackrabbit or something else. But
> projects depend on volunteers to do the work.
>
>   
>> My understanding was that the Slide client was
>> stable and would probably provide a good starting
>> point for a WebDAV client.
>>     
>
> It has no unit tests, no developer community,
> and is based on an HttpClient API scheduled
> for replacement. The Jackrabbit WebDAV client
> is also based on an HttpClient API scheduled
> for replacement, but it has a developer community.
> I don't know about their unit tests.
>
>   
>> For more information on my WebDAV research see this post:
>> http://pragmaticchris.blogspot.com/2007/11/java-webdav-clients.html
>>     
>
> Thanks for the pointers. I may post a comment on
> your blog later this week. For now: we did not retire 
> Slide because Jackrabbit is a perfect replacement.
> We retired Slide because it had no developer
> community that could address a security vulnerability:
> http://www.nabble.com/Warning%3A-Security-Bug-in-Slide-tf4736066.html
>
> Oliver made a fix in Subversion, but there was
> nobody who could release a fixed Slide, either
> as a minor update to the last Slide release years
> ago, or as a new release of the current code in
> Subversion. Projects that cannot address security
> vulnerabilities need to be retired. This does not
> depend on the availability of an alternative. It
> depends only on the availability of a developer
> community.
>
> Users of the current Slide codebase are welcome
> to fork and support the code. They are even more
> welcome to form a new project to move away from
> the HttpClient 2.x/3.x API. I'm willing to invest
> some effort into that next year, after we've
> completed the HttpComponents move to TLP. But
> at the moment, I don't see too many people working
> on a WebDAV client. If you know any, please send
> them our way :-) The best starting point for now
> would be the Jackrabbit client code that is just
> waiting for somebody to release it.
>
> Of course you can always continue to use the
> Slide WebDAV client. There wasn't much support
> for some time, so the situation didn't really
> change by the retirement. It is now just obvious
> to anybody that the code is unsupported.
>
> cheers,
>   Roland
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: slide-user-help@jakarta.apache.org
>
>   


--------------000007020402050806000900
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
About: “Oliver made a fix in Subversion, but there was nobody who could
release a fixed Slide, either as a minor update to the last Slide
release years ago, or as a new release of the current code in
Subversion.”<br>
<br>
In ESUP-Portail project we have made a lot of work over Slide. Perhaps
because of our poor English we didn’t communicate about this. Sorry.<br>
<br>
Slide is used in many universities in France and we make a patch for
Slide 2.1. You can find it here:
<a class="moz-txt-link-freetext" href="http://www.esup-portail.org/consortium/espace/Securite/ESUP-2007-AVI-004-COR.zip">http://www.esup-portail.org/consortium/espace/Securite/ESUP-2007-AVI-004-COR.zip</a><br>
<br>
It takes the form of a patch of AbstractWebdavMethod Class in order to
use a special EntityResolver that avoid XML Entity attack. It works on
LOCK method like Oliver’s patch and with other commands like PROPFIND.<br>
<br>
About ESUP-Portail project work over Slide we have:<br>
- Authentication Filter (LDAP, SSO with CAS and Shibboleth)<br>
- Specific Slide stores for groups (uPortal groups and Shibboleth’s
attributes based groups)<br>
- A Quota for WebDAV (RFC 4331) based on Slide event mechanism<br>
<br>
Of course we plan to use Jackrabbit WebDAV server now. But, at this
time, I don’t know if we can rewrite Slide extension in a jackrabbit
environment. I just sign on jackrabbit mailing lists. <br>
<br>
Jackrabbit seems to be to ACP compliant. I find some information in
“Coming from Slide...” thread in users mailing list.<br>
But have you some information on how to plug specific WebDAV group
implementations in Jackrabbit? Is it spring enabled for example?<br>
<br>
Thanks a lot.<br>
<br>
Some information about ESUP-Portail WebDAV project:<br>
- Web site: <a class="moz-txt-link-freetext" href="http://sourcesup.cru.fr/esup-webdav-srv/current/index.html">http://sourcesup.cru.fr/esup-webdav-srv/current/index.html</a><br>
- The project site: <a class="moz-txt-link-freetext" href="http://sourcesup.cru.fr/projects/esup-webdav-srv/">http://sourcesup.cru.fr/projects/esup-webdav-srv/</a><br>
- A recent presentation of Shibboleth mechanism:
<a class="moz-txt-link-freetext" href="http://www.terena.org/activities/eurocamp/november07/slides/bourges-the-shibboleth-enabled-webdav.pdf">http://www.terena.org/activities/eurocamp/november07/slides/bourges-the-shibboleth-enabled-webdav.pdf</a><br>
<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:ossfwot@dubioso.net">ossfwot@dubioso.net</a> a écrit :
<blockquote
 cite="mid:14055094.2165211196091755412.JavaMail.servlet@kundenserver"
 type="cite">
  <pre wrap="">Hello Chris,

  </pre>
  <blockquote type="cite">
    <pre wrap="">JackRabbit does not currently have a WebDAV client implementation
according to this post
(<a class="moz-txt-link-freetext" href="http://www.nabble.com/Webdav-Client-Examples--tf4803755.html#a13852979">http://www.nabble.com/Webdav-Client-Examples--tf4803755.html#a13852979</a>).
    </pre>
  </blockquote>
  <pre wrap=""><!---->
The way I read this post, they have the implementation.
It is just not released as a separate component.

The released version of the Slide WebDAV client is
based on HttpClient 2.0, which has been unsupported
for years. It also includes contrib code from
HttpClient which was never supported in the first
place.

  </pre>
  <blockquote type="cite">
    <pre wrap="">I think it is clear that there is a need for
a project like this.
    </pre>
  </blockquote>
  <pre wrap=""><!---->
That is good to know.

  </pre>
  <blockquote type="cite">
    <pre wrap="">Has there been any though in starting an Apache
Commons project to provide WebDAV support?
    </pre>
  </blockquote>
  <pre wrap=""><!---->
Not as a Commons project, but it was discussed
as a part of HttpComponents. The most recent
discussion took place on general@jakarta:
<a class="moz-txt-link-freetext" href="http://www.nabble.com/-discuss--Slide-%2B-HttpComponents-%3D%3E-TLP-tf4207242.html">http://www.nabble.com/-discuss--Slide-%2B-HttpComponents-%3D%3E-TLP-tf4207242.html</a>

We made sure that the scope of the new
HttpComponents TLP allows for releasing
a WebDAV client, whether that is based on
Slide or Jackrabbit or something else. But
projects depend on volunteers to do the work.

  </pre>
  <blockquote type="cite">
    <pre wrap="">My understanding was that the Slide client was
stable and would probably provide a good starting
point for a WebDAV client.
    </pre>
  </blockquote>
  <pre wrap=""><!---->
It has no unit tests, no developer community,
and is based on an HttpClient API scheduled
for replacement. The Jackrabbit WebDAV client
is also based on an HttpClient API scheduled
for replacement, but it has a developer community.
I don't know about their unit tests.

  </pre>
  <blockquote type="cite">
    <pre wrap="">For more information on my WebDAV research see this post:
<a class="moz-txt-link-freetext" href="http://pragmaticchris.blogspot.com/2007/11/java-webdav-clients.html">http://pragmaticchris.blogspot.com/2007/11/java-webdav-clients.html</a>
    </pre>
  </blockquote>
  <pre wrap=""><!---->
Thanks for the pointers. I may post a comment on
your blog later this week. For now: we did not retire 
Slide because Jackrabbit is a perfect replacement.
We retired Slide because it had no developer
community that could address a security vulnerability:
<a class="moz-txt-link-freetext" href="http://www.nabble.com/Warning%3A-Security-Bug-in-Slide-tf4736066.html">http://www.nabble.com/Warning%3A-Security-Bug-in-Slide-tf4736066.html</a>

Oliver made a fix in Subversion, but there was
nobody who could release a fixed Slide, either
as a minor update to the last Slide release years
ago, or as a new release of the current code in
Subversion. Projects that cannot address security
vulnerabilities need to be retired. This does not
depend on the availability of an alternative. It
depends only on the availability of a developer
community.

Users of the current Slide codebase are welcome
to fork and support the code. They are even more
welcome to form a new project to move away from
the HttpClient 2.x/3.x API. I'm willing to invest
some effort into that next year, after we've
completed the HttpComponents move to TLP. But
at the moment, I don't see too many people working
on a WebDAV client. If you know any, please send
them our way :-) The best starting point for now
would be the Jackrabbit client code that is just
waiting for somebody to release it.

Of course you can always continue to use the
Slide WebDAV client. There wasn't much support
for some time, so the situation didn't really
change by the retirement. It is now just obvious
to anybody that the code is unsupported.

cheers,
  Roland

---------------------------------------------------------------------
To unsubscribe, e-mail: <a class="moz-txt-link-abbreviated" href="mailto:slide-user-unsubscribe@jakarta.apache.org">slide-user-unsubscribe@jakarta.apache.org</a>
For additional commands, e-mail: <a class="moz-txt-link-abbreviated" href="mailto:slide-user-help@jakarta.apache.org">slide-user-help@jakarta.apache.org</a>

  </pre>
</blockquote>
<br>
</body>
</html>

--------------000007020402050806000900--

--------------060203020707040206060400--