1
votes

I am implementing a webdav server and have one question regarding opaquelocktoken:

Is it correct that

  1. everybody who knows the opaquelocktoken has write access, e.g. can unlock or delete the resource?
  2. propfind will show the opaquelocktoken to everybody?

I have tested the following scenario with the tomcat webdav implementation:

  I) I lock a resource by netcat; lock owner is "netcat"
  II) I retrieve the lock properties for the resource with DAVExplorer
  III) I try to delete the resource with DAVExplorer

=> It works.

The DAVExplorer sent the following requests.

  • DELETE without opaquelocktoken ==> 423 Locked
  • PROPFIND for lockdiscovery => opaquelocktoken was delivered
  • DELETE with opaquelocktoken => 204 No Content

One more piece of information: I have no authentication active. Is this the reason why a client has write access to a resource that was locked by another client?


1 Answer

2
votes

a) Locking is for coordinating (serializing) access; not for access control. See RFC 3744 for the WebDAV ACL spec. So yes, in absence of other access controls the lock token will be sufficient.

b) And no, PROPFIND doesn't need to reveal the lock token; whether it does or not is implementation-specific.
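To make both points concrete, here is an added example (not code from the question, Tomcat or DAVExplorer) that models a WebDAV lock store in memory and replays the exchange from the question: LOCK issues an opaquelocktoken, DELETE without the token gets 423, PROPFIND lockdiscovery hands the token out, and DELETE with the token in an `If` header gets 204. A second scenario shows what the answer's distinction means in practice: the store can be told to withhold the token from non-owners in lockdiscovery (which RFC 4918 permits) and, as an added hardening assumption standing in for RFC 3744 ACL privileges, to refuse writes from a principal other than the one that created the lock even when the token is correct. The `LockStore` class, its constructor flags and the `principal` argument are all constructed for this illustration.

```python
"""In-memory model of WebDAV locking for the question's scenario.
Constructed example: not the code of Tomcat, DAVExplorer or any server.
The 'principal' ownership check is an added hardening assumption that
stands in for RFC 3744 ACL privileges; RFC 4918 alone only requires the
lock token to be submitted."""
import re
import uuid

OK, NO_CONTENT, FORBIDDEN, LOCKED = 200, 204, 403, 423
# Tokens in an If header appear as (<opaquelocktoken:...>), possibly tagged.
IF_TOKEN = re.compile(r"<(opaquelocktoken:[^>]+)>")
# Tokens in a lockdiscovery body appear inside <D:locktoken><D:href>...</D:href>.
HREF_TOKEN = re.compile(r"<D:href>(opaquelocktoken:[^<]+)</D:href>")


class LockStore:
    def __init__(self, enforce_ownership=False, reveal_token_to_all=True):
        self.locks = {}  # path -> {"token", "owner", "principal"}
        self.enforce_ownership = enforce_ownership
        self.reveal_token_to_all = reveal_token_to_all

    def lock(self, path, owner, principal):
        # RFC 4918 requires lock tokens to be UUID URNs; the scheme name
        # "opaquelocktoken" is what the question's clients exchanged.
        token = f"opaquelocktoken:{uuid.uuid4()}"
        self.locks[path] = {"token": token, "owner": owner, "principal": principal}
        return OK, token

    def propfind_lockdiscovery(self, path, principal):
        lock = self.locks.get(path)
        if lock is None:
            return OK, "<D:lockdiscovery/>"
        # Withholding the token from non-owners is allowed by RFC 4918 and is
        # an implementation choice, as the answer says.
        show = self.reveal_token_to_all or lock["principal"] == principal
        href = f"<D:locktoken><D:href>{lock['token']}</D:href></D:locktoken>" if show else ""
        return OK, f"<D:activelock><D:owner>{lock['owner']}</D:owner>{href}</D:activelock>"

    def _write_allowed(self, path, if_header, principal):
        lock = self.locks.get(path)
        if lock is None:
            return OK
        if lock["token"] not in IF_TOKEN.findall(if_header or ""):
            return LOCKED  # no (valid) token submitted
        if self.enforce_ownership and lock["principal"] != principal:
            return FORBIDDEN  # token known, but caller is not the lock creator
        return OK

    def delete(self, path, if_header=None, principal=None):
        status = self._write_allowed(path, if_header, principal)
        if status != OK:
            return status
        self.locks.pop(path, None)
        return NO_CONTENT


def replay_question_scenario():
    """No authentication: every client is the same anonymous principal."""
    srv = LockStore()
    _, token = srv.lock("/doc.txt", owner="netcat", principal=None)
    without_token = srv.delete("/doc.txt")  # DAVExplorer's first attempt
    _, body = srv.propfind_lockdiscovery("/doc.txt", principal=None)
    found = HREF_TOKEN.findall(body)
    with_token = srv.delete("/doc.txt", if_header=f"(<{found[0]}>)") if found else None
    return {"delete_without_token": without_token,
            "token_revealed": found == [token],
            "delete_with_token": with_token}


def hardened_scenario():
    """Authenticated principals plus the ownership check (assumption)."""
    srv = LockStore(enforce_ownership=True, reveal_token_to_all=False)
    _, token = srv.lock("/doc.txt", owner="alice-client", principal="alice")
    _, body = srv.propfind_lockdiscovery("/doc.txt", principal="bob")
    # Even if bob learned the token some other way, the ownership check holds.
    bob = srv.delete("/doc.txt", if_header=f"(<{token}>)", principal="bob")
    alice = srv.delete("/doc.txt", if_header=f"(<{token}>)", principal="alice")
    return {"token_revealed_to_other": bool(HREF_TOKEN.findall(body)),
            "other_delete_with_token": bob,
            "owner_delete_with_token": alice}


if __name__ == "__main__":
    print(replay_question_scenario())
    print(hardened_scenario())
```

The first function reproduces the question's three observations exactly (423, token delivered, 204); the second shows that only an authenticated principal tied to the lock, not the token itself, turns the lock into something resembling access control.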