Add WAC-Allow definition and requirements #210

Merged: 8 commits, Nov 27, 2020
Changes from 2 commits
42 changes: 36 additions & 6 deletions main/authorization.bs
@@ -3,12 +3,14 @@ Authorization {#authorization}

## Web Access Control ## {#web-access-control}

Web Access Control (WAC) is a decentralized cross-domain access control
system. The WAC mechanism is concerned with giving access to agents denoted by
a [[#webid]] to perform various kinds of read-write operations on resources
identified by URLs. The Access Control List (ACL) vocabulary is used to
describe authorization policies about authorized agents with modes of access
on target resources.
Web Access Control (<abbr title="Web Access Control">WAC</abbr>) is a
decentralized cross-domain access control system. The WAC mechanism is
concerned with giving access to agents denoted by a [[#webid]] to perform
various kinds of read-write operations on resources identified by URLs. The
<cite><a href="http://www.w3.org/ns/auth/acl">Access Control List</a></cite>
(<abbr title="Access Control List">ACL</abbr>) ontology is used to describe
authorization policies about authorized agents with modes of access on target
resources.

Servers MUST conform to the Web Access Control specification [[!WAC]].

@@ -19,3 +21,31 @@ the HTTP `Link` header with a `rel` value of `acl` [[#acl]].
In the event that a server can't apply an ACL to a resource, it MUST deny
access.
[[Source](https://github.com/solid/specification/issues/130#issue-532777017)]

Servers exposing client's access privileges on a resource URL MUST advertise
by including the `WAC-Allow` HTTP header in the response of HTTP `HEAD` and
`GET` requests.

The syntax for `WAC-Allow`, using the ABNF syntax is:

```
WAC-Allow = "WAC-Allow" ":" OWS permissions OWS
permissions = user-permissions OWS "," OWS public-permissions
user-permissions = "user=" quoted-access-modes
public-permissions = "public=" quoted-access-modes
quoted-access-modes = DQUOTE *( access-modes / SP ) DQUOTE
access-modes = "read" / "write" / "append" / "control"
OWS = *( SP / HTAB )
```

The `access-modes` corresponds to the modes of access (`acl:Read`,
`acl:Write`, `acl:Append`, `acl:Control`) as defined in the ACL ontology.

Clients can discover their access privileges on a resource by making an HTTP
`HEAD` or `GET` request on the target URL, and checking the `WAC-Allow` HTTP
header value for `user` and `public` paramaters listing the allowed access
modes.

[[Source](https://github.com/solid/specification/issues/171)]
[[Source](https://github.com/solid/specification/issues/170)]
[[Source](https://github.com/solid/specification/issues/181)]
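Review bot: the `quoted-access-modes = DQUOTE *( access-modes / SP ) DQUOTE` rule is looser than the intent: it admits `""`, `"   "`, `"readwrite"` (two modes with no separator) and leading or trailing spaces, so a parser generated from this grammar will accept values that implementations will not agree on. Suggest `quoted-access-modes = DQUOTE [ access-mode *( SP access-mode ) ] DQUOTE` with the rule renamed to the singular `access-mode`, and say explicitly whether the empty list `""` (no access) is a valid value, since clients have to distinguish "no permissions" from "header absent". Two smaller grammar points: the first rule `WAC-Allow = "WAC-Allow" ":" OWS permissions OWS` defines the whole header field rather than the field-value, which is not how HTTP field ABNF is conventionally written (per-field grammars give the field-value only), and `DQUOTE`, `SP` and `HTAB` are used without noting that they are RFC 5234 core rules. In the prose, "Servers exposing client's access privileges on a resource URL MUST advertise" reads as circular (servers that expose must expose); state the condition under which the header MUST be present, for example on every `HEAD` and `GET` response for a resource governed by WAC, rather than qualifying the requirement by the behaviour it mandates. Also "paramaters" in the discovery paragraph is a typo for "parameters".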