Hi,

About: “Oliver made a fix in Subversion, but there was nobody who could release a fixed Slide, either as a minor update to the last Slide release years ago, or as a new release of the current code in Subversion.”

In ESUP-Portail project we have made a lot of work over Slide. Perhaps because of our poor English we didn’t communicate about this. Sorry.

Slide is used in many universities in France and we make a patch for Slide 2.1. You can find it here: http://www.esup-portail.org/consortium/espace/Securite/ESUP-2007-AVI-004-COR.zip

It takes the form of a patch of AbstractWebdavMethod Class in order to use a special EntityResolver that avoid XML Entity attack. It works on LOCK method like Oliver’s patch and with other commands like PROPFIND.

About ESUP-Portail project work over Slide we have:
- Authentication Filter (LDAP, SSO with CAS and Shibboleth)
- Specific Slide stores for groups (uPortal groups and Shibboleth’s attributes based groups)
- A Quota for WebDAV (RFC 4331) based on Slide event mechanism

Of course we plan to use Jackrabbit WebDAV server now. But, at this time, I don’t know if we can rewrite Slide extension in a jackrabbit environment. I just sign on jackrabbit mailing lists.

Jackrabbit seems to be to ACP compliant. I find some information in “Coming from Slide...” thread in users mailing list.
But have you some information on how to plug specific WebDAV group implementations in Jackrabbit? Is it spring enabled for example?

Thanks a lot.

Some information about ESUP-Portail WebDAV project:
- Web site: http://sourcesup.cru.fr/esup-webdav-srv/current/index.html
- The project site: http://sourcesup.cru.fr/projects/esup-webdav-srv/
- A recent presentation of Shibboleth mechanism: http://www.terena.org/activities/eurocamp/november07/slides/bourges-the-shibboleth-enabled-webdav.pdf


ossfwot <at> dubioso.net a écrit :

Hello Chris,

JackRabbit does not currently have a WebDAV client implementation according to this post (http://www.nabble.com/Webdav-Client-Examples--tf4803755.html#a13852979).

The way I read this post, they have the implementation. It is just not released as a separate component. The released version of the Slide WebDAV client is based on HttpClient 2.0, which has been unsupported for years. It also includes contrib code from HttpClient which was never supported in the first place.

I think it is clear that there is a need for a project like this.

That is good to know.

Has there been any though in starting an Apache Commons project to provide WebDAV support?

Not as a Commons project, but it was discussed as a part of HttpComponents. The most recent discussion took place on general <at> jakarta: http://www.nabble.com/-discuss--Slide-%2B-HttpComponents-%3D%3E-TLP-tf4207242.html We made sure that the scope of the new HttpComponents TLP allows for releasing a WebDAV client, whether that is based on Slide or Jackrabbit or something else. But projects depend on volunteers to do the work.

My understanding was that the Slide client was stable and would probably provide a good starting point for a WebDAV client.

It has no unit tests, no developer community, and is based on an HttpClient API scheduled for replacement. The Jackrabbit WebDAV client is also based on an HttpClient API scheduled for replacement, but it has a developer community. I don't know about their unit tests.

For more information on my WebDAV research see this post: http://pragmaticchris.blogspot.com/2007/11/java-webdav-clients.html

Thanks for the pointers. I may post a comment on your blog later this week. For now: we did not retire Slide because Jackrabbit is a perfect replacement. We retired Slide because it had no developer community that could address a security vulnerability: http://www.nabble.com/Warning%3A-Security-Bug-in-Slide-tf4736066.html Oliver made a fix in Subversion, but there was nobody who could release a fixed Slide, either as a minor update to the last Slide release years ago, or as a new release of the current code in Subversion. Projects that cannot address security vulnerabilities need to be retired. This does not depend on the availability of an alternative. It depends only on the availability of a developer community. Users of the current Slide codebase are welcome to fork and support the code. They are even more welcome to form a new project to move away from the HttpClient 2.x/3.x API. I'm willing to invest some effort into that next year, after we've completed the HttpComponents move to TLP. But at the moment, I don't see too many people working on a WebDAV client. If you know any, please send them our way The best starting point for now would be the Jackrabbit client code that is just waiting for somebody to release it. Of course you can always continue to use the Slide WebDAV client. There wasn't much support for some time, so the situation didn't really change by the retirement. It is now just obvious to anybody that the code is unsupported. cheers, Roland --------------------------------------------------------------------- To unsubscribe, e-mail: slide-user-unsubscribe <at> jakarta.apache.org For additional commands, e-mail: slide-user-help <at> jakarta.apache.org