Using Cams with WebDAV

WebDAV is an abbreviation for Web-based Distributed Authoring and Versioning, a set of extensions to the Hypertext Transfer Protocol (HTTP 1.1) which allows users to collaboratively edit and manage files on remote World Wide Web servers. The group of developers responsible for these extensions was also known by the same name and was a working group of the Internet Engineering Task Force (IETF). For more information on the history and goals of WebDAV, please visit the following sites:

• WebDAV on Wikipedia
• RFC 4918: HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)

This document provides instructions for configuring Cams to work with WebDAV services hosted under various web and application server environments. Not all web agents will currently work in environments where WebDAV is used, so read the following documention carefully and contact Cafésoft support if you have any questions.

Cams WebDAV Requirements

Cams support for WebDAV was added at the specified version for the following Cams components:

Table 1 - Cams component versions supporting/not supporting WebDAV

Note that some agents don't currently work in environments where WebDAV is used, usually because they are not compatible with settings for native HTTP authentication (HTTP Basic or Digest authentication). These problems will be eliminated and Cams configuration will be simplified when support for HTTP Basic and Digest authentication are supported directly by Cams. If you don't see the web agent for your environment, please check the latest release notes for your web agent or contact Cafésoft support.

In addition, you may need to install/enable and configure the WebDAV services for your web/application server environment. The remainder of this document provides instructions for creating a WebDAV compatible Cams access control policy and configuring native WebDAV option to work in conjunction with Cams to protect your site.

Cams WebDAV Security Considerations

The primary issues related to Cams WebDAV security configuration are:

1. Your Cams site is probably configured with form-based authentication. Users accessing your site with a normal web browser for which authentication is required are redirected to your configured Cams login page.
2. Popular WebDAV clients like Adobe/Dreamweaver, Microsoft FrontPage, etc. don't support form-based authentication, they support HTTP Basic, HTTP Digest, and perhaps other types of authentication. Consequently, your Cams access control policy must not attempt to redirect WebDAV clients to a login form.
3. WebDAV clients use HTTP request methods like: PROPFIND, PROPATCH, MKCOL, COPY, MOVE, etc. that normal web clients don't, but both client types are likely to use the GET method.
4. Unless you are working in an unusually trusting environment, you'll want to ensure that users of both client types are properly authenticated: normal browser users with form-based login and WebDAV users with HTTP Basic or Digest authentication.

To complicate matters somewhat, Cams does not currently support HTTP Basic or Digest authentication, so you'll need to configure that in your web server environment such that it is compatible with your Cams access control policy. The following sections provide details on supported configuration approaches.

Cams WebDAV Configuration

The key issue when configuring your Cams-protected site to support WebDAV is to enable form-based login for normal HTTP clients and HTTP Basic or HTTP Digest authentication for WebDAV clients. At present, the following configuration approaches are supported:

• Distinguish client type based on URL path - normal web browser clients access your site's files using a URL that starts like: https://www.mysite.com/, and WebDAV clients access your site using a URL that starts like: https://www.mysite.com/dav/. Your Cams access control policy uses the path to limit access based on network address or /IP address or some other constraint. The web server is configured to require HTTP Basic or Digest authentication for the WebDAV path.
• Distinguish client type based on web virtual host - a separate web server virtual host is setup for access by WebDAV clients and your Cams access control policy uses the web server virtual host to limit access based on network address/IP address or some other constraint. The web server is configured to require HTTP Basic or Digest authentication for access to the WebDAV virtual host.

From a Cams perspective, the principle for supporting WebDAV is the same: apply different access control rules for normal web browser users and WebDAV client users.

Cams/WebDAV Support using URL path

The high level configuration steps include:

1. Configure your Cams access control policy for the WebDAV specific path.
2. Configure your web server to authenticate WebDAV clients for that path.

Step 1 is shown in Example 1 and uses the example WebDAV specific pattern "/dav/*". Use the appropriate path for your environment. Find the details for step 2 in the web server and agent specific documentation at the end of this document.

<access-control-policy ...>
	
	<!-- HTTP/HTTPS Resource Permissions -->
	<permission-collection type="http" desc="HTTP/HTTPS permissions"
   ...
      <!-- Permission for the path used by WebDAV clients -->
      <permission desc="WebDAV Requests" actions="">
         <resource-pattern id="*://*:*/dav/*"/>
         <acr-ref id="WebDAV Client Rule"/>
      </permission>
   ...
   </permission-collection>

	<!-- Access Control Rule Library -->
   <acr-lib>
   ...
      <!-- Limit WebDAV Clients to access from the local area network
            NOTE: web server-specific authentication is configured at the web server -->
      <host-acr id="WebDAV Client Rule">
         <allow-address>
            <address>192.168.0.*</address>
         </allow-address>
      </host-acr>
   ...
   </acr-lib>

</access-control-policy>

Example 1 - Sample permission and access control rule for a virtual host used by WebDAV clients

Cams/WebDAV Support using Multiple Virtual Hosts

The high level configuration steps include:

1. Configure your Cams access control policy for the WebDAV virtual host.
2. Configure your web server virtual hosts and authentication for WebDAV clients.

Step 1 is shown in Example 2 and uses the example WebDAV specific virtual host "webdav.mysite.com". Use the appropriate virtual host for your environment. Find the details for step 2 in the web server and agent specific documentation at the end of this document.

<access-control-policy ...>
	
	<!-- HTTP/HTTPS Resource Permissions -->
	<permission-collection type="http" desc="HTTP/HTTPS permissions"
   ...
      <!-- Permission for the virtual host used by WebDAV clients -->
      <permission desc="WebDAV Requests" actions="">
         <resource-pattern id="*://webdav.mysite.com:*/*"/>
         <acr-ref id="WebDAV Client Rule"/>
      </permission>
   ...
   </permission-collection>

	<!-- Access Control Rule Library -->
   <acr-lib>
   ...
      <!-- Limit WebDAV Clients to access from the local area network
            NOTE: web server-specific authentication is configured at the web server -->
      <host-acr id="WebDAV Client Rule">
         <allow-address>
            <address>192.168.0.*</address>
         </allow-address>
      </host-acr>
   ...
   </acr-lib>

</access-control-policy>

Example 2 - Sample permission and access control rule for a virtual host used by WebDAV clients

Using the Apache 2.0 and Apache 2.2 Web Agents with WebDAV

Example configuration directives for the two supported Cams/WebDAV integration approaches are presented.

Apache 2.0 and Apache 2.2 Alias/Location and Authentication Configuration

Apache 2.0 and Apache 2.2 are similar when it comes to path (location) and authentication configuration. Please reference the following Apache documents for complete details:

• Apache 2.0 Location configuration, Apache 2.0 Authentication
• Apache 2.2 Location configuration, Apache 2.2 Authentication

Example 3 shows simple Apache 2.0/2.2 configuration directives for Location-specific authentication configuration. If your server name is www.mysite.com, then normal web browsers clients will access the site with a URL starting with: http://www.mysite.com/ and WebDAV clients will access the site via a URL like: https://www.mysite.com/dav/. The /dav Alias maps to the desired document root directory and the Location enables WebDAV and HTTP basic authentication configured. NOTE: To avoid exposing your WebDAV client password, you should connect only via SSL. Also, AuthType digest is preferred if supported by your WebDAV client.

...


DAVLockDB /tmp/dav_lockdb
Alias /dav htdocs
<Location /dav>
  Dav On
  AuthType basic
  AuthName DAV
  AuthUserFile user.passwd
  <LimitExcept>
     require user webdav
  </LimitExcept>
</Location>

...

Example 3 - Sample Apache 2.0/2.2 Alias/Location configuration with authentication configured for the WebDAV host

Apache 2.0 and Apache 2.2 Virtual Host and Authentication Configuration

Apache 2.0 and Apache 2.2 are for the most part identical when it comes to virtual host and authentication configuration. Please reference the following Apache documents for complete details:

• Apache 2.0 Virtual Host configuration, Apache 2.0 Authentication
• Apache 2.2 Virtual Host configuration, Apache 2.2 Authentication

Example 4 shows simple Apache 2.0/2.2 configuration directives for virtual hosts named www.mysite.com and webdav.mysite.com. Note that both virtual hosts use the same document root, however webdav.mysite.com vrequires that clients authenticate as a user named "webdav" using the HTTP Basic authentication type. AuthType digest is preferred if supported by your WebDAV client.

...


NameVirtualHost *:80
NameVirtualHost *:443


<VirtualHost *:80 *:443>
   ServerName www.mysite.com
   ServerAlias mysite.com
   DocumentRoot htdocs
</VirtualHost>

<VirtualHost *:80 *:443>
   ServerName webdav.mysite.com
   DocumentRoot htdocs

   DAVLockDB /tmp/dav_lockdb
   <Location />
     Dav On
     AuthType basic
     AuthName DAV
     AuthUserFile user.passwd
     <LimitExcept>
        require user webdav
     </LimitExcept>
   </Location>
</VirtualHost>

...

Example 4 - Sample Apache 2.0/2.2 VirtualHost configuration with authentication configured for the WebDAV host

Using the IIS Web Agent with WebDAV

The Cams IIS web agent may be used with the IIS 6.0 WebDAV Web Service Extension. The following instructions lead you through the process of creating and configuring an IIS "virtual directory", which maps to your web site document tree. Your WebDAV client access the site via the virtual directory, which is configured to require HTTP Basic or Digest user authentication.

Step 1 - Enabling the WebDAV Web Service Extension

Start the Internet Information Services Manager and enable the WebDAV Web Service Extension by:

• Selecting the "Web Service Extensions" folder (in the left pane)
• Selecting "WebDAV" (in the right pane)
• Selecting the "Allow" button

See Figure 1 below.

Figure 1 - Enabling the IIS WebDAV Web Service Extension

Step 2 - Create a "dav" virtual directory

In the Internet Information Services Manager:

• In the IIS Manager: Expand the "Web Sites" folder (in the left pane)
• Right click on the web site with which you want to use WebDAV and select the "New -> Virtual Directory" option.
• In the Virtual Directory Creation Wizard:
  • Select "Next"
  • Enter Alias: "dav", then select "Next"
  • Select the "Browse ..." button, then select the physical directory to which you'd like to map the "dav" virtual directory. (For example: C:\InetPub\wwww), the select "Next".
  • In the "Allow the following permissions" section, check the "Read", "Write", and "Browse" check boxes.
  • Select the "Finish" button

A virtual directory like the one shown in See Figure 2 should appear along side the "cams" virtual directory for your website.

Figure 2 - After having created the "dav" virtual directory

Step 3 - Set the "dav" virtual directory security

In the Internet Information Services Manager:

• Right click on the "dav" virtual directory and select the "Properties ..." menu item.
• Select the "Directory Security" tab.
• In the "Authentication and Access Control" section, select the "Edit ..." button.
• In the "Authentication Methods" dialog box that appears:
  • Disable (Uncheck) the "Enable anonymous access" check box
  • In the "Authenticated Access" section, check the desired authentication method. HTTP Digest is preferred to HTTP Basic, though you will need to use whatever authentication type is supported by your WebDAV client. NOTE: If your client supports NTLM authentication, you may want to use that as it is more secure.
  • Select whatever "Default domain" and "Realm" are appropriate for your environment.
• Select the "OK" button to accept authentication settings.
• Add other directory security as desired: "IP address and domain name restrictions" and "Secure communications". NOTE: If you will be authenticating WebDAV clients using HTTP Basic or HTTP Digest authentication, you should require SSL connections to avoid exposing login credentials on the network.
• Select the "OK" button to apply/save the virtual directory security settings.

Figure 3 shows sample authentication method settings as described in Step 3.

Figure 3 - Disabling WebDAV client anonymous access and setting authentication type

Step 4 - Set the "dav" virtual directory permissions

In the Internet Information Services Manager:

• Right click on the "dav" virtual directory and select the "Permissions ..." menu item.
• In the "Group or user names" section, select "Add ... /Select" to select the username that your WebDAV clients will use to authenticate when accessing the "dav" virtual directory. Figure 4 shows addition of a special user name "WebDAV Client" user (username = webdav).
• In the "Permissions" section, select all "Allow" check boxes.
• Select the "OK" button to apply/save the "dav" virtual directory permissions.

Figure 4 - Setting permissions that enable specific users to access the "dav" virtual directory.

Once steps 1 through 4 are completed, you should be able to connect to your web site using your WebDAV client. You can test that HTTP authentication is properly configured using a web browser. Be sure to access your site via the "dav" virtual directory (e.g. http://www.mysite.com/dav/).

Using the Cams ServletFilter Web Agent with WebDAV

The Cams ServletFilter web agent can be used in dozens of J2EE containers, which differ in the way virtual hosts are configured. If that is your preferred configuration approach, please reference the documentation available for your environment.

Example 5 shows sample configuration directives for a J2EE web application deployment descriptor file (web.xml) in which the Cams ServletFilter web agent is used. NOTE: The example is derived from a Tomcat 5.0/5.5 environment where the WebdavServlet provides WebDAV support, however your J2EE container may support it in another way.

<web-app ...>
...

   <!-- Filter/Filter mappings  -->
   <filter>
      <filter-name>Cams Servlet Filter Web Agent</filter-name>
      <filter-class>com.cafesoft.security.webagent.servletFilter.CamsServletFilterWebAgent</filter-class>
      <init-param>
        <param-name>configPath</param-name>
        <param-value>/tmp/apache-tomcat-5.5.20/conf/cams-webagent.conf</param-value>
      </init-param>
      <init-param>
        <param-name>contextClass</param-name>
        <param-value>com.cafesoft.security.common.agent.StandardCamsAgentContext</param-value>
      </init-param>
   </filter>

   <filter-mapping>
      <filter-name>Cams Servlet Filter Web Agent</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <!-- Servlet/Servlet mappings  -->
   <servlet>
      <servlet-name>org.apache.jsp.index_jsp</servlet-name>
      <servlet-class>org.apache.jsp.index_jsp</servlet-class>
   </servlet>
   <servlet>
      <servlet-name>webdav</servlet-name>
      <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
      <init-param>
         <param-name>debug</param-name>
         <param-value>0</param-value>
      </init-param>
      <init-param>
         <param-name>listings</param-name>
      <param-value>true</param-value>
     </init-param>
      <init-param>
         <param-name>readonly</param-name>
         <param-value>false</param-value>
      </init-param>
   </servlet>

   <servlet-mapping>
      <servlet-name>org.apache.jsp.index_jsp</servlet-name>
      <url-pattern>/index.jsp</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>webdav</servlet-name>
      <url-pattern>/dav/*</url-pattern>
   </servlet-mapping>

   <!-- Security constraints -->
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>WebDAV resources</web-resource-name>
         <url-pattern>/dav/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>webdav</role-name>
      </auth-constraint>
   </security-constraint>

   <!-- Login configuration and security role for WebDAV resources -->
   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>WebDAV Realm</realm-name>
   </login-config>>
   <security-role>
     <description>The security role needed by WebDAV clients</description>
     <role-name>webdav</role-name>
   </security-role>
...
</web-app>

Example 5 - Sample ServletFilter web agent/WebDAV configuration in web.xml

Using other Cams Web Agents with WebDAV

The sheer number of web servers supported by Cams makes it difficult to provide detailed instructions for every environment. Our hope is that the approaches and examples presented in this document will provide guidance for your environment. As always, please contact Cafésoft support if you have specific questions/needs.

Back | Next | Contents

© Copyright 1996-2009 Cafésoft LLC. All rights reserved.