The Jakarta Project The Jakarta Slide Project

Introduction

Slide supports ACL (access control) according to draft 12 of the WebDAV ACL specification.

By default, when running inside Tomcat, authentication for the WebDAV servlet is controlled by the realm wrappers.catalina.SlideRealm which accesses user names and passwords directly from the Slide namespace at /slide/users.

In Slide, authentication and authorization (access control) can be enabled or disabled independently of each other.

Enabling or disabling authentication

By default, authentication is enabled in Slide.

To disable authentication, open the webapp deployment descriptor, i.e. WEB-INF/web.xml in the webapp directory, and comment out the two elements given by the XPath expressions /web-app/security-constraint and /web-app/login-config, as shown here:

<!--
<security-constraint>
    <web-resource-collection>
        <web-resource-name>DAV resource</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>COPY</http-method>
        [...]
        <http-method>REBIND</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>root</role-name>
        <role-name>guest</role-name>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Slide DAV Server</realm-name>
</login-config>
-->
            

Enabling or disabling authorization (access control)

By default, access control is enabled in Slide. If authentication is disabled (see above), the current user is "unauthenticated" and he/she has all permissions granted to DAV:unauthenticated.

To disable access control, search for a configuration file named slide.properties in the classpath (if not there, you can create a new one at e.g. $CATALINA_HOME/common/classes) and set or add:

org.apache.slide.security=false

Other parameters (Domain.xml)

There are some other namespace-specific parameters in the Slide configuration file Domain.xml, which influence the access control behavior of the server.

  • acl_semantics
    (xpath: /slide/namespace/configuration/parameter[@name="acl_semantics"]):
    Class name of the access control implementation. Default value is org.apache.slide.security.ACLSecurityImpl. Allows a customized security implementation to be plugged in.
  • acl_inheritance_type
    (xpath: /slide/namespace/configuration/parameter[@name="acl_inheritance_type"]):
    Controls inheritance of ACEs over the namespace hierarchy. Can be one of none (no inheritance takes place), root (ACEs are inherited only from the root node), path (ACEs are inherited over the URI path) or full (ACEs are inherited over all available parent bindings). Default value is path; full is not yet implemented.
  • nested_roles_maxdepth
    (xpath: /slide/namespace/configuration/parameter[@name="nested_roles_maxdepth"]):
    Defines the max. depth of nested roles/groups hierarchies. Default value is 0 (meaning no nesting). Value 1 means one sublevel, and so forth.

More parameters (web.xml)

There exist some servlet init parameters in the webapp deployment descriptor, i.e. WEB-INF/web.xml in the webapp directory, which influence the access control behavior of the server at the WebDAV level.

  • extendedAllprop
    (xpath: /web-app/servlet/init-param[param-name="extendedAllprop"]):
    According to the WebDAV DeltaV, ACL and Binding specifications, a DAV:allprop PROPFIND should not return any of the properties defined in any of those documents. For testing purposes, the specified behaviour can be disabled by setting this parameter to "true".
  • lockdiscoveryIncludesPrincipalURL
    (xpath: /web-app/servlet/init-param[param-name="lockdiscoveryIncludesPrincipalURL"]):
    As proposed on February 08, 2003 by Lisa Dusseault in w3c-dist-auth-request@w3.org, the DAV:lockdiscovery property should include an element DAV:principal-URL with the semantics of the WebDAV/ACL specification. This feature can be switched off in case of interoperability problems.
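
One way to check a deployment for the switches described in the sections above, as an added example that is not part of Slide: the function name audit and the sample files are constructed for illustration, and the code assumes that a Domain.xml parameter's value is the text of its parameter element.

```python
import xml.etree.ElementTree as ET

DEFAULT_ACL_IMPL = "org.apache.slide.security.ACLSecurityImpl"

def local(tag):
    # Drop any "{namespace}" prefix so descriptors with an xmlns also match.
    return tag.rsplit("}", 1)[-1]

def audit(web_xml, slide_properties, domain_xml):
    """Return findings for the Slide security switches, as a list of strings."""
    findings = []
    web = ET.fromstring(web_xml)  # comments are dropped, so commented-out elements are absent
    present = {local(child.tag) for child in web}
    for name in ("security-constraint", "login-config"):
        if name not in present:
            findings.append(f"web.xml: /web-app/{name} absent (authentication off)")
    for elem in web.iter():
        if local(elem.tag) == "init-param":
            kv = {local(c.tag): (c.text or "").strip() for c in elem}
            if kv.get("param-name") == "extendedAllprop" and kv.get("param-value") == "true":
                findings.append("web.xml: extendedAllprop=true (testing-only setting)")
    for line in slide_properties.splitlines():  # only the key=value form shown on the page
        key, sep, value = line.partition("=")
        if sep and key.strip() == "org.apache.slide.security" and value.strip().lower() == "false":
            findings.append("slide.properties: access control disabled")
    # Assumption: a parameter's value is the text of its <parameter> element.
    for p in ET.fromstring(domain_xml).findall("./namespace/configuration/parameter"):
        value = (p.text or "").strip()
        if p.get("name") == "acl_semantics" and value != DEFAULT_ACL_IMPL:
            findings.append(f"Domain.xml: custom acl_semantics {value}")
        if p.get("name") == "acl_inheritance_type" and value == "full":
            findings.append("Domain.xml: acl_inheritance_type=full is not implemented")
    return findings

# Constructed sample inputs (not from a real deployment).
WEB_XML = """<web-app>
  <!-- <security-constraint>...</security-constraint>
       <login-config>...</login-config> -->
  <servlet><init-param><param-name>extendedAllprop</param-name>
    <param-value>true</param-value></init-param></servlet>
</web-app>"""
PROPS = "# constructed\norg.apache.slide.security=false\n"
DOMAIN_XML = """<slide><namespace name="slide"><configuration>
  <parameter name="acl_inheritance_type">full</parameter>
</configuration></namespace></slide>"""

if __name__ == "__main__":
    for finding in audit(WEB_XML, PROPS, DOMAIN_XML):
        print(finding)
```

A deployment with both web.xml elements present, access control left enabled and the default Domain.xml values produces an empty list.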

Creation and maintenance of principal resources (users, roles/groups) through WebDAV

Although the creation and maintenance of principal resources (users, roles/groups) is out of scope of the WebDAV/ACL specification, in Slide it is currently possible through a proprietary extension to the MKCOL method, provided the SlideRealm (wrappers.catalina.SlideRealm) is active.

Resources created by MKCOL at the locations specified by the parameters

  • userspath (xpath: /slide/namespace/configuration/userspath),
  • groupspath (xpath: /slide/namespace/configuration/groupspath), or
  • rolespath (xpath: /slide/namespace/configuration/rolespath)

automatically become principals, i.e. the property DAV:resourcetype will automatically contain the DAV:principal element.

To set the password of a user, issue a PROPPATCH request setting the password property (namespace of the property: http://jakarta.apache.org/slide/).

To associate users with a role/group, issue a PROPPATCH request setting the DAV:group-member-set property.
NOTE: to add one or more users to a role/group, the value of the DAV:group-member-set property must list all members of the role/group, not just the users being added.
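
The NOTE above matters because PROPPATCH sets the property value as a whole, so a request that lists only the new user replaces the existing membership. The following added example (not Slide code; the function names and the principal hrefs are constructed) reads the current members from a PROPFIND response and builds a PROPPATCH body that carries the full list:

```python
import xml.etree.ElementTree as ET

DAV = "DAV:"

def current_members(multistatus_xml):
    """Return the hrefs inside DAV:group-member-set of a PROPFIND response body."""
    root = ET.fromstring(multistatus_xml)
    gms = root.find(f".//{{{DAV}}}group-member-set")
    if gms is None:
        return []
    return [h.text.strip() for h in gms.findall(f"{{{DAV}}}href") if h.text]

def proppatch_body(existing, to_add):
    """Build a PROPPATCH body listing every member: the existing ones plus the new ones."""
    members = list(dict.fromkeys([*existing, *to_add]))  # keep order, drop duplicates
    ET.register_namespace("D", DAV)
    update = ET.Element(f"{{{DAV}}}propertyupdate")
    prop = ET.SubElement(ET.SubElement(update, f"{{{DAV}}}set"), f"{{{DAV}}}prop")
    gms = ET.SubElement(prop, f"{{{DAV}}}group-member-set")
    for href in members:
        ET.SubElement(gms, f"{{{DAV}}}href").text = href
    return ET.tostring(update, encoding="unicode")

# Constructed PROPFIND response for a role with two members (hrefs are made up).
SAMPLE_PROPFIND = """<D:multistatus xmlns:D="DAV:"><D:response>
  <D:href>/slide/roles/editors</D:href>
  <D:propstat><D:prop><D:group-member-set>
    <D:href>/slide/users/alice</D:href>
    <D:href>/slide/users/bob</D:href>
  </D:group-member-set></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat>
</D:response></D:multistatus>"""

if __name__ == "__main__":
    existing = current_members(SAMPLE_PROPFIND)
    print(proppatch_body(existing, ["/slide/users/carol"]))
```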


    Copyright © 1999-2004, Apache Software Foundation