Introduction
Slide supports ACL (access control) according to draft 12 of the WebDAV ACL specification.
By default, when running inside Tomcat, authentication for the WebDAV servlet is controlled by the realm
wrappers.catalina.SlideRealm, which reads user names and passwords directly from the Slide namespace at /slide/users.
In Slide, authentication and authorization (access control) can be enabled or disabled independently of each other.
Enabling or disabling authentication
By default, authentication is enabled in Slide.
To disable authentication, open the webapp deployment descriptor, i.e. WEB-INF/web.xml in the webapp directory,
and comment out the two elements given by the xpath expressions
/web-app/security-constraint and /web-app/login-config, as shown here in their commented-out form:
    <!--
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>DAV resource</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>COPY</http-method>
            [...]
            <http-method>REBIND</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>root</role-name>
            <role-name>guest</role-name>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Slide DAV Server</realm-name>
    </login-config>
    -->
Enabling or disabling authorization (access control)
By default, access control is enabled in Slide. If authentication is disabled (see above), the current user is "unauthenticated"
and has exactly the permissions granted to DAV:unauthenticated.
To disable access control, locate the configuration file slide.properties on the classpath
(if there is none, create it, e.g. in $CATALINA_HOME/common/classes)
and set or add:
    org.apache.slide.security=false
Other parameters (Domain.xml)
There are some other namespace-specific parameters in the Slide configuration file Domain.xml which
influence the access control behavior of the server.
- acl_semantics (xpath: /slide/namespace/configuration/parameter[@name="acl_semantics"]):
  Class name of the access control implementation. Default value is org.apache.slide.security.ACLSecurityImpl.
  Allows a customized security implementation to be plugged in.
- acl_inheritance_type (xpath: /slide/namespace/configuration/parameter[@name="acl_inheritance_type"]):
  Controls inheritance of ACEs over the namespace hierarchy.
  Can be one of none (no inheritance takes place), root (ACEs are inherited only from the root node),
  path (ACEs are inherited along the URI path) or full (ACEs are inherited over all available parent
  bindings). Default value is path; full is not yet implemented.
- nested_roles_maxdepth (xpath: /slide/namespace/configuration/parameter[@name="nested_roles_maxdepth"]):
  Defines the maximum depth of nested role/group hierarchies. Default value is 0 (meaning no nesting). Value 1 means one sublevel, and so forth.
More parameters (web.xml)
There are some servlet init parameters in the webapp deployment descriptor, i.e. WEB-INF/web.xml
in the webapp directory, which influence the access control behavior of the server at the WebDAV level.
- extendedAllprop (xpath: /web-app/servlet/init-param[param-name="extendedAllprop"]):
  According to the WebDAV DeltaV, ACL and Binding specifications,
  a DAV:allprop PROPFIND should not return any of the properties defined
  in those documents.
  For testing purposes, this specified behaviour can be disabled by
  setting this parameter to "true".
- lockdiscoveryIncludesPrincipalURL (xpath: /web-app/servlet/init-param[param-name="lockdiscoveryIncludesPrincipalURL"]):
  As proposed on February 08, 2003 by Lisa Dusseault on
  w3c-dist-auth-request@w3.org, the DAV:lockdiscovery property should
  include a DAV:principal-URL element with the semantics of the
  WebDAV/ACL specification. This feature can be switched off in case
  of interoperability problems.
Creation and maintenance of principal resources (users, roles/groups) through WebDAV
Although the creation and maintenance of principal resources (users, roles/groups) is out of scope of the WebDAV/ACL
specification, in Slide it is currently possible through a proprietary extension to the MKCOL method, provided the
SlideRealm (wrappers.catalina.SlideRealm) is active.
Resources created by MKCOL at the locations specified by the parameters
userspath (xpath: /slide/namespace/configuration/userspath),
groupspath (xpath: /slide/namespace/configuration/groupspath), or
rolespath (xpath: /slide/namespace/configuration/rolespath)
automatically become principals,
i.e. the property DAV:resourcetype will automatically contain the DAV:principal element.
To set the password of a user, issue a PROPPATCH request setting the password property (namespace of the property:
http://jakarta.apache.org/slide/).
To associate users with a role/group, issue a PROPPATCH request setting the DAV:group-member-set property.
NOTE: to add one or more users to a role/group, the value of the DAV:group-member-set property must
list all members of the role/group, not just the user(s) being added.
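The request bodies for the procedure above, as an added example that is not part of the Slide documentation or code base: it builds the password PROPPATCH and a DAV:group-member-set PROPPATCH that merges the current membership (parsed from a PROPFIND response) with the new members, so the NOTE about listing all members is honoured instead of silently dropping the existing ones. The principal paths (/slide/users, /slide/roles), the user names and the sample PROPFIND response are constructed assumptions; only the property names and namespaces come from the page.

```python
import xml.etree.ElementTree as ET

DAV = "DAV:"
SLIDE = "http://jakarta.apache.org/slide/"   # namespace of Slide's password property (from the page)
ET.register_namespace("D", DAV)
ET.register_namespace("S", SLIDE)

def _propertyupdate():
    """Skeleton of a PROPPATCH body; returns (root, DAV:prop element)."""
    root = ET.Element("{%s}propertyupdate" % DAV)
    prop = ET.SubElement(ET.SubElement(root, "{%s}set" % DAV), "{%s}prop" % DAV)
    return root, prop

def password_proppatch(password):
    """PROPPATCH body that sets the Slide 'password' property on a user principal."""
    root, prop = _propertyupdate()
    ET.SubElement(prop, "{%s}password" % SLIDE).text = password
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def current_members(propfind_response):
    """Member hrefs found in a PROPFIND response for DAV:group-member-set."""
    tree = ET.fromstring(propfind_response)
    path = ".//{%s}group-member-set/{%s}href" % (DAV, DAV)
    return {h.text.strip() for h in tree.iterfind(path) if h.text}

def group_member_set_proppatch(existing, new_members):
    """PROPPATCH body for DAV:group-member-set. Slide replaces the whole set,
    so the body lists the existing members plus the new ones (sorted)."""
    members = sorted(set(existing) | set(new_members))
    root, prop = _propertyupdate()
    gms = ET.SubElement(prop, "{%s}group-member-set" % DAV)
    for href in members:
        ET.SubElement(gms, "{%s}href" % DAV).text = href
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), members

def create_user_requests(users_path, name, password):
    """Sequence of (method, path, body) a client would send: MKCOL below the
    userspath makes the resource a principal, PROPPATCH then sets its password."""
    href = "%s/%s" % (users_path.rstrip("/"), name)
    return [("MKCOL", href, None), ("PROPPATCH", href, password_proppatch(password))]

# Constructed sample: what a PROPFIND of DAV:group-member-set on /slide/roles/user might return.
SAMPLE_PROPFIND = b"""<?xml version="1.0"?>
<D:multistatus xmlns:D="DAV:"><D:response><D:href>/slide/roles/user</D:href>
<D:propstat><D:prop><D:group-member-set>
<D:href>/slide/users/alice</D:href>
<D:href>/slide/users/bob</D:href>
</D:group-member-set></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat>
</D:response></D:multistatus>"""

if __name__ == "__main__":
    body, members = group_member_set_proppatch(current_members(SAMPLE_PROPFIND), {"/slide/users/carol"})
    print(members)                   # alice and bob are kept, carol is added
    print(body.decode())
```

Read-modify-write of the member set is not atomic, so two administrators editing the same role concurrently can still overwrite each other; re-read the property before each PROPPATCH.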