I am attempting to configure Tomcat's WebDav application (http://localhost:8080/webdav) to allow everyone to view the directory. However, I need authorized users to be able to edit the content of the directory.

Mark Shead

Here is some additional info regarding the problem.
First I set the property in the webapps/webdav/web.xml file to allow read and write access. By default this gives everyone access to change content.

    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>

I tested this and it worked as expected: everyone was able to make changes to the content. Next I attempted to change the security settings for the directory so only certain users could make changes.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>The Entire Web Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Supported Realm</realm-name>
  </login-config>

  <security-role>
    <description>
      An example role defined in "conf/tomcat-users.xml"
    </description>
    <role-name>tomcat</role-name>
  </security-role>

This modified things so you need to log in as a user defined as having a role of "tomcat" in conf/tomcat-users.xml in order to edit or view anything in the webdav directory.

I need it to allow anyone to access the file over the web, but only prompt for a password if they try to modify the file.

Trying to remove the <security-role> section doesn't work.


Basically within the <web-resource-collection> section of the web.xml file you can define what methods are protected. So you could protect the PUT command while leaving the GET command open to everyone.

I added the following and the behavior is what I was trying for:

    <web-resource-collection>
      ....
      <http-method>DELETE</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>LOCK</http-method>
    </web-resource-collection>

This prompts for authentication when a user tries to lock a file for editing as well as POSTing and PUTting. I'm not sure if this will have any effect on forms' ability to function and send stuff to a jsp page. (For example: will the user be asked for a password if they fill out and submit a form.) This isn't really a problem because all my webdav content will be in a separate folder at this point.

Hopefully that is useful to some other people as well.

[Sure it is, thanks. AG]
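
A method-scoped constraint like the one above only covers the methods it lists, so this added example (not code from the original post or from Tomcat) audits a web.xml for state-changing WebDAV methods that no auth-constraint covers. The sample document fills the elided part of the collection with the name and url-pattern shown earlier on the page; `WRITE_METHODS`, `local` and `unprotected_write_methods` are names chosen here, and url-pattern matching is exact-string only.

```python
import xml.etree.ElementTree as ET

# Assumption: methods treated as "write" are the four from the post plus the
# remaining state-changing WebDAV methods defined in RFC 4918.
WRITE_METHODS = {"PUT", "DELETE", "POST", "LOCK",
                 "UNLOCK", "MKCOL", "COPY", "MOVE", "PROPPATCH"}

# Constructed sample: the post's constraint, with the elided "...." assumed to be
# the web-resource-name and url-pattern from the earlier listing.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>The Entire Web Application</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>LOCK</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop an XML namespace prefix such as {http://...}web-app."""
    return tag.rsplit("}", 1)[-1]

def unprotected_write_methods(web_xml_text, url_pattern="/*"):
    """Return write methods that no auth-constraint covers for url_pattern."""
    covered = set()
    for sc in ET.fromstring(web_xml_text).iter():
        if local(sc.tag) != "security-constraint" or not any(
                local(e.tag) == "auth-constraint" for e in sc):
            continue  # only constraints that demand a role count as protection
        for wrc in sc:
            if local(wrc.tag) != "web-resource-collection":
                continue
            kids = [(local(e.tag), (e.text or "").strip()) for e in wrc]
            if ("url-pattern", url_pattern) not in kids:
                continue
            listed = {v for t, v in kids if t == "http-method"}
            omitted = {v for t, v in kids if t == "http-method-omission"}
            # No <http-method> at all means every method except the omitted ones.
            covered |= listed if listed else WRITE_METHODS - omitted
    return sorted(WRITE_METHODS - covered)

if __name__ == "__main__":
    print("write methods open to anonymous users:",
          unprotected_write_methods(SAMPLE_WEB_XML))
```

For the constraint in the post it reports COPY, MKCOL, MOVE, PROPPATCH and UNLOCK, each of which needs its own `<http-method>` entry in the collection before Tomcat will ask for a login on it.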
