I am attempting to configure Tomcat's WebDav application (http://localhost:8080/webdav) to allow everyone to view the directory. However I need authorized users to be able to edit the content of the directory.

Created May 7, 2012

Mark Shead

Here some additional info regarding the problem.
First I set the property in the webapps/webdav/web.xml file to allow read and write access. By default this gives everyone access to change content.

    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>

I tested this and it worked as expected--everyone was able to make changes to the content. Next I attempted to change the security settings for the directory so only certian users could make changes.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>The Entire Web Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Supported Realm</realm-name>
  </login-config>

  <security-role>
    <description>
      An example role defined in "conf/tomcat-users.xml"
    </description>
    <role-name>tomcat</role-name>
  </security-role>

This modified things so you need to login as a user defined as having a role of "tomcat" in conf/tomcat-users.xml in order to edit or view anything in the webdav directory.

I need it to allow anyone to access the file over the web, but only prompt for a password if they try to modify the file.
Trying to remove the <security-role> section doesn't work.
Basically whithin the <web-resource-colletion> section of the web.xml file you can define waht methods are protected. So you could protect the PUT command while leaving the GET command open to everyone.
I added the following and the behavior is what I was trying for:
<web-resource-collection> .... <http-method>DELETE</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> <http-method>LOCK</http-method> </web-resource-collection>
This prompts for authentication when a user tries to lock a file for editing as well as POSTing and PUTting. I'm not sure if this will have any effect on forms ability to function and send stuff to a jsp page. (For example: will the user be asked for a password if they fill out and submit a form.) This isn't really a problem because all my webdav content will be in a separate folder at this point.
Hopefully that is useful to some other people as well.
[Sure it is, thanks. AG]

Post a comment

Email Article

Print Article

Most Popular jGuru Stories

Editor's Picks

Most Popular

The Java Game Development Tutorial

Files and Directories in Java

Load Testing your Applications with Apache JMeter

Unit Testing Java Programs

Using SOAP with Java