I am attempting to configure Tomcat's WebDav application (http://localhost:8080/webdav) to allow everyone to view the directory. However, I need authorized users to be able to edit the content of the directory.
Created May 7, 2012
First I set the property in the webapps/webdav/web.xml file to allow read and write access. By default this gives everyone access to change content.
<init-param>
  <param-name>readonly</param-name>
  <param-value>false</param-value>
</init-param>
I tested this and it worked as expected--everyone was able to make changes to the content. Next I attempted to change the security settings for the directory so only certain users could make changes.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>The Entire Web Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Supported Realm</realm-name>
</login-config>
<security-role>
  <description> An example role defined in "conf/tomcat-users.xml" </description>
  <role-name>tomcat</role-name>
</security-role>
This modified things so you need to log in as a user defined as having a role of "tomcat" in conf/tomcat-users.xml in order to edit or view anything in the webdav directory.
Trying to remove the <security-role> section doesn't work.
I added the following and the behavior is what I was trying for:
Hopefully that is useful to some other people as well.
[Sure it is, thanks. AG]
Basically, within the <web-resource-collection> section of the web.xml file you can define what methods are protected. So you could protect the PUT command while leaving the GET command open to everyone.
<web-resource-collection>
....
<http-method>DELETE</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>LOCK</http-method>
</web-resource-collection>
This prompts for authentication when a user tries to lock a file for editing as well as POSTing and PUTting. I'm not sure if this will have any effect on forms' ability to function and send stuff to a jsp page. (For example: will the user be asked for a password if they fill out and submit a form?) This isn't really a problem because all my webdav content will be in a separate folder at this point.
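The method-based constraint described above, as an added example that is not part of the original post. With an explicit `<http-method>` list, any method that is not named stays unauthenticated; this variant inverts the list so that only the read methods are left open. It assumes a Servlet 3.0+ container (Tomcat 7 or later) for `<http-method-omission>`, and the choice of which methods count as read-only is an assumption of the example.

```xml
<!-- Added example, not from the original post.
     Assumption: Servlet 3.0+ web.xml (Tomcat 7 or later), which is
     required for http-method-omission. The role name and realm name
     are the ones used in the post. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>WebDAV write access</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- Methods listed here are exempt from this constraint, so
         anyone can browse and download. Every other method requires
         the role below: DELETE, POST, PUT and LOCK from the post, and
         also the WebDAV write methods an explicit list of those four
         would leave open (MKCOL, COPY, MOVE, PROPPATCH, UNLOCK). -->
    <http-method-omission>GET</http-method-omission>
    <http-method-omission>HEAD</http-method-omission>
    <http-method-omission>OPTIONS</http-method-omission>
    <!-- PROPFIND is what WebDAV clients use to list a directory. -->
    <http-method-omission>PROPFIND</http-method-omission>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Supported Realm</realm-name>
</login-config>

<security-role>
  <description>An example role defined in "conf/tomcat-users.xml"</description>
  <role-name>tomcat</role-name>
</security-role>
```

A web-resource-collection may contain `<http-method>` entries or `<http-method-omission>` entries, not both.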