mirror of
https://github.com/etesync/android
synced 2024-11-15 12:28:57 +00:00
a12942c606
* relevant RFCs go into the doc/ directory for reference purposes * read-only calendar collections are set as read-only in Android * HTTP exception refactoring to mark 4xx HTTP errors as hard sync errors (numAuthExcetions/numParseExceptions) for Android sync manager * query current-user-privilege-set for resources, detect read-only resources * show read-only resources as read-only in SelectCollectionsFragment * minor refactoring (DavProp.*)
4036 lines
143 KiB
Plaintext
4036 lines
143 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group G. Clemm
|
||
Request for Comments: 3744 IBM
|
||
Category: Standards Track J. Reschke
|
||
greenbytes
|
||
E. Sedlar
|
||
Oracle Corporation
|
||
J. Whitehead
|
||
U.C. Santa Cruz
|
||
May 2004
|
||
|
||
|
||
Web Distributed Authoring and Versioning (WebDAV)
|
||
Access Control Protocol
|
||
|
||
Status of this Memo
|
||
|
||
This document specifies an Internet standards track protocol for the
|
||
Internet community, and requests discussion and suggestions for
|
||
improvements. Please refer to the current edition of the "Internet
|
||
Official Protocol Standards" (STD 1) for the standardization state
|
||
and status of this protocol. Distribution of this memo is unlimited.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||
|
||
Abstract
|
||
|
||
This document specifies a set of methods, headers, message bodies,
|
||
properties, and reports that define Access Control extensions to the
|
||
WebDAV Distributed Authoring Protocol. This protocol permits a
|
||
client to read and modify access control lists that instruct a server
|
||
whether to allow or deny operations upon a resource (such as
|
||
HyperText Transfer Protocol (HTTP) method invocations) by a given
|
||
principal. A lightweight representation of principals as Web
|
||
resources supports integration of a wide range of user management
|
||
repositories. Search operations allow discovery and manipulation of
|
||
principals using human names.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 1]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
Table of Contents
|
||
|
||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
|
||
1.1. Terms. . . . . . . . . . . . . . . . . . . . . . . . . . 6
|
||
1.2. Notational Conventions . . . . . . . . . . . . . . . . . 8
|
||
2. Principals . . . . . . . . . . . . . . . . . . . . . . . . . . 8
|
||
3. Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . 8
|
||
3.1. DAV:read Privilege . . . . . . . . . . . . . . . . . . . 10
|
||
3.2. DAV:write Privilege. . . . . . . . . . . . . . . . . . . 10
|
||
3.3. DAV:write-properties Privilege . . . . . . . . . . . . . 10
|
||
3.4. DAV:write-content Privilege. . . . . . . . . . . . . . . 11
|
||
3.5. DAV:unlock Privilege . . . . . . . . . . . . . . . . . . 11
|
||
3.6. DAV:read-acl Privilege . . . . . . . . . . . . . . . . . 11
|
||
3.7. DAV:read-current-user-privilege-set Privilege. . . . . . 12
|
||
3.8. DAV:write-acl Privilege. . . . . . . . . . . . . . . . . 12
|
||
3.9. DAV:bind Privilege . . . . . . . . . . . . . . . . . . . 12
|
||
3.10. DAV:unbind Privilege . . . . . . . . . . . . . . . . . . 12
|
||
3.11. DAV:all Privilege. . . . . . . . . . . . . . . . . . . . 13
|
||
3.12. Aggregation of Predefined Privileges . . . . . . . . . . 13
|
||
4. Principal Properties . . . . . . . . . . . . . . . . . . . . . 13
|
||
4.1. DAV:alternate-URI-set. . . . . . . . . . . . . . . . . . 14
|
||
4.2. DAV:principal-URL. . . . . . . . . . . . . . . . . . . . 14
|
||
4.3. DAV:group-member-set . . . . . . . . . . . . . . . . . . 14
|
||
4.4. DAV:group-membership . . . . . . . . . . . . . . . . . . 14
|
||
5. Access Control Properties. . . . . . . . . . . . . . . . . . . 15
|
||
5.1. DAV:owner. . . . . . . . . . . . . . . . . . . . . . . . 15
|
||
5.1.1. Example: Retrieving DAV:owner . . . . . . . . . . 15
|
||
5.1.2. Example: An Attempt to Set DAV:owner. . . . . . . 16
|
||
5.2. DAV:group. . . . . . . . . . . . . . . . . . . . . . . . 18
|
||
5.3. DAV:supported-privilege-set. . . . . . . . . . . . . . . 18
|
||
5.3.1. Example: Retrieving a List of Privileges
|
||
Supported on a Resource . . . . . . . . . . . . . 19
|
||
5.4. DAV:current-user-privilege-set . . . . . . . . . . . . . 21
|
||
5.4.1. Example: Retrieving the User's Current Set of
|
||
Assigned Privileges . . . . . . . . . . . . . . . 22
|
||
5.5. DAV:acl. . . . . . . . . . . . . . . . . . . . . . . . . 23
|
||
5.5.1. ACE Principal . . . . . . . . . . . . . . . . . . 23
|
||
5.5.2. ACE Grant and Deny. . . . . . . . . . . . . . . . 25
|
||
5.5.3. ACE Protection. . . . . . . . . . . . . . . . . . 25
|
||
5.5.4. ACE Inheritance . . . . . . . . . . . . . . . . . 25
|
||
5.5.5. Example: Retrieving a Resource's Access Control
|
||
List. . . . . . . . . . . . . . . . . . . . . . . 25
|
||
5.6. DAV:acl-restrictions . . . . . . . . . . . . . . . . . . 27
|
||
5.6.1. DAV:grant-only. . . . . . . . . . . . . . . . . . 27
|
||
5.6.2. DAV:no-invert ACE Constraint. . . . . . . . . . . 28
|
||
5.6.3. DAV:deny-before-grant . . . . . . . . . . . . . . 28
|
||
5.6.4. Required Principals . . . . . . . . . . . . . . . 28
|
||
5.6.5. Example: Retrieving DAV:acl-restrictions. . . . . 28
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 2]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
5.7. DAV:inherited-acl-set. . . . . . . . . . . . . . . . . . 29
|
||
5.8. DAV:principal-collection-set . . . . . . . . . . . . . . 30
|
||
5.8.1. Example: Retrieving DAV:principal-collection-set. 30
|
||
5.9. Example: PROPFIND to retrieve access control properties. 32
|
||
6. ACL Evaluation . . . . . . . . . . . . . . . . . . . . . . . . 36
|
||
7. Access Control and existing methods. . . . . . . . . . . . . . 37
|
||
7.1. Any HTTP method. . . . . . . . . . . . . . . . . . . . . 37
|
||
7.1.1. Error Handling. . . . . . . . . . . . . . . . . . 37
|
||
7.2. OPTIONS. . . . . . . . . . . . . . . . . . . . . . . . . 38
|
||
7.2.1. Example - OPTIONS . . . . . . . . . . . . . . . . 39
|
||
7.3. MOVE . . . . . . . . . . . . . . . . . . . . . . . . . . 39
|
||
7.4. COPY . . . . . . . . . . . . . . . . . . . . . . . . . . 39
|
||
7.5. LOCK . . . . . . . . . . . . . . . . . . . . . . . . . . 39
|
||
8. Access Control Methods . . . . . . . . . . . . . . . . . . . . 40
|
||
8.1. ACL. . . . . . . . . . . . . . . . . . . . . . . . . . . 40
|
||
8.1.1. ACL Preconditions . . . . . . . . . . . . . . . . 40
|
||
8.1.2. Example: the ACL method . . . . . . . . . . . . . 42
|
||
8.1.3. Example: ACL method failure due to protected
|
||
ACE conflict. . . . . . . . . . . . . . . . . . . 43
|
||
8.1.4. Example: ACL method failure due to an
|
||
inherited ACE conflict. . . . . . . . . . . . . . 44
|
||
8.1.5. Example: ACL method failure due to an attempt
|
||
to set grant and deny in a single ACE . . . . . . 45
|
||
9. Access Control Reports . . . . . . . . . . . . . . . . . . . . 46
|
||
9.1. REPORT Method. . . . . . . . . . . . . . . . . . . . . . 46
|
||
9.2. DAV:acl-principal-prop-set Report. . . . . . . . . . . . 47
|
||
9.2.1. Example: DAV:acl-principal-prop-set Report. . . . 48
|
||
9.3. DAV:principal-match REPORT . . . . . . . . . . . . . . . 49
|
||
9.3.1. Example: DAV:principal-match REPORT . . . . . . . 50
|
||
9.4. DAV:principal-property-search REPORT . . . . . . . . . . 51
|
||
9.4.1. Matching. . . . . . . . . . . . . . . . . . . . . 53
|
||
9.4.2. Example: successful DAV:principal-property-search
|
||
REPORT. . . . . . . . . . . . . . . . . . . . . . 54
|
||
9.5. DAV:principal-search-property-set REPORT . . . . . . . . 56
|
||
9.5.1. Example: DAV:principal-search-property-set
|
||
REPORT. . . . . . . . . . . . . . . . . . . . . . 58
|
||
10. XML Processing . . . . . . . . . . . . . . . . . . . . . . . . 59
|
||
11. Internationalization Considerations. . . . . . . . . . . . . . 59
|
||
12. Security Considerations. . . . . . . . . . . . . . . . . . . . 60
|
||
12.1. Increased Risk of Compromised Users. . . . . . . . . . . 60
|
||
12.2. Risks of the DAV:read-acl and
|
||
DAV:current-user-privilege-set Privileges. . . . . . . . 60
|
||
12.3. No Foreknowledge of Initial ACL. . . . . . . . . . . . . 61
|
||
13. Authentication . . . . . . . . . . . . . . . . . . . . . . . . 61
|
||
14. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 62
|
||
15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 62
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 3]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 62
|
||
16.1. Normative References . . . . . . . . . . . . . . . . . . 62
|
||
16.2. Informative References . . . . . . . . . . . . . . . . . 63
|
||
Appendices
|
||
A. WebDAV XML Document Type Definition Addendum . . . . . . . . . 64
|
||
B. WebDAV Method Privilege Table (Normative). . . . . . . . . . . 67
|
||
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
|
||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 71
|
||
Full Copyright Statement. . . . . . . . . . . . . . . . . . . . . 72
|
||
|
||
1. Introduction
|
||
|
||
The goal of the WebDAV access control extensions is to provide an
|
||
interoperable mechanism for handling discretionary access control for
|
||
content and metadata managed by WebDAV servers. WebDAV access
|
||
control can be implemented on content repositories with security as
|
||
simple as that of a UNIX file system, as well as more sophisticated
|
||
models. The underlying principle of access control is that who you
|
||
are determines what operations you can perform on a resource. The
|
||
"who you are" is defined by a "principal" identifier; users, client
|
||
software, servers, and groups of the previous have principal
|
||
identifiers. The "operations you can perform" are determined by a
|
||
single "access control list" (ACL) associated with a resource. An
|
||
ACL contains a set of "access control entries" (ACEs), where each ACE
|
||
specifies a principal and a set of privileges that are either granted
|
||
or denied to that principal. When a principal submits an operation
|
||
(such as an HTTP or WebDAV method) to a resource for execution, the
|
||
server evaluates the ACEs in the ACL to determine if the principal
|
||
has permission for that operation.
|
||
|
||
Since every ACE contains the identifier of a principal, client
|
||
software operated by a human must provide a mechanism for selecting
|
||
this principal. This specification uses http(s) scheme URLs to
|
||
identify principals, which are represented as WebDAV-capable
|
||
resources. There is no guarantee that the URLs identifying
|
||
principals will be meaningful to a human. For example,
|
||
http://www.example.com/u/256432 and
|
||
http://www.example.com/people/Greg.Stein are both valid URLs that
|
||
could be used to identify the same principal. To remedy this, every
|
||
principal resource has the DAV:displayname property containing a
|
||
human-readable name for the principal.
|
||
|
||
Since a principal can be identified by multiple URLs, it raises the
|
||
problem of determining exactly which principal is being referenced in
|
||
a given ACE. It is impossible for a client to determine that an ACE
|
||
granting the read privilege to http://www.example.com/people/
|
||
Greg.Stein also affects the principal at http://www.example.com/u/
|
||
256432. That is, a client has no mechanism for determining that two
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 4]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
URLs identify the same principal resource. As a result, this
|
||
specification requires clients to use just one of the many possible
|
||
URLs for a principal when creating ACEs. A client can discover which
|
||
URL to use by retrieving the DAV:principal-URL property (Section 4.2)
|
||
from a principal resource. No matter which of the principal's URLs
|
||
is used with PROPFIND, the property always returns the same URL.
|
||
|
||
With a system having hundreds to thousands of principals, the problem
|
||
arises of how to allow a human operator of client software to select
|
||
just one of these principals. One approach is to use broad
|
||
collection hierarchies to spread the principals over a large number
|
||
of collections, yielding few principals per collection. An example
|
||
of this is a two level hierarchy with the first level containing 36
|
||
collections (a-z, 0-9), and the second level being another 36,
|
||
creating collections /a/a/, /a/b/, ..., /a/z/, such that a principal
|
||
with last name "Stein" would appear at /s/t/Stein. In effect, this
|
||
pre-computes a common query, search on last name, and encodes it into
|
||
a hierarchy. The drawback with this scheme is that it handles only a
|
||
small set of predefined queries, and drilling down through the
|
||
collection hierarchy adds unnecessary steps (navigate down/up) when
|
||
the user already knows the principal's name. While organizing
|
||
principal URLs into a hierarchy is a valid namespace organization,
|
||
users should not be forced to navigate this hierarchy to select a
|
||
principal.
|
||
|
||
This specification provides the capability to perform substring
|
||
searches over a small set of properties on the resources representing
|
||
principals. This permits searches based on last name, first name,
|
||
user name, job title, etc. Two separate searches are supported, both
|
||
via the REPORT method, one to search principal resources
|
||
(DAV:principal-property-search, Section 9.4), the other to determine
|
||
which properties may be searched at all (DAV:principal-search-
|
||
property-set, Section 9.5).
|
||
|
||
Once a principal has been identified in an ACE, a server evaluating
|
||
that ACE must know the identity of the principal making a protocol
|
||
request, and must validate that that principal is who they claim to
|
||
be, a process known as authentication. This specification
|
||
intentionally omits discussion of authentication, as the HTTP
|
||
protocol already has a number of authentication mechanisms [RFC2617].
|
||
Some authentication mechanism (such as HTTP Digest Authentication,
|
||
which all WebDAV compliant implementations are required to support)
|
||
must be available to validate the identity of a principal.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 5]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
The following issues are out of scope for this document:
|
||
|
||
o Access control that applies only to a particular property on a
|
||
resource (excepting the access control properties DAV:acl and
|
||
DAV:current-user-privilege-set), rather than the entire resource,
|
||
|
||
o Role-based security (where a role can be seen as a dynamically
|
||
defined group of principals),
|
||
|
||
o Specification of the ways an ACL on a resource is initialized,
|
||
|
||
o Specification of an ACL that applies globally to all resources,
|
||
rather than to a particular resource.
|
||
|
||
o Creation and maintenance of resources representing people or
|
||
computational agents (principals), and groups of these.
|
||
|
||
This specification is organized as follows. Section 1.1 defines key
|
||
concepts used throughout the specification, and is followed by a more
|
||
in-depth discussion of principals (Section 2), and privileges
|
||
(Section 3). Properties defined on principals are specified in
|
||
Section 4, and access control properties for content resources are
|
||
specified in Section 5. The ways ACLs are to be evaluated is
|
||
described in Section 6. Client discovery of access control
|
||
capability using OPTIONS is described in Section 7.2. Interactions
|
||
between access control functionality and existing HTTP and WebDAV
|
||
methods are described in the remainder of Section 7. The access
|
||
control setting method, ACL, is specified in Section 8. Four reports
|
||
that provide limited server-side searching capabilities are described
|
||
in Section 9. Sections on XML processing (Section 10),
|
||
Internationalization considerations (Section 11), security
|
||
considerations (Section 12), and authentication (Section 13) round
|
||
out the specification. An appendix (Appendix A) provides an XML
|
||
Document Type Definition (DTD) for the XML elements defined in the
|
||
specification.
|
||
|
||
1.1. Terms
|
||
|
||
This document uses the terms defined in HTTP [RFC2616] and WebDAV
|
||
[RFC2518]. In addition, the following terms are defined:
|
||
|
||
principal
|
||
|
||
A "principal" is a distinct human or computational actor that
|
||
initiates access to network resources. In this protocol, a
|
||
principal is an HTTP resource that represents such an actor.
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 6]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
group
|
||
|
||
A "group" is a principal that represents a set of other
|
||
principals.
|
||
|
||
privilege
|
||
|
||
A "privilege" controls access to a particular set of HTTP
|
||
operations on a resource.
|
||
|
||
aggregate privilege
|
||
|
||
An "aggregate privilege" is a privilege that contains a set of
|
||
other privileges.
|
||
|
||
abstract privilege
|
||
|
||
The modifier "abstract", when applied to a privilege on a
|
||
resource, means the privilege cannot be set in an access control
|
||
element (ACE) on that resource.
|
||
|
||
access control list (ACL)
|
||
|
||
An "ACL" is a list of access control elements that define access
|
||
control to a particular resource.
|
||
|
||
access control element (ACE)
|
||
|
||
An "ACE" either grants or denies a particular set of (non-
|
||
abstract) privileges for a particular principal.
|
||
|
||
inherited ACE
|
||
|
||
An "inherited ACE" is an ACE that is dynamically shared from the
|
||
ACL of another resource. When a shared ACE changes on the primary
|
||
resource, it is also changed on inheriting resources.
|
||
|
||
protected property
|
||
|
||
A "protected property" is one whose value cannot be updated except
|
||
by a method explicitly defined as updating that specific property.
|
||
In particular, a protected property cannot be updated with a
|
||
PROPPATCH request.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 7]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
1.2. Notational Conventions
|
||
|
||
The augmented BNF used by this document to describe protocol elements
|
||
is described in Section 2.1 of [RFC2616]. Because this augmented BNF
|
||
uses the basic production rules provided in Section 2.2 of [RFC2616],
|
||
those rules apply to this document as well.
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in [RFC2119].
|
||
|
||
Definitions of XML elements in this document use XML element type
|
||
declarations (as found in XML Document Type Declarations), described
|
||
in Section 3.2 of [REC-XML]. When an XML element type in the "DAV:"
|
||
namespace is referenced in this document outside of the context of an
|
||
XML fragment, the string "DAV:" will be prefixed to the element name.
|
||
|
||
2. Principals
|
||
|
||
A principal is a network resource that represents a distinct human or
|
||
computational actor that initiates access to network resources.
|
||
Users and groups are represented as principals in many
|
||
implementations; other types of principals are also possible. A URI
|
||
of any scheme MAY be used to identify a principal resource. However,
|
||
servers implementing this specification MUST expose principal
|
||
resources at an http(s) URL, which is a privileged scheme that points
|
||
to resources that have additional properties, as described in Section
|
||
4. So, a principal resource can have multiple URIs, one of which has
|
||
to be an http(s) scheme URL. Although an implementation SHOULD
|
||
support PROPFIND and MAY support PROPPATCH to access and modify
|
||
information about a principal, it is not required to do so.
|
||
|
||
A principal resource may be a group, where a group is a principal
|
||
that represents a set of other principals, called the members of the
|
||
group. If a person or computational agent matches a principal
|
||
resource that is a member of a group, they also match the group.
|
||
Membership in a group is recursive, so if a principal is a member of
|
||
group GRPA, and GRPA is a member of group GRPB, then the principal is
|
||
also a member of GRPB.
|
||
|
||
3. Privileges
|
||
|
||
Ability to perform a given method on a resource MUST be controlled by
|
||
one or more privileges. Authors of protocol extensions that define
|
||
new HTTP methods SHOULD specify which privileges (by defining new
|
||
privileges, or mapping to ones below) are required to perform the
|
||
method. A principal with no privileges to a resource MUST be denied
|
||
any HTTP access to that resource, unless the principal matches an ACE
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 8]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
constructed using the DAV:all, DAV:authenticated, or
|
||
DAV:unauthenticated pseudo-principals (see Section 5.5.1). Servers
|
||
MUST report a 403 "Forbidden" error if access is denied, except in
|
||
the case where the privilege restricts the ability to know the
|
||
resource exists, in which case 404 "Not Found" may be returned.
|
||
|
||
Privileges may be containers of other privileges, in which case they
|
||
are termed "aggregate privileges". If a principal is granted or
|
||
denied an aggregate privilege, it is semantically equivalent to
|
||
granting or denying each of the aggregated privileges individually.
|
||
For example, an implementation may define add-member and remove-
|
||
member privileges that control the ability to add and remove a member
|
||
of a group. Since these privileges control the ability to update the
|
||
state of a group, these privileges would be aggregated by the
|
||
DAV:write privilege on a group, and granting the DAV:write privilege
|
||
on a group would also grant the add-member and remove-member
|
||
privileges.
|
||
|
||
Privileges may be declared to be "abstract" for a given resource, in
|
||
which case they cannot be set in an ACE on that resource. Aggregate
|
||
and non-aggregate privileges are both capable of being abstract.
|
||
Abstract privileges are useful for modeling privileges that otherwise
|
||
would not be exposed via the protocol. Abstract privileges also
|
||
provide server implementations with flexibility in implementing the
|
||
privileges defined in this specification. For example, if a server
|
||
is incapable of separating the read resource capability from the read
|
||
ACL capability, it can still model the DAV:read and DAV:read-acl
|
||
privileges defined in this specification by declaring them abstract,
|
||
and containing them within a non-abstract aggregate privilege (say,
|
||
read-all) that holds DAV:read, and DAV:read-acl. In this way, it is
|
||
possible to set the aggregate privilege, read-all, thus coupling the
|
||
setting of DAV:read and DAV:read-acl, but it is not possible to set
|
||
DAV:read, or DAV:read-acl individually. Since aggregate privileges
|
||
can be abstract, it is also possible to use abstract privileges to
|
||
group or organize non-abstract privileges. Privilege containment
|
||
loops are not allowed; therefore, a privilege MUST NOT contain
|
||
itself. For example, DAV:read cannot contain DAV:read.
|
||
|
||
The set of privileges that apply to a particular resource may vary
|
||
with the DAV:resourcetype of the resource, as well as between
|
||
different server implementations. To promote interoperability,
|
||
however, this specification defines a set of well-known privileges
|
||
(e.g., DAV:read, DAV:write, DAV:read-acl, DAV:write-acl, DAV:read-
|
||
current-user-privilege-set, and DAV:all), which can at least be used
|
||
to classify the other privileges defined on a particular resource.
|
||
The access permissions on null resources (defined in [RFC2518],
|
||
Section 3) are solely those they inherit (if any), and they are not
|
||
discoverable (i.e., the access control properties specified in
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 9]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
Section 5 are not defined on null resources). On the transition from
|
||
null to stateful resource, the initial access control list is set by
|
||
the server's default ACL value policy (if any).
|
||
|
||
Server implementations MAY define new privileges beyond those defined
|
||
in this specification. Privileges defined by individual
|
||
implementations MUST NOT use the DAV: namespace, and instead should
|
||
use a namespace that they control, such as an http scheme URL.
|
||
|
||
3.1. DAV:read Privilege
|
||
|
||
The read privilege controls methods that return information about the
|
||
state of the resource, including the resource's properties. Affected
|
||
methods include GET and PROPFIND. Any implementation-defined
|
||
privilege that also controls access to GET and PROPFIND must be
|
||
aggregated under DAV:read - if an ACL grants access to DAV:read, the
|
||
client may expect that no other privilege needs to be granted to have
|
||
access to GET and PROPFIND. Additionally, the read privilege MUST
|
||
control the OPTIONS method.
|
||
|
||
<!ELEMENT read EMPTY>
|
||
|
||
3.2. DAV:write Privilege
|
||
|
||
The write privilege controls methods that lock a resource or modify
|
||
the content, dead properties, or (in the case of a collection)
|
||
membership of the resource, such as PUT and PROPPATCH. Note that
|
||
state modification is also controlled via locking (see section 5.3 of
|
||
[RFC2518]), so effective write access requires that both write
|
||
privileges and write locking requirements are satisfied. Any
|
||
implementation-defined privilege that also controls access to methods
|
||
modifying content, dead properties or collection membership must be
|
||
aggregated under DAV:write, e.g., if an ACL grants access to
|
||
DAV:write, the client may expect that no other privilege needs to be
|
||
granted to have access to PUT and PROPPATCH.
|
||
|
||
<!ELEMENT write EMPTY>
|
||
|
||
3.3. DAV:write-properties Privilege
|
||
|
||
The DAV:write-properties privilege controls methods that modify the
|
||
dead properties of the resource, such as PROPPATCH. Whether this
|
||
privilege may be used to control access to any live properties is
|
||
determined by the implementation. Any implementation-defined
|
||
privilege that also controls access to methods modifying dead
|
||
properties must be aggregated under DAV:write-properties - e.g., if
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 10]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
an ACL grants access to DAV:write-properties, the client can safely
|
||
expect that no other privilege needs to be granted to have access to
|
||
PROPPATCH.
|
||
|
||
<!ELEMENT write-properties EMPTY>
|
||
|
||
3.4. DAV:write-content Privilege
|
||
|
||
The DAV:write-content privilege controls methods that modify the
|
||
content of an existing resource, such as PUT. Any implementation-
|
||
defined privilege that also controls access to content must be
|
||
aggregated under DAV:write-content - e.g., if an ACL grants access to
|
||
DAV:write-content, the client can safely expect that no other
|
||
privilege needs to be granted to have access to PUT. Note that PUT -
|
||
when applied to an unmapped URI - creates a new resource and
|
||
therefore is controlled by the DAV:bind privilege on the parent
|
||
collection.
|
||
|
||
<!ELEMENT write-content EMPTY>
|
||
|
||
3.5. DAV:unlock Privilege
|
||
|
||
The DAV:unlock privilege controls the use of the UNLOCK method by a
|
||
principal other than the lock owner (the principal that created a
|
||
lock can always perform an UNLOCK). While the set of users who may
|
||
lock a resource is most commonly the same set of users who may modify
|
||
a resource, servers may allow various kinds of administrators to
|
||
unlock resources locked by others. Any privilege controlling access
|
||
by non-lock owners to UNLOCK MUST be aggregated under DAV:unlock.
|
||
|
||
A lock owner can always remove a lock by issuing an UNLOCK with the
|
||
correct lock token and authentication credentials. That is, even if
|
||
a principal does not have DAV:unlock privilege, they can still remove
|
||
locks they own. Principals other than the lock owner can remove a
|
||
lock only if they have DAV:unlock privilege and they issue an UNLOCK
|
||
with the correct lock token. Lock timeout is not affected by the
|
||
DAV:unlock privilege.
|
||
|
||
<!ELEMENT unlock EMPTY>
|
||
|
||
3.6. DAV:read-acl Privilege
|
||
|
||
The DAV:read-acl privilege controls the use of PROPFIND to retrieve
|
||
the DAV:acl property of the resource.
|
||
|
||
<!ELEMENT read-acl EMPTY>
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 11]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
3.7. DAV:read-current-user-privilege-set Privilege
|
||
|
||
The DAV:read-current-user-privilege-set privilege controls the use of
|
||
PROPFIND to retrieve the DAV:current-user-privilege-set property of
|
||
the resource.
|
||
|
||
Clients are intended to use this property to visually indicate in
|
||
their UI items that are dependent on the permissions of a resource,
|
||
for example, by graying out resources that are not writable.
|
||
|
||
This privilege is separate from DAV:read-acl because there is a need
|
||
to allow most users access to the privileges permitted the current
|
||
user (due to its use in creating the UI), while the full ACL contains
|
||
information that may not be appropriate for the current authenticated
|
||
user. As a result, the set of users who can view the full ACL is
|
||
expected to be much smaller than those who can read the current user
|
||
privilege set, and hence distinct privileges are needed for each.
|
||
|
||
<!ELEMENT read-current-user-privilege-set EMPTY>
|
||
|
||
3.8. DAV:write-acl Privilege
|
||
|
||
The DAV:write-acl privilege controls use of the ACL method to modify
|
||
the DAV:acl property of the resource.
|
||
|
||
<!ELEMENT write-acl EMPTY>
|
||
|
||
3.9. DAV:bind Privilege
|
||
|
||
The DAV:bind privilege allows a method to add a new member URL to the
|
||
specified collection (for example via PUT or MKCOL). It is ignored
|
||
for resources that are not collections.
|
||
|
||
<!ELEMENT bind EMPTY>
|
||
|
||
3.10. DAV:unbind Privilege
|
||
|
||
The DAV:unbind privilege allows a method to remove a member URL from
|
||
the specified collection (for example via DELETE or MOVE). It is
|
||
ignored for resources that are not collections.
|
||
|
||
<!ELEMENT unbind EMPTY>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 12]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
3.11. DAV:all Privilege
|
||
|
||
DAV:all is an aggregate privilege that contains the entire set of
|
||
privileges that can be applied to the resource.
|
||
|
||
<!ELEMENT all EMPTY>
|
||
|
||
3.12. Aggregation of Predefined Privileges
|
||
|
||
Server implementations are free to aggregate the predefined
|
||
privileges (defined above in Sections 3.1-3.10) subject to the
|
||
following limitations:
|
||
|
||
DAV:read-acl MUST NOT contain DAV:read, DAV:write, DAV:write-acl,
|
||
DAV:write-properties, DAV:write-content, or DAV:read-current-user-
|
||
privilege-set.
|
||
|
||
DAV:write-acl MUST NOT contain DAV:write, DAV:read, DAV:read-acl, or
|
||
DAV:read-current-user-privilege-set.
|
||
|
||
DAV:read-current-user-privilege-set MUST NOT contain DAV:write,
|
||
DAV:read, DAV:read-acl, or DAV:write-acl.
|
||
|
||
DAV:write MUST NOT contain DAV:read, DAV:read-acl, or DAV:read-
|
||
current-user-privilege-set.
|
||
|
||
DAV:read MUST NOT contain DAV:write, DAV:write-acl, DAV:write-
|
||
properties, or DAV:write-content.
|
||
|
||
DAV:write MUST contain DAV:bind, DAV:unbind, DAV:write-properties and
|
||
DAV:write-content.
|
||
|
||
4. Principal Properties
|
||
|
||
Principals are manifested to clients as a WebDAV resource, identified
|
||
by a URL. A principal MUST have a non-empty DAV:displayname property
|
||
(defined in Section 13.2 of [RFC2518]), and a DAV:resourcetype
|
||
property (defined in Section 13.9 of [RFC2518]). Additionally, a
|
||
principal MUST report the DAV:principal XML element in the value of
|
||
the DAV:resourcetype property. The element type declaration for
|
||
DAV:principal is:
|
||
|
||
<!ELEMENT principal EMPTY>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 13]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
This protocol defines the following additional properties for a
|
||
principal. Since it can be expensive for a server to retrieve access
|
||
control information, the name and value of these properties SHOULD
|
||
NOT be returned by a PROPFIND allprop request (as defined in Section
|
||
12.14.1 of [RFC2518]).
|
||
|
||
4.1. DAV:alternate-URI-set
|
||
|
||
This protected property, if non-empty, contains the URIs of network
|
||
resources with additional descriptive information about the
|
||
principal. This property identifies additional network resources
|
||
(i.e., it contains one or more URIs) that may be consulted by a
|
||
client to gain additional knowledge concerning a principal. One
|
||
expected use for this property is the storage of an LDAP [RFC2255]
|
||
scheme URL. A user-agent encountering an LDAP URL could use LDAP
|
||
[RFC2251] to retrieve additional machine-readable directory
|
||
information about the principal, and display that information in its
|
||
user interface. Support for this property is REQUIRED, and the value
|
||
is empty if no alternate URI exists for the principal.
|
||
|
||
<!ELEMENT alternate-URI-set (href*)>
|
||
|
||
4.2. DAV:principal-URL
|
||
|
||
A principal may have many URLs, but there must be one "principal URL"
|
||
that clients can use to uniquely identify a principal. This
|
||
protected property contains the URL that MUST be used to identify
|
||
this principal in an ACL request. Support for this property is
|
||
REQUIRED.
|
||
|
||
<!ELEMENT principal-URL (href)>
|
||
|
||
4.3. DAV:group-member-set
|
||
|
||
This property of a group principal identifies the principals that are
|
||
direct members of this group. Since a group may be a member of
|
||
another group, a group may also have indirect members (i.e., the
|
||
members of its direct members). A URL in the DAV:group-member-set
|
||
for a principal MUST be the DAV:principal-URL of that principal.
|
||
|
||
<!ELEMENT group-member-set (href*)>
|
||
|
||
4.4. DAV:group-membership
|
||
|
||
This protected property identifies the groups in which the principal
|
||
is directly a member. Note that a server may allow a group to be a
|
||
member of another group, in which case the DAV:group-membership of
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 14]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
those other groups would need to be queried in order to determine the
|
||
groups in which the principal is indirectly a member. Support for
|
||
this property is REQUIRED.
|
||
|
||
<!ELEMENT group-membership (href*)>
|
||
|
||
5. Access Control Properties
|
||
|
||
This specification defines a number of new properties for WebDAV
|
||
resources. Access control properties may be retrieved just like
|
||
other WebDAV properties, using the PROPFIND method. Since it is
|
||
expensive, for many servers, to retrieve access control information,
|
||
a PROPFIND allprop request (as defined in Section 12.14.1 of
|
||
[RFC2518]) SHOULD NOT return the names and values of the properties
|
||
defined in this section.
|
||
|
||
Access control properties (especially DAV:acl and DAV:inherited-acl-
|
||
set) are defined on the resource identified by the Request-URI of a
|
||
PROPFIND request. A direct consequence is that if the resource is
|
||
accessible via multiple URI, the value of access control properties
|
||
is the same across these URI.
|
||
|
||
HTTP resources that support the WebDAV Access Control Protocol MUST
|
||
contain the following properties. Null resources (described in
|
||
Section 3 of [RFC2518]) MUST NOT contain the following properties.
|
||
|
||
5.1. DAV:owner
|
||
|
||
This property identifies a particular principal as being the "owner"
|
||
of the resource. Since the owner of a resource often has special
|
||
access control capabilities (e.g., the owner frequently has permanent
|
||
DAV:write-acl privilege), clients might display the resource owner in
|
||
their user interface.
|
||
|
||
Servers MAY implement DAV:owner as protected property and MAY return
|
||
an empty DAV:owner element as property value in case no owner
|
||
information is available.
|
||
|
||
<!ELEMENT owner (href?)>
|
||
|
||
5.1.1. Example: Retrieving DAV:owner
|
||
|
||
This example shows a client request for the value of the DAV:owner
|
||
property from a collection resource with URL http://www.example.com/
|
||
papers/. The principal making the request is authenticated using
|
||
Digest authentication. The value of DAV:owner is the URL http://
|
||
www.example.com/acl/users/gstein, wrapped in the DAV:href XML
|
||
element.
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 15]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
>> Request <<
|
||
|
||
PROPFIND /papers/ HTTP/1.1
|
||
Host: www.example.com
|
||
Content-type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
Depth: 0
|
||
Authorization: Digest username="jim",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/papers/", response="...", opaque="..."
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:propfind xmlns:D="DAV:">
|
||
<D:prop>
|
||
<D:owner/>
|
||
</D:prop>
|
||
</D:propfind>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 207 Multi-Status
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:multistatus xmlns:D="DAV:">
|
||
<D:response>
|
||
<D:href>http://www.example.com/papers/</D:href>
|
||
<D:propstat>
|
||
<D:prop>
|
||
<D:owner>
|
||
<D:href>http://www.example.com/acl/users/gstein</D:href>
|
||
</D:owner>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:propstat>
|
||
</D:response>
|
||
</D:multistatus>
|
||
|
||
5.1.2. Example: An Attempt to Set DAV:owner
|
||
|
||
The following example shows a client request to modify the value of
|
||
the DAV:owner property on the resource with URL <http://
|
||
www.example.com/papers>. Since DAV:owner is a protected property on
|
||
this particular server, it responds with a 207 (Multi-Status)
|
||
response that contains a 403 (Forbidden) status code for the act of
|
||
setting DAV:owner. Section 8.2.1 of [RFC2518] describes PROPPATCH
|
||
status code information, Section 11 of [RFC2518] describes the
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 16]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
Multi-Status response and Sections 1.6 and 3.12 of [RFC3253] describe
|
||
additional error marshaling for PROPPATCH attempts on protected
|
||
properties.
|
||
|
||
>> Request <<
|
||
|
||
PROPPATCH /papers/ HTTP/1.1
|
||
Host: www.example.com
|
||
Content-type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
Depth: 0
|
||
Authorization: Digest username="jim",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/papers/", response="...", opaque="..."
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:propertyupdate xmlns:D="DAV:">
|
||
<D:set>
|
||
<D:prop>
|
||
<D:owner>
|
||
<D:href>http://www.example.com/acl/users/jim</D:href>
|
||
</D:owner>
|
||
</D:prop>
|
||
</D:set>
|
||
</D:propertyupdate>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 207 Multi-Status
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:multistatus xmlns:D="DAV:">
|
||
<D:response>
|
||
<D:href>http://www.example.com/papers/</D:href>
|
||
<D:propstat>
|
||
<D:prop><D:owner/></D:prop>
|
||
<D:status>HTTP/1.1 403 Forbidden</D:status>
|
||
<D:responsedescription>
|
||
<D:error><D:cannot-modify-protected-property/></D:error>
|
||
Failure to set protected property (DAV:owner)
|
||
</D:responsedescription>
|
||
</D:propstat>
|
||
</D:response>
|
||
</D:multistatus>
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 17]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
5.2. DAV:group
|
||
|
||
This property identifies a particular principal as being the "group"
|
||
of the resource. This property is commonly found on repositories
|
||
that implement the Unix privileges model.
|
||
|
||
Servers MAY implement DAV:group as protected property and MAY return
|
||
an empty DAV:group element as property value in case no group
|
||
information is available.
|
||
|
||
<!ELEMENT group (href?)>
|
||
|
||
5.3. DAV:supported-privilege-set
|
||
|
||
This is a protected property that identifies the privileges defined
|
||
for the resource.
|
||
|
||
<!ELEMENT supported-privilege-set (supported-privilege*)>
|
||
|
||
Each privilege appears as an XML element, where aggregate privileges
|
||
list as sub-elements all of the privileges that they aggregate.
|
||
|
||
<!ELEMENT supported-privilege
|
||
(privilege, abstract?, description, supported-privilege*)>
|
||
<!ELEMENT privilege ANY>
|
||
|
||
An abstract privilege MUST NOT be used in an ACE for that resource.
|
||
Servers MUST fail an attempt to set an abstract privilege.
|
||
|
||
<!ELEMENT abstract EMPTY>
|
||
|
||
A description is a human-readable description of what this privilege
|
||
controls access to. Servers MUST indicate the human language of the
|
||
description using the xml:lang attribute and SHOULD consider the HTTP
|
||
Accept-Language request header when selecting one of multiple
|
||
available languages.
|
||
|
||
<!ELEMENT description #PCDATA>
|
||
|
||
It is envisioned that a WebDAV ACL-aware administrative client would
|
||
list the supported privileges in a dialog box, and allow the user to
|
||
choose non-abstract privileges to apply in an ACE. The privileges
|
||
tree is useful programmatically to map well-known privileges (defined
|
||
by WebDAV or other standards groups) into privileges that are
|
||
supported by any particular server implementation. The privilege
|
||
tree also serves to hide complexity in implementations allowing large
|
||
number of privileges to be defined by displaying aggregates to the
|
||
user.
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 18]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
5.3.1. Example: Retrieving a List of Privileges Supported on a Resource
|
||
|
||
This example shows a client request for the DAV:supported-privilege-
|
||
set property on the resource http://www.example.com/papers/. The
|
||
value of the DAV:supported-privilege-set property is a tree of
|
||
supported privileges (using "[XML Namespace , localname]" to identify
|
||
each privilege):
|
||
|
||
[DAV:, all] (aggregate, abstract)
|
||
|
|
||
+-- [DAV:, read] (aggregate)
|
||
|
|
||
+-- [DAV:, read-acl] (abstract)
|
||
+-- [DAV:, read-current-user-privilege-set] (abstract)
|
||
|
|
||
+-- [DAV:, write] (aggregate)
|
||
|
|
||
+-- [DAV:, write-acl] (abstract)
|
||
+-- [DAV:, write-properties]
|
||
+-- [DAV:, write-content]
|
||
|
|
||
+-- [DAV:, unlock]
|
||
|
||
This privilege tree is not normative (except that it reflects the
|
||
normative aggregation rules given in Section 3.12), and many possible
|
||
privilege trees are possible.
|
||
|
||
>> Request <<
|
||
|
||
PROPFIND /papers/ HTTP/1.1
|
||
Host: www.example.com
|
||
Content-type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
Depth: 0
|
||
Authorization: Digest username="gclemm",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/papers/", response="...", opaque="..."
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:propfind xmlns:D="DAV:">
|
||
<D:prop>
|
||
<D:supported-privilege-set/>
|
||
</D:prop>
|
||
</D:propfind>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 19]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 207 Multi-Status
|
||
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:multistatus xmlns:D="DAV:">
|
||
<D:response>
|
||
<D:href>http://www.example.com/papers/</D:href>
|
||
<D:propstat>
|
||
<D:prop>
|
||
<D:supported-privilege-set>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:all/></D:privilege>
|
||
<D:abstract/>
|
||
<D:description xml:lang="en">
|
||
Any operation
|
||
</D:description>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:read/></D:privilege>
|
||
<D:description xml:lang="en">
|
||
Read any object
|
||
</D:description>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:read-acl/></D:privilege>
|
||
<D:abstract/>
|
||
<D:description xml:lang="en">Read ACL</D:description>
|
||
</D:supported-privilege>
|
||
<D:supported-privilege>
|
||
<D:privilege>
|
||
<D:read-current-user-privilege-set/>
|
||
</D:privilege>
|
||
<D:abstract/>
|
||
<D:description xml:lang="en">
|
||
Read current user privilege set property
|
||
</D:description>
|
||
</D:supported-privilege>
|
||
</D:supported-privilege>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:write/></D:privilege>
|
||
<D:description xml:lang="en">
|
||
Write any object
|
||
</D:description>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:write-acl/></D:privilege>
|
||
<D:description xml:lang="en">
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 20]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
Write ACL
|
||
</D:description>
|
||
<D:abstract/>
|
||
</D:supported-privilege>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:write-properties/></D:privilege>
|
||
<D:description xml:lang="en">
|
||
Write properties
|
||
</D:description>
|
||
</D:supported-privilege>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:write-content/></D:privilege>
|
||
<D:description xml:lang="en">
|
||
Write resource content
|
||
</D:description>
|
||
</D:supported-privilege>
|
||
</D:supported-privilege>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:unlock/></D:privilege>
|
||
<D:description xml:lang="en">
|
||
Unlock resource
|
||
</D:description>
|
||
</D:supported-privilege>
|
||
</D:supported-privilege>
|
||
</D:supported-privilege-set>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:propstat>
|
||
</D:response>
|
||
</D:multistatus>
|
||
|
||
5.4. DAV:current-user-privilege-set
|
||
|
||
DAV:current-user-privilege-set is a protected property containing the
|
||
exact set of privileges (as computed by the server) granted to the
|
||
currently authenticated HTTP user. Aggregate privileges and their
|
||
contained privileges are listed. A user-agent can use the value of
|
||
this property to adjust its user interface to make actions
|
||
inaccessible (e.g., by graying out a menu item or button) for which
|
||
the current principal does not have permission. This property is
|
||
also useful for determining what operations the current principal can
|
||
perform, without having to actually execute an operation.
|
||
|
||
<!ELEMENT current-user-privilege-set (privilege*)>
|
||
<!ELEMENT privilege ANY>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 21]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
If the current user is granted a specific privilege, that privilege
|
||
must belong to the set of privileges that may be set on this
|
||
resource. Therefore, each element in the DAV:current-user-
|
||
privilege-set property MUST identify a non-abstract privilege from
|
||
the DAV:supported-privilege-set property.
|
||
|
||
5.4.1. Example: Retrieving the User's Current Set of Assigned
|
||
Privileges
|
||
|
||
Continuing the example from Section 5.3.1, this example shows a
|
||
client requesting the DAV:current-user-privilege-set property from
|
||
the resource with URL http://www.example.com/papers/. The username
|
||
of the principal making the request is "khare", and Digest
|
||
authentication is used in the request. The principal with username
|
||
"khare" has been granted the DAV:read privilege. Since the DAV:read
|
||
privilege contains the DAV:read-acl and DAV:read-current-user-
|
||
privilege-set privileges (see Section 5.3.1), the principal with
|
||
username "khare" can read the ACL property, and the DAV:current-
|
||
user-privilege-set property. However, the DAV:all, DAV:read-acl,
|
||
DAV:write-acl and DAV:read-current-user-privilege-set privileges are
|
||
not listed in the value of DAV:current-user-privilege-set, since (for
|
||
this example) they are abstract privileges. DAV:write is not listed
|
||
since the principal with username "khare" is not listed in an ACE
|
||
granting that principal write permission.
|
||
|
||
>> Request <<
|
||
|
||
PROPFIND /papers/ HTTP/1.1
|
||
Host: www.example.com
|
||
Content-type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
Depth: 0
|
||
Authorization: Digest username="khare",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/papers/", response="...", opaque="..."
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:propfind xmlns:D="DAV:">
|
||
<D:prop>
|
||
<D:current-user-privilege-set/>
|
||
</D:prop>
|
||
</D:propfind>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 22]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 207 Multi-Status
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:multistatus xmlns:D="DAV:">
|
||
<D:response>
|
||
<D:href>http://www.example.com/papers/</D:href>
|
||
<D:propstat>
|
||
<D:prop>
|
||
<D:current-user-privilege-set>
|
||
<D:privilege><D:read/></D:privilege>
|
||
</D:current-user-privilege-set>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:propstat>
|
||
</D:response>
|
||
</D:multistatus>
|
||
|
||
5.5. DAV:acl
|
||
|
||
This is a protected property that specifies the list of access
|
||
control entries (ACEs), which define what principals are to get what
|
||
privileges for this resource.
|
||
|
||
<!ELEMENT acl (ace*) >
|
||
|
||
Each DAV:ace element specifies the set of privileges to be either
|
||
granted or denied to a single principal. If the DAV:acl property is
|
||
empty, no principal is granted any privilege.
|
||
|
||
<!ELEMENT ace ((principal | invert), (grant|deny), protected?,
|
||
inherited?)>
|
||
|
||
5.5.1. ACE Principal
|
||
|
||
The DAV:principal element identifies the principal to which this ACE
|
||
applies.
|
||
|
||
<!ELEMENT principal (href | all | authenticated | unauthenticated
|
||
| property | self)>
|
||
|
||
The current user matches DAV:href only if that user is authenticated
|
||
as being (or being a member of) the principal identified by the URL
|
||
contained by that DAV:href.
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 23]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
The current user always matches DAV:all.
|
||
|
||
<!ELEMENT all EMPTY>
|
||
|
||
The current user matches DAV:authenticated only if authenticated.
|
||
|
||
<!ELEMENT authenticated EMPTY>
|
||
|
||
The current user matches DAV:unauthenticated only if not
|
||
authenticated.
|
||
|
||
<!ELEMENT unauthenticated EMPTY>
|
||
|
||
DAV:all is the union of DAV:authenticated, and DAV:unauthenticated.
|
||
For a given request, the user matches either DAV:authenticated, or
|
||
DAV:unauthenticated, but not both (that is, DAV:authenticated and
|
||
DAV:unauthenticated are disjoint sets).
|
||
|
||
The current user matches a DAV:property principal in a DAV:acl
|
||
property of a resource only if the value of the identified property
|
||
of that resource contains at most one DAV:href XML element, the URI
|
||
value of DAV:href identifies a principal, and the current user is
|
||
authenticated as being (or being a member of) that principal. For
|
||
example, if the DAV:property element contained <DAV:owner/>, the
|
||
current user would match the DAV:property principal only if the
|
||
current user is authenticated as matching the principal identified by
|
||
the DAV:owner property of the resource.
|
||
|
||
<!ELEMENT property ANY>
|
||
|
||
The current user matches DAV:self in a DAV:acl property of the
|
||
resource only if that resource is a principal and that principal
|
||
matches the current user or, if the principal is a group, a member of
|
||
that group matches the current user.
|
||
|
||
<!ELEMENT self EMPTY>
|
||
|
||
Some servers may support ACEs applying to those users NOT matching
|
||
the current principal, e.g., all users not in a particular group.
|
||
This can be done by wrapping the DAV:principal element with
|
||
DAV:invert.
|
||
|
||
<!ELEMENT invert principal>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 24]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
5.5.2. ACE Grant and Deny
|
||
|
||
Each DAV:grant or DAV:deny element specifies the set of privileges to
|
||
be either granted or denied to the specified principal. A DAV:grant
|
||
or DAV:deny element of the DAV:acl of a resource MUST only contain
|
||
non-abstract elements specified in the DAV:supported-privilege-set of
|
||
that resource.
|
||
|
||
<!ELEMENT grant (privilege+)>
|
||
<!ELEMENT deny (privilege+)>
|
||
<!ELEMENT privilege ANY>
|
||
|
||
5.5.3. ACE Protection
|
||
|
||
A server indicates an ACE is protected by including the DAV:protected
|
||
element in the ACE. If the ACL of a resource contains an ACE with a
|
||
DAV:protected element, an attempt to remove that ACE from the ACL
|
||
MUST fail.
|
||
|
||
<!ELEMENT protected EMPTY>
|
||
|
||
5.5.4. ACE Inheritance
|
||
|
||
The presence of a DAV:inherited element indicates that this ACE is
|
||
inherited from another resource that is identified by the URL
|
||
contained in a DAV:href element. An inherited ACE cannot be modified
|
||
directly, but instead the ACL on the resource from which it is
|
||
inherited must be modified.
|
||
|
||
Note that ACE inheritance is not the same as ACL initialization. ACL
|
||
initialization defines the ACL that a newly created resource will use
|
||
(if not specified). ACE inheritance refers to an ACE that is
|
||
logically shared - where an update to the resource containing an ACE
|
||
will affect the ACE of each resource that inherits that ACE. The
|
||
method by which ACLs are initialized or by which ACEs are inherited
|
||
is not defined by this document.
|
||
|
||
<!ELEMENT inherited (href)>
|
||
|
||
5.5.5. Example: Retrieving a Resource's Access Control List
|
||
|
||
Continuing the example from Sections 5.3.1 and 5.4.1, this example
|
||
shows a client requesting the DAV:acl property from the resource with
|
||
URL http://www.example.com/papers/. There are two ACEs defined in
|
||
this ACL:
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 25]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
ACE #1: The group identified by URL http://www.example.com/acl/
|
||
groups/maintainers (the group of site maintainers) is granted
|
||
DAV:write privilege. Since (for this example) DAV:write contains the
|
||
DAV:write-acl privilege (see Section 5.3.1), this means the
|
||
"maintainers" group can also modify the access control list.
|
||
|
||
ACE #2: All principals (DAV:all) are granted the DAV:read privilege.
|
||
Since (for this example) DAV:read contains DAV:read-acl and
|
||
DAV:read-current-user-privilege-set, this means all users (including
|
||
all members of the "maintainers" group) can read the DAV:acl property
|
||
and the DAV:current-user-privilege-set property.
|
||
|
||
>> Request <<
|
||
|
||
PROPFIND /papers/ HTTP/1.1
|
||
Host: www.example.com
|
||
Content-type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
Depth: 0
|
||
Authorization: Digest username="masinter",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/papers/", response="...", opaque="..."
|
||
|
||
<D:propfind xmlns:D="DAV:">
|
||
<D:prop>
|
||
<D:acl/>
|
||
</D:prop>
|
||
</D:propfind>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 207 Multi-Status
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
|
||
<D:multistatus xmlns:D="DAV:">
|
||
<D:response>
|
||
<D:href>http://www.example.com/papers/</D:href>
|
||
<D:propstat>
|
||
<D:prop>
|
||
<D:acl>
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:href
|
||
>http://www.example.com/acl/groups/maintainers</D:href>
|
||
</D:principal>
|
||
<D:grant>
|
||
<D:privilege><D:write/></D:privilege>
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 26]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
</D:grant>
|
||
</D:ace>
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:all/>
|
||
</D:principal>
|
||
<D:grant>
|
||
<D:privilege><D:read/></D:privilege>
|
||
</D:grant>
|
||
</D:ace>
|
||
</D:acl>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:propstat>
|
||
</D:response>
|
||
</D:multistatus>
|
||
|
||
5.6. DAV:acl-restrictions
|
||
|
||
This protected property defines the types of ACLs supported by this
|
||
server, to avoid clients needlessly getting errors. When a client
|
||
tries to set an ACL via the ACL method, the server may reject the
|
||
attempt to set the ACL as specified. The following properties
|
||
indicate the restrictions the client must observe before setting an
|
||
ACL:
|
||
|
||
<grant-only> Deny ACEs are not supported
|
||
|
||
<no-invert> Inverted ACEs are not supported
|
||
|
||
<deny-before-grant> All deny ACEs must occur before any grant ACEs
|
||
|
||
<required-principal> Indicates which principals are required to be
|
||
present
|
||
|
||
|
||
<!ELEMENT acl-restrictions (grant-only?, no-invert?,
|
||
deny-before-grant?,
|
||
required-principal?)>
|
||
|
||
5.6.1. DAV:grant-only
|
||
|
||
This element indicates that ACEs with deny clauses are not allowed.
|
||
|
||
<!ELEMENT grant-only EMPTY>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 27]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
5.6.2. DAV:no-invert ACE Constraint
|
||
|
||
This element indicates that ACEs with the <invert> element are not
|
||
allowed.
|
||
|
||
<!ELEMENT no-invert EMPTY>
|
||
|
||
5.6.3. DAV:deny-before-grant
|
||
|
||
This element indicates that all deny ACEs must precede all grant
|
||
ACEs.
|
||
|
||
<!ELEMENT deny-before-grant EMPTY>
|
||
|
||
5.6.4. Required Principals
|
||
|
||
The required principal elements identify which principals must have
|
||
an ACE defined in the ACL.
|
||
|
||
<!ELEMENT required-principal
|
||
(all? | authenticated? | unauthenticated? | self? | href* |
|
||
property*)>
|
||
|
||
For example, the following element requires that the ACL contain a
|
||
|
||
DAV:owner property ACE:
|
||
|
||
<D:required-principal xmlns:D="DAV:">
|
||
<D:property><D:owner/></D:property>
|
||
</D:required-principal>
|
||
|
||
5.6.5. Example: Retrieving DAV:acl-restrictions
|
||
|
||
In this example, the client requests the value of the DAV:acl-
|
||
restrictions property. Digest authentication provides credentials
|
||
for the principal operating the client.
|
||
|
||
>> Request <<
|
||
|
||
PROPFIND /papers/ HTTP/1.1
|
||
Host: www.example.com
|
||
Content-type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
Depth: 0
|
||
Authorization: Digest username="srcarter",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/papers/", response="...", opaque="..."
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 28]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:propfind xmlns:D="DAV:">
|
||
<D:prop>
|
||
<D:acl-restrictions/>
|
||
</D:prop>
|
||
</D:propfind>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 207 Multi-Status
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:multistatus xmlns:D="DAV:">
|
||
<D:response>
|
||
<D:href>http://www.example.com/papers/</D:href>
|
||
<D:propstat>
|
||
<D:prop>
|
||
<D:acl-restrictions>
|
||
<D:grant-only/>
|
||
<D:required-principal>
|
||
<D:all/>
|
||
</D:required-principal>
|
||
</D:acl-restrictions>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:propstat>
|
||
</D:response>
|
||
</D:multistatus>
|
||
|
||
5.7. DAV:inherited-acl-set
|
||
|
||
This protected property contains a set of URLs that identify other
|
||
resources that also control the access to this resource. To have a
|
||
privilege on a resource, not only must the ACL on that resource
|
||
(specified in the DAV:acl property of that resource) grant the
|
||
privilege, but so must the ACL of each resource identified in the
|
||
DAV:inherited-acl-set property of that resource. Effectively, the
|
||
privileges granted by the current ACL are ANDed with the privileges
|
||
granted by each inherited ACL.
|
||
|
||
<!ELEMENT inherited-acl-set (href*)>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 29]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
5.8. DAV:principal-collection-set
|
||
|
||
This protected property of a resource contains a set of URLs that
|
||
identify the root collections that contain the principals that are
|
||
available on the server that implements this resource. A WebDAV
|
||
Access Control Protocol user agent could use the contents of
|
||
DAV:principal-collection-set to retrieve the DAV:displayname property
|
||
(specified in Section 13.2 of [RFC2518]) of all principals on that
|
||
server, thereby yielding human-readable names for each principal that
|
||
could be displayed in a user interface.
|
||
|
||
<!ELEMENT principal-collection-set (href*)>
|
||
|
||
Since different servers can control different parts of the URL
|
||
namespace, different resources on the same host MAY have different
|
||
DAV:principal-collection-set values. The collections specified in
|
||
the DAV:principal-collection-set MAY be located on different hosts
|
||
from the resource. The URLs in DAV:principal-collection-set SHOULD be
|
||
http or https scheme URLs. For security and scalability reasons, a
|
||
server MAY report only a subset of the entire set of known principal
|
||
collections, and therefore clients should not assume they have
|
||
retrieved an exhaustive listing. Additionally, a server MAY elect to
|
||
report none of the principal collections it knows about, in which
|
||
case the property value would be empty.
|
||
|
||
The value of DAV:principal-collection-set gives the scope of the
|
||
DAV:principal-property-search REPORT (defined in Section 9.4).
|
||
Clients use the DAV:principal-property-search REPORT to populate
|
||
their user interface with a list of principals. Therefore, servers
|
||
that limit a client's ability to obtain principal information will
|
||
interfere with the client's ability to manipulate access control
|
||
lists, due to the difficulty of getting the URL of a principal for
|
||
use in an ACE.
|
||
|
||
5.8.1. Example: Retrieving DAV:principal-collection-set
|
||
|
||
In this example, the client requests the value of the DAV:principal-
|
||
collection-set property on the collection resource identified by URL
|
||
http://www.example.com/papers/. The property contains the two URLs,
|
||
http://www.example.com/acl/users/ and http://
|
||
www.example.com/acl/groups/, both wrapped in DAV:href XML elements.
|
||
Digest authentication provides credentials for the principal
|
||
operating the client.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 30]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
The client might reasonably follow this request with two separate
|
||
PROPFIND requests to retrieve the DAV:displayname property of the
|
||
members of the two collections (/acl/users and /acl/groups). This
|
||
information could be used when displaying a user interface for
|
||
creating access control entries.
|
||
|
||
>> Request <<
|
||
|
||
PROPFIND /papers/ HTTP/1.1
|
||
Host: www.example.com
|
||
Content-type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
Depth: 0
|
||
Authorization: Digest username="yarong",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/papers/", response="...", opaque="..."
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:propfind xmlns:D="DAV:">
|
||
<D:prop>
|
||
<D:principal-collection-set/>
|
||
</D:prop>
|
||
</D:propfind>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 207 Multi-Status
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:multistatus xmlns:D="DAV:">
|
||
<D:response>
|
||
<D:href>http://www.example.com/papers/</D:href>
|
||
<D:propstat>
|
||
<D:prop>
|
||
<D:principal-collection-set>
|
||
<D:href>http://www.example.com/acl/users/</D:href>
|
||
<D:href>http://www.example.com/acl/groups/</D:href>
|
||
</D:principal-collection-set>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:propstat>
|
||
</D:response>
|
||
</D:multistatus>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 31]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
5.9. Example: PROPFIND to retrieve access control properties
|
||
|
||
The following example shows how access control information can be
|
||
retrieved by using the PROPFIND method to fetch the values of the
|
||
DAV:owner, DAV:supported-privilege-set, DAV:current-user-privilege-
|
||
set, and DAV:acl properties.
|
||
|
||
>> Request <<
|
||
|
||
PROPFIND /top/container/ HTTP/1.1
|
||
Host: www.example.com
|
||
Content-type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
Depth: 0
|
||
Authorization: Digest username="ejw",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/top/container/", response="...", opaque="..."
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:propfind xmlns:D="DAV:">
|
||
<D:prop>
|
||
<D:owner/>
|
||
<D:supported-privilege-set/>
|
||
<D:current-user-privilege-set/>
|
||
<D:acl/>
|
||
</D:prop>
|
||
</D:propfind>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 207 Multi-Status
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:multistatus xmlns:D="DAV:"
|
||
xmlns:A="http://www.example.com/acl/">
|
||
<D:response>
|
||
<D:href>http://www.example.com/top/container/</D:href>
|
||
<D:propstat>
|
||
<D:prop>
|
||
<D:owner>
|
||
<D:href>http://www.example.com/users/gclemm</D:href>
|
||
</D:owner>
|
||
<D:supported-privilege-set>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:all/></D:privilege>
|
||
<D:abstract/>
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 32]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
<D:description xml:lang="en">
|
||
Any operation
|
||
</D:description>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:read/></D:privilege>
|
||
<D:description xml:lang="en">
|
||
Read any object
|
||
</D:description>
|
||
</D:supported-privilege>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:write/></D:privilege>
|
||
<D:abstract/>
|
||
<D:description xml:lang="en">
|
||
Write any object
|
||
</D:description>
|
||
<D:supported-privilege>
|
||
<D:privilege><A:create/></D:privilege>
|
||
<D:description xml:lang="en">
|
||
Create an object
|
||
</D:description>
|
||
</D:supported-privilege>
|
||
<D:supported-privilege>
|
||
<D:privilege><A:update/></D:privilege>
|
||
<D:description xml:lang="en">
|
||
Update an object
|
||
</D:description>
|
||
</D:supported-privilege>
|
||
</D:supported-privilege>
|
||
<D:supported-privilege>
|
||
<D:privilege><A:delete/></D:privilege>
|
||
<D:description xml:lang="en">
|
||
Delete an object
|
||
</D:description>
|
||
</D:supported-privilege>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:read-acl/></D:privilege>
|
||
<D:description xml:lang="en">
|
||
Read the ACL
|
||
</D:description>
|
||
</D:supported-privilege>
|
||
<D:supported-privilege>
|
||
<D:privilege><D:write-acl/></D:privilege>
|
||
<D:description xml:lang="en">
|
||
Write the ACL
|
||
</D:description>
|
||
</D:supported-privilege>
|
||
</D:supported-privilege>
|
||
</D:supported-privilege-set>
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 33]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
<D:current-user-privilege-set>
|
||
<D:privilege><D:read/></D:privilege>
|
||
<D:privilege><D:read-acl/></D:privilege>
|
||
</D:current-user-privilege-set>
|
||
<D:acl>
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:href>http://www.example.com/users/esedlar</D:href>
|
||
</D:principal>
|
||
<D:grant>
|
||
<D:privilege><D:read/></D:privilege>
|
||
<D:privilege><D:write/></D:privilege>
|
||
<D:privilege><D:read-acl/></D:privilege>
|
||
</D:grant>
|
||
</D:ace>
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:href>http://www.example.com/groups/mrktng</D:href>
|
||
</D:principal>
|
||
<D:deny>
|
||
<D:privilege><D:read/></D:privilege>
|
||
</D:deny>
|
||
</D:ace>
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:property><D:owner/></D:property>
|
||
</D:principal>
|
||
<D:grant>
|
||
<D:privilege><D:read-acl/></D:privilege>
|
||
<D:privilege><D:write-acl/></D:privilege>
|
||
</D:grant>
|
||
</D:ace>
|
||
<D:ace>
|
||
<D:principal><D:all/></D:principal>
|
||
<D:grant>
|
||
<D:privilege><D:read/></D:privilege>
|
||
</D:grant>
|
||
<D:inherited>
|
||
<D:href>http://www.example.com/top</D:href>
|
||
</D:inherited>
|
||
</D:ace>
|
||
</D:acl>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:propstat>
|
||
</D:response>
|
||
</D:multistatus>
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 34]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
The value of the DAV:owner property is a single DAV:href XML element
|
||
containing the URL of the principal that owns this resource.
|
||
|
||
The value of the DAV:supported-privilege-set property is a tree of
|
||
supported privileges (using "[XML Namespace , localname]" to identify
|
||
each privilege):
|
||
|
||
[DAV:, all] (aggregate, abstract)
|
||
|
|
||
+-- [DAV:, read]
|
||
+-- [DAV:, write] (aggregate, abstract)
|
||
|
|
||
+-- [http://www.example.com/acl, create]
|
||
+-- [http://www.example.com/acl, update]
|
||
+-- [http://www.example.com/acl, delete]
|
||
+-- [DAV:, read-acl]
|
||
+-- [DAV:, write-acl]
|
||
|
||
The DAV:current-user-privilege-set property contains two privileges,
|
||
DAV:read, and DAV:read-acl. This indicates that the current
|
||
authenticated user only has the ability to read the resource, and
|
||
read the DAV:acl property on the resource. The DAV:acl property
|
||
contains a set of four ACEs:
|
||
|
||
ACE #1: The principal identified by the URL http://www.example.com/
|
||
users/esedlar is granted the DAV:read, DAV:write, and DAV:read-acl
|
||
privileges.
|
||
|
||
ACE #2: The principals identified by the URL http://www.example.com/
|
||
groups/mrktng are denied the DAV:read privilege. In this example,
|
||
the principal URL identifies a group.
|
||
|
||
ACE #3: In this ACE, the principal is a property principal,
|
||
specifically the DAV:owner property. When evaluating this ACE, the
|
||
value of the DAV:owner property is retrieved, and is examined to see
|
||
if it contains a DAV:href XML element. If so, the URL within the
|
||
DAV:href element is read, and identifies a principal. In this ACE,
|
||
the owner is granted DAV:read-acl, and DAV:write-acl privileges.
|
||
|
||
ACE #4: This ACE grants the DAV:all principal (all users) the
|
||
DAV:read privilege. This ACE is inherited from the resource http://
|
||
www.example.com/top, the parent collection of this resource.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 35]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
6. ACL Evaluation
|
||
|
||
WebDAV ACLs are evaluated in similar manner as ACLs on Windows NT and
|
||
in NFSv4 [RFC3530]). An ACL is evaluated to determine whether or not
|
||
access will be granted for a WebDAV request. ACEs are maintained in
|
||
a particular order, and are evaluated until all of the permissions
|
||
required by the current request have been granted, at which point the
|
||
ACL evaluation is terminated and access is granted. If, during ACL
|
||
evaluation, a <deny> ACE (matching the current user) is encountered
|
||
for a privilege which has not yet been granted, the ACL evaluation is
|
||
terminated and access is denied. Failure to have all required
|
||
privileges granted results in access being denied.
|
||
|
||
Note that the semantics of many other existing ACL systems may be
|
||
represented via this mechanism, by mixing deny and grant ACEs. For
|
||
example, consider the standard "rwx" privilege scheme used by UNIX.
|
||
In this scheme, if the current user is the owner of the file, access
|
||
is granted if the corresponding privilege bit is set and denied if
|
||
not set, regardless of the permissions set on the file's group and
|
||
for the world. An ACL for UNIX permissions of "r--rw-r--" might be
|
||
constructed like:
|
||
|
||
<D:acl>
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:property><D:owner/></D:property>
|
||
</D:principal>
|
||
<D:grant>
|
||
<D:privilege><D:read/></D:privilege>
|
||
</D:grant>
|
||
</D:ace>
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:property><D:owner/></D:property>
|
||
</D:principal>
|
||
<D:deny>
|
||
<D:privilege><D:all/></D:privilege>
|
||
</D:deny>
|
||
</D:ace>
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:property><D:group/></D:property>
|
||
</D:principal>
|
||
<D:grant>
|
||
<D:privilege><D:read/></D:privilege>
|
||
<D:privilege><D:write/></D:privilege>
|
||
</D:grant>
|
||
</D:ace>
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 36]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:property><D:group/></D:property>
|
||
</D:principal>
|
||
<D:deny>
|
||
<D:privilege><D:all/></D:privilege>
|
||
</D:deny>
|
||
</D:ace>
|
||
<D:ace>
|
||
<D:principal><D:all></D:principal>
|
||
<D:grant>
|
||
<D:privilege><D:read/></D:privilege>
|
||
</D:grant>
|
||
</D:ace>
|
||
</D:acl>
|
||
|
||
and the <acl-restrictions> would be defined as:
|
||
|
||
<D:no-invert/>
|
||
<D:required-principal>
|
||
<D:all/>
|
||
<D:property><D:owner/></D:property>
|
||
<D:property><D:group/><D:group/>
|
||
</D:required-principal>
|
||
|
||
Note that the client can still get errors from a UNIX server in spite
|
||
of obeying the <acl-restrictions>, including <D:allowed-principal>
|
||
(adding an ACE specifying a principal other than the ones in the ACL
|
||
above) or <D:ace-conflict> (by trying to reorder the ACEs in the
|
||
example above), as these particular implementation semantics are too
|
||
complex to be captured with the simple (but general) declarative
|
||
restrictions.
|
||
|
||
7. Access Control and existing methods
|
||
|
||
This section defines the impact of access control functionality on
|
||
existing methods.
|
||
|
||
7.1. Any HTTP method
|
||
|
||
7.1.1. Error Handling
|
||
|
||
The WebDAV ACL mechanism requires the usage of HTTP method
|
||
"preconditions" as described in section 1.6 of RFC3253 for ALL HTTP
|
||
methods. All HTTP methods have an additional precondition called
|
||
DAV:need-privileges. If an HTTP method fails due to insufficient
|
||
privileges, the response body to the "403 Forbidden" error MUST
|
||
contain the <DAV:error> element, which in turn contains the
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 37]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
<DAV:need-privileges> element, which contains one or more
|
||
<DAV:resource> elements indicating which resource had insufficient
|
||
privileges, and what the lacking privileges were:
|
||
|
||
<!ELEMENT need-privileges (resource)* >
|
||
<!ELEMENT resource ( href , privilege ) >
|
||
|
||
Since some methods require multiple permissions on multiple
|
||
resources, this information is needed to resolve any ambiguity.
|
||
There is no requirement that all privilege violations be reported -
|
||
for implementation reasons, some servers may only report the first
|
||
privilege violation. For example:
|
||
|
||
>> Request <<
|
||
|
||
MOVE /a/b/ HTTP/1.1
|
||
Host: www.example.com
|
||
Destination: http://www.example.com/c/d
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 403 Forbidden
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
|
||
<D:error xmlns:D="DAV:">
|
||
<D:need-privileges>
|
||
<D:resource>
|
||
<D:href>/a</D:href>
|
||
<D:privilege><D:unbind/></D:privilege>
|
||
</D:resource>
|
||
<D:resource>
|
||
<D:href>/c</D:href>
|
||
<D:privilege><D:bind/></D:privilege>
|
||
</D:resource>
|
||
</D:need-privileges>
|
||
</D:error>
|
||
|
||
7.2. OPTIONS
|
||
|
||
If the server supports access control, it MUST return "access-
|
||
control" as a field in the DAV response header from an OPTIONS
|
||
request on any resource implemented by that server. A value of
|
||
"access-control" in the DAV header MUST indicate that the server
|
||
supports all MUST level requirements and REQUIRED features specified
|
||
in this document.
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 38]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
7.2.1. Example - OPTIONS
|
||
|
||
>> Request <<
|
||
|
||
OPTIONS /foo.html HTTP/1.1
|
||
Host: www.example.com
|
||
Content-Length: 0
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 200 OK
|
||
DAV: 1, 2, access-control
|
||
Allow: OPTIONS, GET, PUT, PROPFIND, PROPPATCH, ACL
|
||
|
||
In this example, the OPTIONS response indicates that the server
|
||
supports access control and that /foo.html can have its access
|
||
control list modified by the ACL method.
|
||
|
||
7.3. MOVE
|
||
|
||
When a resource is moved from one location to another due to a MOVE
|
||
request, the non-inherited and non-protected ACEs in the DAV:acl
|
||
property of the resource MUST NOT be modified, or the MOVE request
|
||
fails. Handling of inherited and protected ACEs is intentionally
|
||
undefined to give server implementations flexibility in how they
|
||
implement ACE inheritance and protection.
|
||
|
||
7.4. COPY
|
||
|
||
The DAV:acl property on the resource at the destination of a COPY
|
||
MUST be the same as if the resource was created by an individual
|
||
resource creation request (e.g., MKCOL, PUT). Clients wishing to
|
||
preserve the DAV:acl property across a copy need to read the DAV:acl
|
||
property prior to the COPY, then perform an ACL operation on the new
|
||
resource at the destination to restore, insofar as this is possible,
|
||
the original access control list.
|
||
|
||
7.5. LOCK
|
||
|
||
A lock on a resource ensures that only the lock owner can modify ACEs
|
||
that are not inherited and not protected (these are the only ACEs
|
||
that a client can modify with an ACL request). A lock does not
|
||
protect inherited or protected ACEs, since a client cannot modify
|
||
them with an ACL request on that resource.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 39]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
8. Access Control Methods
|
||
|
||
8.1. ACL
|
||
|
||
The ACL method modifies the access control list (which can be read
|
||
via the DAV:acl property) of a resource. Specifically, the ACL
|
||
method only permits modification to ACEs that are not inherited, and
|
||
are not protected. An ACL method invocation modifies all non-
|
||
inherited and non-protected ACEs in a resource's access control list
|
||
to exactly match the ACEs contained within in the DAV:acl XML element
|
||
(specified in Section 5.5) of the request body. An ACL request body
|
||
MUST contain only one DAV:acl XML element. Unless the non-inherited
|
||
and non-protected ACEs of the DAV:acl property of the resource can be
|
||
updated to be exactly the value specified in the ACL request, the ACL
|
||
request MUST fail.
|
||
|
||
It is possible that the ACEs visible to the current user in the
|
||
DAV:acl property may only be a portion of the complete set of ACEs on
|
||
that resource. If this is the case, an ACL request only modifies the
|
||
set of ACEs visible to the current user, and does not affect any
|
||
non-visible ACE.
|
||
|
||
In order to avoid overwriting DAV:acl changes by another client, a
|
||
client SHOULD acquire a WebDAV lock on the resource before retrieving
|
||
the DAV:acl property of a resource that it intends on updating.
|
||
|
||
Implementation Note: Two common operations are to add or remove an
|
||
ACE from an existing access control list. To accomplish this, a
|
||
client uses the PROPFIND method to retrieve the value of the
|
||
DAV:acl property, then parses the returned access control list to
|
||
remove all inherited and protected ACEs (these ACEs are tagged
|
||
with the DAV:inherited and DAV:protected XML elements). In the
|
||
remaining set of non-inherited, non-protected ACEs, the client can
|
||
add or remove one or more ACEs before submitting the final ACE set
|
||
in the request body of the ACL method.
|
||
|
||
8.1.1. ACL Preconditions
|
||
|
||
An implementation MUST enforce the following constraints on an ACL
|
||
request. If the constraint is violated, a 403 (Forbidden) or 409
|
||
(Conflict) response MUST be returned and the indicated XML element
|
||
MUST be returned as a child of a top level DAV:error element in an
|
||
XML response body.
|
||
|
||
Though these status elements are generally expressed as empty XML
|
||
elements (and are defined as EMPTY in the DTD), implementations MAY
|
||
return additional descriptive XML elements as children of the status
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 40]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
element. Clients MUST be able to accept children of these status
|
||
elements. Clients that do not understand the additional XML elements
|
||
should ignore them.
|
||
|
||
(DAV:no-ace-conflict): The ACEs submitted in the ACL request MUST NOT
|
||
conflict with each other. This is a catchall error code indicating
|
||
that an implementation-specific ACL restriction has been violated.
|
||
|
||
(DAV:no-protected-ace-conflict): The ACEs submitted in the ACL
|
||
request MUST NOT conflict with the protected ACEs on the resource.
|
||
For example, if the resource has a protected ACE granting DAV:write
|
||
to a given principal, then it would not be consistent if the ACL
|
||
request submitted an ACE denying DAV:write to the same principal.
|
||
|
||
(DAV:no-inherited-ace-conflict): The ACEs submitted in the ACL
|
||
request MUST NOT conflict with the inherited ACEs on the resource.
|
||
For example, if the resource inherits an ACE from its parent
|
||
collection granting DAV:write to a given principal, then it would not
|
||
be consistent if the ACL request submitted an ACE denying DAV:write
|
||
to the same principal. Note that reporting of this error will be
|
||
implementation-dependent. Implementations MUST either report this
|
||
error or allow the ACE to be set, and then let normal ACE evaluation
|
||
rules determine whether the new ACE has any impact on the privileges
|
||
available to a specific principal.
|
||
|
||
(DAV:limited-number-of-aces): The number of ACEs submitted in the ACL
|
||
request MUST NOT exceed the number of ACEs allowed on that resource.
|
||
However, ACL-compliant servers MUST support at least one ACE granting
|
||
privileges to a single principal, and one ACE granting privileges to
|
||
a group.
|
||
|
||
(DAV:deny-before-grant): All non-inherited deny ACEs MUST precede all
|
||
non-inherited grant ACEs.
|
||
|
||
(DAV:grant-only): The ACEs submitted in the ACL request MUST NOT
|
||
include a deny ACE. This precondition applies only when the ACL
|
||
restrictions of the resource include the DAV:grant-only constraint
|
||
(defined in Section 5.6.1).
|
||
|
||
(DAV:no-invert): The ACL request MUST NOT include a DAV:invert
|
||
element. This precondition applies only when the ACL semantics of
|
||
the resource includes the DAV:no-invert constraint (defined in
|
||
Section 5.6.2).
|
||
|
||
(DAV:no-abstract): The ACL request MUST NOT attempt to grant or deny
|
||
an abstract privilege (see Section 5.3).
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 41]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
(DAV:not-supported-privilege): The ACEs submitted in the ACL request
|
||
MUST be supported by the resource.
|
||
|
||
(DAV:missing-required-principal): The result of the ACL request MUST
|
||
have at least one ACE for each principal identified in a
|
||
DAV:required-principal XML element in the ACL semantics of that
|
||
resource (see Section 5.5).
|
||
|
||
(DAV:recognized-principal): Every principal URL in the ACL request
|
||
MUST identify a principal resource.
|
||
|
||
(DAV:allowed-principal): The principals specified in the ACEs
|
||
submitted in the ACL request MUST be allowed as principals for the
|
||
resource. For example, a server where only authenticated principals
|
||
can access resources would not allow the DAV:all or
|
||
DAV:unauthenticated principals to be used in an ACE, since these
|
||
would allow unauthenticated access to resources.
|
||
|
||
8.1.2. Example: the ACL method
|
||
|
||
In the following example, user "fielding", authenticated by
|
||
information in the Authorization header, grants the principal
|
||
identified by the URL http://www.example.com/users/esedlar (i.e., the
|
||
user "esedlar") read and write privileges, grants the owner of the
|
||
resource read-acl and write-acl privileges, and grants everyone read
|
||
privileges.
|
||
|
||
>> Request <<
|
||
|
||
ACL /top/container/ HTTP/1.1
|
||
Host: www.example.com
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxxx
|
||
Authorization: Digest username="fielding",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/top/container/", response="...", opaque="..."
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:acl xmlns:D="DAV:">
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:href>http://www.example.com/users/esedlar</D:href>
|
||
</D:principal>
|
||
<D:grant>
|
||
<D:privilege><D:read/></D:privilege>
|
||
<D:privilege><D:write/></D:privilege>
|
||
</D:grant>
|
||
</D:ace>
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 42]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:property><D:owner/></D:property>
|
||
</D:principal>
|
||
<D:grant>
|
||
<D:privilege><D:read-acl/></D:privilege>
|
||
<D:privilege><D:write-acl/></D:privilege>
|
||
</D:grant>
|
||
</D:ace>
|
||
<D:ace>
|
||
<D:principal><D:all/></D:principal>
|
||
<D:grant>
|
||
<D:privilege><D:read/></D:privilege>
|
||
</D:grant>
|
||
</D:ace>
|
||
</D:acl>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 200 OK
|
||
|
||
8.1.3. Example: ACL method failure due to protected ACE conflict
|
||
|
||
In the following request, user "fielding", authenticated by
|
||
information in the Authorization header, attempts to deny the
|
||
principal identified by the URL http://www.example.com/users/esedlar
|
||
(i.e., the user "esedlar") write privileges. Prior to the request,
|
||
the DAV:acl property on the resource contained a protected ACE (see
|
||
Section 5.5.3) granting DAV:owner the DAV:read and DAV:write
|
||
privileges. The principal identified by URL http://www.example.com/
|
||
users/esedlar is the owner of the resource. The ACL method
|
||
invocation fails because the submitted ACE conflicts with the
|
||
protected ACE, thus violating the semantics of ACE protection.
|
||
|
||
>> Request <<
|
||
|
||
ACL /top/container/ HTTP/1.1
|
||
Host: www.example.com
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxxx
|
||
Authorization: Digest username="fielding",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/top/container/", response="...", opaque="..."
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:acl xmlns:D="DAV:">
|
||
<D:ace>
|
||
<D:principal>
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 43]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
<D:href>http://www.example.com/users/esedlar</D:href>
|
||
</D:principal>
|
||
<D:deny>
|
||
<D:privilege><D:write/></D:privilege>
|
||
</D:deny>
|
||
</D:ace>
|
||
</D:acl>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 403 Forbidden
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:error xmlns:D="DAV:">
|
||
<D:no-protected-ace-conflict/>
|
||
</D:error>
|
||
|
||
8.1.4. Example: ACL method failure due to an inherited ACE conflict
|
||
|
||
In the following request, user "ejw", authenticated by information in
|
||
the Authorization header, tries to change the access control list on
|
||
the resource http://www.example.com/top/index.html. This resource
|
||
has two inherited ACEs.
|
||
|
||
Inherited ACE #1 grants the principal identified by URL http://
|
||
www.example.com/users/ejw (i.e., the user "ejw") http://
|
||
www.example.com/privs/write-all and DAV:read-acl privileges. On this
|
||
server, http://www.example.com/privs/write-all is an aggregate
|
||
privilege containing DAV:write, and DAV:write-acl.
|
||
|
||
Inherited ACE #2 grants principal DAV:all the DAV:read privilege.
|
||
|
||
The request attempts to set a (non-inherited) ACE, denying the
|
||
principal identified by the URL http://www.example.com/users/ejw
|
||
(i.e., the user "ejw") DAV:write permission. This conflicts with
|
||
inherited ACE #1. Note that the decision to report an inherited ACE
|
||
conflict is specific to this server implementation. Another server
|
||
implementation could have allowed the new ACE to be set, and then
|
||
used normal ACE evaluation rules to determine whether the new ACE has
|
||
any impact on the privileges available to a principal.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 44]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
>> Request <<
|
||
|
||
ACL /top/index.html HTTP/1.1
|
||
Host: www.example.com
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxxx
|
||
Authorization: Digest username="ejw",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/top/index.html", response="...", opaque="..."
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:acl xmlns:D="DAV:" xmlns:F="http://www.example.com/privs/">
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:href>http://www.example.com/users/ejw</D:href>
|
||
</D:principal>
|
||
<D:grant><D:write/></D:grant>
|
||
</D:ace>
|
||
</D:acl>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 403 Forbidden
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:error xmlns:D="DAV:">
|
||
<D:no-inherited-ace-conflict/>
|
||
</D:error>
|
||
|
||
8.1.5. Example: ACL method failure due to an attempt to set grant and
|
||
deny in a single ACE
|
||
|
||
In this example, user "ygoland", authenticated by information in the
|
||
Authorization header, tries to change the access control list on the
|
||
resource http://www.example.com/diamond/engagement-ring.gif. The ACL
|
||
request includes a single, syntactically and semantically incorrect
|
||
ACE, which attempts to grant the group identified by the URL http://
|
||
www.example.com/users/friends DAV:read privilege and deny the
|
||
principal identified by URL http://www.example.com/users/ygoland-so
|
||
(i.e., the user "ygoland-so") DAV:read privilege. However, it is
|
||
illegal to have multiple principal elements, as well as both a grant
|
||
and deny element in the same ACE, so the request fails due to poor
|
||
syntax.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 45]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
>> Request <<
|
||
|
||
ACL /diamond/engagement-ring.gif HTTP/1.1
|
||
Host: www.example.com
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxxx
|
||
Authorization: Digest username="ygoland",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/diamond/engagement-ring.gif", response="...",
|
||
opaque="..."
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:acl xmlns:D="DAV:">
|
||
<D:ace>
|
||
<D:principal>
|
||
<D:href>http://www.example.com/users/friends</D:href>
|
||
</D:principal>
|
||
<D:grant><D:read/></D:grant>
|
||
<D:principal>
|
||
<D:href>http://www.example.com/users/ygoland-so</D:href>
|
||
</D:principal>
|
||
<D:deny><D:read/></D:deny>
|
||
</D:ace>
|
||
</D:acl>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 400 Bad Request
|
||
Content-Length: 0
|
||
|
||
Note that if the request had been divided into two ACEs, one to
|
||
grant, and one to deny, the request would have been syntactically
|
||
well formed.
|
||
|
||
9. Access Control Reports
|
||
|
||
9.1. REPORT Method
|
||
|
||
The REPORT method (defined in Section 3.6 of [RFC3253]) provides an
|
||
extensible mechanism for obtaining information about a resource.
|
||
Unlike the PROPFIND method, which returns the value of one or more
|
||
named properties, the REPORT method can involve more complex
|
||
processing. REPORT is valuable in cases where the server has access
|
||
to all of the information needed to perform the complex request (such
|
||
as a query), and where it would require multiple requests for the
|
||
client to retrieve the information needed to perform the same
|
||
request.
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 46]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
A server that supports the WebDAV Access Control Protocol MUST
|
||
support the DAV:expand-property report (defined in Section 3.8 of
|
||
[RFC3253]).
|
||
|
||
9.2. DAV:acl-principal-prop-set Report
|
||
|
||
The DAV:acl-principal-prop-set report returns, for all principals in
|
||
the DAV:acl property (of the Request-URI) that are identified by
|
||
http(s) URLs or by a DAV:property principal, the value of the
|
||
properties specified in the REPORT request body. In the case where a
|
||
principal URL appears multiple times, the DAV:acl-principal-prop-set
|
||
report MUST return the properties for that principal only once.
|
||
Support for this report is REQUIRED.
|
||
|
||
One expected use of this report is to retrieve the human readable
|
||
name (found in the DAV:displayname property) of each principal found
|
||
in an ACL. This is useful for constructing user interfaces that show
|
||
each ACE in a human readable form.
|
||
|
||
Marshalling
|
||
|
||
The request body MUST be a DAV:acl-principal-prop-set XML element.
|
||
|
||
<!ELEMENT acl-principal-prop-set ANY>
|
||
ANY value: a sequence of one or more elements, with at most one
|
||
DAV:prop element.
|
||
prop: see RFC 2518, Section 12.11
|
||
|
||
This report is only defined when the Depth header has value "0";
|
||
other values result in a 400 (Bad Request) error response. Note
|
||
that [RFC3253], Section 3.6, states that if the Depth header is
|
||
not present, it defaults to a value of "0".
|
||
|
||
The response body for a successful request MUST be a
|
||
DAV:multistatus XML element (i.e., the response uses the same
|
||
format as the response for PROPFIND). In the case where there are
|
||
no response elements, the returned multistatus XML element is
|
||
empty.
|
||
|
||
multistatus: see RFC 2518, Section 12.9
|
||
|
||
The response body for a successful DAV:acl-principal-prop-set
|
||
REPORT request MUST contain a DAV:response element for each
|
||
principal identified by an http(s) URL listed in a DAV:principal
|
||
XML element of an ACE within the DAV:acl property of the resource
|
||
identified by the Request-URI.
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 47]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
Postconditions:
|
||
|
||
(DAV:number-of-matches-within-limits): The number of matching
|
||
principals must fall within server-specific, predefined limits.
|
||
For example, this condition might be triggered if a search
|
||
specification would cause the return of an extremely large number
|
||
of responses.
|
||
|
||
9.2.1. Example: DAV:acl-principal-prop-set Report
|
||
|
||
Resource http://www.example.com/index.html has an ACL with three
|
||
ACEs:
|
||
|
||
ACE #1: All principals (DAV:all) have DAV:read and DAV:read-current-
|
||
user-privilege-set access.
|
||
|
||
ACE #2: The principal identified by http://www.example.com/people/
|
||
gstein (the user "gstein") is granted DAV:write, DAV:write-acl,
|
||
DAV:read-acl privileges.
|
||
|
||
ACE #3: The group identified by http://www.example.com/groups/authors
|
||
(the "authors" group) is granted DAV:write and DAV:read-acl
|
||
privileges.
|
||
|
||
The following example shows a DAV:acl-principal-prop-set report
|
||
requesting the DAV:displayname property. It returns the value of
|
||
DAV:displayname for resources http://www.example.com/people/gstein
|
||
and http://www.example.com/groups/authors , but not for DAV:all,
|
||
since this is not an http(s) URL.
|
||
|
||
>> Request <<
|
||
|
||
REPORT /index.html HTTP/1.1
|
||
Host: www.example.com
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxxx
|
||
Depth: 0
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:acl-principal-prop-set xmlns:D="DAV:">
|
||
<D:prop>
|
||
<D:displayname/>
|
||
</D:prop>
|
||
</D:acl-principal-prop-set>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 48]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 207 Multi-Status
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:multistatus xmlns:D="DAV:">
|
||
<D:response>
|
||
<D:href>http://www.example.com/people/gstein</D:href>
|
||
<D:propstat>
|
||
<D:prop>
|
||
<D:displayname>Greg Stein</D:displayname>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:propstat>
|
||
</D:response>
|
||
<D:response>
|
||
<D:href>http://www.example.com/groups/authors</D:href>
|
||
<D:propstat>
|
||
<D:prop>
|
||
<D:displayname>Site authors</D:displayname>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:propstat>
|
||
</D:response>
|
||
</D:multistatus>
|
||
|
||
9.3. DAV:principal-match REPORT
|
||
|
||
The DAV:principal-match REPORT is used to identify all members (at
|
||
any depth) of the collection identified by the Request-URI that are
|
||
principals and that match the current user. In particular, if the
|
||
collection contains principals, the report can be used to identify
|
||
all members of the collection that match the current user.
|
||
Alternatively, if the collection contains resources that have a
|
||
property that identifies a principal (e.g., DAV:owner), the report
|
||
can be used to identify all members of the collection whose property
|
||
identifies a principal that matches the current user. For example,
|
||
this report can return all of the resources in a collection hierarchy
|
||
that are owned by the current user. Support for this report is
|
||
REQUIRED.
|
||
|
||
Marshalling:
|
||
|
||
The request body MUST be a DAV:principal-match XML element.
|
||
<!ELEMENT principal-match ((principal-property | self), prop?)>
|
||
<!ELEMENT principal-property ANY>
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 49]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
ANY value: an element whose value identifies a property. The
|
||
expectation is the value of the named property typically contains
|
||
an href element that contains the URI of a principal
|
||
<!ELEMENT self EMPTY>
|
||
prop: see RFC 2518, Section 12.11
|
||
|
||
This report is only defined when the Depth header has value "0";
|
||
other values result in a 400 (Bad Request) error response. Note
|
||
that [RFC3253], Section 3.6, states that if the Depth header is
|
||
not present, it defaults to a value of "0". The response body for
|
||
a successful request MUST be a DAV:multistatus XML element. In
|
||
the case where there are no response elements, the returned
|
||
multistatus XML element is empty.
|
||
|
||
multistatus: see RFC 2518, Section 12.9
|
||
|
||
The response body for a successful DAV:principal-match REPORT
|
||
request MUST contain a DAV:response element for each member of the
|
||
collection that matches the current user. When the
|
||
DAV:principal-property element is used, a match occurs if the
|
||
current user is matched by the principal identified by the URI
|
||
found in the DAV:href element of the property identified by the
|
||
DAV:principal-property element. When the DAV:self element is used
|
||
in a DAV:principal-match report issued against a group, it matches
|
||
the group if a member identifies the same principal as the current
|
||
user.
|
||
|
||
If DAV:prop is specified in the request body, the properties
|
||
specified in the DAV:prop element MUST be reported in the
|
||
DAV:response elements.
|
||
|
||
9.3.1. Example: DAV:principal-match REPORT
|
||
|
||
The following example identifies the members of the collection
|
||
identified by the URL http://www.example.com/doc that are owned by
|
||
the current user. The current user ("gclemm") is authenticated using
|
||
Digest authentication.
|
||
|
||
>> Request <<
|
||
|
||
REPORT /doc/ HTTP/1.1
|
||
Host: www.example.com
|
||
Authorization: Digest username="gclemm",
|
||
realm="users@example.com", nonce="...",
|
||
uri="/papers/", response="...", opaque="..."
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxxx
|
||
Depth: 0
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 50]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:principal-match xmlns:D="DAV:">
|
||
<D:principal-property>
|
||
<D:owner/>
|
||
</D:principal-property>
|
||
</D:principal-match>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 207 Multi-Status
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:multistatus xmlns:D="DAV:">
|
||
<D:response>
|
||
<D:href>http://www.example.com/doc/foo.html</D:href>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:response>
|
||
<D:response>
|
||
<D:href>http://www.example.com/doc/img/bar.gif</D:href>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:response>
|
||
</D:multistatus>
|
||
|
||
9.4. DAV:principal-property-search REPORT
|
||
|
||
The DAV:principal-property-search REPORT performs a search for all
|
||
principals whose properties contain character data that matches the
|
||
search criteria specified in the request. One expected use of this
|
||
report is to discover the URL of a principal associated with a given
|
||
person or group by searching for them by name. This is done by
|
||
searching over DAV:displayname, which is defined on all principals.
|
||
|
||
The actual search method (exact matching vs. substring matching vs,
|
||
prefix-matching, case-sensitivity) deliberately is left to the server
|
||
implementation to allow implementation on a wide set of possible user
|
||
management systems. In cases where the implementation of
|
||
DAV:principal-property-search is not constrained by the semantics of
|
||
an underlying user management repository, preferred default semantics
|
||
are caseless substring matches.
|
||
|
||
For implementation efficiency, servers do not typically support
|
||
searching on all properties. A search requesting properties that are
|
||
not searchable for a particular principal will not match that
|
||
principal.
|
||
|
||
Support for the DAV:principal-property-search report is REQUIRED.
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 51]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
Implementation Note: The value of a WebDAV property is a sequence
|
||
of well-formed XML, and hence can include any character in the
|
||
Unicode/ISO-10646 standard, that is, most known characters in
|
||
human languages. Due to the idiosyncrasies of case mapping across
|
||
human languages, implementation of case-insensitive matching is
|
||
non-trivial. Implementors of servers that do perform substring
|
||
matching are strongly encouraged to consult "The Unicode Standard"
|
||
[UNICODE4], especially Section 5.18, Subsection "Caseless
|
||
Matching", for guidance when implementing their case-insensitive
|
||
matching algorithms.
|
||
|
||
Implementation Note: Some implementations of this protocol will
|
||
use an LDAP repository for storage of principal metadata. The
|
||
schema describing each attribute (akin to a WebDAV property) in an
|
||
LDAP repository specifies whether it supports case-sensitive or
|
||
caseless searching. One of the benefits of leaving the search
|
||
method to the discretion of the server implementation is the
|
||
default LDAP attribute search behavior can be used when
|
||
implementing the DAV:principal-property-search report.
|
||
|
||
Marshalling:
|
||
|
||
The request body MUST be a DAV:principal-property-search XML
|
||
element containing a search specification and an optional list of
|
||
properties. For every principal that matches the search
|
||
specification, the response will contain the value of the
|
||
requested properties on that principal.
|
||
|
||
<!ELEMENT principal-property-search
|
||
((property-search+), prop?, apply-to-principal-collection-set?) >
|
||
|
||
By default, the report searches all members (at any depth) of the
|
||
collection identified by the Request-URI. If DAV:apply-to-
|
||
principal-collection-set is specified in the request body, the
|
||
request is applied instead to each collection identified by the
|
||
DAV:principal-collection-set property of the resource identified
|
||
by the Request-URI.
|
||
|
||
The DAV:property-search element contains a prop element
|
||
enumerating the properties to be searched and a match element,
|
||
containing the search string.
|
||
|
||
<!ELEMENT property-search (prop, match) >
|
||
prop: see RFC 2518, Section 12.11
|
||
|
||
<!ELEMENT match #PCDATA >
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 52]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
Multiple property-search elements or multiple elements within a
|
||
DAV:prop element will be interpreted with a logical AND.
|
||
|
||
This report is only defined when the Depth header has value "0";
|
||
other values result in a 400 (Bad Request) error response. Note
|
||
that [RFC3253], Section 3.6, states that if the Depth header is
|
||
not present, it defaults to a value of "0".
|
||
|
||
The response body for a successful request MUST be a
|
||
DAV:multistatus XML element. In the case where there are no
|
||
response elements, the returned multistatus XML element is empty.
|
||
|
||
multistatus: see RFC 2518, Section 12.9
|
||
|
||
The response body for a successful DAV:principal-property-search
|
||
REPORT request MUST contain a DAV:response element for each
|
||
principal whose property values satisfy the search specification
|
||
given in DAV:principal-property-search.
|
||
|
||
If DAV:prop is specified in the request body, the properties
|
||
specified in the DAV:prop element MUST be reported in the
|
||
DAV:response elements.
|
||
|
||
Preconditions:
|
||
|
||
None
|
||
|
||
Postconditions:
|
||
|
||
(DAV:number-of-matches-within-limits): The number of matching
|
||
principals must fall within server-specific, predefined limits.
|
||
For example, this condition might be triggered if a search
|
||
specification would cause the return of an extremely large number
|
||
of responses.
|
||
|
||
9.4.1. Matching
|
||
|
||
There are several cases to consider when matching strings. The
|
||
easiest case is when a property value is "simple" and has only
|
||
character information item content (see [REC-XML-INFOSET]). For
|
||
example, the search string "julian" would match the DAV:displayname
|
||
property with value "Julian Reschke". Note that the on-the-wire
|
||
marshaling of DAV:displayname in this case is:
|
||
|
||
<D:displayname xmlns:D="DAV:">Julian Reschke</D:displayname>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 53]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
The name of the property is encoded into the XML element information
|
||
item, and the character information item content of the property is
|
||
"Julian Reschke".
|
||
|
||
A more complicated case occurs when properties have mixed content
|
||
(that is, compound values consisting of multiple child element items,
|
||
other types of information items, and character information item
|
||
content). Consider the property "aprop" in the namespace "http://
|
||
www.example.com/props/", marshaled as:
|
||
|
||
<W:aprop xmlns:W="http://www.example.com/props/">
|
||
{cdata 0}<W:elem1>{cdata 1}</W:elem1>
|
||
<W:elem2>{cdata 2}</W:elem2>{cdata 3}
|
||
</W:aprop>
|
||
|
||
In this case, matching is performed on each individual contiguous
|
||
sequence of character information items. In the example above, a
|
||
search string would be compared to the four following strings:
|
||
|
||
{cdata 0}
|
||
{cdata 1}
|
||
{cdata 2}
|
||
{cdata 3}
|
||
|
||
That is, four individual matches would be performed, one each for
|
||
{cdata 0}, {cdata 1}, {cdata 2}, and {cdata 3}.
|
||
|
||
9.4.2. Example: successful DAV:principal-property-search REPORT
|
||
|
||
In this example, the client requests the principal URLs of all users
|
||
whose DAV:displayname property contains the substring "doE" and whose
|
||
"title" property in the namespace "http://BigCorp.com/ns/" (that is,
|
||
their professional title) contains "Sales". In addition, the client
|
||
requests five properties to be returned with the matching principals:
|
||
|
||
In the DAV: namespace: displayname
|
||
|
||
In the http://www.example.com/ns/ namespace: department, phone,
|
||
office, salary
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 54]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
The response shows that two principal resources meet the search
|
||
specification, "John Doe" and "Zygdoebert Smith". The property
|
||
"salary" in namespace "http://www.example.com/ns/" is not returned,
|
||
since the principal making the request does not have sufficient
|
||
access permissions to read this property.
|
||
|
||
>> Request <<
|
||
|
||
REPORT /users/ HTTP/1.1
|
||
Host: www.example.com
|
||
Content-Type: text/xml; charset=utf-8
|
||
Content-Length: xxxx
|
||
Depth: 0
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:principal-property-search xmlns:D="DAV:">
|
||
<D:property-search>
|
||
<D:prop>
|
||
<D:displayname/>
|
||
</D:prop>
|
||
<D:match>doE</D:match>
|
||
</D:property-search>
|
||
<D:property-search>
|
||
<D:prop xmlns:B="http://www.example.com/ns/">
|
||
<B:title/>
|
||
</D:prop>
|
||
<D:match>Sales</D:match>
|
||
</D:property-search>
|
||
<D:prop xmlns:B="http://www.example.com/ns/">
|
||
<D:displayname/>
|
||
<B:department/>
|
||
<B:phone/>
|
||
<B:office/>
|
||
<B:salary/>
|
||
</D:prop>
|
||
</D:principal-property-search>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 207 Multi-Status
|
||
Content-Type: text/xml; charset=utf-8
|
||
Content-Length: xxxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:multistatus xmlns:D="DAV:" xmlns:B="http://BigCorp.com/ns/">
|
||
<D:response>
|
||
<D:href>http://www.example.com/users/jdoe</D:href>
|
||
<D:propstat>
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 55]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
<D:prop>
|
||
<D:displayname>John Doe</D:displayname>
|
||
<B:department>Widget Sales</B:department>
|
||
<B:phone>234-4567</B:phone>
|
||
<B:office>209</B:office>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:propstat>
|
||
<D:propstat>
|
||
<D:prop>
|
||
<B:salary/>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 403 Forbidden</D:status>
|
||
</D:propstat>
|
||
</D:response>
|
||
<D:response>
|
||
<D:href>http://www.example.com/users/zsmith</D:href>
|
||
<D:propstat>
|
||
<D:prop>
|
||
<D:displayname>Zygdoebert Smith</D:displayname>
|
||
<B:department>Gadget Sales</B:department>
|
||
<B:phone>234-7654</B:phone>
|
||
<B:office>114</B:office>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 200 OK</D:status>
|
||
</D:propstat>
|
||
<D:propstat>
|
||
<D:prop>
|
||
<B:salary/>
|
||
</D:prop>
|
||
<D:status>HTTP/1.1 403 Forbidden</D:status>
|
||
</D:propstat>
|
||
</D:response>
|
||
</D:multistatus>
|
||
|
||
9.5. DAV:principal-search-property-set REPORT
|
||
|
||
The DAV:principal-search-property-set REPORT identifies those
|
||
properties that may be searched using the DAV:principal-property-
|
||
search REPORT (defined in Section 9.4).
|
||
|
||
Servers MUST support the DAV:principal-search-property-set REPORT on
|
||
all collections identified in the value of a DAV:principal-
|
||
collection-set property.
|
||
|
||
An access control protocol user agent could use the results of the
|
||
DAV:principal-search-property-set REPORT to present a query interface
|
||
to the user for retrieving principals.
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 56]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
Support for this report is REQUIRED.
|
||
|
||
Implementation Note: Some clients will have only limited screen
|
||
real estate for the display of lists of searchable properties. In
|
||
this case, a user might appreciate having the most frequently
|
||
searched properties be displayed on-screen, rather than having to
|
||
scroll through a long list of searchable properties. One
|
||
mechanism for signaling the most frequently searched properties is
|
||
to return them towards the start of a list of properties. A
|
||
client can then preferentially display the list of properties in
|
||
order, increasing the likelihood that the most frequently searched
|
||
properties will appear on-screen, and will not require scrolling
|
||
for their selection.
|
||
|
||
Marshalling:
|
||
|
||
The request body MUST be an empty DAV:principal-search-property-
|
||
set XML element.
|
||
|
||
This report is only defined when the Depth header has value "0";
|
||
other values result in a 400 (Bad Request) error response. Note
|
||
that [RFC3253], Section 3.6, states that if the Depth header is
|
||
not present, it defaults to a value of "0".
|
||
|
||
The response body MUST be a DAV:principal-search-property-set XML
|
||
element, containing a DAV:principal-search-property XML element
|
||
for each property that may be searched with the DAV:principal-
|
||
property-search REPORT. A server MAY limit its response to just a
|
||
subset of the searchable properties, such as those likely to be
|
||
useful to an interactive access control client.
|
||
|
||
<!ELEMENT principal-search-property-set
|
||
(principal-search-property*) >
|
||
|
||
Each DAV:principal-search-property XML element contains exactly
|
||
one searchable property, and a description of the property.
|
||
|
||
<!ELEMENT principal-search-property (prop, description) >
|
||
|
||
The DAV:prop element contains one principal property on which the
|
||
server is able to perform a DAV:principal-property-search REPORT.
|
||
|
||
prop: see RFC 2518, Section 12.11
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 57]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
The description element is a human-readable description of what
|
||
information this property represents. Servers MUST indicate the
|
||
human language of the description using the xml:lang attribute and
|
||
SHOULD consider the HTTP Accept-Language request header when
|
||
selecting one of multiple available languages.
|
||
|
||
<!ELEMENT description #PCDATA >
|
||
|
||
9.5.1. Example: DAV:principal-search-property-set REPORT
|
||
|
||
In this example, the client determines the set of searchable
|
||
principal properties by requesting the DAV:principal-search-
|
||
property-set REPORT on the root of the server's principal URL
|
||
collection set, identified by http://www.example.com/users/.
|
||
|
||
>> Request <<
|
||
|
||
REPORT /users/ HTTP/1.1
|
||
Host: www.example.com
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
Accept-Language: en, de
|
||
Authorization: BASIC d2FubmFtYWs6cGFzc3dvcmQ=
|
||
Depth: 0
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:principal-search-property-set xmlns:D="DAV:"/>
|
||
|
||
>> Response <<
|
||
|
||
HTTP/1.1 200 OK
|
||
Content-Type: text/xml; charset="utf-8"
|
||
Content-Length: xxx
|
||
|
||
<?xml version="1.0" encoding="utf-8" ?>
|
||
<D:principal-search-property-set xmlns:D="DAV:">
|
||
<D:principal-search-property>
|
||
<D:prop>
|
||
<D:displayname/>
|
||
</D:prop>
|
||
<D:description xml:lang="en">Full name</D:description>
|
||
</D:principal-search-property>
|
||
<D:principal-search-property>
|
||
<D:prop xmlns:B="http://BigCorp.com/ns/">
|
||
<B:title/>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 58]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
</D:prop>
|
||
<D:description xml:lang="en">Job title</D:description>
|
||
</D:principal-search-property>
|
||
</D:principal-search-property-set>
|
||
|
||
10. XML Processing
|
||
|
||
Implementations of this specification MUST support the XML element
|
||
ignore rule, as specified in Section 23.3.2 of [RFC2518], and the XML
|
||
Namespace recommendation [REC-XML-NAMES].
|
||
|
||
Note that use of the DAV namespace is reserved for XML elements and
|
||
property names defined in a standards-track or Experimental IETF RFC.
|
||
|
||
11. Internationalization Considerations
|
||
|
||
In this specification, the only human-readable content can be found
|
||
in the description XML element, found within the DAV:supported-
|
||
privilege-set property. This element contains a human-readable
|
||
description of the capabilities controlled by a privilege. As a
|
||
result, the description element must be capable of representing
|
||
descriptions in multiple character sets. Since the description
|
||
element is found within a WebDAV property, it is represented on the
|
||
wire as XML [REC-XML], and hence can leverage XML's language tagging
|
||
and character set encoding capabilities. Specifically, XML
|
||
processors at minimum must be able to read XML elements encoded using
|
||
the UTF-8 [RFC3629] encoding of the ISO 10646 multilingual plane.
|
||
XML examples in this specification demonstrate use of the charset
|
||
parameter of the Content-Type header, as defined in [RFC3023], as
|
||
well as the XML "encoding" attribute, which together provide charset
|
||
identification information for MIME and XML processors. Furthermore,
|
||
this specification requires server implementations to tag description
|
||
fields with the xml:lang attribute (see Section 2.12 of [REC-XML]),
|
||
which specifies the human language of the description. Additionally,
|
||
server implementations should take into account the value of the
|
||
Accept-Language HTTP header to determine which description string to
|
||
return.
|
||
|
||
For XML elements other than the description element, it is expected
|
||
that implementations will treat the property names, privilege names,
|
||
and values as tokens, and convert these tokens into human-readable
|
||
text in the user's language and character set when displayed to a
|
||
person. Only a generic WebDAV property display utility would display
|
||
these values in their raw form to a human user.
|
||
|
||
For error reporting, we follow the convention of HTTP/1.1 status
|
||
codes, including with each status code a short, English description
|
||
of the code (e.g., 200 (OK)). While the possibility exists that a
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 59]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
poorly crafted user agent would display this message to a user,
|
||
internationalized applications will ignore this message, and display
|
||
an appropriate message in the user's language and character set.
|
||
|
||
Further internationalization considerations for this protocol are
|
||
described in the WebDAV Distributed Authoring protocol specification
|
||
[RFC2518].
|
||
|
||
12. Security Considerations
|
||
|
||
Applications and users of this access control protocol should be
|
||
aware of several security considerations, detailed below. In
|
||
addition to the discussion in this document, the security
|
||
considerations detailed in the HTTP/1.1 specification [RFC2616], the
|
||
WebDAV Distributed Authoring Protocol specification [RFC2518], and
|
||
the XML Media Types specification [RFC3023] should be considered in a
|
||
security analysis of this protocol.
|
||
|
||
12.1. Increased Risk of Compromised Users
|
||
|
||
In the absence of a mechanism for remotely manipulating access
|
||
control lists, if a single user's authentication credentials are
|
||
compromised, only those resources for which the user has access
|
||
permission can be read, modified, moved, or deleted. With the
|
||
introduction of this access control protocol, if a single compromised
|
||
user has the ability to change ACLs for a broad range of other users
|
||
(e.g., a super-user), the number of resources that could be altered
|
||
by a single compromised user increases. This risk can be mitigated
|
||
by limiting the number of people who have write-acl privileges across
|
||
a broad range of resources.
|
||
|
||
12.2. Risks of the DAV:read-acl and DAV:current-user-privilege-set
|
||
Privileges
|
||
|
||
The ability to read the access privileges (stored in the DAV:acl
|
||
property), or the privileges permitted the currently authenticated
|
||
user (stored in the DAV:current-user-privilege-set property) on a
|
||
resource may seem innocuous, since reading an ACL cannot possibly
|
||
affect the resource's state. However, if all resources have world-
|
||
readable ACLs, it is possible to perform an exhaustive search for
|
||
those resources that have inadvertently left themselves in a
|
||
vulnerable state, such as being world-writable. In particular, the
|
||
property retrieval method PROPFIND, executed with Depth infinity on
|
||
an entire hierarchy, is a very efficient way to retrieve the DAV:acl
|
||
or DAV:current-user-privilege-set properties. Once found, this
|
||
vulnerability can be exploited by a denial of service attack in which
|
||
the open resource is repeatedly overwritten. Alternately, writable
|
||
resources can be modified in undesirable ways.
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 60]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
To reduce this risk, read-acl privileges should not be granted to
|
||
unauthenticated principals, and restrictions on read-acl and read-
|
||
current-user-privilege-set privileges for authenticated principals
|
||
should be carefully analyzed when deploying this protocol. Access to
|
||
the current-user-privilege-set property will involve a tradeoff of
|
||
usability versus security. When the current-user-privilege-set is
|
||
visible, user interfaces are expected to provide enhanced information
|
||
concerning permitted and restricted operations, yet this information
|
||
may also indicate a vulnerability that could be exploited.
|
||
Deployment of this protocol will need to evaluate this tradeoff in
|
||
light of the requirements of the deployment environment.
|
||
|
||
12.3. No Foreknowledge of Initial ACL
|
||
|
||
In an effort to reduce protocol complexity, this protocol
|
||
specification intentionally does not address the issue of how to
|
||
manage or discover the initial ACL that is placed upon a resource
|
||
when it is created. The only way to discover the initial ACL is to
|
||
create a new resource, then retrieve the value of the DAV:acl
|
||
property. This assumes the principal creating the resource also has
|
||
been granted the DAV:read-acl privilege.
|
||
|
||
As a result, it is possible that a principal could create a resource,
|
||
and then discover that its ACL grants privileges that are
|
||
undesirable. Furthermore, this protocol makes it possible (though
|
||
unlikely) that the creating principal could be unable to modify the
|
||
ACL, or even delete the resource. Even when the ACL can be modified,
|
||
there will be a short period of time when the resource exists with
|
||
the initial ACL before its new ACL can be set.
|
||
|
||
Several factors mitigate this risk. Human principals are often aware
|
||
of the default access permissions in their editing environments and
|
||
take this into account when writing information. Furthermore,
|
||
default privilege policies are usually very conservative, limiting
|
||
the privileges granted by the initial ACL.
|
||
|
||
13. Authentication
|
||
|
||
Authentication mechanisms defined for use with HTTP and WebDAV also
|
||
apply to this WebDAV Access Control Protocol, in particular the Basic
|
||
and Digest authentication mechanisms defined in [RFC2617].
|
||
Implementation of the ACL spec requires that Basic authentication, if
|
||
used, MUST only be supported over secure transport such as TLS.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 61]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
14. IANA Considerations
|
||
|
||
This document uses the namespace defined by [RFC2518] for XML
|
||
elements. That is, this specification uses the "DAV:" URI namespace,
|
||
previously registered in the URI schemes registry. All other IANA
|
||
considerations mentioned in [RFC2518] are also applicable to this
|
||
specification.
|
||
|
||
15. Acknowledgements
|
||
|
||
This protocol is the collaborative product of the WebDAV ACL design
|
||
team: Bernard Chester, Geoff Clemm, Anne Hopkins, Barry Lind, Sean
|
||
Lyndersay, Eric Sedlar, Greg Stein, and Jim Whitehead. The authors
|
||
are grateful for the detailed review and comments provided by Jim
|
||
Amsden, Dylan Barrell, Gino Basso, Murthy Chintalapati, Lisa
|
||
Dusseault, Stefan Eissing, Tim Ellison, Yaron Goland, Dennis
|
||
Hamilton, Laurie Harper, Eckehard Hermann, Ron Jacobs, Chris Knight,
|
||
Remy Maucherat, Larry Masinter, Joe Orton, Peter Raymond, and Keith
|
||
Wannamaker. We thank Keith Wannamaker for the initial text of the
|
||
principal property search sections. Prior work on WebDAV access
|
||
control protocols has been performed by Yaron Goland, Paul Leach,
|
||
Lisa Dusseault, Howard Palmer, and Jon Radoff. We would like to
|
||
acknowledge the foundation laid for us by the authors of the DeltaV,
|
||
WebDAV and HTTP protocols upon which this protocol is layered, and
|
||
the invaluable feedback from the WebDAV working group.
|
||
|
||
16. References
|
||
|
||
16.1. Normative References
|
||
|
||
[REC-XML] Bray, T., Paoli, J., Sperberg-McQueen, C. and E.
|
||
Maler, "Extensible Markup Language (XML) 1.0
|
||
((Third ed)", W3C REC REC-xml-20040204, February
|
||
2004, <http://www.w3.org/TR/2004/REC-xml-20040204>.
|
||
|
||
[REC-XML-INFOSET] Cowan, J. and R. Tobin, "XML Information Set
|
||
(Second Edition)", W3C REC REC-xml-infoset-
|
||
20040204, February 2004,
|
||
<http://www.w3.org/TR/2004/REC-xml-infoset-
|
||
20040204/>.
|
||
|
||
[REC-XML-NAMES] Bray, T., Hollander, D. and A. Layman, "Namespaces
|
||
in XML", W3C REC REC-xml-names-19990114, January
|
||
1999, <http://www.w3.org/TR/1999/REC-xml-names-
|
||
19990114>.
|
||
|
||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 62]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
[RFC2518] Goland, Y., Whitehead, E., Faizi, A., Carter, S.
|
||
and D. Jensen, "HTTP Extensions for Distributed
|
||
Authoring -- WEBDAV", RFC 2518, February 1999.
|
||
|
||
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
|
||
Masinter, L., Leach, P. and T. Berners-Lee,
|
||
"Hypertext Transfer Protocol -- HTTP/1.1", RFC
|
||
2616, June 1999.
|
||
|
||
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J.,
|
||
Lawrence, S., Leach, P., Luotonen, A. and L.
|
||
Stewart, "HTTP Authentication: Basic and Digest
|
||
Access Authentication", RFC 2617, June 1999.
|
||
|
||
[RFC3023] Murata, M., St.Laurent, S. and D. Kohn, "XML Media
|
||
Types", RFC 3023, January 2001.
|
||
|
||
[RFC3253] Clemm, G., Amsden, J., Ellison, T., Kaler, C. and
|
||
J. Whitehead, "Versioning Extensions to WebDAV",
|
||
RFC 3253, March 2002.
|
||
|
||
[RFC3530] Shepler, S., Ed., Callaghan, B., Robinson, D.,
|
||
Thurlow, R., Beame, C., Eisler, M. and D. Noveck,
|
||
"Network File System (NFS) version 4 Protocol", RFC
|
||
3530, April 2003.
|
||
|
||
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
|
||
10646", STD 63, RFC 3629 November 2003.
|
||
|
||
16.2. Informative References
|
||
|
||
[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight
|
||
Directory Access Protocol (v3)", RFC 2251, December
|
||
1997.
|
||
|
||
[RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC
|
||
2255, December 1997.
|
||
|
||
[UNICODE4] The Unicode Consortium, "The Unicode Standard -
|
||
Version 4.0", Addison-Wesley , August 2003,
|
||
<http://www.unicode.org/versions/Unicode4.0.0/>.
|
||
ISBN 0321185781.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 63]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
Appendix A. WebDAV XML Document Type Definition Addendum
|
||
|
||
All XML elements defined in this Document Type Definition (DTD)
|
||
belong to the DAV namespace. This DTD should be viewed as an addendum
|
||
to the DTD provided in [RFC2518], section 23.1.
|
||
|
||
<!-- Privileges -- (Section 3)>
|
||
|
||
<!ELEMENT read EMPTY>
|
||
<!ELEMENT write EMPTY>
|
||
<!ELEMENT write-properties EMPTY>
|
||
<!ELEMENT write-content EMPTY>
|
||
<!ELEMENT unlock EMPTY>
|
||
<!ELEMENT read-acl EMPTY>
|
||
<!ELEMENT read-current-user-privilege-set EMPTY>
|
||
<!ELEMENT write-acl EMPTY>
|
||
<!ELEMENT bind EMPTY>
|
||
<!ELEMENT unbind EMPTY>
|
||
<!ELEMENT all EMPTY>
|
||
|
||
<!-- Principal Properties (Section 4) -->
|
||
|
||
<!ELEMENT principal EMPTY>
|
||
|
||
<!ELEMENT alternate-URI-set (href*)>
|
||
<!ELEMENT principal-URL (href)>
|
||
<!ELEMENT group-member-set (href*)>
|
||
<!ELEMENT group-membership (href*)>
|
||
|
||
<!-- Access Control Properties (Section 5) -->
|
||
|
||
<!-- DAV:owner Property (Section 5.1) -->
|
||
|
||
<!ELEMENT owner (href?)>
|
||
|
||
<!-- DAV:group Property (Section 5.2) -->
|
||
|
||
<!ELEMENT group (href?)>
|
||
|
||
<!-- DAV:supported-privilege-set Property (Section 5.3) -->
|
||
|
||
<!ELEMENT supported-privilege-set (supported-privilege*)>
|
||
<!ELEMENT supported-privilege
|
||
(privilege, abstract?, description, supported-privilege*)>
|
||
|
||
<!ELEMENT privilege ANY>
|
||
<!ELEMENT abstract EMPTY>
|
||
<!ELEMENT description #PCDATA>
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 64]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
<!-- DAV:current-user-privilege-set Property (Section 5.4) -->
|
||
|
||
<!ELEMENT current-user-privilege-set (privilege*)>
|
||
|
||
<!-- DAV:acl Property (Section 5.5) -->
|
||
|
||
<!ELEMENT acl (ace)* >
|
||
<!ELEMENT ace ((principal | invert), (grant|deny), protected?,
|
||
inherited?)>
|
||
|
||
<!ELEMENT principal (href)
|
||
| all | authenticated | unauthenticated
|
||
| property | self)>
|
||
|
||
<!ELEMENT all EMPTY>
|
||
<!ELEMENT authenticated EMPTY>
|
||
<!ELEMENT unauthenticated EMPTY>
|
||
<!ELEMENT property ANY>
|
||
<!ELEMENT self EMPTY>
|
||
|
||
<!ELEMENT invert principal>
|
||
|
||
<!ELEMENT grant (privilege+)>
|
||
<!ELEMENT deny (privilege+)>
|
||
<!ELEMENT privilege ANY>
|
||
|
||
<!ELEMENT protected EMPTY>
|
||
|
||
<!ELEMENT inherited (href)>
|
||
|
||
<!-- DAV:acl-restrictions Property (Section 5.6) -->
|
||
|
||
<!ELEMENT acl-restrictions (grant-only?, no-invert?,
|
||
deny-before-grant?, required-principal?)>
|
||
|
||
<!ELEMENT grant-only EMPTY>
|
||
<!ELEMENT no-invert EMPTY>
|
||
<!ELEMENT deny-before-grant EMPTY>
|
||
|
||
<!ELEMENT required-principal
|
||
(all? | authenticated? | unauthenticated? | self? | href*
|
||
|property*)>
|
||
|
||
<!-- DAV:inherited-acl-set Property (Section 5.7) -->
|
||
|
||
<!ELEMENT inherited-acl-set (href*)>
|
||
|
||
<!-- DAV:principal-collection-set Property (Section 5.8) -->
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 65]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
<!ELEMENT principal-collection-set (href*)>
|
||
|
||
<!-- Access Control and Existing Methods (Section 7) -->
|
||
|
||
<!ELEMENT need-privileges (resource)* >
|
||
<!ELEMENT resource ( href, privilege )
|
||
|
||
<!-- ACL method preconditions (Section 8.1.1) -->
|
||
|
||
<!ELEMENT no-ace-conflict EMPTY>
|
||
<!ELEMENT no-protected-ace-conflict EMPTY>
|
||
<!ELEMENT no-inherited-ace-conflict EMPTY>
|
||
<!ELEMENT limited-number-of-aces EMPTY>
|
||
<!ELEMENT grant-only EMPTY>
|
||
<!ELEMENT no-invert EMPTY>
|
||
<!ELEMENT deny-before-grant EMPTY>
|
||
<!ELEMENT no-abstract EMPTY>
|
||
<!ELEMENT not-supported-privilege EMPTY>
|
||
<!ELEMENT missing-required-principal EMPTY>
|
||
<!ELEMENT recognized-principal EMPTY>
|
||
<!ELEMENT allowed-principal EMPTY>
|
||
|
||
<!-- REPORTs (Section 9) -->
|
||
|
||
<!ELEMENT acl-principal-prop-set ANY>
|
||
ANY value: a sequence of one or more elements, with at most one
|
||
DAV:prop element.
|
||
|
||
<!ELEMENT principal-match ((principal-property | self), prop?)>
|
||
<!ELEMENT principal-property ANY>
|
||
ANY value: an element whose value identifies a property. The
|
||
expectation is the value of the named property typically contains
|
||
an href element that contains the URI of a principal
|
||
<!ELEMENT self EMPTY>
|
||
|
||
<!ELEMENT principal-property-search ((property-search+), prop?) >
|
||
<!ELEMENT property-search (prop, match) >
|
||
<!ELEMENT match #PCDATA >
|
||
|
||
<!ELEMENT principal-search-property-set (
|
||
principal-search-property*) >
|
||
<!ELEMENT principal-search-property (prop, description) >
|
||
<!ELEMENT description #PCDATA >
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 66]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
Appendix B. WebDAV Method Privilege Table (Normative)
|
||
|
||
The following table of WebDAV methods (as defined in RFC 2518, 2616,
|
||
and 3253) clarifies which privileges are required for access for each
|
||
method. Note that the privileges listed, if denied, MUST cause
|
||
access to be denied. However, given that a specific implementation
|
||
MAY define an additional custom privilege to control access to
|
||
existing methods, having all of the indicated privileges does not
|
||
mean that access will be granted. Note that lack of the indicated
|
||
privileges does not imply that access will be denied, since a
|
||
particular implementation may use a sub-privilege aggregated under
|
||
the indicated privilege to control access. Privileges required refer
|
||
to the current resource being processed unless otherwise specified.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 67]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
+---------------------------------+---------------------------------+
|
||
| METHOD | PRIVILEGES |
|
||
+---------------------------------+---------------------------------+
|
||
| GET | <D:read> |
|
||
| HEAD | <D:read> |
|
||
| OPTIONS | <D:read> |
|
||
| PUT (target exists) | <D:write-content> on target |
|
||
| | resource |
|
||
| PUT (no target exists) | <D:bind> on parent collection |
|
||
| | of target |
|
||
| PROPPATCH | <D:write-properties> |
|
||
| ACL | <D:write-acl> |
|
||
| PROPFIND | <D:read> (plus <D:read-acl> and |
|
||
| | <D:read-current-user-privilege- |
|
||
| | set> as needed) |
|
||
| COPY (target exists) | <D:read>, <D:write-content> and |
|
||
| | <D:write-properties> on target |
|
||
| | resource |
|
||
| COPY (no target exists) | <D:read>, <D:bind> on target |
|
||
| | collection |
|
||
| MOVE (no target exists) | <D:unbind> on source collection |
|
||
| | and <D:bind> on target |
|
||
| | collection |
|
||
| MOVE (target exists) | As above, plus <D:unbind> on |
|
||
| | the target collection |
|
||
| DELETE | <D:unbind> on parent collection |
|
||
| LOCK (target exists) | <D:write-content> |
|
||
| LOCK (no target exists) | <D:bind> on parent collection |
|
||
| MKCOL | <D:bind> on parent collection |
|
||
| UNLOCK | <D:unlock> |
|
||
| CHECKOUT | <D:write-properties> |
|
||
| CHECKIN | <D:write-properties> |
|
||
| REPORT | <D:read> (on all referenced |
|
||
| | resources) |
|
||
| VERSION-CONTROL | <D:write-properties> |
|
||
| MERGE | <D:write-content> |
|
||
| MKWORKSPACE | <D:write-content> on parent |
|
||
| | collection |
|
||
| BASELINE-CONTROL | <D:write-properties> and |
|
||
| | <D:write-content> |
|
||
| MKACTIVITY | <D:write-content> on parent |
|
||
| | collection |
|
||
+---------------------------------+---------------------------------+
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 68]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
Index
|
||
|
||
A
|
||
ACL method 40
|
||
|
||
C
|
||
Condition Names
|
||
DAV:allowed-principal (pre) 42
|
||
DAV:deny-before-grant (pre) 41
|
||
DAV:grant-only (pre) 41
|
||
DAV:limited-number-of-aces (pre) 41
|
||
DAV:missing-required-principal (pre) 42
|
||
DAV:no-abstract (pre) 41
|
||
DAV:no-ace-conflict (pre) 41
|
||
DAV:no-inherited-ace-conflict (pre) 41
|
||
DAV:no-invert (pre) 41
|
||
DAV:no-protected-ace-conflict (pre) 41
|
||
DAV:not-supported-privilege (pre) 42
|
||
DAV:number-of-matches-within-limits (post) 48, 53
|
||
DAV:recognized-principal (pre) 42
|
||
|
||
D
|
||
DAV header
|
||
compliance class 'access-control' 38
|
||
DAV:acl property 23
|
||
DAV:acl-principal-prop-set report 48
|
||
DAV:acl-restrictions property 27
|
||
DAV:all privilege 13
|
||
DAV:allowed-principal precondition 42
|
||
DAV:alternate-URI-set property 14
|
||
DAV:bind privilege 12
|
||
DAV:current-user-privilege-set property 21
|
||
DAV:deny-before-grant precondition 41
|
||
DAV:grant-only precondition 41
|
||
DAV:group property 18
|
||
DAV:group-member-set property 14
|
||
DAV:group-membership property 14
|
||
DAV:inherited-acl-set property 29
|
||
DAV:limited-number-of-aces precondition 41
|
||
DAV:missing-required-principal precondition 42
|
||
DAV:no-abstract precondition 41
|
||
DAV:no-ace-conflict precondition 41
|
||
DAV:no-inherited-ace-conflict precondition 41
|
||
DAV:no-invert precondition 41
|
||
DAV:no-protected-ace-conflict precondition 41
|
||
DAV:not-supported-privilege precondition 42
|
||
DAV:number-of-matches-within-limits postcondition 48, 53
|
||
DAV:owner property 15
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 69]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
DAV:principal resource type 13
|
||
DAV:principal-collection-set property 30
|
||
DAV:principal-match report 50
|
||
DAV:principal-property-search 51
|
||
DAV:principal-search-property-set 56
|
||
DAV:principal-URL property 14
|
||
DAV:read privilege 10
|
||
DAV:read-acl privilege 11
|
||
DAV:read-current-user-privilege-set privilege 12
|
||
DAV:recognized-principal precondition 42
|
||
DAV:supported-privilege-set property 18
|
||
DAV:unbind privilege 12
|
||
DAV:unlock privilege 11
|
||
DAV:write privilege 10
|
||
DAV:write-acl privilege 12
|
||
DAV:write-content privilege 10
|
||
DAV:write-properties privilege 10
|
||
|
||
M
|
||
Methods
|
||
ACL 40
|
||
|
||
P
|
||
Privileges
|
||
DAV:all 13
|
||
DAV:bind 12
|
||
DAV:read 10
|
||
DAV:read-acl 11
|
||
DAV:read-current-user-privilege-set 12
|
||
DAV:unbind 12
|
||
DAV:unlock 11
|
||
DAV:write 10
|
||
DAV:write-acl 12
|
||
DAV:write-content 11
|
||
DAV:write-properties 10
|
||
Properties
|
||
DAV:acl 23
|
||
DAV:acl-restrictions 27
|
||
DAV:alternate-URI-set 14
|
||
DAV:current-user-privilege-set 21
|
||
DAV:group 18
|
||
DAV:group-member-set 14
|
||
DAV:group-membership 14
|
||
DAV:inherited-acl-set 29
|
||
DAV:owner 15
|
||
DAV:principal-collection-set 30
|
||
DAV:principal-URL 14
|
||
DAV:supported-privilege-set 18
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 70]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
R
|
||
Reports
|
||
DAV:acl-principal-prop-set 47
|
||
DAV:principal-match 49
|
||
DAV:principal-property-search 51
|
||
DAV:principal-search-property-set 56
|
||
Resource Types
|
||
DAV:principal 13
|
||
|
||
Authors' Addresses
|
||
|
||
Geoffrey Clemm
|
||
IBM
|
||
20 Maguire Road
|
||
Lexington, MA 02421
|
||
|
||
EMail: geoffrey.clemm@us.ibm.com
|
||
|
||
|
||
Julian F. Reschke
|
||
greenbytes GmbH
|
||
Salzmannstrasse 152
|
||
Muenster, NW 48159
|
||
Germany
|
||
|
||
EMail: julian.reschke@greenbytes.de
|
||
|
||
|
||
Eric Sedlar
|
||
Oracle Corporation
|
||
500 Oracle Parkway
|
||
Redwood Shores, CA 94065
|
||
|
||
EMail: eric.sedlar@oracle.com
|
||
|
||
|
||
Jim Whitehead
|
||
U.C. Santa Cruz, Dept. of Computer Science
|
||
1156 High Street
|
||
Santa Cruz, CA 95064
|
||
|
||
EMail: ejw@cse.ucsc.edu
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 71]
|
||
|
||
RFC 3744 WebDAV Access Control Protocol May 2004
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (2004). This document is subject
|
||
to the rights, licenses and restrictions contained in BCP 78, and
|
||
except as set forth therein, the authors retain all their rights.
|
||
|
||
This document and the information contained herein are provided on an
|
||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
|
||
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
|
||
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
|
||
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
|
||
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
Intellectual Property
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
Intellectual Property Rights or other rights that might be claimed
|
||
to pertain to the implementation or use of the technology
|
||
described in this document or the extent to which any license
|
||
under such rights might or might not be available; nor does it
|
||
represent that it has made any independent effort to identify any
|
||
such rights. Information on the procedures with respect to
|
||
rights in RFC documents can be found in BCP 78 and BCP 79.
|
||
|
||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||
assurances of licenses to be made available, or the result of an
|
||
attempt made to obtain a general license or permission for the use
|
||
of such proprietary rights by implementers or users of this
|
||
specification can be obtained from the IETF on-line IPR repository
|
||
at http://www.ietf.org/ipr.
|
||
|
||
The IETF invites any interested party to bring to its attention
|
||
any copyrights, patents or patent applications, or other
|
||
proprietary rights that may cover technology that may be required
|
||
to implement this standard. Please address the information to the
|
||
IETF at ietf-ipr@ietf.org.
|
||
|
||
Acknowledgement
|
||
|
||
Funding for the RFC Editor function is currently provided by the
|
||
Internet Society.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Clemm, et al. Standards Track [Page 72]
|
||
|