idnits 2.17.1
draft-ietf-webdav-acl-12.txt:
-(452): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding
-(464): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding
-(1534): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding
-(1601): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
** Looks like you're using RFC 2026 boilerplate. This must be updated to
follow RFC 3978/3979, as updated by RFC 4748.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
** The document seems to lack a 1id_guidelines paragraph about
Internet-Drafts being working documents.
** The document seems to lack a 1id_guidelines paragraph about 6 months
document validity.
** The document seems to lack a 1id_guidelines paragraph about the list of
current Internet-Drafts.
** The document seems to lack a 1id_guidelines paragraph about the list of
Shadow Directories.
== There are 5 instances of lines with non-ascii characters in the document.
== No 'Intended status' indicated for this document; assuming Proposed
Standard
== The page length should not exceed 58 lines per page, but there was 39
longer pages, the longest (page 58) being 72 lines
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an Introduction section.
(A line matching the expected section header was found, but with an
unexpected indentation:
' introduction of this access control protocol, if a single' )
** The document seems to lack a Security Considerations section.
(A line matching the expected section header was found, but with an
unexpected indentation:
' 12 SECURITY CONSIDERATIONS' )
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
(A line matching the expected section header was found, but with an
unexpected indentation:
' other IANA considerations mentioned in [RFC2518] are also' )
** The document seems to lack an Authors' Addresses Section.
** There are 501 instances of too long lines in the document, the longest
one being 3 characters in excess of 72.
** There are 3 instances of lines with control characters in the document.
** The abstract seems to contain references ([NFSV4], [RFC2518], [RFC2616],
[RFC2617], [RFC2026], [REC-XML-NAMES], [RFC3253], [RFC2119], [RFC3023],
[UTF-8], [RFC2251], [RFC2368], [REC-XML-INFOSET], [WEBDAV], [RFC3010],
[RFC2589], [REC-XML], [CaseMap], [RFC2255]), which it shouldn't. Please
replace those with straight textual mentions of the documents in question.
Miscellaneous warnings:
----------------------------------------------------------------------------
== Line 2259 has weird spacing: '...contain a DAV...'
== Line 2436 has weird spacing: '...MUST be a DAV...'
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (October 10, 2003) is 7496 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
-- Missing reference section? 'RFC2617' on line 2709 looks like a reference
-- Missing reference section? 'RFC2616' on line 2706 looks like a reference
-- Missing reference section? 'RFC2518' on line 2769 looks like a reference
-- Missing reference section? 'RFC2119' on line 2692 looks like a reference
-- Missing reference section? 'REC-XML' on line 2694 looks like a reference
-- Missing reference section? 'WEBDAV' on line 434 looks like a reference
-- Missing reference section? 'RFC2255' on line 2729 looks like a reference
-- Missing reference section? 'RFC2589' on line 585 looks like a reference
-- Missing reference section? 'NFSV4' on line 1517 looks like a reference
-- Missing reference section? 'RFC3253' on line 2701 looks like a reference
-- Missing reference section? 'CaseMap' on line 2734 looks like a reference
-- Missing reference section? 'REC-XML-INFOSET' on line 2703 looks like a
reference
-- Missing reference section? 'REC-XML-NAMES' on line 2698 looks like a
reference
-- Missing reference section? 'UTF-8' on line 2722 looks like a reference
-- Missing reference section? 'RFC3023' on line 2717 looks like a reference
-- Missing reference section? 'RFC2368' on line 2715 looks like a reference
-- Missing reference section? 'RFC3010' on line 2719 looks like a reference
-- Missing reference section? 'RFC2026' on line 2727 looks like a reference
-- Missing reference section? 'RFC2251' on line 2731 looks like a reference
Summary: 12 errors (**), 0 flaws (~~), 5 warnings (==), 21 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 INTERNET-DRAFT Geoffrey Clemm, IBM
3 draft-ietf-webdav-acl-12 Anne Hopkins, Microsoft Corporation
4 Eric Sedlar, Oracle Corporation
5 Jim Whitehead, U.C. Santa Cruz
7 Expires April 10, 2004 October 10, 2003
9 WebDAV Access Control Protocol
11 Status of this Memo
12 This document is an Internet-Draft and is subject to all provisions of
13 Section 10 of RFC2026.
14 Internet-Drafts are working documents of the Internet Engineering Task
15 Force (IETF), its areas, and its working groups. Note that other groups
16 may also distribute working documents as Internet-Drafts.
17 Internet-Drafts are draft documents valid for a maximum of six months
18 and may be updated, replaced, or obsoleted by other documents at any
19 time. It is inappropriate to use Internet-Drafts as reference material
20 or to cite them other than as "work in progress."
21 The list of current Internet-Drafts can be accessed at
22 http://www.ietf.org/ietf/1id-abstracts.txt
23 The list of Internet-Draft Shadow Directories can be accessed at
24 http://www.ietf.org/shadow.html.
26 Abstract
27 This document specifies a set of methods, headers, message bodies,
28 properties, and reports that define Access Control extensions to the
29 WebDAV Distributed Authoring Protocol. This protocol permits a client
30 to read and modify access control lists that instruct a server whether
31 to allow or deny operations upon a resource (such as HyperText Transfer
32 Protocol (HTTP) method invocations) by a given principal. A lightweight
33 representation of principals as Web resources supports integration of a
34 wide range of user management repositories. Search operations allow
35 discovery and manipulation of principals using human names.
36 This document is a product of the Web Distributed Authoring and
37 Versioning (WebDAV) working group of the Internet Engineering Task
38 Force. Comments on this draft are welcomed, and should be addressed to
39 the acl@webdav.org mailing list. Other related documents can be found
40 at http://www.example.com/acl/, and
41 http://www.ics.uci.edu/pub/ietf/webdav/.
43 Clemm, Hopkins, Sedlar, Whitehead
44 Table of Contents
46 1 INTRODUCTION.................................................4
47 1.1 Terms......................................................6
48 1.2 Notational Conventions.....................................7
50 2 PRINCIPALS...................................................7
52 3 PRIVILEGES...................................................8
53 3.1 DAV:read Privilege.........................................9
54 3.2 DAV:write Privilege........................................9
55 3.3 DAV:write-properties.......................................9
56 3.4 DAV:write-content.........................................10
57 3.5 DAV:unlock................................................10
58 3.6 DAV:read-acl Privilege....................................10
59 3.7 DAV:read-current-user-privilege-set Privilege.............10
60 3.8 DAV:write-acl Privilege...................................11
61 3.9 DAV:bind Privilege........................................11
62 3.10 DAV:unbind Privilege.....................................11
63 3.11 DAV:all Privilege........................................11
64 3.12 Aggregation of Predefined Privileges.....................11
66 4 PRINCIPAL PROPERTIES........................................12
67 4.1 DAV:alternate-URI-set.....................................12
68 4.2 DAV:principal-URL.........................................12
69 4.3 DAV:group-member-set......................................12
70 4.4 DAV:group-membership......................................13
72 5 ACCESS CONTROL PROPERTIES...................................13
73 5.1 DAV:owner.................................................13
74 5.1.1 Example: Retrieving DAV:owner..........................13
75 5.1.2 Example: An Attempt to Set DAV:owner...................14
76 5.2 DAV:supported-privilege-set...............................15
77 5.2.1 Example: Retrieving a List of Privileges Supported on
78 a Resource.............................................16
79 5.3 DAV:current-user-privilege-set............................18
80 5.3.1 Example: Retrieving the User's Current Set of Assigned
81 Privileges...................................................19
82 5.4 DAV:acl...................................................20
83 5.4.1 ACE Principal..........................................20
84 5.4.2 ACE Grant and Deny.....................................21
85 5.4.3 ACE Protection.........................................21
86 5.4.4 ACE Inheritance........................................21
87 5.4.5 Example: Retrieving a Resource's Access Control List ..22
88 5.5 DAV: acl-restrictions.....................................23
89 5.5.1 DAV:grant-only.........................................23
90 5.5.2 DAV:no-invert ACE Constraint...........................24
91 5.5.3 DAV:deny-before-grant..................................24
92 5.5.4 Required Principals....................................24
93 Example: Retrieving DAV:acl-restrictions............. ...24
94 5.6 DAV:inherited-acl-set.....................................25
95 5.7 DAV:principal-collection-set..............................25
96 5.7.1 Example: Retrieving DAV:principal-collection-set.......26
97 5.8 Example: PROPFIND to retrieve access control properties...27
98 6 ACL EVALUATION..............................................30
100 7 ACCESS CONTROL AND EXISTING METHODS.........................31
101 7.1 ANY HTTP METHOD...........................................32
102 7.1.1 Error Handling.........................................32
103 7.2 OPTIONS...................................................32
104 7.2.1 Example - OPTIONS......................................33
105 7.3 MOVE......................................................33
106 7.4 COPY......................................................33
107 7.5 LOCK......................................................33
109 8 ACCESS CONTROL METHODS......................................33
110 8.1 ACL.......................................................33
111 8.1.1 ACL Preconditions......................................34
112 8.1.2 Example: the ACL method................................35
113 8.1.3 Example: ACL method failure due to protected ACE
114 conflict...............................................36
115 8.1.4 Example: ACL method failure due to an inherited ACE
116 conflict...............................................37
117 8.1.5 Example: ACL method failure due to an attempt to set
118 grant and deny in a single ACE.........................38
120 9 ACCESS CONTROL REPORTS......................................39
121 9.1 REPORT Method.............................................39
122 9.2 DAV:acl-principal-prop-set Report.........................39
123 9.2.1 Example: DAV:acl-principal-prop-set Report.............40
124 9.3 DAV:principal-match REPORT................................42
125 9.3.1 Example: DAV:principal-match REPORT....................43
126 9.4 DAV:principal-property-search REPORT......................43
127 9.4.1 Matching...............................................45
128 9.4.2 Example: successful DAV:principal-property-search
129 REPORT.................................................46
130 9.5 DAV:principal-search-property-set REPORT..................48
131 9.5.1 Example: DAV:principal-search-property-set REPORT......49
133 10 XML PROCESSING............................................50
135 11 INTERNATIONALIZATION CONSIDERATIONS.......................50
137 12 SECURITY CONSIDERATIONS...................................51
138 12.1 Increased Risk of Compromised Users......................51
139 12.2 Risks of the DAV:read-acl and
140 DAV:current-user-privilege-set Privileges................51
141 12.3 No Foreknowledge of Initial ACL..........................52
143 13 AUTHENTICATION............................................52
145 14 IANA CONSIDERATIONS.......................................52
147 15 INTELLECTUAL PROPERTY.....................................53
149 16 ACKNOWLEDGEMENTS..........................................53
151 17 REFERENCES................................................53
152 17.1 Normative References.....................................53
153 17.2 Informational References.................................54
155 18 AUTHORS' ADDRESSES........................................55
157 19 APPENDICES................................................56
158 19.1 WebDAV XML Document Type Definition Addendum.............56
159 19.2 WebDAV Method Privilege Table (Normative)................58
161 1 INTRODUCTION
163 The goal of the WebDAV access control extensions is to provide an
164 interoperable mechanism for handling discretionary access control
165 for content and metadata managed by WebDAV servers. WebDAV access
166 control can be implemented on content repositories with security
167 as simple as that of a UNIX file system, as well as more
168 sophisticated models. The underlying principle of access control
169 is that who you are determines what operations you can perform on
170 a resource. The "who you are" is defined by a "principal"
171 identifier; users, client software, servers, and groups of the
172 previous have principal identifiers. The "operations you can
173 perform" are determined by a single "access control list" (ACL)
174 associated with a resource. An ACL contains a set of "access
175 control entries" (ACEs), where each ACE specifies a principal and
176 a set of privileges that are either granted or denied to that
177 principal. When a principal submits an operation (such as an HTTP
178 or WebDAV method) to a resource for execution, the server
179 evaluates the ACEs in the ACL to determine if the principal has
180 permission for that operation.
181 Since every ACE contains the identifier of a principal, client
182 software operated by a human must provide a mechanism for
183 selecting this principal. This specification uses http(s) scheme
184 URLs to identify principals, which are represented as WebDAV-
185 capable resources. There is no guarantee that the URLs identifying
186 principals will be meaningful to a human. For example,
187 http://www.example.com/u/256432 and
188 http://www.example.com/people/Greg.Stein are both valid URLs that
189 could be used to identify the same principal. To remedy this,
190 every principal resource has the DAV:displayname property
191 containing a human-readable name for the principal.
192 Since a principal can be identified by multiple URLs, it raises
193 the problem of determining exactly which principal is being
194 referenced in a given ACE. It is impossible for a client to
195 determine that an ACE granting the read privilege to
196 http://www.example.com/people/Greg.Stein also affects the
197 principal at http://www.example.com/u/256432. That is, a client
198 has no mechanism for determining that two URLs identify the same
199 principal resource. As a result, this specification requires
200 clients to use just one of the many possible URLs for a principal
201 when creating ACEs. A client can discover which URL to use by
202 retrieving the DAV:principal-URL property (Section 4.2) from a
203 principal resource. No matter which of the principal's URLs is
204 used with PROPFIND, the property always returns the same URL.
206 With a system having hundreds to thousands of principals, the
207 problem arises of how to allow a human operator of client software
208 to select just one of these principals. One approach is to use
209 broad collection hierarchies to spread the principals over a large
210 number of collections, yielding few principals per collection. An
211 example of this is a two level hierarchy with the first level
212 containing 36 collections (a-z, 0-9), and the second level being
213 another 36, creating collections /a/a/, /a/b/, ..., /a/z/, such
214 that a principal with last name "Stein" would appear at
215 /s/t/Stein. In effect, this pre-computes a common query, search on
216 last name, and encodes it into a hierarchy. The drawback with this
217 scheme is that it handles only a small set of predefined queries,
218 and drilling down through the collection hierarchy adds
219 unnecessary steps (navigate down/up) when the user already knows
220 the principal's name. While organizing principal URLs into a
221 hierarchy is a valid namespace organization, users should not be
222 forced to navigate this hierarchy to select a principal.
223 This specification provides the capability to perform substring
224 searches over a small set of properties on the resources
225 representing principals. This permits searches based on last name,
226 first name, user name, job title, etc. Two separate searches are
227 supported, both via the REPORT method, one to search principal
228 resources (DAV:principal-property-search, Section 9.4), the other
229 to determine which properties may be searched at all
230 (DAV:principal-search-property-set, Section 9.5).
231 Once a principal has been identified in an ACE, a server
232 evaluating that ACE must know the identity of the principal making
233 a protocol request, and must validate that that principal is who
234 they claim to be, a process known as authentication. This
235 specification intentionally omits discussion of authentication, as
236 the HTTP protocol already has a number of authentication
237 mechanisms [RFC2617]. Some authentication mechanism (such as HTTP
238 Digest Authentication, which all WebDAV compliant implementations
239 are required to support) must be available to validate the
240 identity of a principal.
241 The following issues are out of scope for this document:
242 . Access control that applies only to a particular property on
243 a resource (excepting the access control properties DAV:acl
244 and DAV:current-user-privilege-set), rather than the entire
245 resource,
246 . Role-based security (where a role can be seen as a
247 dynamically defined group of principals),
248 . Specification of the ways an ACL on a resource is
249 initialized,
250 . Specification of an ACL that applies globally to all
251 resources, rather than to a particular resource.
252 . Creation and maintenance of resources representing people or
253 computational agents (principals), and groups of these.
255 This specification is organized as follows. Section 1.1 defines
256 key concepts used throughout the specification, and is followed by
257 a more in-depth discussion of principals (Section 2), and
258 privileges (Section 3). Properties defined on principals are
259 specified in Section 4, and access control properties for content
260 resources are specified in Section 5. The ways ACLs are to be
261 evaluated is described in section 6. Client discovery of access
262 control capability using OPTIONS is described in Section 7.1.
263 Interactions between access control functionality and existing
264 HTTP and WebDAV methods are described in the remainder of Section
265 7. The access control setting method, ACL, is specified in Section
266 8. Four reports that provide limited server-side searching
267 capabilities are described in Section 9. Sections on XML
268 processing (Section 10), Internationalization considerations
269 (Section 11), security considerations (Section 12), and
270 authentication (Section 13) round out the specification. An
271 appendix (Section 19.1) provides an XML Document Type Definition
272 (DTD) for the XML elements defined in the specification.
274 1.1 Terms
276 This draft uses the terms defined in HTTP [RFC2616] and WebDAV
277 [RFC2518]. In addition, the following terms are defined:
278 principal
279 A "principal" is a distinct human or computational actor that
280 initiates access to network resources. In this protocol, a
281 principal is an HTTP resource that represents such an actor.
282 group
283 A "group" is a principal that represents a set of other
284 principals.
285 privilege
286 A "privilege" controls access to a particular set of HTTP
287 operations on a resource.
288 aggregate privilege
289 An "aggregate privilege" is a privilege that contains a set of
290 other privileges.
291 abstract privilege
292 The modifier "abstract", when applied to a privilege on a
293 resource, means the privilege cannot be set in an access control
294 element (ACE) on that resource .
295 access control list (ACL)
296 An "ACL" is a list of access control elements that define access
297 control to a particular resource.
298 access control element (ACE)
299 An "ACE" either grants or denies a particular set of (non-
300 abstract) privileges for a particular principal.
302 inherited ACE
303 An "inherited ACE" is an ACE that is dynamically shared from the
304 ACL of another resource. When a shared ACE changes on the primary
305 resource, it is also changed on inheriting resources.
306 protected property
307 A "protected property" is one whose value cannot be updated except
308 by a method explicitly defined as updating that specific property.
309 In particular, a protected property cannot be updated with a
310 PROPPATCH request.
312 1.2 Notational Conventions
314 The augmented BNF used by this document to describe protocol
315 elements is described in Section 2.1 of [RFC2616]. Because this
316 augmented BNF uses the basic production rules provided in Section
317 2.2 of [RFC2616], those rules apply to this document as well.
318 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
319 NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
320 in this document are to be interpreted as described in [RFC2119].
321 Definitions of XML elements in this document use XML element type
322 declarations (as found in XML Document Type Declarations),
323 described in Section 3.2 of [REC-XML]. When an XML element type in
324 the "DAV:" namespace is referenced in this document outside of the
325 context of an XML fragment, the string "DAV:" will be prefixed to
326 the element name.
328 2 PRINCIPALS
330 A principal is a network resource that represents a distinct human
331 or computational actor that initiates access to network resources.
332 Users and groups are represented as principals in many
333 implementations; other types of principals are also possible. A
334 URI of any scheme MAY be used to identify a principal resource.
335 However, servers implementing this specification MUST expose
336 principal resources at an http(s) URL, which is a privileged
337 scheme that points to resources that have additional properties,
338 as described in Section 4. So, a principal resource can have
339 multiple URIs, one of which has to be an http(s) scheme URL.
340 Although an implementation SHOULD support PROPFIND and MAY support
341 PROPPATCH to access and modify information about a principal, it
342 is not required to do so.
343 A principal resource may be a group, where a group is a principal
344 that represents a set of other principals, called the members of
345 the group. If a person or computational agent matches a principal
346 resource that is a member of a group, they also match the group.
347 Membership in a group is recursive, so if a principal is a member
348 of group GRPA, and GRPA is a member of group GRPB, then the
349 principal is also a member of GRPB.
351 3 PRIVILEGES
353 Ability to perform a given method on a resource MUST be controlled
354 by one or more privileges. Authors of protocol extensions that
355 define new HTTP methods SHOULD specify which privileges (by
356 defining new privileges, or mapping to ones below) are required to
357 perform the method. A principal with no privileges to a resource
358 MUST be denied any HTTP access to that resource, unless the
359 principal matches an ACE constructed using the DAV:all,
360 DAV:authenticated, or DAV:unauthenticated pseudo-principals (see
361 Section 5.4.1). Servers MUST report a 403 "Forbidden" error if
362 access is denied, except in the case where the privilege restricts
363 the ability to know the resource exists, in which case 404 "Not
364 Found" may be returned.
365 Privileges may be containers of other privileges, in which case
366 they are termed "aggregate privileges". If a principal is granted
367 or denied an aggregate privilege, it is semantically equivalent to
368 granting or denying each of the aggregated privileges
369 individually. For example, an implementation may define add-
370 member and remove-member privileges that control the ability to
371 add and remove a member of a group. Since these privileges
372 control the ability to update the state of a group, these
373 privileges would be aggregated by the DAV:write privilege on a
374 group, and granting the DAV:write privilege on a group would also
375 grant the add-member and remove-member privileges.
376 Privileges may be declared to be "abstract" for a given resource,
377 in which case they cannot be set in an ACE on that resource.
378 Aggregate and non-aggregate privileges are both capable of being
379 abstract. Abstract privileges are useful for modeling privileges
380 that otherwise would not be exposed via the protocol. Abstract
381 privileges also provide server implementations with flexibility in
382 implementing the privileges defined in this specification. For
383 example, if a server is incapable of separating the read resource
384 capability from the read ACL capability, it can still model the
385 DAV:read and DAV:read-acl privileges defined in this specification
386 by declaring them abstract, and containing them within a non-
387 abstract aggregate privilege (say, read-all) that holds DAV:read,
388 and DAV:read-acl. In this way, it is possible to set the aggregate
389 privilege, read-all, thus coupling the setting of DAV:read and
390 DAV:read-acl, but it is not possible to set DAV:read, or DAV:read-
391 acl individually. Since aggregate privileges can be abstract, it
392 is also possible to use abstract privileges to group or organize
393 non-abstract privileges. Privilege containment loops are not
394 allowed; therefore, a privilege MUST NOT contain itself. For
395 example, DAV:read cannot contain DAV:read.
396 The set of privileges that apply to a particular resource may vary
397 with the DAV:resourcetype of the resource, as well as between
398 different server implementations. To promote interoperability,
399 however, this specification defines a set of well-known privileges
400 (e.g. DAV:read, DAV:write, DAV:read-acl, DAV:write-acl, DAV:read-
401 current-user-privilege-set, and DAV:all), which can at least be
402 used to classify the other privileges defined on a particular
403 resource. The access permissions on null resources (defined in
404 [RFC2518], Section 3) are solely those they inherit (if any), and
405 they are not discoverable (i.e., the access control properties
406 specified in Section 5 are not defined on null resources). On the
407 transition from null to stateful resource, the initial access
408 control list is set by the server's default ACL value policy (if
409 any).
410 Server implementations MAY define new privileges beyond those
411 defined in this specification. Privileges defined by individual
412 implementations MUST NOT use the DAV: namespace, and instead
413 should use a namespace that they control, such as an http scheme
414 URL.
416 3.1 DAV:read Privilege
418 The read privilege controls methods that return information about
419 the state of the resource, including the resource's properties.
420 Affected methods include GET and PROPFIND. Any implementation-
421 defined privilege that also controls access to GET and PROPFIND
422 must be aggregated under DAV:read�if an ACL grants access to
423 DAV:read, the client may expect that no other privilege needs to
424 be granted to have access to GET and PROPFIND. Additionally, the
425 read privilege MUST control the OPTIONS method.
426
428 3.2 DAV:write Privilege
430 The write privilege controls methods that lock a resource or
431 modify the content, dead properties, or (in the case of a
432 collection) membership of the resource, such as PUT and PROPPATCH.
433 Note that state modification is also controlled via locking (see
434 section 5.3 of [WEBDAV]), so effective write access requires that
435 both write privileges and write locking requirements are
436 satisfied. Any implementation-defined privilege that also
437 controls access to methods modifying content, dead properties or
438 collection membership must be aggregated under DAV:write, e.g. if
439 an ACL grants access to DAV:write, the client may expect that no
440 other privilege needs to be granted to have access to PUT and
441 PROPPATCH.
442
444 3.3 DAV:write-properties
446 The DAV:write-properties privilege controls methods that modify
447 the dead properties of the resource, such as PROPPATCH. Whether
448 this privilege may be used to control access to any live
449 properties is determined by the implementation. Any
450 implementation-defined privilege that also controls access to
451 methods modifying dead properties must be aggregated under
452 DAV:write-properties�e.g. if an ACL grants access to DAV:write-
453 properties, the client can safely expect that no other privilege
454 needs to be granted to have access to PROPPATCH.
456
458 3.4 DAV:write-content
460 The DAV:write-content privilege controls methods that modify the
461 content or (in the case of a collection) membership of the
462 resource, such as PUT and DELETE. Any implementation-defined
463 privilege that also controls access to content or alteration of
464 collection membership must be aggregated under DAV:write-content�
465 e.g. if an ACL grants access to DAV:write-content, the client can
466 safely expect that no other privilege needs to be granted to have
467 access to PUT or DELETE.
468
470 3.5 DAV:unlock
472 The DAV:unlock privilege controls the use of the UNLOCK method by
473 a principal other than the lock owner (the principal that created
474 a lock can always perform an UNLOCK). While the set of users who
475 may lock a resource is most commonly the same set of users who may
476 modify a resource, servers may allow various kinds of
477 administrators to unlock resources locked by others. Any privilege
478 controlling access by non-lock owners to UNLOCK MUST be aggregated
479 under DAV:unlock.
480 A lock owner can always remove a lock by issuing an UNLOCK with
481 the correct lock token and authentication credentials. That is,
482 even if a principal does not have DAV:unlock privilege, they can
483 still remove locks they own. Principals other than the lock owner
484 can remove a lock only if they have DAV:unlock privilege and they
485 issue an UNLOCK with the correct lock token. Lock timeout is not
486 affected by the DAV:unlock privilege.
487
489 3.6 DAV:read-acl Privilege
491 The DAV:read-acl privilege controls the use of PROPFIND to
492 retrieve the DAV:acl property of the resource.
493
495 3.7 DAV:read-current-user-privilege-set Privilege
497 The DAV:read-current-user-privilege-set privilege controls the use
498 of PROPFIND to retrieve the DAV:current-user-privilege-set
499 property of the resource.
500 Clients are intended to use this property to visually indicate in
501 their UI items that are dependent on the permissions of a
502 resource, for example, by graying out resources that are not
503 writeable.
504 This privilege is separate from DAV:read-acl because there is a
505 need to allow most users access to the privileges permitted the
506 current user (due to its use in creating the UI), while the full
507 ACL contains information that may not be appropriate for the
508 current authenticated user. As a result, the set of users who can
509 view the full ACL is expected to be much smaller than those who
510 can read the current user privilege set, and hence distinct
511 privileges are needed for each.
512
514 3.8 DAV:write-acl Privilege
516 The DAV:write-acl privilege controls use of the ACL method to
517 modify the DAV:acl property of the resource.
518
520 3.9 DAV:bind Privilege
522 The DAV:bind privilege allows a method to add a new member URL to
523 the specified collection (for example via PUT or MKCOL). It is
524 ignored for resources that are not collections.
525
527 3.10DAV:unbind Privilege
529 The DAV:unbind privilege allows a method to remove a member URL
530 from the specified collection (for example via DELETE or MOVE).
531 It is ignored for resources that are not collections.
532
534 3.11 DAV:all Privilege
536 DAV:all is an aggregate privilege that contains the entire set of
537 privileges that can be applied to the resource.
538
540 3.12 Aggregation of Predefined Privileges
542 Server implementations are free to aggregate the predefined
543 privileges (defined above in Sections 3.1-3.9) subject to the
544 following limitations:
545 DAV:read-acl MUST NOT contain DAV:read, DAV:write, DAV:write-acl,
546 DAV:write-properties, DAV:write-content, or DAV:read-current-user-
547 privilege-set.
548 DAV:write-acl MUST NOT contain DAV:write, DAV:read, DAV:read-acl,
549 or DAV:read-current-user-privilege-set.
550 DAV:read-current-user-privilege-set MUST NOT contain DAV:write,
551 DAV:read, DAV:read-acl, or DAV:write-acl.
552 DAV:write MUST NOT contain DAV:read, DAV:read-acl, or DAV:read-
553 current-user-privilege-set.
554 DAV:read MUST NOT contain DAV:write, DAV:write-acl, DAV:write-
555 properties, or DAV:write-content.
557 DAV:write MUST contain DAV:write-properties and DAV:write-content.
559 4 PRINCIPAL PROPERTIES
561 Principals are manifested to clients as a WebDAV resource,
562 identified by a URL. A principal MUST have a non-empty
563 DAV:displayname property (defined in Section 13.2 of [RFC2518]),
564 and a DAV:resourcetype property (defined in Section 13.9 of
565 [RFC2518]). Additionally, a principal MUST report the
566 DAV:principal XML element in the value of the DAV:resourcetype
567 property. The element type declaration for DAV:principal is:
568
570 This protocol defines the following additional properties for a
571 principal. Since it can be expensive for a server to retrieve
572 access control information, the name and value of these properties
573 SHOULD NOT be returned by a PROPFIND allprop request (as defined
574 in Section 12.14.1 of [RFC2518]).
576 4.1 DAV:alternate-URI-set
578 This protected property, if non-empty, contains the URIs of
579 network resources with additional descriptive information about
580 the principal. This property identifies additional network
581 resources (i.e., it contains one or more URIs) that may be
582 consulted by a client to gain additional knowledge concerning a
583 principal. One expected use for this property is the storage of an
584 LDAP [RFC2255] scheme URL. A user-agent encountering an LDAP URL
585 could use LDAP [RFC2589] to retrieve additional machine-readable
586 directory information about the principal, and display that
587 information in its user interface. Support for this property is
588 REQUIRED, and the value is empty if no alternate URI exists for
589 the principal.
590
592 4.2 DAV:principal-URL
594 A principal may have many URLs, but there must be one "principal
595 URL" that clients can use to uniquely identify a principal. This
596 protected property contains the URL that MUST be used to identify
597 this principal in an ACL request. Support for this property is
598 REQUIRED.
599
601 4.3 DAV:group-member-set
603 This property of a group principal identifies the principals that
604 are direct members of this group. Since a group may be a member of
605 another group, a group may also have indirect members (i.e. the
606 members of its direct members). A URL in the DAV:group-member-set
607 for a principal MUST be the DAV:principal-URL of that principal.
608
609 4.4 DAV:group-membership
611 This protected property identifies the groups in which the
612 principal is directly a member. Note that a server may allow a
613 group to be a member of another group, in which case the
614 DAV:group-membership of those other groups would need to be
615 queried in order to determine the groups in which the principal is
616 indirectly a member. Support for this property is REQUIRED.
617
619 5 ACCESS CONTROL PROPERTIES
621 This specification defines a number of new properties for WebDAV
622 resources. Access control properties may be retrieved just like
623 other WebDAV properties, using the PROPFIND method. Since it is
624 expensive, for many servers, to retrieve access control
625 information, a PROPFIND allprop request (as defined in Section
626 12.14.1 of [RFC2518]) SHOULD NOT return the names and values of
627 the properties defined in this section.
628 Access control properties (especially DAV:acl and DAV:inherited-
629 acl-set) are defined on the resource identified by the Request-URI
630 of a PROPFIND request. A direct consequence is that if the
631 resource is accessible via multiple URI, the value of access
632 control properties is the same across these URI.
633 HTTP resources that support the WebDAV Access Control Protocol
634 MUST contain the following properties. Null resources (described
635 in Section 3 of [RFC2518]) MUST NOT contain the following
636 properties.
638 5.1 DAV:owner
640 This protected property identifies a particular principal as being
641 the "owner" of the resource. Since the owner of a resource often
642 has special access control capabilities (e.g., the owner
643 frequently has permanent DAV:write-acl privilege), clients might
644 display the resource owner in their user interface.
646
648 5.1.1 Example: Retrieving DAV:owner
650 This example shows a client request for the value of the DAV:owner
651 property from a collection resource with URL
652 http://www.example.com/papers/. The principal making the request
653 is authenticated using Digest authentication. The value of
654 DAV:owner is the URL http://www.example.com/acl/users/gstein,
655 wrapped in the DAV:href XML element.
656 >> Request <<
657 PROPFIND /papers/ HTTP/1.1
658 Host: www.example.com
659 Content-type: text/xml; charset="utf-8"
660 Content-Length: xxx
661 Depth: 0
662 Authorization: Digest username="jim",
663 realm="jim@webdav.org", nonce="...",
664 uri="/papers/", response="...", opaque="..."
666
667
668
669
670
671
673 >> Response <<
675 HTTP/1.1 207 Multi-Status
676 Content-Type: text/xml; charset="utf-8"
677 Content-Length: xxx
679
680
681
682 http://www.example.com/papers/
683
684
685
687 http://www.example.com/acl/users/gstein
688
689
690 HTTP/1.1 200 OK
691
692
693
695 5.1.2 Example: An Attempt to Set DAV:owner
697 The following example shows a client request to modify the value
698 of the DAV:owner property on the resource with URL
699 . Since DAV:owner is a protected
700 property, the server responds with a 207 (Multi-Status) response
701 that contains a 403 (Forbidden) status code for the act of setting
702 DAV:owner. Section 8.2.1 of [RFC2518] describes PROPPATCH status
703 code information, and Section 11 of [RFC2518] describes the Multi-
704 Status response.
705 >> Request <<
707 PROPPATCH /papers/ HTTP/1.1
708 Host: www.example.com
709 Content-type: text/xml; charset="utf-8"
710 Content-Length: xxx
711 Depth: 0
712 Authorization: Digest username="jim",
713 realm="jim@webdav.org", nonce="...",
714 uri="/papers/", response="...", opaque="..."
716
717
718
719
720
721 http://www.example.com/acl/users/jim
722
723
724
725
727 >> Response <<
729 HTTP/1.1 207 Multi-Status
730 Content-Type: text/xml; charset="utf-8"
731 Content-Length: xxx
733
734
735
736 http://www.example.com/papers/
737
738
739 HTTP/1.1 403 Forbidden
740
741 Failure to set protected property (DAV:owner)
742
743
744
745
747 5.2 DAV:supported-privilege-set
749 This is a protected property that identifies the privileges
750 defined for the resource.
751
753 Each privilege appears as an XML element, where aggregate
754 privileges list as sub-elements all of the privileges that they
755 aggregate.
756
758
759 An abstract privilege MUST NOT be used in an ACE for that
760 resource. Servers MUST fail an attempt to set an abstract
761 privilege.
763
765 A description is a human-readable description of what this
766 privilege controls access to. Servers MUST indicate the human
767 language of the description using the xml:lang attribute and
768 SHOULD consider the HTTP Accept-Language request header when
769 selecting one of multiple available languages.
771
773 It is envisioned that a WebDAV ACL-aware administrative client
774 would list the supported privileges in a dialog box, and allow the
775 user to choose non-abstract privileges to apply in an ACE. The
776 privileges tree is useful programmatically to map well-known
777 privileges (defined by WebDAV or other standards groups) into
778 privileges that are supported by any particular server
779 implementation. The privilege tree also serves to hide complexity
780 in implementations allowing large number of privileges to be
781 defined by displaying aggregates to the user.
783 5.2.1 Example: Retrieving a List of Privileges Supported on a Resource
785 This example shows a client request for the DAV:supported-
786 privilege-set property on the resource
787 http://www.example.com/papers/. The value of the DAV:supported-
788 privilege-set property is a tree of supported privileges (using
789 "[XML Namespace , localname]" to identify each privilege):
790 [DAV:, all] (aggregate, abstract)
791 |
792 +-- [DAV:, read] (aggregate)
793 |
794 +-- [DAV:, read-acl] (abstract)
795 +-- [DAV:, read-current-user-privilege-set]
796 (abstract)
797 |
798 +-- [DAV:, write] (aggregate)
799 |
800 +-- [DAV:, write-acl] (abstract)
801 +-- [DAV:, write-properties]
802 +-- [DAV:, write-content]
803 |
804 +-- [DAV:, unlock]
806 This privilege tree is not normative (except that it reflects the
807 normative aggregation rules given in Section 3.12), and many
808 possible privilege trees are possible.
810 >> Request <<
811 PROPFIND /papers/ HTTP/1.1
812 Host: www.example.com
813 Content-type: text/xml; charset="utf-8"
814 Content-Length: xxx
815 Depth: 0
816 Authorization: Digest username="gclemm",
817 realm="gclemm@webdav.org", nonce="...",
818 uri="/papers/", response="...", opaque="..."
820
821
822
823
824
825
827 >> Response <<
829 HTTP/1.1 207 Multi-Status
830 Content-Type: text/xml; charset="utf-8"
831 Content-Length: xxx
833
834
835
836 http://www.example.com/papers/
837
838
839
840
841
842
843
844 Any operation
845
846
847
848 Read any object
849
850
851
852
853 Read ACL
854
855
856
857
858
859
860
861 Read current user privilege set property
862
863
864
865
866
867
868 Write any object
869
870
871
872 Write ACL
873
874
875
876
877
878 Write properties
879
880
881
882
883 Write resource content
884
885
886
887
888
889 Unlock resource
890
891
892
893
894 HTTP/1.1 200 OK
895
896
897
899 5.3 DAV:current-user-privilege-set
901 DAV:current-user-privilege-set is a protected property containing
902 the exact set of privileges (as computed by the server) granted to
903 the currently authenticated HTTP user. Aggregate privileges and
904 their contained privileges are listed. A user-agent can use the
905 value of this property to adjust its user interface to make
906 actions inaccessible (e.g., by graying out a menu item or button)
907 for which the current principal does not have permission. This
908 property is also useful for determining what operations the
909 current principal can perform, without having to actually execute
910 an operation.
912
913
915 If the current user is granted a specific privilege, that
916 privilege must belong to the set of privileges that may be set on
917 this resource. Therefore, each element in the DAV:current-user-
918 privilege-set property MUST identify a non-abstract privilege from
919 the DAV:supported-privilege-set property.
921 5.3.1 Example: Retrieving the User's Current Set of Assigned Privileges
923 Continuing the example from Section 5.2.1, this example shows a
924 client requesting the DAV:current-user-privilege-set property from
925 the resource with URL http://www.example.com/papers/. The username
926 of the principal making the request is "khare", and Digest
927 authentication is used in the request. The principal with username
928 "khare" has been granted the DAV:read privilege. Since the
929 DAV:read privilege contains the DAV:read-acl and DAV:read-current-
930 user-privilege-set privileges (see Section 5.2.1), the principal
931 with username "khare" can read the ACL property, and the
932 DAV:current-user-privilege-set property. However, the DAV:all,
933 DAV:read-acl, DAV:write-acl and DAV:read-current-user-privilege-
934 set privileges are not listed in the value of DAV:current-user-
935 privilege-set, since (for this example) they are abstract
936 privileges. DAV:write is not listed since the principal with
937 username "khare" is not listed in an ACE granting that principal
938 write permission.
939 >> Request <<
941 PROPFIND /papers/ HTTP/1.1
942 Host: www.example.com
943 Content-type: text/xml; charset="utf-8"
944 Content-Length: xxx
945 Depth: 0
946 Authorization: Digest username="khare",
947 realm="khare@webdav.org", nonce="...",
948 uri="/papers/", response="...", opaque="..."
950
951
952
953
954
955
957 >> Response <<
959 HTTP/1.1 207 Multi-Status
960 Content-Type: text/xml; charset="utf-8"
961 Content-Length: xxx
963
964
965
966 http://www.example.com/papers/
967
968
969
970
971
972
973 HTTP/1.1 200 OK
974
975
976
978 5.4 DAV:acl
980 This is a protected property that specifies the list of access
981 control entries (ACEs), which define what principals are to get
982 what privileges for this resource.
984
986 Each DAV:ace element specifies the set of privileges to be either
987 granted or denied to a single principal. If the DAV:acl property
988 is empty, no principal is granted any privilege.
990
993 5.4.1 ACE Principal
995 The DAV:principal element identifies the principal to which this
996 ACE applies.
998
1002 The current user matches DAV:href only if that user is
1003 authenticated as being (or being a member of) the principal
1004 identified by the URL contained by that DAV:href.
1005 The current user always matches DAV:all.
1006
1008 The current user matches DAV:authenticated only if authenticated.
1009
1011 The current user matches DAV:unauthenticated only if not
1012 authenticated.
1013
1015 DAV:all is the union of DAV:authenticated, and
1016 DAV:unauthenticated. For a given request, the user matches either
1017 DAV:authenticated, or DAV:unauthenticated, but not both (that is,
1018 DAV:authenticated and DAV:unauthenticated are disjoint sets).
1019 The current user matches a DAV:property principal in a DAV:acl
1020 property of a resource only if the value of the identified
1021 property of that resource contains at most one DAV:href XML
1022 element, the URI value of DAV:href identifies a principal, and the
1023 current user is authenticated as being (or being a member of) that
1024 principal. For example, if the DAV:property element contained
1025 , the current user would match the DAV:property
1026 principal only if the current user is authenticated as matching
1027 the principal identified by the DAV:owner property of the
1028 resource.
1029
1031 The current user matches DAV:self in a DAV:acl property of the
1032 resource only if that resource is a principal and that principal
1033 matches the current user or, if the principal is a group, a member
1034 of that group matches the current user.
1035
1037 Some servers may support ACEs applying to those users
1038 NOT matching the current principal, e.g. all users not in a
1039 particular group. This can be done by wrapping the DAV:principal
1040 element with DAV:invert.
1041
1043 5.4.2 ACE Grant and Deny
1045 Each DAV:grant or DAV:deny element specifies the set of privileges
1046 to be either granted or denied to the specified principal. A
1047 DAV:grant or DAV:deny element of the DAV:acl of a resource MUST
1048 only contain non-abstract elements specified in the DAV:supported-
1049 privilege-set of that resource.
1051
1052
1053
1055 5.4.3 ACE Protection
1057 A server indicates an ACE is protected by including the
1058 DAV:protected element in the ACE. If the ACL of a resource
1059 contains an ACE with a DAV:protected element, an attempt to remove
1060 that ACE from the ACL MUST fail.
1062
1064 5.4.4 ACE Inheritance
1066 The presence of a DAV:inherited element indicates that this ACE is
1067 inherited from another resource that is identified by the URL
1068 contained in a DAV:href element. An inherited ACE cannot be
1069 modified directly, but instead the ACL on the resource from which
1070 it is inherited must be modified.
1072 Note that ACE inheritance is not the same as ACL initialization.
1073 ACL initialization defines the ACL that a newly created resource
1074 will use (if not specified). ACE inheritance refers to an ACE
1075 that is logically shared - where an update to the resource
1076 containing an ACE will affect the ACE of each resource that
1077 inherits that ACE. The method by which ACLs are initialized or by
1078 which ACEs are inherited is not defined by this document.
1079
1081 5.4.5 Example: Retrieving a Resource's Access Control List
1083 Continuing the example from Sections 5.2.1 and 5.3.1, this example
1084 shows a client requesting the DAV:acl property from the resource
1085 with URL http://www.example.com/papers/. There are two ACEs
1086 defined in this ACL:
1087 ACE #1: The group identified by URL
1088 http://www.example.com/acl/groups/maintainers (the group of site
1089 maintainers) is granted DAV:write privilege. Since (for this
1090 example) DAV:write contains the DAV:write-acl privilege (see
1091 Section 5.2.1), this means the "maintainers" group can also modify
1092 the access control list.
1093 ACE #2: All principals (DAV:all) are granted the DAV:read
1094 privilege. Since (for this example) DAV:read contains DAV:read-acl
1095 and DAV:read-current-user-privilege-set, this means all users
1096 (including all members of the "maintainers" group) can read the
1097 DAV:acl property and the DAV:current-user-privilege-set property.
1099 >> Request <<
1101 PROPFIND /papers/ HTTP/1.1
1102 Host: www.example.com
1103 Content-type: text/xml; charset="utf-8"
1104 Content-Length: xxx
1105 Depth: 0
1106 Authorization: Digest username="masinter",
1107 realm="webdav.org", nonce="...",
1108 uri="/papers/", response="...", opaque="..."
1110
1111
1112
1113
1114
1116 >> Response <<
1118 HTTP/1.1 207 Multi-Status
1119 Content-Type: text/xml; charset="utf-8"
1120 Content-Length: xxx
1122
1123
1124 http://www.example.com/papers/
1125
1126
1127
1128
1129
1130 http://www.example.com/acl/groups/maintainers
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146 HTTP/1.1 200 OK
1147
1148
1149
1151 5.5 DAV: acl-restrictions
1153 This protected property defines the types of ACLs supported by
1154 this server, to avoid clients needlessly getting errors. When a
1155 client tries to set an ACL via the ACL method, the server may
1156 reject the attempt to set the ACL as specified. The following
1157 properties indicate the restrictions the client must observe
1158 before setting an ACL:
1159 Deny ACEs are not supported
1160 Inverted ACEs are not supported
1161 All deny ACEs must occur before any grant
1162 ACEs
1163 Indicates which principals are
1164 required to be present
1166
1169 5.5.1 DAV:grant-only
1171 This element indicates that ACEs with deny clauses are not
1172 allowed.
1174
1176 5.5.2 DAV:no-invert ACE Constraint
1178 This element indicates that ACEs with the element are not
1179 allowed.
1180
1182 5.5.3 DAV:deny-before-grant
1184 This element indicates that all deny ACEs must precede all grant
1185 ACEs.
1186
1188 5.5.4 Required Principals
1190 The required principal elements identify which principals must
1191 have an ACE defined in the ACL.
1192
1196 For example, the following element requires that the ACL contain a
1197 DAV:owner property ACE:
1198
1199
1200
1202 Example: Retrieving DAV:acl-restrictions
1204 In this example, the client requests the value of the DAV:acl-
1205 restrictions property. Digest authentication provides credentials
1206 for the principal operating the client.
1208 >> Request <<
1210 PROPFIND /papers/ HTTP/1.1
1211 Host: www.example.com
1212 Content-type: text/xml; charset="utf-8"
1213 Content-Length: xxx
1214 Depth: 0
1215 Authorization: Digest username="srcarter",
1216 realm="srcarter@webdav.org", nonce="...",
1217 uri="/papers/", response="...", opaque="..."
1219
1220
1221
1222
1223
1224
1226 >> Response <<
1228 HTTP/1.1 207 Multi-Status
1229 Content-Type: text/xml; charset="utf-8"
1230 Content-Length: xxx
1232
1233
1234
1235 http://www.example.com/papers/
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245 HTTP/1.1 200 OK
1246
1247
1248
1250 5.6 DAV:inherited-acl-set
1252 This protected property contains a set of URLs that identify other
1253 resources that also control the access to this resource. To have
1254 a privilege on a resource, not only must the ACL on that resource
1255 (specified in the DAV:acl property of that resource) grant the
1256 privilege, but so must the ACL of each resource identified in the
1257 DAV:inherited-acl-set property of that resource. Effectively, the
1258 privileges granted by the current ACL are ANDed with the
1259 privileges granted by each inherited ACL.
1260
1262 5.7 DAV:principal-collection-set
1264 This protected property of a resource contains a set of URLs that
1265 identify the root collections that contain the principals that are
1266 available on the server that implements this resource. A WebDAV
1267 Access Control Protocol user agent could use the contents of
1268 DAV:principal-collection-set to retrieve the DAV:displayname
1269 property (specified in Section 13.2 of [RFC2518]) of all
1270 principals on that server, thereby yielding human-readable names
1271 for each principal that could be displayed in a user interface.
1272
1273 Since different servers can control different parts of the URL
1274 namespace, different resources on the same host MAY have different
1275 DAV:principal-collection-set values. The collections specified in
1276 the DAV:principal-collection-set MAY be located on different hosts
1277 from the resource. The URLs in DAV:principal-collection-set SHOULD
1278 be http or https scheme URLs. For security and scalability
1279 reasons, a server MAY report only a subset of the entire set of
1280 known principal collections, and therefore clients should not
1281 assume they have retrieved an exhaustive listing. Additionally, a
1282 server MAY elect to report none of the principal collections it
1283 knows about, in which case the property value would be empty.
1284 The value of DAV:principal-collection-set gives the scope of the
1285 DAV:principal-property-search REPORT (defined in Section 9.4).
1286 Clients use the DAV:principal-property-search REPORT to populate
1287 their user interface with a list of principals. Therefore, servers
1288 that limit a client's ability to obtain principal information will
1289 interfere with the client's ability to manipulate access control
1290 lists, due to the difficulty of getting the URL of a principal for
1291 use in an ACE.
1293 5.7.1 Example: Retrieving DAV:principal-collection-set
1295 In this example, the client requests the value of the
1296 DAV:principal-collection-set property on the collection resource
1297 identified by URL http://www.example.com/papers/. The property
1298 contains the two URLs, http://www.example.com/acl/users/ and
1299 http://www.example.com/acl/groups/, both wrapped in DAV:href XML
1300 elements. Digest authentication provides credentials for the
1301 principal operating the client.
1302 The client might reasonably follow this request with two separate
1303 PROPFIND requests to retrieve the DAV:displayname property of the
1304 members of the two collections (/acl/users and /acl/groups). This
1305 information could be used when displaying a user interface for
1306 creating access control entries.
1308 >> Request <<
1310 PROPFIND /papers/ HTTP/1.1
1311 Host: www.example.com
1312 Content-type: text/xml; charset="utf-8"
1313 Content-Length: xxx
1314 Depth: 0
1315 Authorization: Digest username="yarong",
1316 realm="yarong@webdav.org", nonce="...",
1317 uri="/papers/", response="...", opaque="..."
1319
1320
1321
1322
1323
1324
1325 >> Response <<
1327 HTTP/1.1 207 Multi-Status
1328 Content-Type: text/xml; charset="utf-8"
1329 Content-Length: xxx
1331
1332
1333
1334 http://www.example.com/papers/
1335
1336
1337
1338 http://www.example.com/acl/users/
1339 http://www.example.com/acl/groups/
1340
1341
1342 HTTP/1.1 200 OK
1343
1344
1345
1347 5.8 Example: PROPFIND to retrieve access control properties
1349 The following example shows how access control information can be
1350 retrieved by using the PROPFIND method to fetch the values of the
1351 DAV:owner, DAV:supported-privilege-set, DAV:current-user-
1352 privilege-set, and DAV:acl properties.
1353 >> Request <<
1355 PROPFIND /top/container/ HTTP/1.1
1356 Host: www.example.com
1357 Content-type: text/xml; charset="utf-8"
1358 Content-Length: xxx
1359 Depth: 0
1360 Authorization: Digest username="ejw",
1361 realm="users@foo.org", nonce="...",
1362 uri="/top/container/", response="...", opaque="..."
1364
1365
1366
1367
1368
1369
1370
1371
1372
1374 >> Response <<
1376 HTTP/1.1 207 Multi-Status
1377 Content-Type: text/xml; charset="utf-8"
1378 Content-Length: xxx
1380
1381
1384 http://www.example.com/top/container/
1385
1386
1387
1388 http://www.example.com/users/gclemm
1389
1390
1391
1392
1393
1394 Any operation
1395
1396
1397 Read any
1398 object
1399
1400
1401
1402
1403 Write any
1404 object
1405
1406
1407 Create an
1408 object
1409
1410
1411
1412 Update an
1413 object
1414
1415
1416
1417 Remove binding to an
1418 object
1419
1420
1421
1422
1423 Read the
1424 ACL
1425
1426
1427
1428 Write the
1429 ACL
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440 http://www.example.com/users/esedlar
1441
1442
1443
1444
1445
1446
1447
1448
1449 http://www.example.com/groups/marketing
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466 http://www.example.com/top
1467
1468
1469
1470 HTTP/1.1 200 OK
1471
1473 The value of the DAV:owner property is a single DAV:href XML
1474 element containing the URL of the principal that owns this
1475 resource.
1476 The value of the DAV:supported-privilege-set property is a tree of
1477 supported privileges (using "[XML Namespace , localname]" to
1478 identify each privilege):
1480 [DAV:, all] (aggregate, abstract)
1481 |
1482 +-- [DAV:, read]
1483 +-- [DAV:, write] (aggregate, abstract)
1484 |
1485 +-- [http://www.example.com/acl, create]
1486 +-- [http://www.example.com/acl, update]
1487 +-- [http://www.example.com/acl, delete]
1488 +-- [DAV:, read-acl]
1489 +-- [DAV:, write-acl]
1491 The DAV:current-user-privilege-set property contains two
1492 privileges, DAV:read, and DAV:read-acl. This indicates that the
1493 current authenticated user only has the ability to read the
1494 resource, and read the DAV:acl property on the resource.
1495 The DAV:acl property contains a set of four ACEs:
1496 ACE #1: The principal identified by the URL
1497 http://www.example.com/users/esedlar is granted the DAV:read,
1498 DAV:write, and DAV:read-acl privileges.
1499 ACE #2: The principals identified by the URL
1500 http://www.example.com/groups/marketing are denied the DAV:read
1501 privilege. In this example, the principal URL identifies a group.
1502 ACE #3: In this ACE, the principal is a property principal,
1503 specifically the DAV:owner property. When evaluating this ACE, the
1504 value of the DAV:owner property is retrieved, and is examined to
1505 see if it contains a DAV:href XML element. If so, the URL within
1506 the DAV:href element is read, and identifies a principal. In this
1507 ACE, the owner is granted DAV:read-acl, and DAV:write-acl
1508 privileges.
1509 ACE #4: This ACE grants the DAV:all principal (all users) the
1510 DAV:read privilege. This ACE is inherited from the resource
1511 http://www.example.com/top, the parent collection of this
1512 resource.
1514 6 ACL EVALUATION
1516 WebDAV ACLs are evaluated in similar manner as ACLs on Windows NT
1517 and in NFSv4 [NFSV4]). An ACL is evaluated to determine whether
1518 or not access will be granted for a WebDAV request. ACEs are
1519 maintained in a particular order, and are evaluated until all of
1520 the permissions required by the current request have been granted,
1521 at which point the ACL evaluation is terminated and access is
1522 granted. If, during ACL evaluation, a ACE (matching the
1523 current user) is encountered for a privilege which has not yet
1524 been granted, the ACL evaluation is terminated and access is
1525 denied. Failure to have all required privileges granted results
1526 in access being denied.
1528 Note that the semantics of many other existing ACL systems may be
1529 represented via this mechanism, by mixing deny and grant ACEs.
1530 For example, consider the standard "rwx" privilege scheme used by
1531 UNIX. In this scheme, if the current user is the owner of the
1532 file, access is granted if the corresponding privilege bit is set
1533 and denied if not set, regardless of the permissions set on the
1534 file�s group and for the world. An ACL for UNIX permissions of
1535 "r--rw-r--"might be constructed like:
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563 and the would be defined as:
1564
1565
1566
1567
1568
1569
1570 Note that the client can still get errors from a UNIX server in
1571 spite of obeying the , including (adding an ACE specifying a principal other than the
1573 ones in the ACL above) or (by trying to reorder
1574 the ACEs in the example above), as these particular implementation
1575 semantics are too complex to be captured with the simple (but
1576 general) declarative restrictions.
1578 7 ACCESS CONTROL AND EXISTING METHODS
1580 This section defines the impact of access control functionality on
1581 existing methods.
1583 7.1 ANY HTTP METHOD
1585 7.1.1 Error Handling
1587 The WebDAV ACL mechanism requires the usage of HTTP method
1588 "preconditions" as described in section 1.6 of RFC3253 for ALL
1589 HTTP methods. All HTTP methods have an additional precondition
1590 called DAV:need-privileges. If an HTTP method fails due to
1591 insufficient privileges, the response body to the "403 Forbidden"
1592 error MUST contain the element, which in turn contains
1593 the element, which contains one or more
1594 elements indicating which resource had insufficient
1595 privileges, and what the lacking privileges were:
1596
1597
1599 Since some methods require multiple permissions on multiple
1600 resources, this information is needed to resolve any ambiguity.
1601 There is no requirement that all privilege violations be reported�
1602 for implementation reasons, some servers may only report the first
1603 privilege violation. For example:
1605 >> Request <<
1607 MOVE /a/b/ HTTP/1.1
1608 Host: www.example.com
1609 Destination: http://www.example.com/c/d
1611 >> Response <<
1613 HTTP/1.1 403 Forbidden
1614 Content-Type: text/xml; charset="utf-8"
1615 Content-Length: xxx
1617
1618
1619
1620 /a
1621
1622
1623
1624 /c
1625
1626
1627
1628
1630 7.2 OPTIONS
1632 If the server supports access control, it MUST return "access-
1633 control" as a field in the DAV response header from an OPTIONS
1634 request on any resource implemented by that server. A value of
1635 "access-control" in the DAV header MUST indicate that the server
1636 supports all MUST level requirements and REQUIRED features
1637 specified in this document.
1639 7.2.1 Example - OPTIONS
1641 >> Request <<
1643 OPTIONS /foo.html HTTP/1.1
1644 Host: www.example.com
1645 Content-Length: 0
1647 >> Response <<
1649 HTTP/1.1 200 OK
1650 DAV: 1, 2, access-control
1651 Allow: OPTIONS, GET, PUT, PROPFIND, PROPPATCH, ACL
1653 In this example, the OPTIONS response indicates that the server
1654 supports access control and that /foo.html can have its access
1655 control list modified by the ACL method.
1657 7.3 MOVE
1659 When a resource is moved from one location to another due to a
1660 MOVE request, the non-inherited and non-protected ACEs in the
1661 DAV:acl property of the resource MUST NOT be modified, or the MOVE
1662 request fails. Handling of inherited and protected ACEs is
1663 intentionally undefined to give server implementations flexibility
1664 in how they implement ACE inheritance and protection.
1666 7.4 COPY
1668 The DAV:acl property on the resource at the destination of a COPY
1669 MUST be the same as if the resource was created by an individual
1670 resource creation request (e.g. MKCOL, PUT). Clients wishing to
1671 preserve the DAV:acl property across a copy need to read the
1672 DAV:acl property prior to the COPY, then perform an ACL operation
1673 on the new resource at the destination to restore, insofar as this
1674 is possible, the original access control list.
1676 7.5 LOCK
1678 A lock on a resource ensures that only the lock owner can modify
1679 ACEs that are not inherited and not protected (these are the only
1680 ACEs that a client can modify with an ACL request). A lock does
1681 not protect inherited or protected ACEs, since a client cannot
1682 modify them with an ACL request on that resource.
1684 8 ACCESS CONTROL METHODS
1686 8.1 ACL
1688 The ACL method modifies the access control list (which can be read
1689 via the DAV:acl property) of a resource. Specifically, the ACL
1690 method only permits modification to ACEs that are not inherited,
1691 and are not protected. An ACL method invocation modifies all non-
1692 inherited and non-protected ACEs in a resource's access control
1693 list to exactly match the ACEs contained within in the DAV:acl XML
1694 element (specified in Section 5.4) of the request body. An ACL
1695 request body MUST contain only one DAV:acl XML element. Unless the
1696 non-inherited and non-protected ACEs of the DAV:acl property of
1697 the resource can be updated to be exactly the value specified in
1698 the ACL request, the ACL request MUST fail.
1699 It is possible that the ACEs visible to the current user in the
1700 DAV:acl property may only be a portion of the complete set of ACEs
1701 on that resource. If this is the case, an ACL request only
1702 modifies the set of ACEs visible to the current user, and does not
1703 affect any non-visible ACE.
1704 In order to avoid overwriting DAV:acl changes by another client, a
1705 client SHOULD acquire a WebDAV lock on the resource before
1706 retrieving the DAV:acl property of a resource that it intends on
1707 updating.
1708 Implementation Note: Two common operations are to add or remove
1709 an ACE from an existing access control list. To accomplish
1710 this, a client uses the PROPFIND method to retrieve the value
1711 of the DAV:acl property, then parses the returned access
1712 control list to remove all inherited and protected ACEs (these
1713 ACEs are tagged with the DAV:inherited and DAV:protected XML
1714 elements). In the remaining set of non-inherited, non-protected
1715 ACEs, the client can add or remove one or more ACEs before
1716 submitting the final ACE set in the request body of the ACL
1717 method.
1719 8.1.1 ACL Preconditions
1721 An implementation MUST enforce the following constraints on an ACL
1722 request. If the constraint is violated, a 403 (Forbidden) or 409
1723 (Conflict) response MUST be returned and the indicated XML element
1724 MUST be returned as a child of a top level DAV:error element in an
1725 XML response body.
1726 Though these status elements are generally expressed as empty XML
1727 elements (and are defined as EMPTY in the DTD), implementations
1728 MAY return additional descriptive XML elements as children of the
1729 status element. Clients MUST be able to accept children of these
1730 status elements. Clients that do not understand the additional XML
1731 elements should ignore them.
1732 (DAV:no-ace-conflict): The ACEs submitted in the ACL request MUST
1733 NOT conflict with each other. This is a catchall error code
1734 indicating that an implementation-specific ACL restriction has
1735 been violated.
1736 (DAV:no-protected-ace-conflict): The ACEs submitted in the ACL
1737 request MUST NOT conflict with the protected ACEs on the resource.
1738 For example, if the resource has a protected ACE granting
1739 DAV:write to a given principal, then it would not be consistent if
1740 the ACL request submitted an ACE denying DAV:write to the same
1741 principal.
1742 (DAV:no-inherited-ace-conflict): The ACEs submitted in the ACL
1743 request MUST NOT conflict with the inherited ACEs on the resource.
1744 For example, if the resource inherits an ACE from its parent
1745 collection granting DAV:write to a given principal, then it would
1746 not be consistent if the ACL request submitted an ACE denying
1747 DAV:write to the same principal. Note that reporting of this error
1748 will be implementation-dependent. Implementations MUST either
1749 report this error or allow the ACE to be set, and then let normal
1750 ACE evaluation rules determine whether the new ACE has any impact
1751 on the privileges available to a specific principal.
1752 (DAV:limited-number-of-aces): The number of ACEs submitted in the
1753 ACL request MUST NOT exceed the number of ACEs allowed on that
1754 resource. However, ACL-compliant servers MUST support at least
1755 one ACE granting privileges to a single principal, and one ACE
1756 granting privileges to a group.
1757 (DAV:deny-before-grant): All non-inherited deny ACEs MUST precede
1758 all non-inherited grant ACEs.
1759 (DAV:grant-only): The ACEs submitted in the ACL request MUST NOT
1760 include a deny ACE. This precondition applies only when the ACL
1761 restrictions of the resource include the DAV:grant-only constraint
1762 (defined in Section 5.5.1).
1763 (DAV:no-invert): The ACL request MUST NOT include a DAV:invert
1764 element. This precondition applies only when the ACL semantics
1765 of the resource includes the DAV:no-invert constraint (defined in
1766 Section 6.3.4).
1767 (DAV:no-abstract): The ACL request MUST NOT attempt to grant or
1768 deny an abstract privilege (see Section 5.2).
1769 (DAV:not-supported-privilege): The ACEs submitted in the ACL
1770 request MUST be supported by the resource.
1771 (DAV:missing-required-principal): The result of the ACL request
1772 MUST have at least one ACE for each principal identified in a
1773 DAV:required-principal XML element in the ACL semantics of that
1774 resource (see Section 5.5.4).
1775 (DAV:recognized-principal): Every principal URL in the ACL request
1776 MUST identify a principal resource.
1777 (DAV:allowed-principal): The principals specified in the ACEs
1778 submitted in the ACL request MUST be allowed as principals for the
1779 resource. For example, a server where only authenticated
1780 principals can access resources would not allow the DAV:all or
1781 DAV:unauthenticated principals to be used in an ACE, since these
1782 would allow unauthenticated access to resources.
1784 8.1.2 Example: the ACL method
1786 In the following example, user "fielding", authenticated by
1787 information in the Authorization header, grants the principal
1788 identified by the URL http://www.example.com/users/esedlar (i.e.,
1789 the user "esedlar") read and write privileges, grants the owner of
1790 the resource read-acl and write-acl privileges, and grants
1791 everyone read privileges.
1792 >> Request <<
1794 ACL /top/container/ HTTP/1.1
1795 Host: www.example.com
1796 Content-Type: text/xml; charset="utf-8"
1797 Content-Length: xxxx
1798 Authorization: Digest username="fielding",
1799 realm="users@foo.org", nonce="...",
1800 uri="/top/container/", response="...", opaque="..."
1802
1803
1804
1805
1806 http://www.example.com/users/esedlar
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1829 >> Response <<
1831 HTTP/1.1 200 OK
1833 8.1.3 Example: ACL method failure due to protected ACE conflict
1835 In the following request, user "fielding", authenticated by
1836 information in the Authorization header, attempts to deny the
1837 principal identified by the URL
1838 http://www.example.com/users/esedlar (i.e., the user "esedlar")
1839 write privileges. Prior to the request, the DAV:acl property on
1840 the resource contained a protected ACE (see Section 5.4.3)
1841 granting DAV:owner the DAV:read and DAV:write privileges. The
1842 principal identified by URL http://www.example.com/users/esedlar
1843 is the owner of the resource. The ACL method invocation fails
1844 because the submitted ACE conflicts with the protected ACE, thus
1845 violating the semantics of ACE protection.
1846 >> Request <<
1848 ACL /top/container/ HTTP/1.1
1849 Host: www.example.com
1850 Content-Type: text/xml; charset="utf-8"
1851 Content-Length: xxxx
1852 Authorization: Digest username="fielding",
1853 realm="users@foo.org", nonce="...",
1854 uri="/top/container/", response="...", opaque="..."
1856
1857
1858
1859
1860 http://www.example.com/users/esedlar
1861
1862
1863
1864
1865
1866
1868 >> Response <<
1870 HTTP/1.1 403 Forbidden
1871 Content-Type: text/xml; charset="utf-8"
1872 Content-Length: xxx
1874
1875
1876
1877
1879 8.1.4 Example: ACL method failure due to an inherited ACE conflict
1881 In the following request, user "ejw", authenticated by information
1882 in the Authorization header, tries to change the access control
1883 list on the resource http://www.example.com/top/index.html. This
1884 resource has two inherited ACEs.
1885 Inherited ACE #1 grants the principal identified by URL
1886 http://www.example.com/users/ejw (i.e., the user "ejw")
1887 http://www.example.com/privs/write-all and DAV:read-acl
1888 privileges. On this server, http://www.example.com/privs/write-all
1889 is an aggregate privilege containing DAV:write, and DAV:write-acl.
1890 Inherited ACE #2 grants principal DAV:all the DAV:read privilege.
1891 The request attempts to set a (non-inherited) ACE, denying the
1892 principal identified by the URL http://www.example.com/users/ejw
1893 (i.e., the user "ejw") DAV:write permission. This conflicts with
1894 inherited ACE #1. Note that the decision to report an inherited
1895 ACE conflict is specific to this server implementation. Another
1896 server implementation could have allowed the new ACE to be set,
1897 and then used normal ACE evaluation rules to determine whether the
1898 new ACE has any impact on the privileges available to a principal.
1899 >> Request <<
1901 ACL /top/index.html HTTP/1.1
1902 Host: www.example.com
1903 Content-Type: text/xml; charset="utf-8"
1904 Content-Length: xxxx
1905 Authorization: Digest username="ejw",
1906 realm="users@foo.org", nonce="...",
1907 uri="/top/index.html", response="...", opaque="..."
1909
1910
1911
1912
1913 http://www.example.com/users/ejw
1914
1915
1916
1917
1919 >> Response <<
1921 HTTP/1.1 403 Forbidden
1922 Content-Type: text/xml; charset="utf-8"
1923 Content-Length: xxx
1925
1926
1927
1928
1930 8.1.5 Example: ACL method failure due to an attempt to set grant and
1931 deny in a single ACE.
1933 In this example, user "ygoland", authenticated by information in
1934 the Authorization header, tries to change the access control list
1935 on the resource http://www.example.com/diamond/engagement-
1936 ring.gif. The ACL request includes a single, syntactically and
1937 semantically incorrect ACE, which attempts to grant the group
1938 identified by the URL http://www.example.com/users/friends
1939 DAV:read privilege and deny the principal identified by URL
1940 http://www.example.com/users/ygoland-so (i.e., the user "ygoland-
1941 so") DAV:read privilege. However, it is illegal to have multiple
1942 principal elements, as well as both a grant and deny element in
1943 the same ACE, so the request fails due to poor syntax.
1944 >> Request <<
1946 ACL /diamond/engagement-ring.gif HTTP/1.1
1947 Host: www.example.com
1948 Content-Type: text/xml; charset="utf-8"
1949 Content-Length: xxxx
1950 Authorization: Digest username="ygoland",
1951 realm="users@foo.org", nonce="...",
1952 uri="/diamond/engagement-ring.gif", response="...",
1953 opaque="..."
1955
1956
1957
1958
1959 http://www.example.com/users/friends
1960
1961
1962
1963 http://www.example.com/users/ygoland-so
1964
1965
1966
1967
1969 >> Response <<
1971 HTTP/1.1 400 Bad Request
1972 Content-Length: 0
1974 Note that if the request had been divided into two ACEs, one to
1975 grant, and one to deny, the request would have been syntactically
1976 well formed.
1978 9 ACCESS CONTROL REPORTS
1980 9.1 REPORT Method
1982 The REPORT method (defined in Section 3.6 of [RFC3253]) provides
1983 an extensible mechanism for obtaining information about a
1984 resource. Unlike the PROPFIND method, which returns the value of
1985 one or more named properties, the REPORT method can involve more
1986 complex processing. REPORT is valuable in cases where the server
1987 has access to all of the information needed to perform the complex
1988 request (such as a query), and where it would require multiple
1989 requests for the client to retrieve the information needed to
1990 perform the same request.
1991 A server that supports the WebDAV Access Control Protocol MUST
1992 support the DAV:expand-property report (defined in Section 3.8 of
1993 [RFC3253]).
1995 9.2 DAV:acl-principal-prop-set Report
1997 The DAV:acl-principal-prop-set report returns, for all principals
1998 in the DAV:acl property (of the Request-URI) that are identified
1999 by http(s) URLs or by a DAV:property principal, the value of the
2000 properties specified in the REPORT request body. In the case where
2001 a principal URL appears multiple times, the DAV:acl-principal-
2002 prop-set report MUST return the properties for that principal only
2003 once. Support for this report is REQUIRED.
2004 One expected use of this report is to retrieve the human readable
2005 name (found in the DAV:displayname property) of each principal
2006 found in an ACL. This is useful for constructing user interfaces
2007 that show each ACE in a human readable form.
2008 Marshalling
2009 The request body MUST be a DAV:acl-principal-prop-set XML element.
2010
2011 ANY value: a sequence of one or more elements, with at most one
2012 DAV:prop element.
2013 prop: see RFC 2518, Section 12.11
2015 This report is only defined when the Depth header has value "0";
2016 other values result in a 400 (Bad Request) error response. Note
2017 that [RFC3253], Section 3.6, states that if the Depth header is
2018 not present, it defaults to a value of "0".
2019 The response body for a successful request MUST be a
2020 DAV:multistatus XML element (i.e., the response uses the same
2021 format as the response for PROPFIND). In the case where there are
2022 no response elements, the returned multistatus XML element is
2023 empty.
2024 multistatus: see RFC 2518, Section 12.9
2026 The response body for a successful DAV:acl-principal-prop-set
2027 REPORT request MUST contain a DAV:response element for each
2028 principal identified by an http(s) URL listed in a DAV:principal
2029 XML element of an ACE within the DAV:acl property of the resource
2030 identified by the Request-URI.
2031 Postconditions:
2032 (DAV:number-of-matches-within-limits): The number of matching
2033 principals must fall within server-specific, predefined limits.
2034 For example, this condition might be triggered if a search
2035 specification would cause the return of an extremely large number
2036 of responses.
2038 9.2.1 Example: DAV:acl-principal-prop-set Report
2040 Resource http://www.example.com/index.html has an ACL with three
2041 ACEs:
2042 ACE #1: All principals (DAV:all) have DAV:read and DAV:read-
2043 current-user-privilege-set access.
2044 ACE #2: The principal identified by
2045 http://www.example.com/people/gstein (the user "gstein") is
2046 granted DAV:write, DAV:write-acl, DAV:read-acl privileges.
2048 ACE #3: The group identified by
2049 http://www.example.com/groups/authors (the "authors" group) is
2050 granted DAV:write and DAV:read-acl privileges.
2051 The following example shows a DAV:acl-principal-prop-set report
2052 requesting the DAV:displayname property. It returns the value of
2053 DAV:displayname for resources http://www.example.com/people/gstein
2054 and http://www.example.com/groups/authors , but not for DAV:all,
2055 since this is not an http(s) URL.
2057 >> Request <<
2059 REPORT /index.html HTTP/1.1
2060 Host: www.example.com
2061 Content-Type: text/xml; charset="utf-8"
2062 Content-Length: xxxx
2063 Depth: 0
2065
2066
2067
2068
2069
2070
2072 >> Response <<
2073 HTTP/1.1 207 Multi-Status
2074 Content-Type: text/xml; charset="utf-8"
2075 Content-Length: xxxx
2077
2078
2079
2080 http://www.example.com/people/gstein
2081
2082
2083 Greg Stein
2084
2085 HTTP/1.1 200 OK
2086
2087
2088
2089 http://www.example.com/groups/authors
2090
2091
2092 Site authors
2093
2094 HTTP/1.1 200 OK
2095
2096
2097
2098 9.3 DAV:principal-match REPORT
2100 The DAV:principal-match REPORT is used to identify all members (at
2101 any depth) of the collection identified by the Request-URI that
2102 are principals and that match the current user. In particular, if
2103 the collection contains principals, the report can be used to
2104 identify all members of the collection that match the current
2105 user. Alternatively, if the collection contains resources that
2106 have a property that identifies a principal (e.g. DAV:owner), the
2107 report can be used to identify all members of the collection whose
2108 property identifies a principal that matches the current user. For
2109 example, this report can return all of the resources in a
2110 collection hierarchy that are owned by the current user. Support
2111 for this report is REQUIRED.
2112 Marshalling:
2113 The request body MUST be a DAV:principal-match XML element.
2114
2115
2116 ANY value: an element whose value identifies a property. The
2117 expectation is the value of the named property typically contains
2118 an href element that contains the URI of a principal
2119
2120 prop: see RFC 2518, Section 12.11
2122 This report is only defined when the Depth header has value "0";
2123 other values result in a 400 (Bad Request) error response. Note
2124 that [RFC3253], Section 3.6, states that if the Depth header is
2125 not present, it defaults to a value of "0".
2126 The response body for a successful request MUST be a
2127 DAV:multistatus XML element. In the case where there are no
2128 response elements, the returned multistatus XML element is empty.
2129 multistatus: see RFC 2518, Section 12.9
2131 The response body for a successful DAV:principal-match REPORT
2132 request MUST contain a DAV:response element for each member of the
2133 collection that matches the current user. When the DAV:principal-
2134 property element is used, a match occurs if the current user is
2135 matched by the principal identified by the URI found in the
2136 DAV:href element of the property identified by the DAV:principal-
2137 property element. When the DAV:self element is used in a
2138 DAV:principal-match report issued against a group, it matches the
2139 group if a member identifies the same principal as the current
2140 user.
2141 If DAV:prop is specified in the request body, the properties
2142 specified in the DAV:prop element MUST be reported in the
2143 DAV:response elements.
2145 9.3.1 Example: DAV:principal-match REPORT
2147 The following example identifies the members of the collection
2148 identified by the URL http://www.example.com/doc that are owned by
2149 the current user. The current user ("gclemm") is authenticated
2150 using Digest authentication.
2151 >> Request <<
2152 REPORT /doc/ HTTP/1.1
2153 Host: www.example.com
2154 Authorization: Digest username="gclemm",
2155 realm="gclemm@webdav.org", nonce="...",
2156 uri="/papers/", response="...", opaque="..."
2157 Content-Type: text/xml; charset="utf-8"
2158 Content-Length: xxxx
2159 Depth: 0
2161
2162
2163
2164
2165
2166
2168 >> Response <<
2170 HTTP/1.1 207 Multi-Status
2171 Content-Type: text/xml; charset="utf-8"
2172 Content-Length: xxxx
2174
2175
2176
2177 http://www.example.com/doc/foo.html
2178 HTTP/1.1 200 OK
2179
2180
2181 http://www.example.com/doc/img/bar.gif
2182 HTTP/1.1 200 OK
2183
2184
2186 9.4 DAV:principal-property-search REPORT
2188 The DAV:principal-property-search REPORT performs a search for all
2189 principals whose properties contain character data that matches
2190 the search criteria specified in the request. One expected use of
2191 this report is to discover the URL of a principal associated with
2192 a given person or group by searching for them by name. This is
2193 done by searching over DAV:displayname, which is defined on all
2194 principals.
2195 The actual search method (exact matching vs. substring matching
2196 vs, prefix-matching, case-sensitivity) deliberately is left to the
2197 server implementation to allow implementation on a wide set of
2198 possible user management systems. In cases where the
2199 implementation of DAV:principal-property-search is not constrained
2200 by the semantics of an underlying user management repository,
2201 preferred default semantics are caseless substring matches.
2202 For implementation efficiency, servers do not typically support
2203 searching on all properties. A search requesting properties that
2204 are not searchable for a particular principal will not match that
2205 principal.
2206 Support for the DAV:principal-property-search report is REQUIRED.
2207 Implementation Note: The value of a WebDAV property is a
2208 sequence of well-formed XML, and hence can include any
2209 character in the Unicode/ISO-10646 standard, that is, most
2210 known characters in human languages. Due to the idiosyncrasies
2211 of case mapping across human languages, implementation of case-
2212 insensitive matching is non-trivial. Implementors of servers
2213 that do perform substring matching are strongly encouraged to
2214 consult [CaseMap], especially Section 2.3 ("Caseless
2215 Matching"), for guidance when implementing their case-
2216 insensitive matching algorithms.
2217 Implementation Note: Some implementations of this protocol will
2218 use an LDAP repository for storage of principal metadata. The
2219 schema describing each attribute (akin to a WebDAV property) in
2220 an LDAP repository specifies whether it supports case-sensitive
2221 or caseless searching. One of the benefits of leaving the
2222 search method to the discretion of the server implementation is
2223 the default LDAP attribute search behavior can be used when
2224 implementing the DAV:principal-property-search report.
2225 Marshalling:
2226 The request body MUST be a DAV:principal-property-search XML
2227 element containing a search specification and an optional list of
2228 properties. For every principal that matches the search
2229 specification, the response will contain the value of the
2230 requested properties on that principal.
2231
2234 By default, the report searches all members (at any depth) of the
2235 collection identified by the Request-URI. If DAV:apply-to-
2236 principal-collection-set is specified in the request body, the
2237 request is applied instead to each collection identified by the
2238 DAV:prinicipal-collection-set property of the resource identified
2239 by the Request-URI.
2240 The DAV:property-search element contains a prop element
2241 enumerating the properties to be searched and a match element,
2242 containing the search string.
2243
2244 prop: see RFC 2518, Section 12.11
2245
2247 Multiple property-search elements or multiple elements within a
2248 DAV:prop element will be interpreted with a logical AND.
2249 This report is only defined when the Depth header has value "0";
2250 other values result in a 400 (Bad Request) error response. Note
2251 that [RFC3253], Section 3.6, states that if the Depth header is
2252 not present, it defaults to a value of "0".
2253 The response body for a successful request MUST be a
2254 DAV:multistatus XML element. In the case where there are no
2255 response elements, the returned multistatus XML element is empty.
2256 multistatus: see RFC 2518, Section 12.9
2258 The response body for a successful DAV:principal-property-search
2259 REPORT request MUST contain a DAV:response element for each
2260 principal whose property values satisfy the search specification
2261 given in DAV:principal-property-search.
2262 The response body for an unsuccessful DAV:principal-property-
2263 search REPORT request MUST contain, after the XML element
2264 indicating the failed precondition or postcondition, a DAV:prop
2265 element containing the property that caused the pre/postcondition
2266 to fail.
2267 If DAV:prop is specified in the request body, the properties
2268 specified in the DAV:prop element MUST be reported in the
2269 DAV:response elements.
2270 Preconditions:
2271 None
2272 Postconditions:
2273 (DAV:number-of-matches-within-limits): The number of matching
2274 principals must fall within server-specific, predefined limits.
2275 For example, this condition might be triggered if a search
2276 specification would cause the return of an extremely large number
2277 of responses.
2279 9.4.1 Matching
2281 There are several cases to consider when matching strings. The
2282 easiest case is when a property value is "simple" and has only
2283 character information item content (see [REC-XML-INFOSET]). For
2284 example, the search string "julian" would match the
2285 DAV:displayname property with value "Julian Reschke". Note that
2286 the on-the-wire marshalling of DAV:displayname in this case is:
2287 Julian Reschke
2289 The name of the property is encoded into the XML element
2290 information item, and the character information item content of
2291 the property is "Julian Reschke".
2293 A more complicated case occurs when properties have mixed content
2294 (that is, compound values consisting of multiple child element
2295 items, other types of information items, and character information
2296 item content). Consider the property "aprop" in the namespace
2297 "http://www.example.com/props/", marshalled as:
2298
2299 {cdata 0}{cdata 1}
2300 {cdata 2}{cdata 3}
2301
2303 In this case, matching is performed on each individual contiguous
2304 sequence of character information items. In the example above, a
2305 search string would be compared to the four following strings:
2306 {cdata 0}
2307 {cdata 1}
2308 {cdata 2}
2309 {cdata 3}
2311 That is, four individual matches would be performed, one each for
2312 {cdata 0}, {cdata 1}, {cdata 2}, and {cdata 3}.
2314 9.4.2 Example: successful DAV:principal-property-search REPORT
2316 In this example, the client requests the principal URLs of all
2317 users whose DAV:displayname property contains the substring "doE"
2318 and whose "title" property in the namespace
2319 "http://BigCorp.com/ns/" (that is, their professional title)
2320 contains "Sales". In addition, the client requests five
2321 properties to be returned with the matching principals:
2322 In the DAV: namespace: displayname
2323 In the http://www.example.com/ns/ namespace: department, phone,
2324 office, salary
2325 The response shows that two principal resources meet the search
2326 specification, "John Doe" and "Zygdoebert Smith". The property
2327 "salary" in namespace "http://www.example.com/ns/" is not
2328 returned, since the principal making the request does not have
2329 sufficient access permissions to read this property.
2330 >> Request <<
2331 REPORT /users/ HTTP/1.1
2332 Host: www.example.com
2333 Content-Type: text/xml; charset=utf-8
2334 Content-Length: xxxx
2335 Depth: 0
2337
2338
2339
2340
2341
2342
2343 doE
2344
2345
2346
2347
2348
2349 Sales
2350
2351
2352
2353
2354
2355
2356
2357
2358
2360 >> Response <<
2362 HTTP/1.1 207 Multi-Status
2363 Content-Type: text/xml; charset=utf-8
2364 Content-Length: xxxx
2366
2367
2368
2369 http://www.example.com/users/jdoe
2370
2371
2372 John Doe
2373 Widget Sales
2374 234-4567
2375 209
2376
2377 HTTP/1.1 200 OK
2378
2379
2380
2381
2382
2383 HTTP/1.1 403 Forbidden
2384
2385
2386
2387 http://www.example.com/users/zsmith
2388
2389
2390 Zygdoebert Smith
2391 Gadget Sales
2392 234-7654
2393 114
2394
2395 HTTP/1.1 200 OK
2396
2397
2398
2399
2400
2401 HTTP/1.1 403 Forbidden
2402
2403
2404
2406 9.5 DAV:principal-search-property-set REPORT
2408 The DAV:principal-search-property-set REPORT identifies those
2409 properties that may be searched using the DAV:principal-property-
2410 search REPORT (defined in Section 9.4).
2411 Servers MUST support the DAV:principal-search-property-set REPORT
2412 on all collections identified in the value of a DAV:principal-
2413 collection-set property.
2414 An access control protocol user agent could use the results of the
2415 DAV:principal-search-property-set REPORT to present a query
2416 interface to the user for retrieving principals.
2417 Support for this report is REQUIRED.
2418 Implementation Note: Some clients will have only limited screen
2419 real estate for the display of lists of searchable properties.
2420 In this case, a user might appreciate having the most
2421 frequently searched properties be displayed on-screen, rather
2422 than having to scroll through a long list of searchable
2423 properties. One mechanism for signaling the most frequently
2424 searched properties is to return them towards the start of a
2425 list of properties. A client can then preferentially display
2426 the list of properties in order, increasing the likelihood that
2427 the most frequently searched properties will appear on-screen,
2428 and will not require scrolling for their selection.
2429 Marshalling:
2430 The request body MUST be an empty DAV:principal-search-property-
2431 set XML element.
2432 This report is only defined when the Depth header has value "0";
2433 other values result in a 400 (Bad Request) error response. Note
2434 that [RFC3253], Section 3.6, states that if the Depth header is
2435 not present, it defaults to a value of "0".
2436 The response body MUST be a DAV:principal-search-property-set XML
2437 element, containing a DAV:principal-search-property XML element
2438 for each property that may be searched with the DAV:principal-
2439 property-search REPORT. A server MAY limit its response to just a
2440 subset of the searchable properties, such as those likely to be
2441 useful to an interactive access control client.
2443
2446 Each DAV:principal-search-property XML element contains exactly
2447 one searchable property, and a description of the property.
2448
2450 The DAV:prop element contains one principal property on which the
2451 server is able to perform a DAV:principal-property-search REPORT.
2452 prop: see RFC 2518, Section 12.11
2454 The description element is a human-readable description of what
2455 information this property represents. Servers MUST indicate the
2456 human language of the description using the xml:lang attribute and
2457 SHOULD consider the HTTP Accept-Language request header when
2458 selecting one of multiple available languages.
2459
2461 9.5.1 Example: DAV:principal-search-property-set REPORT
2463 In this example, the client determines the set of searchable
2464 principal properties by requesting the DAV:principal-search-
2465 property-set REPORT on the root of the server's principal URL
2466 collection set, identified by http://www.example.com/users/.
2467 >> Request <<
2468 REPORT /users/ HTTP/1.1
2469 Host: www.example.com
2470 Content-Type: text/xml; charset="utf-8"
2471 Content-Length: xxx
2472 Accept-Language: en, de
2473 Authorization: BASIC d2FubmFtYWs6cGFzc3dvcmQ=
2474 Depth: 0
2476
2477
2479 >> Response <<
2480 HTTP/1.1 200 OK
2481 Content-Type: text/xml; charset="utf-8"
2482 Content-Length: xxx
2484
2485
2486
2487
2488
2489
2490 Full name
2491
2492
2493
2494
2495
2496 Job title
2497
2498
2500 10 XML PROCESSING
2502 Implementations of this specification MUST support the XML element
2503 ignore rule, as specified in Section 23.3.2 of [RFC2518], and the
2504 XML Namespace recommendation [REC-XML-NAMES].
2505 Note that use of the DAV namespace is reserved for XML elements
2506 and property names defined in a standards-track or Experimental
2507 IETF RFC.
2509 11 INTERNATIONALIZATION CONSIDERATIONS
2511 In this specification, the only human-readable content can be
2512 found in the description XML element, found within the
2513 DAV:supported-privilege-set property. This element contains a
2514 human-readable description of the capabilities controlled by a
2515 privilege. As a result, the description element must be capable
2516 of representing descriptions in multiple character sets. Since
2517 the description element is found within a WebDAV property, it is
2518 represented on the wire as XML [REC-XML], and hence can leverage
2519 XML's language tagging and character set encoding capabilities.
2520 Specifically, XML processors at minimum must be able to read XML
2521 elements encoded using the UTF-8 [UTF-8] encoding of the ISO 10646
2522 multilingual plane. XML examples in this specification demonstrate
2523 use of the charset parameter of the Content-Type header, as
2524 defined in [RFC3023], as well as the XML "encoding" attribute,
2525 which together provide charset identification information for MIME
2526 and XML processors. Futhermore, this specification requires server
2527 implementations to tag description fields with the xml:lang
2528 attribute (see Section 2.12 of [REC-XML]), which specifies the
2529 human language of the description. Additionally, server
2530 implementations should take into account the value of the Accept-
2531 Language HTTP header to determine which description string to
2532 return.
2533 For XML elements other than the description element, it is
2534 expected that implementations will treat the property names,
2535 privilege names, and values as tokens, and convert these tokens
2536 into human-readable text in the user's language and character set
2537 when displayed to a person. Only a generic WebDAV property
2538 display utility would display these values in their raw form to a
2539 human user.
2540 For error reporting, we follow the convention of HTTP/1.1 status
2541 codes, including with each status code a short, English
2542 description of the code (e.g., 200 (OK)). While the possibility
2543 exists that a poorly crafted user agent would display this message
2544 to a user, internationalized applications will ignore this
2545 message, and display an appropriate message in the user's language
2546 and character set.
2547 Further internationalization considerations for this protocol are
2548 described in the WebDAV Distributed Authoring protocol
2549 specification [RFC2518].
2551 12 SECURITY CONSIDERATIONS
2553 Applications and users of this access control protocol should be
2554 aware of several security considerations, detailed below. In
2555 addition to the discussion in this document, the security
2556 considerations detailed in the HTTP/1.1 specification [RFC2616],
2557 the WebDAV Distributed Authoring Protocol specification [RFC2518],
2558 and the XML Media Types specification [RFC3023] should be
2559 considered in a security analysis of this protocol.
2561 12.1 Increased Risk of Compromised Users
2563 In the absence of a mechanism for remotely manipulating access
2564 control lists, if a single user's authentication credentials are
2565 compromised, only those resources for which the user has access
2566 permission can be read, modified, moved, or deleted. With the
2567 introduction of this access control protocol, if a single
2568 compromised user has the ability to change ACLs for a broad range
2569 of other users (e.g., a super-user), the number of resources that
2570 could be altered by a single compromised user increases. This risk
2571 can be mitigated by limiting the number of people who have write-
2572 acl privileges across a broad range of resources.
2574 12.2 Risks of the DAV:read-acl and DAV:current-user-privilege-set
2575 Privileges
2577 The ability to read the access privileges (stored in the DAV:acl
2578 property), or the privileges permitted the currently authenticated
2579 user (stored in the DAV:current-user-privilege-set property) on a
2580 resource may seem innocuous, since reading an ACL cannot possibly
2581 affect the resource's state. However, if all resources have world-
2582 readable ACLs, it is possible to perform an exhaustive search for
2583 those resources that have inadvertently left themselves in a
2584 vulnerable state, such as being world-writeable. In particular,
2585 the property retrieval method PROPFIND, executed with Depth
2586 infinity on an entire hierarchy, is a very efficient way to
2587 retrieve the DAV:acl or DAV:current-user-privilege-set properties.
2588 Once found, this vulnerability can be exploited by a denial of
2589 service attack in which the open resource is repeatedly
2590 overwritten. Alternately, writeable resources can be modified in
2591 undesirable ways.
2592 To reduce this risk, read-acl privileges should not be granted to
2593 unauthenticated principals, and restrictions on read-acl and read-
2594 current-user-privilege-set privileges for authenticated principals
2595 should be carefully analyzed when deploying this protocol. Access
2596 to the current-user-privilege-set property will involve a tradeoff
2597 of usability versus security. When the current-user-privilege-set
2598 is visible, user interfaces are expected to provide enhanced
2599 information concerning permitted and restricted operations, yet
2600 this information may also indicate a vulnerability that could be
2601 exploited. Deployment of this protocol will need to evaluate this
2602 tradeoff in light of the requirements of the deployment
2603 environment.
2605 12.3 No Foreknowledge of Initial ACL
2607 In an effort to reduce protocol complexity, this protocol
2608 specification intentionally does not address the issue of how to
2609 manage or discover the initial ACL that is placed upon a resource
2610 when it is created. The only way to discover the initial ACL is to
2611 create a new resource, then retrieve the value of the DAV:acl
2612 property. This assumes the principal creating the resource also
2613 has been granted the DAV:read-acl privilege.
2614 As a result, it is possible that a principal could create a
2615 resource, and then discover that its ACL grants privileges that
2616 are undesirable. Furthermore, this protocol makes it possible
2617 (though unlikely) that the creating principal could be unable to
2618 modify the ACL, or even delete the resource. Even when the ACL can
2619 be modified, there will be a short period of time when the
2620 resource exists with the initial ACL before its new ACL can be
2621 set.
2622 Several factors mitigate this risk. Human principals are often
2623 aware of the default access permissions in their editing
2624 environments and take this into account when writing information.
2625 Furthermore, default privilege policies are usually very
2626 conservative, limiting the privileges granted by the initial ACL.
2628 13 AUTHENTICATION
2630 Authentication mechanisms defined for use with HTTP and WebDAV
2631 also apply to this WebDAV Access Control Protocol, in particular
2632 the Basic and Digest authentication mechanisms defined in
2633 [RFC2617]. Implementation of the ACL spec requires that Basic
2634 authentication, if used, MUST only be supported over secure
2635 transport such as TLS.
2637 14 IANA CONSIDERATIONS
2639 This document uses the namespace defined by [RFC2518] for XML
2640 elements. That is, this specification uses the "DAV:" URI
2641 namespace, previously registered in the URI schemes registry. All
2642 other IANA considerations mentioned in [RFC2518] are also
2643 applicable to this specification.
2645 15 INTELLECTUAL PROPERTY
2647 The following notice is copied from RFC 2026, section 10.4, and
2648 describes the position of the IETF concerning intellectual
2649 property claims made against this document.
2650 The IETF takes no position regarding the validity or scope of any
2651 intellectual property or other rights that might be claimed to
2652 pertain to the implementation or use other technology described in
2653 this document or the extent to which any license under such rights
2654 might or might not be available; neither does it represent that it
2655 has made any effort to identify any such rights. Information on
2656 the IETF's procedures with respect to rights in standards-track
2657 and standards-related documentation can be found in BCP-11. Copies
2658 of claims of rights made available for publication and any
2659 assurances of licenses to be made available, or the result of an
2660 attempt made to obtain a general license or permission for the use
2661 of such proprietary rights by implementers or users of this
2662 specification can be obtained from the IETF Secretariat.
2663 The IETF invites any interested party to bring to its attention
2664 any copyrights, patents or patent applications, or other
2665 proprietary rights that may cover technology that may be required
2666 to practice this standard. Please address the information to the
2667 IETF Executive Director.
2669 16 ACKNOWLEDGEMENTS
2671 This protocol is the collaborative product of the WebDAV ACL
2672 design team: Bernard Chester, Geoff Clemm, Anne Hopkins, Barry
2673 Lind, Sean Lyndersay, Eric Sedlar, Greg Stein, and Jim Whitehead.
2674 The authors are grateful for the detailed review and comments
2675 provided by Jim Amsden, Dylan Barrell, Gino Basso, Murthy
2676 Chintalapati, Lisa Dusseault, Stefan Eissing, Tim Ellison, Yaron
2677 Goland, Dennis Hamilton, Laurie Harper, Eckehard Hermann, Ron
2678 Jacobs, Chris Knight, Remy Maucherat, Larry Masinter, Joe Orton,
2679 Peter Raymond, Julian Reschke, and Keith Wannamaker. We thank
2680 Keith Wannamaker for the initial text of the principal property
2681 search sections. Prior work on WebDAV access control protocols has
2682 been performed by Yaron Goland, Paul Leach, Lisa Dusseault, Howard
2683 Palmer, and Jon Radoff. We would like to acknowledge the
2684 foundation laid for us by the authors of the DeltaV, WebDAV and
2685 HTTP protocols upon which this protocol is layered, and the
2686 invaluable feedback from the WebDAV working group.
2688 17 REFERENCES
2690 17.1 Normative References
2692 [RFC2119] S.Bradner, "Key words for use in RFCs to Indicate
2693 Requirement Levels." RFC 2119, BCP 14, March, 1997.
2694 [REC-XML] T. Bray, J. Paoli, C.M. Sperberg-McQueen, "Extensible
2695 Markup Language (XML)." World Wide Web Consortium Recommendation
2696 REC-xml.http://www.w3.org/TR/REC-xml
2698 [REC-XML-NAMES] T. Bray, D. Hollander, A. Layman, "Name Spaces in
2699 XML" World Wide Web Consortium Recommendation REC-xml-names.
2700 http://www.w3.org/TR/REC-xml-names/
2701 [RFC3253] G. Clemm, J. Amsden, T. Ellison, C. Kaler, J. Whitehead,
2702 "Versioning Extensions to WebDAV." RFC 3253, March 2002.
2703 [REC-XML-INFOSET] J. Cowan, R. Tobin, "XML Information Set." World
2704 Wide Web Consortium Recommendation REC-xml-infoset.
2705 http://www.w3.org/TR/xml-infoset/
2706 [RFC2616] R. Fielding, J. Gettys, J. C. Mogul, H. Frystyk, L.
2707 Masinter, P. Leach, and T. Berners-Lee, "Hypertext Transfer
2708 Protocol -- HTTP/1.1." RFC 2616, June, 1999.
2709 [RFC2617] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence,
2710 P. Leach, A. Luotonen, L. Stewart, "HTTP Authentication: Basic and
2711 Digest Access Authentication." RFC 2617, June, 1999.
2712 [RFC2518] Y. Goland, E. Whitehead, A. Faizi, S. R. Carter, D.
2713 Jensen, "HTTP Extensions for Distributed Authoring -- WEBDAV." RFC
2714 2518, February, 1999.
2715 [RFC2368] P. Hoffman, L. Masinter, J. Zawinski, "The mailto URL
2716 scheme." RFC 2368, July, 1998.
2717 [RFC3023] M. Murata, S. St.Laurent, D. Kohn, "XML Media Types."
2718 RFC 3023, January, 2001.
2719 [RFC3010] S. Shepler, B. Callaghan, D. Robinson, R. Thurlow, C.
2720 Beame, M. Eisler, D.Noveck "NFS version 4 Protocol." RFC 3010,
2721 December 2000.
2722 [UTF-8] F. Yergeau, "UTF-8, a transformation format of Unicode
2723 and ISO 10646." RFC 2279, January, 1998.
2725 17.2 Informational References
2727 [RFC2026] S.Bradner, "The Internet Standards Process - Revision
2728 3." RFC 2026, BCP 9. Harvard, October, 1996.
2729 [RFC2255] T. Howes, M. Smith, "The LDAP URL Format." RFC 2255.
2730 Netscape, December, 1997.
2731 [RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory
2732 Access Protocol (v3)." RFC 2251. Critical Angle, Netscape, Isode,
2733 December, 1997.
2734 [CaseMap] M. Davis, "Case Mappings", Unicode Standard Annex #21,
2735 March 26, 2001. http://www.unicode.org/unicode/reports/tr21
2736 18 AUTHORS' ADDRESSES
2738 Geoffrey Clemm
2739 IBM
2740 20 Maguire Road
2741 Lexington, MA 02421
2742 Email: geoffrey.clemm@us.ibm.com
2744 Anne Hopkins
2745 Microsoft Corporation
2746 One Microsoft Way
2747 Redmond, WA 98052
2748 Email: annehop@microsoft.com
2750 Eric Sedlar
2751 Oracle Corporation
2752 500 Oracle Parkway
2753 Redwood Shores, CA 94065
2754 Email: eric.sedlar@oracle.com
2756 Jim Whitehead
2757 U.C. Santa Cruz
2758 Dept. of Computer Science
2759 Baskin Engineering
2760 1156 High Street
2761 Santa Cruz, CA 95064
2762 Email: ejw@cse.ucsc.edu
2763 19 APPENDICES
2765 19.1 WebDAV XML Document Type Definition Addendum
2767 All XML elements defined in this Document Type Definition (DTD)
2768 belong to the DAV namespace. This DTD should be viewed as an
2769 addendum to the DTD provided in [RFC2518], section 23.1.
2770
2786
2788
2789
2790
2791
2793
2795
2797
2799
2801
2802
2805
2806
2807
2809
2811
2812
2814
2815
2818
2822
2823
2824
2825
2826
2828
2830
2831
2832
2834
2836
2838
2840
2843
2844
2845
2847
2850
2852
2854
2856
2858
2860
2861
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2878
2880
2881 ANY value: a sequence of one or more elements, with at most one
2882 DAV:prop element.
2884
2885
2886 ANY value: an element whose value identifies a property. The
2887 expectation is the value of the named property typically contains
2888 an href element that contains the URI of a principal
2889
2891
2892
2893
2895
2897
2898
2900 19.2 WebDAV Method Privilege Table (Normative)
2902 The following table of WebDAV methods (as defined in RFC 2518, 2616,
2903 and 3253) clarifies which privileges are required for access for each
2904 method. Note that the privileges listed, if denied, MUST cause access
2905 to be denied. However, given that a specific implementation MAY define
2906 an additional custom privilege to control access to existing methods,
2907 having all of the indicated privileges does not mean that access will
2908 be granted. Note that lack of the indicated privileges does not imply
2909 that access will be denied, since a particular implementation may use a
2910 sub-privilege aggregated under the indicated privilege to control
2911 access. Privileges required refer to the current resource being
2912 processed unless otherwise specified.
2914 METHOD PRIVILEGES
2915 GET
2916 HEAD
2917 OPTIONS
2918 PUT (target exists) on target resource
2919 PUT (no target exists) on parent collection of target
2920 PROPPATCH
2921 ACL
2922 PROPFIND (plus and
2923 as needed)
2924 COPY (target exists) , and on target resource
2926 COPY (no target exists) , on target collection
2927 MOVE (no target exists) on source collection and
2928 on target collection
2929 MOVE (target exists) As above, plus on the target
2930 collection
2931 DELETE on parent collection
2932 LOCK (target exists)
2933 LOCK (no target exists) on parent collection
2934 MKCOL on parent collection
2935 UNLOCK
2936 CHECKOUT
2937 CHECKIN
2938 REPORT (on all referenced resources)
2939 VERSION-CONTROL
2940 MERGE
2941 MKWORKSPACE on parent collection
2942 BASELINE-CONTROL and
2943 MKACTIVITY on parent collection