Security Tamino WebDAV 3.1

Hi,

I’m back to talk about security on Tamino WebDAV.
Now, I can use Apache webserver to authenticate users. I used to use Slide.
Well, I tried to create my WebDAV’s security environment as an ordinary Tamino database and just define a in httpd.conf file.
1. I created two databases: “mydb” and “webdav”
2. Set three groups and three ACLs(read, full and deny) using Apache’s valid-users.
3. Both of them are set with “allow non-authenticated users=no” on Tamino Manager.
4. “mydb” is working ok but “webdav” do not let me even delete nor insert new objects.
5. I can modify a .doc file using any user.
6. I put the same Element nodes on the three ACL’s and just change the permissions (no, full or read) on “webdav” database:
xdav:metadata (except in ACL with permission=no)
webdav
webdav/coll (except in ACL with permission=no)
taminowebserver/coll

That’s all.

Does anyone have any idea about what’s my mistake?

Thanks in advance,
Ito

Hi Fernando,

I’m not sure that I understand what you try to do, please could you explain how the result should be?

You used the Tamino security in the right way. Tamino authentication is done by the web server and Tamino does authorisation with its ACL/ACE and group concept.

With Tamino WebDav it looks a little bit different. The Tamino WebDav server uses the Tamino security for protecting its metadata and the Tamino collections used via the WebDav server against parallel or not authorised accesses. Authorised is just the WebDav server itself. For this we defined an user, group and ACL especially for the Webdav server and just this user should have write access to the metadata collection and all the collections used via webdav in Tamino. Because of the webdav server has not to be authenticated, the authentication at the web server should not be activated. If you would like to use authentication with Webdav, you have to use the authentication of your servlet engine e.g. Tomcat. The WebDav specification defines authorisation in its sub-specifiaction ‘WebDav access control protocol’, which is in a ‘draft’ status currently and so the Tamino WebDav server does not support it , especially the http ACL method, in the current version.

regards

Eckehard

Hi Eckehard,

Thank you for your reply. You are absolutelly correct about Tamino WebDAV Security’s concept.

My final settings were changed to the following:

1. I changed <Directory …> to <Location http://localhost/taminowebdavserver>. So, Apache will request authentication only from this URL.
2. All users registered in my Apache’s group “webdav” (see my first message) have the same rights even they were specified in different ACLs on Tamino Manager. The “mydb” users can not have access to this URL.
3. I can control read/write access just changing the parameter “allow non-authenticated user” to ‘yes’ or ‘no’.

It is not my ideal way to protect my objects, but I think that it is the right one.

Thanks for your help.

Regards, Ito

Hi Fernando,

I just would like to point out that in the case you protect your webdav requests with webserver authentication at the URL http://localhost/taminowebdavserver you will come in through port 80 (which is the port where your webserver listens). After an default installation the Tamino webdav server does also listen at port 4000. If you access your WebDav server with the URL http://localhost:4000/taminowebdavserver you will come in directly through the servlet engine and not over the web server. In this case your authentication will not work and your webdav server will not be protected. For closing this security hole you have two possibilities. As first you can do the authentication in your Tomcat or IIS and not in the web server or you have to close port 4000 in the Tomcats server.xml file.

regards Eckehard

You are right again, Eckehard.

Apache’s security itself is not secure enough.

I really appreciate your response. Thank you!

Ito