5. Access Control Properties
This specification defines a number of new properties for WebDAV resources. Access control properties may be retrieved just like other WebDAV properties, using the PROPFIND method. Since it is expensive, for many servers, to retrieve access control information, a PROPFIND allprop request (as defined in Section 12.14.1 of [RFC2518]) SHOULD NOT return the names and values of the properties defined in this section. Access control properties (especially DAV:acl and DAV:inherited-acl- set) are defined on the resource identified by the Request-URI of a PROPFIND request. A direct consequence is that if the resource is accessible via multiple URI, the value of access control properties is the same across these URI. HTTP resources that support the WebDAV Access Control Protocol MUST contain the following properties. Null resources (described in Section 3 of [RFC2518]) MUST NOT contain the following properties.5.1. DAV:owner
This property identifies a particular principal as being the "owner" of the resource. Since the owner of a resource often has special access control capabilities (e.g., the owner frequently has permanent DAV:write-acl privilege), clients might display the resource owner in their user interface. Servers MAY implement DAV:owner as protected property and MAY return an empty DAV:owner element as property value in case no owner information is available. <!ELEMENT owner (href?)>5.1.1. Example: Retrieving DAV:owner
This example shows a client request for the value of the DAV:owner property from a collection resource with URL http://www.example.com/ papers/. The principal making the request is authenticated using Digest authentication. The value of DAV:owner is the URL http:// www.example.com/acl/users/gstein, wrapped in the DAV:href XML element.
>> Request << PROPFIND /papers/ HTTP/1.1 Host: www.example.com Content-type: text/xml; charset="utf-8" Content-Length: xxx Depth: 0 Authorization: Digest username="jim", realm="users@example.com", nonce="...", uri="/papers/", response="...", opaque="..." <?xml version="1.0" encoding="utf-8" ?> <D:propfind xmlns:D="DAV:"> <D:prop> <D:owner/> </D:prop> </D:propfind> >> Response << HTTP/1.1 207 Multi-Status Content-Type: text/xml; charset="utf-8" Content-Length: xxx <?xml version="1.0" encoding="utf-8" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>http://www.example.com/papers/</D:href> <D:propstat> <D:prop> <D:owner> <D:href>http://www.example.com/acl/users/gstein</D:href> </D:owner> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus>5.1.2. Example: An Attempt to Set DAV:owner
The following example shows a client request to modify the value of the DAV:owner property on the resource with URL <http:// www.example.com/papers>. Since DAV:owner is a protected property on this particular server, it responds with a 207 (Multi-Status) response that contains a 403 (Forbidden) status code for the act of setting DAV:owner. Section 8.2.1 of [RFC2518] describes PROPPATCH status code information, Section 11 of [RFC2518] describes the
Multi-Status response and Sections 1.6 and 3.12 of [RFC3253] describe additional error marshaling for PROPPATCH attempts on protected properties. >> Request << PROPPATCH /papers/ HTTP/1.1 Host: www.example.com Content-type: text/xml; charset="utf-8" Content-Length: xxx Depth: 0 Authorization: Digest username="jim", realm="users@example.com", nonce="...", uri="/papers/", response="...", opaque="..." <?xml version="1.0" encoding="utf-8" ?> <D:propertyupdate xmlns:D="DAV:"> <D:set> <D:prop> <D:owner> <D:href>http://www.example.com/acl/users/jim</D:href> </D:owner> </D:prop> </D:set> </D:propertyupdate> >> Response << HTTP/1.1 207 Multi-Status Content-Type: text/xml; charset="utf-8" Content-Length: xxx <?xml version="1.0" encoding="utf-8" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>http://www.example.com/papers/</D:href> <D:propstat> <D:prop><D:owner/></D:prop> <D:status>HTTP/1.1 403 Forbidden</D:status> <D:responsedescription> <D:error><D:cannot-modify-protected-property/></D:error> Failure to set protected property (DAV:owner) </D:responsedescription> </D:propstat> </D:response> </D:multistatus>
5.2. DAV:group
This property identifies a particular principal as being the "group" of the resource. This property is commonly found on repositories that implement the Unix privileges model. Servers MAY implement DAV:group as protected property and MAY return an empty DAV:group element as property value in case no group information is available. <!ELEMENT group (href?)>5.3. DAV:supported-privilege-set
This is a protected property that identifies the privileges defined for the resource. <!ELEMENT supported-privilege-set (supported-privilege*)> Each privilege appears as an XML element, where aggregate privileges list as sub-elements all of the privileges that they aggregate. <!ELEMENT supported-privilege (privilege, abstract?, description, supported-privilege*)> <!ELEMENT privilege ANY> An abstract privilege MUST NOT be used in an ACE for that resource. Servers MUST fail an attempt to set an abstract privilege. <!ELEMENT abstract EMPTY> A description is a human-readable description of what this privilege controls access to. Servers MUST indicate the human language of the description using the xml:lang attribute and SHOULD consider the HTTP Accept-Language request header when selecting one of multiple available languages. <!ELEMENT description #PCDATA> It is envisioned that a WebDAV ACL-aware administrative client would list the supported privileges in a dialog box, and allow the user to choose non-abstract privileges to apply in an ACE. The privileges tree is useful programmatically to map well-known privileges (defined by WebDAV or other standards groups) into privileges that are supported by any particular server implementation. The privilege tree also serves to hide complexity in implementations allowing large number of privileges to be defined by displaying aggregates to the user.
5.3.1. Example: Retrieving a List of Privileges Supported on a Resource
This example shows a client request for the DAV:supported-privilege- set property on the resource http://www.example.com/papers/. The value of the DAV:supported-privilege-set property is a tree of supported privileges (using "[XML Namespace , localname]" to identify each privilege): [DAV:, all] (aggregate, abstract) | +-- [DAV:, read] (aggregate) | +-- [DAV:, read-acl] (abstract) +-- [DAV:, read-current-user-privilege-set] (abstract) | +-- [DAV:, write] (aggregate) | +-- [DAV:, write-acl] (abstract) +-- [DAV:, write-properties] +-- [DAV:, write-content] | +-- [DAV:, unlock] This privilege tree is not normative (except that it reflects the normative aggregation rules given in Section 3.12), and many possible privilege trees are possible. >> Request << PROPFIND /papers/ HTTP/1.1 Host: www.example.com Content-type: text/xml; charset="utf-8" Content-Length: xxx Depth: 0 Authorization: Digest username="gclemm", realm="users@example.com", nonce="...", uri="/papers/", response="...", opaque="..." <?xml version="1.0" encoding="utf-8" ?> <D:propfind xmlns:D="DAV:"> <D:prop> <D:supported-privilege-set/> </D:prop> </D:propfind>
>> Response << HTTP/1.1 207 Multi-Status Content-Type: text/xml; charset="utf-8" Content-Length: xxx <?xml version="1.0" encoding="utf-8" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>http://www.example.com/papers/</D:href> <D:propstat> <D:prop> <D:supported-privilege-set> <D:supported-privilege> <D:privilege><D:all/></D:privilege> <D:abstract/> <D:description xml:lang="en"> Any operation </D:description> <D:supported-privilege> <D:privilege><D:read/></D:privilege> <D:description xml:lang="en"> Read any object </D:description> <D:supported-privilege> <D:privilege><D:read-acl/></D:privilege> <D:abstract/> <D:description xml:lang="en">Read ACL</D:description> </D:supported-privilege> <D:supported-privilege> <D:privilege> <D:read-current-user-privilege-set/> </D:privilege> <D:abstract/> <D:description xml:lang="en"> Read current user privilege set property </D:description> </D:supported-privilege> </D:supported-privilege> <D:supported-privilege> <D:privilege><D:write/></D:privilege> <D:description xml:lang="en"> Write any object </D:description> <D:supported-privilege> <D:privilege><D:write-acl/></D:privilege> <D:description xml:lang="en">
Write ACL </D:description> <D:abstract/> </D:supported-privilege> <D:supported-privilege> <D:privilege><D:write-properties/></D:privilege> <D:description xml:lang="en"> Write properties </D:description> </D:supported-privilege> <D:supported-privilege> <D:privilege><D:write-content/></D:privilege> <D:description xml:lang="en"> Write resource content </D:description> </D:supported-privilege> </D:supported-privilege> <D:supported-privilege> <D:privilege><D:unlock/></D:privilege> <D:description xml:lang="en"> Unlock resource </D:description> </D:supported-privilege> </D:supported-privilege> </D:supported-privilege-set> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus>5.4. DAV:current-user-privilege-set
DAV:current-user-privilege-set is a protected property containing the exact set of privileges (as computed by the server) granted to the currently authenticated HTTP user. Aggregate privileges and their contained privileges are listed. A user-agent can use the value of this property to adjust its user interface to make actions inaccessible (e.g., by graying out a menu item or button) for which the current principal does not have permission. This property is also useful for determining what operations the current principal can perform, without having to actually execute an operation. <!ELEMENT current-user-privilege-set (privilege*)> <!ELEMENT privilege ANY>
If the current user is granted a specific privilege, that privilege must belong to the set of privileges that may be set on this resource. Therefore, each element in the DAV:current-user- privilege-set property MUST identify a non-abstract privilege from the DAV:supported-privilege-set property.5.4.1. Example: Retrieving the User's Current Set of Assigned Privileges
Continuing the example from Section 5.3.1, this example shows a client requesting the DAV:current-user-privilege-set property from the resource with URL http://www.example.com/papers/. The username of the principal making the request is "khare", and Digest authentication is used in the request. The principal with username "khare" has been granted the DAV:read privilege. Since the DAV:read privilege contains the DAV:read-acl and DAV:read-current-user- privilege-set privileges (see Section 5.3.1), the principal with username "khare" can read the ACL property, and the DAV:current- user-privilege-set property. However, the DAV:all, DAV:read-acl, DAV:write-acl and DAV:read-current-user-privilege-set privileges are not listed in the value of DAV:current-user-privilege-set, since (for this example) they are abstract privileges. DAV:write is not listed since the principal with username "khare" is not listed in an ACE granting that principal write permission. >> Request << PROPFIND /papers/ HTTP/1.1 Host: www.example.com Content-type: text/xml; charset="utf-8" Content-Length: xxx Depth: 0 Authorization: Digest username="khare", realm="users@example.com", nonce="...", uri="/papers/", response="...", opaque="..." <?xml version="1.0" encoding="utf-8" ?> <D:propfind xmlns:D="DAV:"> <D:prop> <D:current-user-privilege-set/> </D:prop> </D:propfind>
>> Response << HTTP/1.1 207 Multi-Status Content-Type: text/xml; charset="utf-8" Content-Length: xxx <?xml version="1.0" encoding="utf-8" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>http://www.example.com/papers/</D:href> <D:propstat> <D:prop> <D:current-user-privilege-set> <D:privilege><D:read/></D:privilege> </D:current-user-privilege-set> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus>5.5. DAV:acl
This is a protected property that specifies the list of access control entries (ACEs), which define what principals are to get what privileges for this resource. <!ELEMENT acl (ace*) > Each DAV:ace element specifies the set of privileges to be either granted or denied to a single principal. If the DAV:acl property is empty, no principal is granted any privilege. <!ELEMENT ace ((principal | invert), (grant|deny), protected?, inherited?)>5.5.1. ACE Principal
The DAV:principal element identifies the principal to which this ACE applies. <!ELEMENT principal (href | all | authenticated | unauthenticated | property | self)> The current user matches DAV:href only if that user is authenticated as being (or being a member of) the principal identified by the URL contained by that DAV:href.
The current user always matches DAV:all. <!ELEMENT all EMPTY> The current user matches DAV:authenticated only if authenticated. <!ELEMENT authenticated EMPTY> The current user matches DAV:unauthenticated only if not authenticated. <!ELEMENT unauthenticated EMPTY> DAV:all is the union of DAV:authenticated, and DAV:unauthenticated. For a given request, the user matches either DAV:authenticated, or DAV:unauthenticated, but not both (that is, DAV:authenticated and DAV:unauthenticated are disjoint sets). The current user matches a DAV:property principal in a DAV:acl property of a resource only if the value of the identified property of that resource contains at most one DAV:href XML element, the URI value of DAV:href identifies a principal, and the current user is authenticated as being (or being a member of) that principal. For example, if the DAV:property element contained <DAV:owner/>, the current user would match the DAV:property principal only if the current user is authenticated as matching the principal identified by the DAV:owner property of the resource. <!ELEMENT property ANY> The current user matches DAV:self in a DAV:acl property of the resource only if that resource is a principal and that principal matches the current user or, if the principal is a group, a member of that group matches the current user. <!ELEMENT self EMPTY> Some servers may support ACEs applying to those users NOT matching the current principal, e.g., all users not in a particular group. This can be done by wrapping the DAV:principal element with DAV:invert. <!ELEMENT invert principal>
5.5.2. ACE Grant and Deny
Each DAV:grant or DAV:deny element specifies the set of privileges to be either granted or denied to the specified principal. A DAV:grant or DAV:deny element of the DAV:acl of a resource MUST only contain non-abstract elements specified in the DAV:supported-privilege-set of that resource. <!ELEMENT grant (privilege+)> <!ELEMENT deny (privilege+)> <!ELEMENT privilege ANY>5.5.3. ACE Protection
A server indicates an ACE is protected by including the DAV:protected element in the ACE. If the ACL of a resource contains an ACE with a DAV:protected element, an attempt to remove that ACE from the ACL MUST fail. <!ELEMENT protected EMPTY>5.5.4. ACE Inheritance
The presence of a DAV:inherited element indicates that this ACE is inherited from another resource that is identified by the URL contained in a DAV:href element. An inherited ACE cannot be modified directly, but instead the ACL on the resource from which it is inherited must be modified. Note that ACE inheritance is not the same as ACL initialization. ACL initialization defines the ACL that a newly created resource will use (if not specified). ACE inheritance refers to an ACE that is logically shared - where an update to the resource containing an ACE will affect the ACE of each resource that inherits that ACE. The method by which ACLs are initialized or by which ACEs are inherited is not defined by this document. <!ELEMENT inherited (href)>5.5.5. Example: Retrieving a Resource's Access Control List
Continuing the example from Sections 5.3.1 and 5.4.1, this example shows a client requesting the DAV:acl property from the resource with URL http://www.example.com/papers/. There are two ACEs defined in this ACL:
ACE #1: The group identified by URL http://www.example.com/acl/ groups/maintainers (the group of site maintainers) is granted DAV:write privilege. Since (for this example) DAV:write contains the DAV:write-acl privilege (see Section 5.3.1), this means the "maintainers" group can also modify the access control list. ACE #2: All principals (DAV:all) are granted the DAV:read privilege. Since (for this example) DAV:read contains DAV:read-acl and DAV:read-current-user-privilege-set, this means all users (including all members of the "maintainers" group) can read the DAV:acl property and the DAV:current-user-privilege-set property. >> Request << PROPFIND /papers/ HTTP/1.1 Host: www.example.com Content-type: text/xml; charset="utf-8" Content-Length: xxx Depth: 0 Authorization: Digest username="masinter", realm="users@example.com", nonce="...", uri="/papers/", response="...", opaque="..." <D:propfind xmlns:D="DAV:"> <D:prop> <D:acl/> </D:prop> </D:propfind> >> Response << HTTP/1.1 207 Multi-Status Content-Type: text/xml; charset="utf-8" Content-Length: xxx <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>http://www.example.com/papers/</D:href> <D:propstat> <D:prop> <D:acl> <D:ace> <D:principal> <D:href >http://www.example.com/acl/groups/maintainers</D:href> </D:principal> <D:grant> <D:privilege><D:write/></D:privilege>
</D:grant> </D:ace> <D:ace> <D:principal> <D:all/> </D:principal> <D:grant> <D:privilege><D:read/></D:privilege> </D:grant> </D:ace> </D:acl> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus>5.6. DAV:acl-restrictions
This protected property defines the types of ACLs supported by this server, to avoid clients needlessly getting errors. When a client tries to set an ACL via the ACL method, the server may reject the attempt to set the ACL as specified. The following properties indicate the restrictions the client must observe before setting an ACL: <grant-only> Deny ACEs are not supported <no-invert> Inverted ACEs are not supported <deny-before-grant> All deny ACEs must occur before any grant ACEs <required-principal> Indicates which principals are required to be present <!ELEMENT acl-restrictions (grant-only?, no-invert?, deny-before-grant?, required-principal?)>5.6.1. DAV:grant-only
This element indicates that ACEs with deny clauses are not allowed. <!ELEMENT grant-only EMPTY>
5.6.2. DAV:no-invert ACE Constraint
This element indicates that ACEs with the <invert> element are not allowed. <!ELEMENT no-invert EMPTY>5.6.3. DAV:deny-before-grant
This element indicates that all deny ACEs must precede all grant ACEs. <!ELEMENT deny-before-grant EMPTY>5.6.4. Required Principals
The required principal elements identify which principals must have an ACE defined in the ACL. <!ELEMENT required-principal (all? | authenticated? | unauthenticated? | self? | href* | property*)> For example, the following element requires that the ACL contain a DAV:owner property ACE: <D:required-principal xmlns:D="DAV:"> <D:property><D:owner/></D:property> </D:required-principal>5.6.5. Example: Retrieving DAV:acl-restrictions
In this example, the client requests the value of the DAV:acl- restrictions property. Digest authentication provides credentials for the principal operating the client. >> Request << PROPFIND /papers/ HTTP/1.1 Host: www.example.com Content-type: text/xml; charset="utf-8" Content-Length: xxx Depth: 0 Authorization: Digest username="srcarter", realm="users@example.com", nonce="...", uri="/papers/", response="...", opaque="..."
<?xml version="1.0" encoding="utf-8" ?> <D:propfind xmlns:D="DAV:"> <D:prop> <D:acl-restrictions/> </D:prop> </D:propfind> >> Response << HTTP/1.1 207 Multi-Status Content-Type: text/xml; charset="utf-8" Content-Length: xxx <?xml version="1.0" encoding="utf-8" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>http://www.example.com/papers/</D:href> <D:propstat> <D:prop> <D:acl-restrictions> <D:grant-only/> <D:required-principal> <D:all/> </D:required-principal> </D:acl-restrictions> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus>5.7. DAV:inherited-acl-set
This protected property contains a set of URLs that identify other resources that also control the access to this resource. To have a privilege on a resource, not only must the ACL on that resource (specified in the DAV:acl property of that resource) grant the privilege, but so must the ACL of each resource identified in the DAV:inherited-acl-set property of that resource. Effectively, the privileges granted by the current ACL are ANDed with the privileges granted by each inherited ACL. <!ELEMENT inherited-acl-set (href*)>
5.8. DAV:principal-collection-set
This protected property of a resource contains a set of URLs that identify the root collections that contain the principals that are available on the server that implements this resource. A WebDAV Access Control Protocol user agent could use the contents of DAV:principal-collection-set to retrieve the DAV:displayname property (specified in Section 13.2 of [RFC2518]) of all principals on that server, thereby yielding human-readable names for each principal that could be displayed in a user interface. <!ELEMENT principal-collection-set (href*)> Since different servers can control different parts of the URL namespace, different resources on the same host MAY have different DAV:principal-collection-set values. The collections specified in the DAV:principal-collection-set MAY be located on different hosts from the resource. The URLs in DAV:principal-collection-set SHOULD be http or https scheme URLs. For security and scalability reasons, a server MAY report only a subset of the entire set of known principal collections, and therefore clients should not assume they have retrieved an exhaustive listing. Additionally, a server MAY elect to report none of the principal collections it knows about, in which case the property value would be empty. The value of DAV:principal-collection-set gives the scope of the DAV:principal-property-search REPORT (defined in Section 9.4). Clients use the DAV:principal-property-search REPORT to populate their user interface with a list of principals. Therefore, servers that limit a client's ability to obtain principal information will interfere with the client's ability to manipulate access control lists, due to the difficulty of getting the URL of a principal for use in an ACE.5.8.1. Example: Retrieving DAV:principal-collection-set
In this example, the client requests the value of the DAV:principal- collection-set property on the collection resource identified by URL http://www.example.com/papers/. The property contains the two URLs, http://www.example.com/acl/users/ and http:// www.example.com/acl/groups/, both wrapped in DAV:href XML elements. Digest authentication provides credentials for the principal operating the client.
The client might reasonably follow this request with two separate PROPFIND requests to retrieve the DAV:displayname property of the members of the two collections (/acl/users and /acl/groups). This information could be used when displaying a user interface for creating access control entries. >> Request << PROPFIND /papers/ HTTP/1.1 Host: www.example.com Content-type: text/xml; charset="utf-8" Content-Length: xxx Depth: 0 Authorization: Digest username="yarong", realm="users@example.com", nonce="...", uri="/papers/", response="...", opaque="..." <?xml version="1.0" encoding="utf-8" ?> <D:propfind xmlns:D="DAV:"> <D:prop> <D:principal-collection-set/> </D:prop> </D:propfind> >> Response << HTTP/1.1 207 Multi-Status Content-Type: text/xml; charset="utf-8" Content-Length: xxx <?xml version="1.0" encoding="utf-8" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>http://www.example.com/papers/</D:href> <D:propstat> <D:prop> <D:principal-collection-set> <D:href>http://www.example.com/acl/users/</D:href> <D:href>http://www.example.com/acl/groups/</D:href> </D:principal-collection-set> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus>
5.9. Example: PROPFIND to retrieve access control properties
The following example shows how access control information can be retrieved by using the PROPFIND method to fetch the values of the DAV:owner, DAV:supported-privilege-set, DAV:current-user-privilege- set, and DAV:acl properties. >> Request << PROPFIND /top/container/ HTTP/1.1 Host: www.example.com Content-type: text/xml; charset="utf-8" Content-Length: xxx Depth: 0 Authorization: Digest username="ejw", realm="users@example.com", nonce="...", uri="/top/container/", response="...", opaque="..." <?xml version="1.0" encoding="utf-8" ?> <D:propfind xmlns:D="DAV:"> <D:prop> <D:owner/> <D:supported-privilege-set/> <D:current-user-privilege-set/> <D:acl/> </D:prop> </D:propfind> >> Response << HTTP/1.1 207 Multi-Status Content-Type: text/xml; charset="utf-8" Content-Length: xxx <?xml version="1.0" encoding="utf-8" ?> <D:multistatus xmlns:D="DAV:" xmlns:A="http://www.example.com/acl/"> <D:response> <D:href>http://www.example.com/top/container/</D:href> <D:propstat> <D:prop> <D:owner> <D:href>http://www.example.com/users/gclemm</D:href> </D:owner> <D:supported-privilege-set> <D:supported-privilege> <D:privilege><D:all/></D:privilege> <D:abstract/>
<D:description xml:lang="en"> Any operation </D:description> <D:supported-privilege> <D:privilege><D:read/></D:privilege> <D:description xml:lang="en"> Read any object </D:description> </D:supported-privilege> <D:supported-privilege> <D:privilege><D:write/></D:privilege> <D:abstract/> <D:description xml:lang="en"> Write any object </D:description> <D:supported-privilege> <D:privilege><A:create/></D:privilege> <D:description xml:lang="en"> Create an object </D:description> </D:supported-privilege> <D:supported-privilege> <D:privilege><A:update/></D:privilege> <D:description xml:lang="en"> Update an object </D:description> </D:supported-privilege> </D:supported-privilege> <D:supported-privilege> <D:privilege><A:delete/></D:privilege> <D:description xml:lang="en"> Delete an object </D:description> </D:supported-privilege> <D:supported-privilege> <D:privilege><D:read-acl/></D:privilege> <D:description xml:lang="en"> Read the ACL </D:description> </D:supported-privilege> <D:supported-privilege> <D:privilege><D:write-acl/></D:privilege> <D:description xml:lang="en"> Write the ACL </D:description> </D:supported-privilege> </D:supported-privilege> </D:supported-privilege-set>
<D:current-user-privilege-set> <D:privilege><D:read/></D:privilege> <D:privilege><D:read-acl/></D:privilege> </D:current-user-privilege-set> <D:acl> <D:ace> <D:principal> <D:href>http://www.example.com/users/esedlar</D:href> </D:principal> <D:grant> <D:privilege><D:read/></D:privilege> <D:privilege><D:write/></D:privilege> <D:privilege><D:read-acl/></D:privilege> </D:grant> </D:ace> <D:ace> <D:principal> <D:href>http://www.example.com/groups/mrktng</D:href> </D:principal> <D:deny> <D:privilege><D:read/></D:privilege> </D:deny> </D:ace> <D:ace> <D:principal> <D:property><D:owner/></D:property> </D:principal> <D:grant> <D:privilege><D:read-acl/></D:privilege> <D:privilege><D:write-acl/></D:privilege> </D:grant> </D:ace> <D:ace> <D:principal><D:all/></D:principal> <D:grant> <D:privilege><D:read/></D:privilege> </D:grant> <D:inherited> <D:href>http://www.example.com/top</D:href> </D:inherited> </D:ace> </D:acl> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus>
The value of the DAV:owner property is a single DAV:href XML element containing the URL of the principal that owns this resource. The value of the DAV:supported-privilege-set property is a tree of supported privileges (using "[XML Namespace , localname]" to identify each privilege): [DAV:, all] (aggregate, abstract) | +-- [DAV:, read] +-- [DAV:, write] (aggregate, abstract) | +-- [http://www.example.com/acl, create] +-- [http://www.example.com/acl, update] +-- [http://www.example.com/acl, delete] +-- [DAV:, read-acl] +-- [DAV:, write-acl] The DAV:current-user-privilege-set property contains two privileges, DAV:read, and DAV:read-acl. This indicates that the current authenticated user only has the ability to read the resource, and read the DAV:acl property on the resource. The DAV:acl property contains a set of four ACEs: ACE #1: The principal identified by the URL http://www.example.com/ users/esedlar is granted the DAV:read, DAV:write, and DAV:read-acl privileges. ACE #2: The principals identified by the URL http://www.example.com/ groups/mrktng are denied the DAV:read privilege. In this example, the principal URL identifies a group. ACE #3: In this ACE, the principal is a property principal, specifically the DAV:owner property. When evaluating this ACE, the value of the DAV:owner property is retrieved, and is examined to see if it contains a DAV:href XML element. If so, the URL within the DAV:href element is read, and identifies a principal. In this ACE, the owner is granted DAV:read-acl, and DAV:write-acl privileges. ACE #4: This ACE grants the DAV:all principal (all users) the DAV:read privilege. This ACE is inherited from the resource http:// www.example.com/top, the parent collection of this resource.
6. ACL Evaluation
WebDAV ACLs are evaluated in similar manner as ACLs on Windows NT and in NFSv4 [RFC3530]). An ACL is evaluated to determine whether or not access will be granted for a WebDAV request. ACEs are maintained in a particular order, and are evaluated until all of the permissions required by the current request have been granted, at which point the ACL evaluation is terminated and access is granted. If, during ACL evaluation, a <deny> ACE (matching the current user) is encountered for a privilege which has not yet been granted, the ACL evaluation is terminated and access is denied. Failure to have all required privileges granted results in access being denied. Note that the semantics of many other existing ACL systems may be represented via this mechanism, by mixing deny and grant ACEs. For example, consider the standard "rwx" privilege scheme used by UNIX. In this scheme, if the current user is the owner of the file, access is granted if the corresponding privilege bit is set and denied if not set, regardless of the permissions set on the file's group and for the world. An ACL for UNIX permissions of "r--rw-r--" might be constructed like: <D:acl> <D:ace> <D:principal> <D:property><D:owner/></D:property> </D:principal> <D:grant> <D:privilege><D:read/></D:privilege> </D:grant> </D:ace> <D:ace> <D:principal> <D:property><D:owner/></D:property> </D:principal> <D:deny> <D:privilege><D:all/></D:privilege> </D:deny> </D:ace> <D:ace> <D:principal> <D:property><D:group/></D:property> </D:principal> <D:grant> <D:privilege><D:read/></D:privilege> <D:privilege><D:write/></D:privilege> </D:grant> </D:ace>
<D:ace> <D:principal> <D:property><D:group/></D:property> </D:principal> <D:deny> <D:privilege><D:all/></D:privilege> </D:deny> </D:ace> <D:ace> <D:principal><D:all></D:principal> <D:grant> <D:privilege><D:read/></D:privilege> </D:grant> </D:ace> </D:acl> and the <acl-restrictions> would be defined as: <D:no-invert/> <D:required-principal> <D:all/> <D:property><D:owner/></D:property> <D:property><D:group/><D:group/> </D:required-principal> Note that the client can still get errors from a UNIX server in spite of obeying the <acl-restrictions>, including <D:allowed-principal> (adding an ACE specifying a principal other than the ones in the ACL above) or <D:ace-conflict> (by trying to reorder the ACEs in the example above), as these particular implementation semantics are too complex to be captured with the simple (but general) declarative restrictions.7. Access Control and existing methods
This section defines the impact of access control functionality on existing methods.7.1. Any HTTP method
7.1.1. Error Handling
The WebDAV ACL mechanism requires the usage of HTTP method "preconditions" as described in section 1.6 of RFC3253 for ALL HTTP methods. All HTTP methods have an additional precondition called DAV:need-privileges. If an HTTP method fails due to insufficient privileges, the response body to the "403 Forbidden" error MUST contain the <DAV:error> element, which in turn contains the
<DAV:need-privileges> element, which contains one or more <DAV:resource> elements indicating which resource had insufficient privileges, and what the lacking privileges were: <!ELEMENT need-privileges (resource)* > <!ELEMENT resource ( href , privilege ) > Since some methods require multiple permissions on multiple resources, this information is needed to resolve any ambiguity. There is no requirement that all privilege violations be reported - for implementation reasons, some servers may only report the first privilege violation. For example: >> Request << MOVE /a/b/ HTTP/1.1 Host: www.example.com Destination: http://www.example.com/c/d >> Response << HTTP/1.1 403 Forbidden Content-Type: text/xml; charset="utf-8" Content-Length: xxx <D:error xmlns:D="DAV:"> <D:need-privileges> <D:resource> <D:href>/a</D:href> <D:privilege><D:unbind/></D:privilege> </D:resource> <D:resource> <D:href>/c</D:href> <D:privilege><D:bind/></D:privilege> </D:resource> </D:need-privileges> </D:error>7.2. OPTIONS
If the server supports access control, it MUST return "access- control" as a field in the DAV response header from an OPTIONS request on any resource implemented by that server. A value of "access-control" in the DAV header MUST indicate that the server supports all MUST level requirements and REQUIRED features specified in this document.
7.2.1. Example - OPTIONS
>> Request << OPTIONS /foo.html HTTP/1.1 Host: www.example.com Content-Length: 0 >> Response << HTTP/1.1 200 OK DAV: 1, 2, access-control Allow: OPTIONS, GET, PUT, PROPFIND, PROPPATCH, ACL In this example, the OPTIONS response indicates that the server supports access control and that /foo.html can have its access control list modified by the ACL method.7.3. MOVE
When a resource is moved from one location to another due to a MOVE request, the non-inherited and non-protected ACEs in the DAV:acl property of the resource MUST NOT be modified, or the MOVE request fails. Handling of inherited and protected ACEs is intentionally undefined to give server implementations flexibility in how they implement ACE inheritance and protection.7.4. COPY
The DAV:acl property on the resource at the destination of a COPY MUST be the same as if the resource was created by an individual resource creation request (e.g., MKCOL, PUT). Clients wishing to preserve the DAV:acl property across a copy need to read the DAV:acl property prior to the COPY, then perform an ACL operation on the new resource at the destination to restore, insofar as this is possible, the original access control list.7.5. LOCK
A lock on a resource ensures that only the lock owner can modify ACEs that are not inherited and not protected (these are the only ACEs that a client can modify with an ACL request). A lock does not protect inherited or protected ACEs, since a client cannot modify them with an ACL request on that resource.