Newbie WebDAV security problem.
Adrian Harris
file of an Apache22 server running on FreeBSD.
<Directory "/usr/local/www/mywebsite">
Dav On
Order Allow,Deny
Deny from all
AuthType Digest
AuthName DAV-MyWebSite
# You can use the htdigest program to create the password
database:
# htdigest -c "/usr/local/user.passwd" DAV-upload admin
AuthUserFile "/usr/local/etc/user.passwd"
AuthDigestProvider file
# Allow universal read-access, but writes are restricted
# to the admin user.
<LimitExcept GET OPTIONS>
require user harrisa
</LimitExcept>
</Directory>
But I can still upload files from Expression Web. Is this because
there is another "Directory" definition for the actual Virtual host ?
I can't see why the "Deny from all" doesn't kill any attempt at
uploading.
Adrian.
Simon A Powell
my script below. Obviously you can change the names to groups (ie:
Require group banana etc.) but in doing this for the /webdav alias I get
read access for the guest user and read-write for the test user. Having
just two parameters here obviously makes my life a lot easier I guess
but feel free to use and abuse this. This lives in my
/etc/apache2/sites-available/default file by the way and not in my conf
file.
NameVirtualHost *
<VirtualHost *>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/web1/web/
<Directory /var/www/web1/web/>
Options Indexes MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
Alias /webdav /var/www/web1/web
<Location />
DAV On
AuthType Basic
AuthName "webdav"
AuthUserFile /var/www/web1/passwd.dav
<LimitExcept GET>
Require user guest
</LimitExcept>
</Location>
<Location /webdav>
DAV On
AuthType Basic
AuthName "webdav"
AuthUserFile /var/www/web1/passwd.dav
<LimitExcept OPTIONS GET REPORT PROPFIND>
Require user test
</LimitExcept>
</Location>
</VirtualHost>
Simon A Powell
Alias /webdav /var/www/web1/web
Simon A Powell
Alias /webdav /var/www/web1/web