tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search

RFC 3744

 
 
 

Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol

Part 2 of 4, p. 15 to 39
Prev RFC Part       Next RFC Part

 


prevText      Top      Up      ToC       Page 15 
5.  Access Control Properties

   This specification defines a number of new properties for WebDAV
   resources.  Access control properties may be retrieved just like
   other WebDAV properties, using the PROPFIND method.  Since it is
   expensive, for many servers, to retrieve access control information,
   a PROPFIND allprop request (as defined in Section 12.14.1 of
   [RFC2518]) SHOULD NOT return the names and values of the properties
   defined in this section.

   Access control properties (especially DAV:acl and DAV:inherited-acl-
   set) are defined on the resource identified by the Request-URI of a
   PROPFIND request.  A direct consequence is that if the resource is
   accessible via multiple URI, the value of access control properties
   is the same across these URI.

   HTTP resources that support the WebDAV Access Control Protocol MUST
   contain the following properties.  Null resources (described in
   Section 3 of [RFC2518]) MUST NOT contain the following properties.

5.1.  DAV:owner

   This  property identifies a particular principal as being the "owner"
   of the resource.  Since the owner of a resource often has special
   access control capabilities (e.g., the owner frequently has permanent
   DAV:write-acl privilege), clients might display the resource owner in
   their user interface.

   Servers MAY implement DAV:owner as protected property and MAY return
   an empty DAV:owner element as property value in case no owner
   information is available.

   <!ELEMENT owner (href?)>

5.1.1.  Example: Retrieving DAV:owner

   This example shows a client request for the value of the DAV:owner
   property from a collection resource with URL http://www.example.com/
   papers/.  The principal making the request is authenticated using
   Digest authentication.  The value of DAV:owner is the URL http://
   www.example.com/acl/users/gstein, wrapped in the DAV:href XML
   element.

Top      Up      ToC       Page 16 
   >> Request <<

   PROPFIND /papers/ HTTP/1.1
   Host: www.example.com
   Content-type: text/xml; charset="utf-8"
   Content-Length: xxx
   Depth: 0
   Authorization: Digest username="jim",
     realm="users@example.com", nonce="...",
     uri="/papers/", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:propfind xmlns:D="DAV:">
     <D:prop>
       <D:owner/>
     </D:prop>
   </D:propfind>

   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:multistatus xmlns:D="DAV:">
     <D:response>
       <D:href>http://www.example.com/papers/</D:href>
       <D:propstat>
         <D:prop>
           <D:owner>
             <D:href>http://www.example.com/acl/users/gstein</D:href>
           </D:owner>
         </D:prop>
         <D:status>HTTP/1.1 200 OK</D:status>
       </D:propstat>
     </D:response>
   </D:multistatus>

5.1.2.  Example: An Attempt to Set DAV:owner

   The following example shows a client request to modify the value of
   the DAV:owner property on the resource with URL <http://
   www.example.com/papers>.  Since DAV:owner is a protected property on
   this particular server, it responds with a 207 (Multi-Status)
   response that contains a 403 (Forbidden) status code for the act of
   setting DAV:owner.  Section 8.2.1 of [RFC2518] describes PROPPATCH
   status code information,  Section 11 of [RFC2518] describes the

Top      Up      ToC       Page 17 
   Multi-Status response and Sections 1.6 and 3.12 of [RFC3253] describe
   additional error marshaling for PROPPATCH attempts on protected
   properties.

   >> Request <<

   PROPPATCH /papers/ HTTP/1.1
   Host: www.example.com
   Content-type: text/xml; charset="utf-8"
   Content-Length: xxx
   Depth: 0
   Authorization: Digest username="jim",
     realm="users@example.com", nonce="...",
     uri="/papers/", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:propertyupdate xmlns:D="DAV:">
     <D:set>
       <D:prop>
         <D:owner>
           <D:href>http://www.example.com/acl/users/jim</D:href>
         </D:owner>
       </D:prop>
     </D:set>
   </D:propertyupdate>

   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:multistatus xmlns:D="DAV:">
     <D:response>
       <D:href>http://www.example.com/papers/</D:href>
       <D:propstat>
         <D:prop><D:owner/></D:prop>
         <D:status>HTTP/1.1 403 Forbidden</D:status>
         <D:responsedescription>
           <D:error><D:cannot-modify-protected-property/></D:error>
           Failure to set protected property (DAV:owner)
         </D:responsedescription>
       </D:propstat>
     </D:response>
   </D:multistatus>

Top      Up      ToC       Page 18 
5.2.  DAV:group

   This property identifies a particular principal as being the "group"
   of the resource.  This property is commonly found on repositories
   that implement the Unix privileges model.

   Servers MAY implement DAV:group as protected property and MAY return
   an empty DAV:group element as property value in case no group
   information is available.

   <!ELEMENT group (href?)>

5.3.  DAV:supported-privilege-set

   This is a protected property that identifies the privileges defined
   for the resource.

   <!ELEMENT supported-privilege-set (supported-privilege*)>

   Each privilege appears as an XML element, where aggregate privileges
   list as sub-elements all of the privileges that they aggregate.

   <!ELEMENT supported-privilege
    (privilege, abstract?, description, supported-privilege*)>
   <!ELEMENT privilege ANY>

   An abstract privilege MUST NOT be used in an ACE for that resource.
   Servers MUST fail an attempt to set an abstract privilege.

   <!ELEMENT abstract EMPTY>

   A description is a human-readable description of what this privilege
   controls access to.  Servers MUST indicate the human language of the
   description using the xml:lang attribute and SHOULD consider the HTTP
   Accept-Language request header when selecting one of multiple
   available languages.

   <!ELEMENT description #PCDATA>

   It is envisioned that a WebDAV ACL-aware administrative client would
   list the supported privileges in a dialog box, and allow the user to
   choose non-abstract privileges to apply in an ACE.  The privileges
   tree is useful programmatically to map well-known privileges (defined
   by WebDAV or other standards groups) into privileges that are
   supported by any particular server implementation.  The privilege
   tree also serves to hide complexity in implementations allowing large
   number of privileges to be defined by displaying aggregates to the
   user.

Top      Up      ToC       Page 19 
5.3.1.  Example: Retrieving a List of Privileges Supported on a Resource

   This example shows a client request for the DAV:supported-privilege-
   set property on the resource http://www.example.com/papers/.  The
   value of the DAV:supported-privilege-set property is a tree of
   supported privileges (using "[XML Namespace , localname]" to identify
   each privilege):

   [DAV:, all] (aggregate, abstract)
      |
      +-- [DAV:, read] (aggregate)
             |
             +-- [DAV:, read-acl] (abstract)
             +-- [DAV:, read-current-user-privilege-set] (abstract)
      |
      +-- [DAV:, write] (aggregate)
             |
             +-- [DAV:, write-acl] (abstract)
             +-- [DAV:, write-properties]
             +-- [DAV:, write-content]
      |
      +-- [DAV:, unlock]

   This privilege tree is not normative (except that it reflects the
   normative aggregation rules given in Section 3.12), and many possible
   privilege trees are possible.

   >> Request <<

   PROPFIND /papers/ HTTP/1.1
   Host: www.example.com
   Content-type: text/xml; charset="utf-8"
   Content-Length: xxx
   Depth: 0
   Authorization: Digest username="gclemm",
     realm="users@example.com", nonce="...",
     uri="/papers/", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:propfind xmlns:D="DAV:">
     <D:prop>
       <D:supported-privilege-set/>
     </D:prop>
   </D:propfind>

Top      Up      ToC       Page 20 
   >> Response <<

   HTTP/1.1 207 Multi-Status

   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:multistatus xmlns:D="DAV:">
     <D:response>
       <D:href>http://www.example.com/papers/</D:href>
       <D:propstat>
         <D:prop>
           <D:supported-privilege-set>
             <D:supported-privilege>
               <D:privilege><D:all/></D:privilege>
              <D:abstract/>
               <D:description xml:lang="en">
                 Any operation
               </D:description>
               <D:supported-privilege>
                 <D:privilege><D:read/></D:privilege>
                 <D:description xml:lang="en">
                   Read any object
                 </D:description>
                 <D:supported-privilege>
                   <D:privilege><D:read-acl/></D:privilege>
                   <D:abstract/>
                   <D:description xml:lang="en">Read ACL</D:description>
                 </D:supported-privilege>
                 <D:supported-privilege>
                   <D:privilege>
                     <D:read-current-user-privilege-set/>
                   </D:privilege>
                   <D:abstract/>
                   <D:description xml:lang="en">
                     Read current user privilege set property
                   </D:description>
                 </D:supported-privilege>
               </D:supported-privilege>
               <D:supported-privilege>
                 <D:privilege><D:write/></D:privilege>
                 <D:description xml:lang="en">
                   Write any object
                 </D:description>
                 <D:supported-privilege>
                   <D:privilege><D:write-acl/></D:privilege>
                   <D:description xml:lang="en">

Top      Up      ToC       Page 21 
                     Write ACL
                   </D:description>
                   <D:abstract/>
                 </D:supported-privilege>
                 <D:supported-privilege>
                   <D:privilege><D:write-properties/></D:privilege>
                   <D:description xml:lang="en">
                     Write properties
                   </D:description>
                 </D:supported-privilege>
                 <D:supported-privilege>
                   <D:privilege><D:write-content/></D:privilege>
                   <D:description xml:lang="en">
                     Write resource content
                   </D:description>
                 </D:supported-privilege>
               </D:supported-privilege>
               <D:supported-privilege>
                 <D:privilege><D:unlock/></D:privilege>
                 <D:description xml:lang="en">
                   Unlock resource
                 </D:description>
               </D:supported-privilege>
             </D:supported-privilege>
           </D:supported-privilege-set>
         </D:prop>
         <D:status>HTTP/1.1 200 OK</D:status>
       </D:propstat>
     </D:response>
   </D:multistatus>

5.4.  DAV:current-user-privilege-set

   DAV:current-user-privilege-set is a protected property containing the
   exact set of privileges (as computed by the server) granted to the
   currently authenticated HTTP user.  Aggregate privileges and their
   contained privileges are listed.  A user-agent can use the value of
   this property to adjust its user interface to make actions
   inaccessible (e.g., by graying out a menu item or button) for which
   the current principal does not have permission.  This property is
   also useful for determining what operations the current principal can
   perform, without having to actually execute an operation.

   <!ELEMENT current-user-privilege-set (privilege*)>
   <!ELEMENT privilege ANY>

Top      Up      ToC       Page 22 
   If the current user is granted a specific privilege, that privilege
   must belong to the set of privileges that may be set on this
   resource.  Therefore, each element in the DAV:current-user-
   privilege-set property MUST identify a non-abstract privilege from
   the DAV:supported-privilege-set property.

5.4.1.  Example: Retrieving the User's Current Set of Assigned
        Privileges

   Continuing the example from Section 5.3.1, this example shows a
   client requesting the DAV:current-user-privilege-set property from
   the resource with URL http://www.example.com/papers/.  The username
   of the principal making the request is "khare", and Digest
   authentication is used in the request.  The principal with username
   "khare" has been granted the DAV:read privilege.  Since the DAV:read
   privilege contains the DAV:read-acl and DAV:read-current-user-
   privilege-set privileges (see Section 5.3.1), the principal with
   username "khare" can read the ACL property, and the DAV:current-
   user-privilege-set property.  However, the DAV:all, DAV:read-acl,
   DAV:write-acl and DAV:read-current-user-privilege-set privileges are
   not listed in the value of DAV:current-user-privilege-set, since (for
   this example) they are abstract privileges.  DAV:write is not listed
   since the principal with username "khare" is not listed in an ACE
   granting that principal write permission.

   >> Request <<

   PROPFIND /papers/ HTTP/1.1
   Host: www.example.com
   Content-type: text/xml; charset="utf-8"
   Content-Length: xxx
   Depth: 0
   Authorization: Digest username="khare",
     realm="users@example.com", nonce="...",
     uri="/papers/", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:propfind xmlns:D="DAV:">
     <D:prop>
       <D:current-user-privilege-set/>
     </D:prop>
   </D:propfind>

Top      Up      ToC       Page 23 
   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:multistatus xmlns:D="DAV:">
     <D:response>
     <D:href>http://www.example.com/papers/</D:href>
     <D:propstat>
       <D:prop>
         <D:current-user-privilege-set>
           <D:privilege><D:read/></D:privilege>
         </D:current-user-privilege-set>
       </D:prop>
       <D:status>HTTP/1.1 200 OK</D:status>
     </D:propstat>
     </D:response>
   </D:multistatus>

5.5.  DAV:acl

   This is a protected property that specifies the list of access
   control entries (ACEs), which define what principals are to get what
   privileges for this resource.

   <!ELEMENT acl (ace*) >

   Each DAV:ace element specifies the set of privileges to be either
   granted or denied to a single principal.  If the DAV:acl property is
   empty, no principal is granted any privilege.

   <!ELEMENT ace ((principal | invert), (grant|deny), protected?,
                  inherited?)>

5.5.1.  ACE Principal

   The DAV:principal element identifies the principal to which this ACE
   applies.

   <!ELEMENT principal (href | all | authenticated | unauthenticated
    | property | self)>

   The current user matches DAV:href only if that user is authenticated
   as being (or being a member of) the principal identified by the URL
   contained by that DAV:href.

Top      Up      ToC       Page 24 
   The current user always matches DAV:all.

   <!ELEMENT all EMPTY>

   The current user matches DAV:authenticated only if authenticated.

   <!ELEMENT authenticated EMPTY>

   The current user matches DAV:unauthenticated only if not
   authenticated.

   <!ELEMENT unauthenticated EMPTY>

   DAV:all is the union of DAV:authenticated, and DAV:unauthenticated.
   For a given request, the user matches either DAV:authenticated, or
   DAV:unauthenticated, but not both (that is, DAV:authenticated and
   DAV:unauthenticated are disjoint sets).

   The current user matches a DAV:property principal in a DAV:acl
   property of a resource only if the value of the identified property
   of that resource contains at most one DAV:href XML element, the URI
   value of DAV:href identifies a principal, and the current user is
   authenticated as being (or being a member of) that principal.  For
   example, if the DAV:property element contained <DAV:owner/>, the
   current user would match the DAV:property principal only if the
   current user is authenticated as matching the principal identified by
   the DAV:owner property of the resource.

   <!ELEMENT property ANY>

   The current user matches DAV:self in a DAV:acl property of the
   resource only if that resource is a principal and that principal
   matches the current user or, if the principal is a group, a member of
   that group matches the current user.

   <!ELEMENT self EMPTY>

   Some servers may support ACEs applying to those users NOT matching
   the current principal, e.g., all users not in a particular group.
   This can be done by wrapping the DAV:principal element with
   DAV:invert.

   <!ELEMENT invert principal>

Top      Up      ToC       Page 25 
5.5.2.  ACE Grant and Deny

   Each DAV:grant or DAV:deny element specifies the set of privileges to
   be either granted or denied to the specified principal.  A DAV:grant
   or DAV:deny element of the DAV:acl of a resource MUST only contain
   non-abstract elements specified in the DAV:supported-privilege-set of
   that resource.

   <!ELEMENT grant (privilege+)>
   <!ELEMENT deny (privilege+)>
   <!ELEMENT privilege ANY>

5.5.3.  ACE Protection

   A server indicates an ACE is protected by including the DAV:protected
   element in the ACE.  If the ACL of a resource contains an ACE with a
   DAV:protected element, an attempt to remove that ACE from the ACL
   MUST fail.

   <!ELEMENT protected EMPTY>

5.5.4.  ACE Inheritance

   The presence of a DAV:inherited element indicates that this ACE is
   inherited from another resource that is identified by the URL
   contained in a DAV:href element.  An inherited ACE cannot be modified
   directly, but instead the ACL on the resource from which it is
   inherited must be modified.

   Note that ACE inheritance is not the same as ACL initialization.  ACL
   initialization defines the ACL that a newly created resource will use
   (if not specified).  ACE inheritance refers to an ACE that is
   logically shared - where an update to the resource containing an ACE
   will affect the ACE of each resource that inherits that ACE.  The
   method by which ACLs are initialized or by which ACEs are inherited
   is not defined by this document.

   <!ELEMENT inherited (href)>

5.5.5.  Example: Retrieving a Resource's Access Control List

   Continuing the example from Sections 5.3.1 and 5.4.1, this example
   shows a client requesting the DAV:acl property from the resource with
   URL http://www.example.com/papers/.  There are two ACEs defined in
   this ACL:

Top      Up      ToC       Page 26 
   ACE #1: The group identified by URL http://www.example.com/acl/
   groups/maintainers (the group of site maintainers) is granted
   DAV:write privilege.  Since (for this example) DAV:write contains the
   DAV:write-acl privilege (see Section 5.3.1), this means the
   "maintainers" group can also modify the access control list.

   ACE #2: All principals (DAV:all) are granted the DAV:read privilege.
   Since (for this example) DAV:read contains DAV:read-acl and
   DAV:read-current-user-privilege-set, this means all users (including
   all members of the "maintainers" group) can read the DAV:acl property
   and the DAV:current-user-privilege-set property.

   >> Request <<

   PROPFIND /papers/ HTTP/1.1
   Host: www.example.com
   Content-type: text/xml; charset="utf-8"
   Content-Length: xxx
   Depth: 0
   Authorization: Digest username="masinter",
     realm="users@example.com", nonce="...",
     uri="/papers/", response="...", opaque="..."

   <D:propfind xmlns:D="DAV:">
     <D:prop>
       <D:acl/>
     </D:prop>
   </D:propfind>

   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <D:multistatus xmlns:D="DAV:">
     <D:response>
       <D:href>http://www.example.com/papers/</D:href>
       <D:propstat>
         <D:prop>
           <D:acl>
           <D:ace>
             <D:principal>
               <D:href
               >http://www.example.com/acl/groups/maintainers</D:href>
             </D:principal>
             <D:grant>
               <D:privilege><D:write/></D:privilege>

Top      Up      ToC       Page 27 
             </D:grant>
           </D:ace>
           <D:ace>
             <D:principal>
               <D:all/>
             </D:principal>
             <D:grant>
               <D:privilege><D:read/></D:privilege>
             </D:grant>
           </D:ace>
         </D:acl>
         </D:prop>
         <D:status>HTTP/1.1 200 OK</D:status>
       </D:propstat>
     </D:response>
   </D:multistatus>

5.6.  DAV:acl-restrictions

   This protected property defines the types of ACLs supported by this
   server, to avoid clients needlessly getting errors.  When a client
   tries to set an ACL via the ACL method, the server may reject the
   attempt to set the ACL as specified.  The following properties
   indicate the restrictions the client must observe before setting an
   ACL:

   <grant-only> Deny ACEs are not supported

   <no-invert> Inverted ACEs are not supported

   <deny-before-grant> All deny ACEs must occur before any grant ACEs

   <required-principal> Indicates which principals are required to be
      present


   <!ELEMENT acl-restrictions (grant-only?, no-invert?,
                               deny-before-grant?,
                               required-principal?)>

5.6.1.  DAV:grant-only

   This element indicates that ACEs with deny clauses are not allowed.

   <!ELEMENT grant-only EMPTY>

Top      Up      ToC       Page 28 
5.6.2.  DAV:no-invert ACE Constraint

   This element indicates that ACEs with the <invert> element are not
   allowed.

   <!ELEMENT no-invert EMPTY>

5.6.3.  DAV:deny-before-grant

   This element indicates that all deny ACEs must precede all grant
   ACEs.

   <!ELEMENT deny-before-grant EMPTY>

5.6.4.  Required Principals

   The required principal elements identify which principals must have
   an ACE defined in the ACL.

   <!ELEMENT required-principal
     (all? | authenticated? | unauthenticated? | self? | href* |
      property*)>

   For example, the following element requires that the ACL contain a

   DAV:owner property ACE:

   <D:required-principal xmlns:D="DAV:">
     <D:property><D:owner/></D:property>
   </D:required-principal>

5.6.5.  Example: Retrieving DAV:acl-restrictions

   In this example, the client requests the value of the DAV:acl-
   restrictions property.  Digest authentication provides credentials
   for the principal operating the client.

   >> Request <<

   PROPFIND /papers/ HTTP/1.1
   Host: www.example.com
   Content-type: text/xml; charset="utf-8"
   Content-Length: xxx
   Depth: 0
   Authorization: Digest username="srcarter",
     realm="users@example.com", nonce="...",
     uri="/papers/", response="...", opaque="..."

Top      Up      ToC       Page 29 
   <?xml version="1.0" encoding="utf-8" ?>
   <D:propfind xmlns:D="DAV:">
     <D:prop>
       <D:acl-restrictions/>
     </D:prop>
   </D:propfind>

   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:multistatus xmlns:D="DAV:">
     <D:response>
       <D:href>http://www.example.com/papers/</D:href>
       <D:propstat>
         <D:prop>
           <D:acl-restrictions>
             <D:grant-only/>
             <D:required-principal>
               <D:all/>
             </D:required-principal>
           </D:acl-restrictions>
         </D:prop>
         <D:status>HTTP/1.1 200 OK</D:status>
       </D:propstat>
     </D:response>
   </D:multistatus>

5.7.  DAV:inherited-acl-set

   This protected property contains a set of URLs that identify other
   resources that also control the access to this resource.  To have a
   privilege on a resource, not only must the ACL on that resource
   (specified in the DAV:acl property of that resource) grant the
   privilege, but so must the ACL of each resource identified in the
   DAV:inherited-acl-set property of that resource.  Effectively, the
   privileges granted by the current ACL are ANDed with the privileges
   granted by each inherited ACL.

   <!ELEMENT inherited-acl-set (href*)>

Top      Up      ToC       Page 30 
5.8.  DAV:principal-collection-set

   This protected property of a resource contains a set of URLs that
   identify the root collections that contain the principals that are
   available on the server that implements this resource.  A WebDAV
   Access Control Protocol user agent could use the contents of
   DAV:principal-collection-set to retrieve the DAV:displayname property
   (specified in Section 13.2 of [RFC2518]) of all principals on that
   server, thereby yielding human-readable names for each principal that
   could be displayed in a user interface.

   <!ELEMENT principal-collection-set (href*)>

   Since different servers can control different parts of the URL
   namespace, different resources on the same host MAY have different
   DAV:principal-collection-set values.  The collections specified in
   the DAV:principal-collection-set MAY be located on different hosts
   from the resource. The URLs in DAV:principal-collection-set SHOULD be
   http or https scheme URLs.  For security and scalability reasons, a
   server MAY report only a subset of the entire set of known principal
   collections, and therefore clients should not assume they have
   retrieved an exhaustive listing.  Additionally, a server MAY elect to
   report none of the principal collections it knows about, in which
   case the property value would be empty.

   The value of DAV:principal-collection-set gives the scope of the
   DAV:principal-property-search REPORT (defined in Section 9.4).
   Clients use the DAV:principal-property-search REPORT to populate
   their user interface with a list of principals.  Therefore, servers
   that limit a client's ability to obtain principal information will
   interfere with the client's ability to manipulate access control
   lists, due to the difficulty of getting the URL of a principal for
   use in an ACE.

5.8.1.  Example: Retrieving DAV:principal-collection-set

   In this example, the client requests the value of the DAV:principal-
   collection-set property on the collection resource identified by URL
   http://www.example.com/papers/.  The property contains the two URLs,
   http://www.example.com/acl/users/ and http://
   www.example.com/acl/groups/, both wrapped in DAV:href XML elements.
   Digest authentication provides credentials for the principal
   operating the client.

Top      Up      ToC       Page 31 
   The client might reasonably follow this request with two separate
   PROPFIND requests to retrieve the DAV:displayname property of the
   members of the two collections (/acl/users and /acl/groups).  This
   information could be used when displaying a user interface for
   creating access control entries.

   >> Request <<

   PROPFIND /papers/ HTTP/1.1
   Host: www.example.com
   Content-type: text/xml; charset="utf-8"
   Content-Length: xxx
   Depth: 0
   Authorization: Digest username="yarong",
     realm="users@example.com", nonce="...",
     uri="/papers/", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:propfind xmlns:D="DAV:">
     <D:prop>
       <D:principal-collection-set/>
     </D:prop>
   </D:propfind>

   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:multistatus xmlns:D="DAV:">
     <D:response>
       <D:href>http://www.example.com/papers/</D:href>
       <D:propstat>
         <D:prop>
           <D:principal-collection-set>
             <D:href>http://www.example.com/acl/users/</D:href>
             <D:href>http://www.example.com/acl/groups/</D:href>
           </D:principal-collection-set>
         </D:prop>
       <D:status>HTTP/1.1 200 OK</D:status>
       </D:propstat>
     </D:response>
   </D:multistatus>

Top      Up      ToC       Page 32 
5.9.  Example: PROPFIND to retrieve access control properties

   The following example shows how access control information can be
   retrieved by using the PROPFIND method to fetch the values of the
   DAV:owner, DAV:supported-privilege-set, DAV:current-user-privilege-
   set, and DAV:acl properties.

   >> Request <<

   PROPFIND /top/container/ HTTP/1.1
   Host: www.example.com
   Content-type: text/xml; charset="utf-8"
   Content-Length: xxx
   Depth: 0
   Authorization: Digest username="ejw",
     realm="users@example.com", nonce="...",
     uri="/top/container/", response="...", opaque="..."

   <?xml version="1.0" encoding="utf-8" ?>
   <D:propfind xmlns:D="DAV:">
     <D:prop>
       <D:owner/>
       <D:supported-privilege-set/>
       <D:current-user-privilege-set/>
       <D:acl/>
     </D:prop>
   </D:propfind>

   >> Response <<

   HTTP/1.1 207 Multi-Status
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <?xml version="1.0" encoding="utf-8" ?>
   <D:multistatus xmlns:D="DAV:"
                  xmlns:A="http://www.example.com/acl/">
     <D:response>
       <D:href>http://www.example.com/top/container/</D:href>
       <D:propstat>
         <D:prop>
           <D:owner>
             <D:href>http://www.example.com/users/gclemm</D:href>
           </D:owner>
           <D:supported-privilege-set>
             <D:supported-privilege>
               <D:privilege><D:all/></D:privilege>
               <D:abstract/>

Top      Up      ToC       Page 33 
               <D:description xml:lang="en">
                 Any operation
               </D:description>
               <D:supported-privilege>
                 <D:privilege><D:read/></D:privilege>
                 <D:description xml:lang="en">
                   Read any object
                 </D:description>
               </D:supported-privilege>
               <D:supported-privilege>
                 <D:privilege><D:write/></D:privilege>
                 <D:abstract/>
                 <D:description xml:lang="en">
                   Write any object
                 </D:description>
                 <D:supported-privilege>
                   <D:privilege><A:create/></D:privilege>
                   <D:description xml:lang="en">
                     Create an object
                   </D:description>
                 </D:supported-privilege>
                 <D:supported-privilege>
                   <D:privilege><A:update/></D:privilege>
                   <D:description xml:lang="en">
                     Update an object
                   </D:description>
                 </D:supported-privilege>
               </D:supported-privilege>
               <D:supported-privilege>
                 <D:privilege><A:delete/></D:privilege>
                 <D:description xml:lang="en">
                   Delete an object
                 </D:description>
               </D:supported-privilege>
               <D:supported-privilege>
                 <D:privilege><D:read-acl/></D:privilege>
                 <D:description xml:lang="en">
                   Read the ACL
                 </D:description>
               </D:supported-privilege>
               <D:supported-privilege>
                 <D:privilege><D:write-acl/></D:privilege>
                 <D:description xml:lang="en">
                   Write the ACL
                 </D:description>
               </D:supported-privilege>
             </D:supported-privilege>
           </D:supported-privilege-set>

Top      Up      ToC       Page 34 
           <D:current-user-privilege-set>
             <D:privilege><D:read/></D:privilege>
             <D:privilege><D:read-acl/></D:privilege>
           </D:current-user-privilege-set>
           <D:acl>
             <D:ace>
               <D:principal>
                 <D:href>http://www.example.com/users/esedlar</D:href>
               </D:principal>
               <D:grant>
                 <D:privilege><D:read/></D:privilege>
                 <D:privilege><D:write/></D:privilege>
                 <D:privilege><D:read-acl/></D:privilege>
               </D:grant>
             </D:ace>
             <D:ace>
               <D:principal>
                 <D:href>http://www.example.com/groups/mrktng</D:href>
               </D:principal>
               <D:deny>
                 <D:privilege><D:read/></D:privilege>
               </D:deny>
             </D:ace>
             <D:ace>
               <D:principal>
                 <D:property><D:owner/></D:property>
               </D:principal>
               <D:grant>
                 <D:privilege><D:read-acl/></D:privilege>
                 <D:privilege><D:write-acl/></D:privilege>
               </D:grant>
             </D:ace>
             <D:ace>
               <D:principal><D:all/></D:principal>
               <D:grant>
                 <D:privilege><D:read/></D:privilege>
               </D:grant>
               <D:inherited>
                 <D:href>http://www.example.com/top</D:href>
               </D:inherited>
             </D:ace>
           </D:acl>
         </D:prop>
         <D:status>HTTP/1.1 200 OK</D:status>
       </D:propstat>
     </D:response>
   </D:multistatus>

Top      Up      ToC       Page 35 
   The value of the DAV:owner property is a single DAV:href XML element
   containing the URL of the principal that owns this resource.

   The value of the DAV:supported-privilege-set property is a tree of
   supported privileges (using "[XML Namespace , localname]" to identify
   each privilege):

   [DAV:, all] (aggregate, abstract)
      |
      +-- [DAV:, read]
      +-- [DAV:, write] (aggregate, abstract)
             |
             +-- [http://www.example.com/acl, create]
             +-- [http://www.example.com/acl, update]
             +-- [http://www.example.com/acl, delete]
      +-- [DAV:, read-acl]
      +-- [DAV:, write-acl]

   The DAV:current-user-privilege-set property contains two privileges,
   DAV:read, and DAV:read-acl.  This indicates that the current
   authenticated user only has the ability to read the resource, and
   read the DAV:acl property on the resource.  The DAV:acl property
   contains a set of four ACEs:

   ACE #1: The principal identified by the URL http://www.example.com/
   users/esedlar is granted the DAV:read, DAV:write, and DAV:read-acl
   privileges.

   ACE #2: The principals identified by the URL http://www.example.com/
   groups/mrktng are denied the DAV:read privilege.  In this example,
   the principal URL identifies a group.

   ACE #3: In this ACE, the principal is a property principal,
   specifically the DAV:owner property.  When evaluating this ACE, the
   value of the DAV:owner property is retrieved, and is examined to see
   if it contains a DAV:href XML element.  If so, the URL within the
   DAV:href element is read, and identifies a principal.  In this ACE,
   the owner is granted DAV:read-acl, and DAV:write-acl privileges.

   ACE #4: This ACE grants the DAV:all principal (all users) the
   DAV:read privilege.  This ACE is inherited from the resource http://
   www.example.com/top, the parent collection of this resource.

Top      Up      ToC       Page 36 
6.  ACL Evaluation

   WebDAV ACLs are evaluated in similar manner as ACLs on Windows NT and
   in NFSv4 [RFC3530]).  An ACL is evaluated to determine whether or not
   access will be granted for a WebDAV request.  ACEs are maintained in
   a particular order, and are evaluated until all of the permissions
   required by the current request have been granted, at which point the
   ACL evaluation is terminated and access is granted.  If, during ACL
   evaluation, a <deny> ACE (matching the current user) is encountered
   for a privilege which has not yet been granted, the ACL evaluation is
   terminated and access is denied.  Failure to have all required
   privileges granted results in access being denied.

   Note that the semantics of many other existing ACL systems may be
   represented via this mechanism, by mixing deny and grant ACEs.  For
   example, consider the standard "rwx" privilege scheme used by UNIX.
   In this scheme, if the current user is the owner of the file, access
   is granted if the corresponding privilege bit is set and denied if
   not set, regardless of the permissions set on the file's group and
   for the world.  An ACL for UNIX permissions of "r--rw-r--" might be
   constructed like:

   <D:acl>
     <D:ace>
       <D:principal>
         <D:property><D:owner/></D:property>
       </D:principal>
       <D:grant>
         <D:privilege><D:read/></D:privilege>
       </D:grant>
     </D:ace>
     <D:ace>
       <D:principal>
         <D:property><D:owner/></D:property>
       </D:principal>
       <D:deny>
         <D:privilege><D:all/></D:privilege>
       </D:deny>
     </D:ace>
     <D:ace>
       <D:principal>
         <D:property><D:group/></D:property>
       </D:principal>
       <D:grant>
         <D:privilege><D:read/></D:privilege>
         <D:privilege><D:write/></D:privilege>
       </D:grant>
     </D:ace>

Top      Up      ToC       Page 37 
     <D:ace>
       <D:principal>
         <D:property><D:group/></D:property>
       </D:principal>
       <D:deny>
         <D:privilege><D:all/></D:privilege>
       </D:deny>
     </D:ace>
     <D:ace>
       <D:principal><D:all></D:principal>
       <D:grant>
         <D:privilege><D:read/></D:privilege>
       </D:grant>
     </D:ace>
   </D:acl>

   and the <acl-restrictions> would be defined as:

   <D:no-invert/>
   <D:required-principal>
     <D:all/>
     <D:property><D:owner/></D:property>
     <D:property><D:group/><D:group/>
   </D:required-principal>

   Note that the client can still get errors from a UNIX server in spite
   of obeying the <acl-restrictions>, including <D:allowed-principal>
   (adding an ACE specifying a principal other than the ones in the ACL
   above) or <D:ace-conflict> (by trying to reorder the ACEs in the
   example above), as these particular implementation semantics are too
   complex to be captured with the simple (but general) declarative
   restrictions.

7.  Access Control and existing methods

   This section defines the impact of access control functionality on
   existing methods.

7.1.  Any HTTP method

7.1.1.  Error Handling

   The WebDAV ACL mechanism requires the usage of HTTP method
   "preconditions" as described in section 1.6 of RFC3253 for ALL HTTP
   methods.  All HTTP methods have an additional precondition called
   DAV:need-privileges.  If an HTTP method fails due to insufficient
   privileges, the response body to the "403 Forbidden" error MUST
   contain the <DAV:error> element, which in turn contains the

Top      Up      ToC       Page 38 
   <DAV:need-privileges> element, which contains one or more
   <DAV:resource> elements indicating which resource had insufficient
   privileges, and what the lacking privileges were:

   <!ELEMENT need-privileges (resource)* >
   <!ELEMENT resource ( href , privilege ) >

   Since some methods require multiple permissions on multiple
   resources, this information is needed to resolve any ambiguity.
   There is no requirement that all privilege violations be reported -
   for implementation reasons, some servers may only report the first
   privilege violation.  For example:

   >> Request <<

   MOVE /a/b/ HTTP/1.1
   Host: www.example.com
   Destination: http://www.example.com/c/d

   >> Response <<

   HTTP/1.1 403 Forbidden
   Content-Type: text/xml; charset="utf-8"
   Content-Length: xxx

   <D:error xmlns:D="DAV:">
     <D:need-privileges>
       <D:resource>
         <D:href>/a</D:href>
         <D:privilege><D:unbind/></D:privilege>
       </D:resource>
       <D:resource>
         <D:href>/c</D:href>
         <D:privilege><D:bind/></D:privilege>
       </D:resource>
     </D:need-privileges>
   </D:error>

7.2.  OPTIONS

   If the server supports access control, it MUST return "access-
   control" as a field in the DAV response header from an OPTIONS
   request on any resource implemented by that server.  A value of
   "access-control" in the DAV header MUST indicate that the server
   supports all MUST level requirements and REQUIRED features specified
   in this document.

Top      Up      ToC       Page 39 
7.2.1.  Example - OPTIONS

   >> Request <<

   OPTIONS /foo.html HTTP/1.1
   Host: www.example.com
   Content-Length: 0

   >> Response <<

   HTTP/1.1 200 OK
   DAV: 1, 2, access-control
   Allow: OPTIONS, GET, PUT, PROPFIND, PROPPATCH, ACL

   In this example, the OPTIONS response indicates that the server
   supports access control and that /foo.html can have its access
   control list modified by the ACL method.

7.3.  MOVE

   When a resource is moved from one location to another due to a MOVE
   request, the non-inherited and non-protected ACEs in the DAV:acl
   property of the resource MUST NOT be modified, or the MOVE request
   fails.  Handling of inherited and protected ACEs is intentionally
   undefined to give server implementations flexibility in how they
   implement ACE inheritance and protection.

7.4.  COPY

   The DAV:acl property on the resource at the destination of a COPY
   MUST be the same as if the resource was created by an individual
   resource creation request (e.g., MKCOL, PUT).  Clients wishing to
   preserve the DAV:acl property across a copy need to read the DAV:acl
   property prior to the COPY, then perform an ACL operation on the new
   resource at the destination to restore, insofar as this is possible,
   the original access control list.

7.5.  LOCK

   A lock on a resource ensures that only the lock owner can modify ACEs
   that are not inherited and not protected  (these are the only ACEs
   that a client can modify with an ACL request).  A lock does not
   protect inherited or protected ACEs, since a client cannot modify
   them with an ACL request on that resource.


Next RFC Part