Enabling WebDAV in a Tomcat webapp served by Apache

Abstract

Tomcat ships with a page that says WebDAV support is available, and that page is itself WebDAV enabled. Unfortunately there is no documentation on how to enable WebDAV in other webapps. This page describes how to WebDAV-enable any webapp and then how to configure Apache to control access to it.

It is assumed that you already have a working Tomcat and Apache, connected via mod_jk2 or something similar. The instructions are also useful if you are using a standalone Tomcat; in that case, however, you will need to get Tomcat to do the authentication.

Modifications to web.xml

The file <CATALINA_HOME>/webapps/<WEBAPP_NAME>/WEB-INF/web.xml needs to be modified in two ways. First, you need to add the WebDAV servlet and set it to catch all requests:

<!-- WebDAV enable the app -->
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
<!-- Comment this out to disable read/write access -->
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
<!--load-on-startup>1</load-on-startup-->
  </servlet>

<!-- The mapping for the WebDAV servlet -->
  <servlet-mapping>
    <servlet-name>webdav</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

Second, we have to add a security constraint. As I am using Apache, I will just force HTTPS here and configure Apache to authenticate the user. Alternatively, you could add an <auth-constraint> section and do the authentication with Tomcat. I think that the page should always be password protected, and the <transport-guarantee>CONFIDENTIAL</transport-guarantee> section will ensure that the credentials can't be eavesdropped easily.

<!-- Force the WebDAV methods to go over HTTPS. Apache can take care of authentication -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>The Entire Web Application</web-resource-name>
<!-- Catch requests to all URLs in this webapp using the WebDAV HTTP methods -->
      <url-pattern>/*</url-pattern>
      <http-method>PROPFIND</http-method>
      <http-method>PROPPATCH</http-method>
      <http-method>COPY</http-method>
      <http-method>MOVE</http-method>
      <http-method>LOCK</http-method>
      <http-method>UNLOCK</http-method>
    </web-resource-collection>
<!-- Don't accept unless the channel is secure (HTTPS). If HTTP is used a redirect will be issued but many WebDAV clients ignore it -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Modifications to ssl.conf

We need to configure Apache to authenticate the user when the WebDAV methods are used. The following section needs to be put into the SSL virtual host config. The location of this config varies: sometimes it is in the main httpd.conf file, but often (especially for Apache2) it is in a separate file called something like "ssl.conf". The location is likely to be /etc/httpd/conf/ or /etc/httpd/conf.d/. You may also have to set up the users and groups files. The users file is created and maintained with htpasswd. The groups file is edited by hand; an example follows the config.

  <Location /webapp/*>
    <LimitExcept GET HEAD OPTIONS POST>
      AuthType Basic
      AuthName WebAdmin
      AuthUserFile conf/authUsers/users
      AuthGroupFile conf/authUsers/groups
      require group webadmin
    </LimitExcept>
  </Location>
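
Added example (not part of the original page, nor Tomcat or Apache code): a small Python audit that reads the <security-constraint> from web.xml and the <LimitExcept> line from the SSL virtual host, then reports for each WebDAV method whether HTTPS is forced and whether Apache asks for credentials. The inputs are constructed copies of the snippets above; the function names are hypothetical, and one <web-resource-collection> per constraint is assumed.

```python
import re
import xml.etree.ElementTree as ET

# Methods a read/write WebDAV endpoint answers: RFC 4918 methods plus PUT and DELETE.
DAV_METHODS = ["PUT", "DELETE", "MKCOL", "PROPFIND", "PROPPATCH",
               "COPY", "MOVE", "LOCK", "UNLOCK"]

# Constructed input: the <security-constraint> and <LimitExcept> shown on this page.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>PROPFIND</http-method><http-method>PROPPATCH</http-method>
    <http-method>COPY</http-method><http-method>MOVE</http-method>
    <http-method>LOCK</http-method><http-method>UNLOCK</http-method>
  </web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""
APACHE_CONF = "<LimitExcept GET HEAD OPTIONS POST>\n  require group webadmin\n</LimitExcept>"

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def https_forced(web_xml, url_pattern="/*"):
    """Methods covered by a CONFIDENTIAL constraint on url_pattern ('*' = all)."""
    covered = set()
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        texts = lambda n: [e.text.strip() for e in sc.iter() if local(e.tag) == n and e.text]
        if "CONFIDENTIAL" not in texts("transport-guarantee") or url_pattern not in texts("url-pattern"):
            continue
        omitted = texts("http-method-omission")
        # Servlet spec: with no <http-method> listed, the constraint covers every method.
        covered |= set(DAV_METHODS) - set(omitted) if omitted else set(texts("http-method")) or {"*"}
    return covered

def auth_exempt(apache_conf):
    """Methods <LimitExcept> exempts from its auth directives; None if no such block."""
    m = re.search(r"<LimitExcept\s+([^>]+)>", apache_conf, re.I)
    return set(m.group(1).split()) if m else None

def audit(web_xml, apache_conf):
    """Per WebDAV method: is HTTPS forced by web.xml, is auth required by Apache?"""
    forced, exempt = https_forced(web_xml), auth_exempt(apache_conf)
    return {m: {"https_forced": "*" in forced or m in forced,
                "apache_auth": exempt is not None and m not in exempt} for m in DAV_METHODS}

if __name__ == "__main__":
    print(*audit(WEB_XML, APACHE_CONF).items(), sep="\n")
```

For the configuration on this page the audit reports PUT, DELETE and MKCOL with https_forced False: Apache still asks for credentials for them inside the SSL virtual host, but Tomcat's CONFIDENTIAL constraint does not apply to them unless matching <http-method> lines are added.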

Adding the users and groups

Add a user with the htpasswd utility as follows:
# htpasswd [ -c ] <PATH_TO_PASSWDFILE> <USERNAME>
The -c option creates the password file, overwriting any existing one, so it should only be used if PASSWDFILE doesn't already exist.

The groups file should look something like this:

    super: tom dick harriet
    user: sharon hayley
    webadmin: bud ellie