José A Lozada IS373.
Introduction
Governing Standards Body
History
Specifications
Advantages / Drawbacks
Application
Conclusion
Question & Answer Session
Overview
HTTP lacks functionality for adequate remote document authoring
Set of extensions to the HTTP protocol
◦ Properties – Access, read and manipulate document metadata such as author, creation date, etc.
◦ Collections – Ability to create a set of documents and retrieve a hierarchical listing
◦ Locking – Prevents the “lost update problem”, which occurs when two users update the same document
◦ Namespace Operations – Ability to copy and move documents
◦ Searching and Locating – Ability to issue queries and receive result sets, making use of the server-side search capabilities
◦ Versioning – Ability for a document to automatically create versions of itself as it is updated, which can be retrieved later
◦ Access Control – Allows access to and manipulation of document permissions
Introduction
Internet Engineering Task Force (IETF)
◦ Cost: None
◦ Paid By: Volunteers
◦ Timeliness: 1 year (Base-Level Functionality)
◦ Legitimacy: WebDAV Working Group Charter
◦ Structure: Formal Documentation (RFC)
◦ Process: Democratic
◦ Participation: Open
Governing Standards Body
WebDAV Request for Comments
◦ Requirements Document
  Released: RFC2291 – February 1998
◦ Base Level Functionality
  Released: RFC2518 – February 1999
    Properties, Collections, Locking, Namespace Operations
  Revision: RFC4918 – June 2007
◦ Versioning
  Released: RFC3253 – March 2002
◦ Access Control
  Released: RFC3744 – May 2004
◦ SEARCH (DSL)
  Released: RFC5323 – November 2008
History
PROPFIND
◦ Retrieves properties defined on the resource
PROPPATCH
◦ Sets or removes properties defined on the resource
MKCOL
◦ Creates a collection resource
DELETE (Collections)
◦ Deletes a collection and all its members
PUT (Non-Collections)
◦ Creates a non-collection resource
COPY (Non-Collections, Properties, Collections)
◦ Copies a resource to a specified destination
Specifications
MOVE (Non-Collections, Properties, Collections)
◦ Copies a resource to a specified destination and deletes the source
LOCK
◦ Locks a resource
UNLOCK
◦ Unlocks a resource
Specifications (Cont’d)
Request Example:

    PROPPATCH /bar.html HTTP/1.1
    Host: www.example.com
    Content-Type: application/xml; charset="utf-8"
    Content-Length: xxxx

    <?xml version="1.0" encoding="utf-8" ?>
    <D:propertyupdate xmlns:D="DAV:"
        xmlns:Z="http://ns.example.com/standards/z39.50/">
      <D:set>
        <D:prop>
          <Z:Authors>
            <Z:Author>Jim Whitehead</Z:Author>
            <Z:Author>Roy Fielding</Z:Author>
          </Z:Authors>
        </D:prop>
      </D:set>
      <D:remove>
        <D:prop><Z:Copyright-Owner/></D:prop>
      </D:remove>
    </D:propertyupdate>
Specifications (Cont’d)
Response Example:

    HTTP/1.1 207 Multi-Status
    Content-Type: application/xml; charset="utf-8"
    Content-Length: xxxx

    <?xml version="1.0" encoding="utf-8" ?>
    <D:multistatus xmlns:D="DAV:"
        xmlns:Z="http://ns.example.com/standards/z39.50/">
      <D:response>
        <D:href>http://www.example.com/bar.html</D:href>
        <D:propstat>
          <D:prop><Z:Authors/></D:prop>
          <D:status>HTTP/1.1 424 Failed Dependency</D:status>
        </D:propstat>
        <D:propstat>
          <D:prop><Z:Copyright-Owner/></D:prop>
          <D:status>HTTP/1.1 409 Conflict</D:status>
        </D:propstat>
        <D:responsedescription> Copyright Owner cannot be deleted or
          altered.</D:responsedescription>
      </D:response>
    </D:multistatus>
Specifications (Cont’d)
Security
Privacy
Pervasiveness
Reliability
Robustness
Interoperability
Community Support
Maintainability
Ease of use
Advantages / Drawbacks
Advantages
◦ Native Authentication Support
Drawbacks
◦ Requests are sent in plain text over the internet. A third party can intercept them and see the password and data being passed.
  To prevent this, Secure Socket Layer (SSL) should be used via the https:// protocol.
Other
◦ IIS6 WebDAV Authentication Bypass Exploit (Fixed)
Security
Advantages
◦ The underlying file system can impose its file permissions on WebDAV requests to ensure the files are accessed by the intended users.
Drawbacks
◦ Cases have been reported where WebDAV clients have provided a user with access to a document they would not have access to using the file system directly.
Privacy
Advantages
◦ The current versions of the major web server applications support WebDAV.
  Apache
  Microsoft’s Internet Information Services (IIS)
◦ Modern operating systems have built-in WebDAV clients.
Drawbacks
◦ WebDAV is not considered a priority feature
  True support for WebDAV is available in Apache2 but PHP is not fully compatible with Apache2. This results in WebDAV not being supported by many hosting services that depend on Apache and support PHP.
Pervasiveness
Advantages
◦ If a connection is lost, WebDAV ensures locks remain intact until the user reconnects and releases them or they time out.
◦ A revision addressing major issues has already been released.
◦ Is accessible through port 80, which is not blocked by ISPs the way other ports, such as the FTP port, usually are.
◦ Is not its own file system; it runs on top of existing file systems that have already been thoroughly tested
Drawbacks
◦ Inherits the vulnerabilities of HTTP.
  Denial of Service Attacks
Reliability
Advantages
◦ Base-level functionality has been in use for over 10 years.
◦ Only one revision needed to address problems.
◦ Is a set of extensions to HTTP, which has been in use since 1990 and is nowadays used by every device with Internet support.
Drawbacks
◦ Some of the advanced features have been released recently and are not thoroughly tested.
Robustness
Advantages
◦ Is a set of extensions to HTTP so it can be accessed by any device with Internet support.
◦ It adheres to XML specifications for data transfers.
◦ The above technologies are currently universal and supported by all major vendors. As a result, implementing a WebDAV component does not require adding support for new technologies.
Drawbacks
◦ No major drawbacks.
Interoperability
Advantages
◦ Active Community
  IIS 7 - http://forums.iis.net - March 2010
  Apache2 - http://www.howtoforge.com/how-to-set-up-webdav-with-apache2-on-ubuntu-9.10 - February 2010
◦ Additional Released Extensions
  Ordered Collections Protocol: RFC3648 – December 2003
◦ Proposed Extensions (Drafts)
  Redirect Reference Resources: RFC4437 – March 2006
  Many other enhancements to collections and properties.
◦ Spinoffs
  CalDAV – Remote access to scheduling information
  CardDAV – Remote access to an address book
Drawbacks
◦ No major drawbacks.
Community Support
Advantages
◦ Is not a separate file system, just a remote entry point for accessing part of an already existing file system.
Drawbacks
◦ Another entry point into the file system that hackers can attempt to breach.
Maintainability
Advantages
◦ One of the design requirements was to minimize complexity to allow for easy or unambiguous implementation.
◦ Works like and has all the same functionality as a regular file system.
◦ Clients are designed to mimic familiar file system manipulation tools.
Drawbacks
◦ No major drawbacks.
Ease of use
WebDAV Support in 2001
Document Authoring
◦ Microsoft Word 2000
◦ Microsoft Excel 2000
◦ Microsoft PowerPoint 2000
◦ Microsoft Publisher 2000
◦ Adobe Photoshop 6
◦ Adobe Acrobat 5
◦ Excosoft Documentor (XML Editor)
Web Site Authoring
◦ Adobe Go Live 5
◦ Macromedia Dreamweaver 4
File Managers
◦ Apple MacOS X webdavfs
◦ RiverFront WebDrive
◦ GNOME Nautilus
◦ Goliath
◦ cadaver
◦ sitecopy
Servers
◦ Apache mod_dav
◦ Microsoft IIS 5
◦ Microsoft Exchange 2000
◦ Microsoft Sharepoint
◦ Adobe InScope
◦ Oracle Internet File System
◦ Xythos Storage Server
◦ Novell Netware 5.1
◦ Novell Net Publisher
◦ Endeavors MagiExpress
◦ W3C Jigsaw
◦ IBM DAV4J
◦ CyberTeams WebSite Director
◦ HyperWave Information Server 5.5
◦ Openlink Virtuoso
◦ Intraspect Intraspect4
◦ DataChannel DataChannelServer (DCS 4.1)
Applications
WebDAV Support in 2010
◦ Apache2
◦ Microsoft Internet Information Services 7.0
◦ Microsoft Exchange Server 2007
◦ Microsoft Windows 7
◦ Mac OS X
◦ Subversion (Version control system)
◦ Third party APIs
Websites Providing WebDAV file storage
◦ DreamHost.com
◦ Venuecom.com (CalDAV)
Applications (Cont’d)
WebDAV in Infancy (Advanced Components)
◦ Final part completed in November 2008
◦ No revision for Versioning, which has problems
Good
◦ The base-level functionality has been widely adopted by industry leaders (MS, Mac, Apache)
◦ People are interested in improving it and using it, as evident by the many draft RFCs available
◦ Many spinoffs that use its model as a base (CalDAV, CardDAV)
Competition
◦ No general support for competitive products
  Amazon Simple Storage Service uses a proprietary protocol
  Users asked on its forum “Why not use WebDAV?”
Conclusion
RFC2291
RFC2518
RFC4918
RFC3253
RFC3744
RFC5323
RFC3648
RFC4437
http://www.ics.uci.edu/~ejw/authoring/
http://www.webdav.org/
http://www.microsoft.com/technet/security/advisory/971492.mspx
http://httpd.apache.org/docs/2.0/developer/thread_safety.html
References