15.3 Security Considerations

WebDAV is very likely to meet the security requirements of a custom application, thanks to the security solutions that already exist for HTTP. HTTP/1.1 supports several authentication schemes; these are used in exactly the same way with WebDAV. Encryption is typically provided with SSL or TLS.

Basic Authentication

Basic authentication sends passwords in plain text. It is sufficient only for applications with the weakest security requirements, unless the entire connection is protected with transport-layer encryption.

Digest Authentication

Digest authentication is not considered fully secure, but it is so vastly preferable to Basic that there is little reason not to use it. Because Digest requires extra round trips, it slows down a protocol interaction, so implementors frequently choose the option of reusing "nonces" for the duration of a session. As long as an old nonce is still accepted, Digest is subject to replay attacks: an attacker can copy the Digest header from somebody else's message to authenticate improperly to the same server.
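As an added illustration that is not from the book, the following Python sketches the server side of RFC 2617 Digest (qop=auth) the way the paragraph above argues it should be done: nonces are time-limited and signed, and the nonce count (nc) is tracked, so a copied Authorization header is rejected instead of accepted. The realm, user name, password and URI are constructed values.

```python
import hashlib, hmac, os, time

def _h(s: str) -> str:
    """RFC 2617 H() primitive: hex MD5 of a string."""
    return hashlib.md5(s.encode()).hexdigest()

class DigestServer:
    """Digest verifier that refuses replayed (nonce, nc) pairs and expires nonces."""
    def __init__(self, realm, users, max_age=300):
        self.realm, self.users, self.max_age = realm, users, users and max_age
        self.key = os.urandom(32)   # signs nonces so a forged nonce is rejected
        self.seen = {}              # nonce -> highest nc accepted so far

    def new_nonce(self, now=None):
        ts = str(int(time.time() if now is None else now))
        mac = hmac.new(self.key, ts.encode(), "sha256").hexdigest()[:16]
        return f"{ts}:{mac}"

    def _nonce_state(self, nonce, now):
        ts, _, mac = nonce.partition(":")
        if not ts.isdigit():
            return "fail"
        good = hmac.new(self.key, ts.encode(), "sha256").hexdigest()[:16]
        if not hmac.compare_digest(mac, good):
            return "fail"                          # not one we issued
        return "stale" if now - int(ts) > self.max_age else "ok"

    def verify(self, method, auth, now=None):
        """auth: parsed Authorization fields. Returns ok / stale / replay / fail."""
        now = time.time() if now is None else now
        state = self._nonce_state(auth["nonce"], now)
        if state != "ok":
            return state
        nc = int(auth["nc"], 16)
        if nc <= self.seen.get(auth["nonce"], 0):
            return "replay"                        # nc reused: copied header
        pw = self.users.get(auth["username"])
        if pw is None:
            return "fail"
        ha1 = _h(f'{auth["username"]}:{self.realm}:{pw}')
        ha2 = _h(f'{method}:{auth["uri"]}')
        expected = _h(f'{ha1}:{auth["nonce"]}:{auth["nc"]}:{auth["cnonce"]}:auth:{ha2}')
        if not hmac.compare_digest(expected, auth["response"]):
            return "fail"
        self.seen[auth["nonce"]] = nc              # remember the count we accepted
        return "ok"

def client_response(username, password, realm, method, uri, nonce, nc, cnonce):
    """What a Digest client sends back for a challenge (qop=auth)."""
    ha1, ha2 = _h(f"{username}:{realm}:{password}"), _h(f"{method}:{uri}")
    return {"username": username, "uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce,
            "response": _h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")}
```

A real server would answer "stale" with a 401 carrying stale=true so the client retries with a fresh nonce without re-prompting, and "replay" or "fail" with a plain 401.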

SSL and TLS

SSL and TLS can easily be used to provide many important security features for WebDAV. In particular, encryption, message integrity, and certificates to verify server credentials are all easily provided. It's a little more complicated to set up SSL to authenticate client requests (e.g., for access control), because the client must have a certificate, and certificate distribution is not yet widespread. Instead, Basic authentication is used once the connection is secure. Most Web servers, as well as most Web browsers, support SSL now, although WebDAV applications may not.

Authorization and Access Control

Authorization involves granting specific users the authority to perform specific operations. Even without supporting the Access Control specification, a WebDAV server can provide detailed and fine-tuned access control. The only problem is that administering access control must then be done through some out-of-band mechanism. For instance, a Web-based interface could be built to allow many users to manage access control, or administrative tools could allow management of access control only by administrators.



WebDAV. Next Generation Collaborative Web Authoring
ISBN: 130652083
Year: 2003
Pages: 146