Chapter 13. Access Control | WebDAV. Next Generation Collaborative Web Authoring

Just because a document is on a Web server doesn't mean that everybody can read and write it. Web pages on many public sites can be read by everybody but written only by authorized authors. The process of allowing some access to some users and not others is called access control. Administrators can configure Web servers with lists of what requests to allow, from whom, and to what resources. These lists are called access control lists (ACLs); they contain access control entries (ACEs). The WebDAV ACL proposal (in the final stages of standardization as of fall 2003) defines how a WebDAV client can interact with the server and potentially define the instructions in the server's ACLs.

WebDAV was originally standardized without access control because there was enough work to do simply standardizing the material in RFC2518. Access control is very hard to standardize. To start with, existing Web servers had completely incompatible access control models and couldn't make a change that would be incompatible with their deployed base.

In practice, lack of standard access control hasn't harmed the deployment of WebDAV too badly. ACLs are often set out-of-band by administrators rather than by users. When this is the case, administrators don't need WebDAV protocol elements or standards to set access controls. Instead, in most current systems, administrators use some direct interface to server software.

However, standardized access control is quite useful in many WebDAV scenarios. Intranet file sharing is more efficient when users can grant access to their resources without having to bother the administrator. Web site authoring benefits even more from the ability to set access control from remote standardized clients.

This chapter explains the ACL model and all the concepts from the ACL draft, but it doesn't describe all the details of the syntax. The syntax may still change slightly if ACL requires more modification to become a standard, but the model looks pretty firm. Some server and client implementors, including SAP and Xythos, already support the ACL proposal and have achieved mutual interoperability.