Configuring Secure WebDAV


Web Distributed Authoring and Versioning (WebDAV) was originally conceived of as a way to allow Web authors to access website files and make changes to them using HTTP, all on a live website. Since then, it has become a much more widely used method of file sharing because of its ease of use, much of which comes from the fact that it uses HTTP and because it runs over the same ports as the Web, so firewalls are seldom a barrier to use.

Since Web serving is typically about read-only access for everyone, configuring WebDAV requires that you:

  • Define realms (folders) to restrict access to WebDAV users (via Server Admin > Web > Settings > Realms).

  • Define User & Group access to those realms (via Server Admin > Web > Settings > Realms).

  • Allow file system-level Read & Write file permissions to the www user and group for each realm folder (via Workgroup Manager).

Creating Realms and Adding Access

The following procedure will add WebDAV to the services you are offering via SSL. This will be an "employees only" area of the website.

1. Launch /Applications/Server/Server Admin and connect to your server.

2. Select the Web service in the left frame, open the Settings tab using the button at the bottom of the main window, and click the Sites tab at the top of the frame.

3. Select the secure site you created in the previous exercise, and click the "Edit selected website" (/) button.

4. Click the Options tab and select WebDAV, then click the Realms tab.

5. Click the "Add a new realm" (+) button.

6. Either type in the path to the folder you want to make accessible, or navigate to it by clicking the path button (...) and selecting the folder you want. Click OK.

7. Click the "Add a new group to the currently selected realm" button.

Note that there is a typo in the pop-up note: it should be user, not group.

8. Enter the user short name, and select the access privileges you want the user to have.

Alternatively, you can click the Users & Groups button, drag in the users, and set their permissions by selecting the appropriate checkboxes.

9. Add the groups you'd like to have access to the realm the same way, either by clicking the "Add a new group to the currently selected realm" button or by clicking the Users & Groups button, selecting the Groups tab, and dragging the appropriate groups to the Groups box. Select the appropriate permissions.

10. When you are finished adding the users and groups you want and assigning their access privileges, click Save.

11. As in the previous exercise, add a Redirect to your unencrypted site to redirect users from the unencrypted site to the encrypted site.

12. If necessary, restart the Web service to make the changes take effect.

Setting File Permissions

The last part of getting WebDAV going is setting the proper file permissions. The default location of the Web directory is /Library/WebServer/Documents; the owner of it and its contents is root, and the group is admin. For Web folders, the owner and group (root and admin) have read, write, and execute privileges, and others have read and execute privileges (775, in UNIX parlance). For Web documents, the owner and group have read and write privileges, and others have read privileges (664). You simply need to change both the owner and group of the directories you are making available via WebDAV to www and www, respectively. This may seem like it's setting quite unrestricted privileges, but remember that the users, groups, and permissions you set up in realms are what restrict access via the Web.

1. Launch /Applications/Server/Workgroup Manager and connect to your server.

2. Click the Accounts icon in the toolbar at the top of the window, and then click the Groups tab beneath it.

3. Click the New Group button in the toolbar at the top of the window, and type a name for the group.

4. Click the "Add group members" (+) button and drag users (and optionally groups) to the Members area of the new group window.

5. When you are finished populating your members list, click Save.

6. Click the Sharing icon in the upper left of the toolbar, and then click the All tab underneath.

7. Select the folder you want to share out via WebDAV.

The example folder, employees, is inside /Library/WebServer/Documents.

8. In the right frame, click the Access tab at the top, and click the Users & Groups button at the bottom to reveal the Users & Groups drawer.

9. Drag the World Wide Web Server user (whose short name is www) to the Owner field, then click the Groups tab in the Users & Groups drawer.

10. Drag the HTTP Users group to the Group field.

11. Click the Save button and quit Workgroup Manager.
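The ownership and modes described in this section can also be checked from Terminal. The shell script below is an added example, not part of the book: the function names audit_realm, fix_realm and demo and the report format are its own, and the demo substitutes the current user for www so that it runs on a constructed folder without root.

```shell
#!/bin/sh
# Added example (not from the book): audit a WebDAV realm folder against the
# ownership and modes in the text: owner/group www, folders 775, documents 664.

# audit_realm DIR OWNER GROUP
# Prints one line per deviation; returns 0 if the tree is clean, 1 otherwise.
# Symlinks, FIFOs and devices in a web-writable tree are flagged for review.
audit_realm() {
    report=$(
        find "$1" ! -user "$2"        -exec printf 'owner %s\n' {} \;
        find "$1" ! -group "$3"       -exec printf 'group %s\n' {} \;
        find "$1" -type d ! -perm 775 -exec printf 'mode  %s (folder, want 775)\n' {} \;
        find "$1" -type f ! -perm 664 -exec printf 'mode  %s (document, want 664)\n' {} \;
        find "$1" ! -type d ! -type f -exec printf 'type  %s (not a file or folder)\n' {} \;
    )
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}

# fix_realm DIR OWNER GROUP
# Command-line counterpart of the Workgroup Manager steps. Handing files to
# another account (www) requires root.
fix_realm() {
    chown -R "$2:$3" "$1" &&
    find "$1" -type d -exec chmod 775 {} + &&
    find "$1" -type f -exec chmod 664 {} +
}

# Demo on a constructed tree. The current user stands in for www (assumption
# made so the demo needs no root access).
demo() {
    tree=$(mktemp -d) && mkdir "$tree/employees" || return 1
    echo handbook > "$tree/employees/handbook.txt"
    chmod 775 "$tree"
    chmod 700 "$tree/employees"               # tighter than the text's 775
    chmod 666 "$tree/employees/handbook.txt"  # world-writable, not 664
    audit_realm "$tree" "$(id -u)" "$(id -g)"
    fix_realm "$tree" "$(id -u)" "$(id -g)"
    audit_realm "$tree" "$(id -u)" "$(id -g)" && echo "clean after fix_realm"
    rm -rf "$tree"
}

if [ "${1:-}" = demo ]; then
    demo
elif [ "$#" -eq 3 ]; then
    audit_realm "$@"
fi
```

Saved under a name of your choice, the script takes `demo` as its only argument to run on the constructed tree, or a realm folder, owner and group (for example the employees folder with www and www) to audit a real one.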

In this configuration, you used Basic authentication, because you are running WebDAV in an SSL-encrypted site, so all communication between the browser and the Web server is encrypted. You should either encrypt your sessions in SSL or use Kerberos authentication (or both); the other methods alone give a false sense of security to users, and their account passwords can easily be compromised.

So how do you access the site? With a browser, it works the same way getting to WebMail does: type www.example.com/employees into the URL field of Safari, and you will be redirected to https://www.example.com/employees and asked to authenticate. Notice that the lock icon is in the upper-right corner of your browser window, indicating a secure session.

In the Finder's Go menu, select Connect to Server and type in the entire URL; the Finder does not follow Redirects.

A WebDAV authentication dialog will open; log in with your name and password.

A Finder window will appear with your WebDAV share mounted.




Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
EAN: 2147483647
Year: 2005
Pages: 258
Authors: Schoun Regan
