José A Lozada IS373: Introduction, Governing Standards Body, History, Specifications, Advantages / Drawbacks, Application, Conclusion, Question.


1 José A Lozada IS373

2
• Introduction
• Governing Standards Body
• History
• Specifications
• Advantages / Drawbacks
• Application
• Conclusion
• Question & Answer Session

3
• HTTP lacks the functionality needed for adequate remote document authoring
• WebDAV is a set of extensions for the HTTP protocol
  ◦ Properties – Access, read and manipulate document metadata such as author, creation date, etc.
  ◦ Collections – Ability to create a set of documents and retrieve a hierarchical listing
  ◦ Locking – Prevents the “lost update problem”, which occurs when two users update the same document
  ◦ Namespace Operations – Ability to copy and move documents
  ◦ Searching and Locating – Ability to submit queries and receive result sets, making use of the server-side search capabilities
  ◦ Versioning – Ability for a document to automatically create versions of itself as it is updated, which can be retrieved later
  ◦ Access Control – Allows access to and manipulation of document permissions

4
• Internet Engineering Task Force (IETF)
  ◦ Cost: None
  ◦ Paid By: Volunteers
  ◦ Timeliness: 1 year (Base-Level Functionality)
  ◦ Legitimacy: WebDAV Working Group Charter
  ◦ Structure: Formal Documentation (RFC)
  ◦ Process: Democratic
  ◦ Participation: Open

5
• WebDAV Request for Comments
  ◦ Requirements Document
    • Released: RFC2291 – February 1998
  ◦ Base Level Functionality
    • Released: RFC2518 – February 1999
    • Properties, Collections, Locking, Namespace Operations
    • Revision: RFC4918 – June 2007
  ◦ Versioning
    • Released: RFC3253 – March 2002
  ◦ Access Control
    • Released: RFC3744 – May 2004
  ◦ SEARCH (DSL)
    • Released: RFC5323 – November 2008

6
• PROPFIND
  ◦ Retrieves properties defined on the resource
• PROPPATCH
  ◦ Sets or removes properties defined on the resource
• MKCOL
  ◦ Creates a collection resource
• DELETE (Collections)
  ◦ Deletes a collection and all its members
• PUT (Non-Collections)
  ◦ Creates a non-collection resource
• COPY (Non-Collections, Properties, Collections)
  ◦ Copies a resource to a specified destination

7
• MOVE (Non-Collections, Properties, Collections)
  ◦ Copies a resource to a specified destination and deletes the source
• LOCK
  ◦ Locks a resource
• UNLOCK
  ◦ Unlocks a resource

8
• Request Example:
    PROPPATCH /bar.html HTTP/1.1
    Host: www.example.com
    Content-Type: application/xml; charset="utf-8"
    Content-Length: xxxx

    <D:propertyupdate xmlns:D="DAV:"
        xmlns:Z="http://ns.example.com/standards/z39.50/">
    Jim Whitehead
    Roy Fielding

9
• Response Example:
    HTTP/1.1 207 Multi-Status
    Content-Type: application/xml; charset="utf-8"
    Content-Length: xxxx

    <D:multistatus xmlns:D="DAV:"
        xmlns:Z="http://ns.example.com/standards/z39.50/">
    http://www.example.com/bar.html
    HTTP/1.1 424 Failed Dependency
    HTTP/1.1 409 Conflict
    Copyright Owner cannot be deleted or
    altered.
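
The 207 Multi-Status reply on slide 9 reports one status per property, and a client has to read all of them to know whether the PROPPATCH took effect. The following is an added example, not part of the original presentation: it parses such a body and separates the instruction that blocked the update (409) from the one that failed only as a consequence (424). The sample body is constructed, and the `Z:Authors` and `Z:Copyright-Owner` property names and all function names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

DAV = "{DAV:}"

# Constructed sample body; the Z: property names are assumptions for this example.
SAMPLE_207 = """<D:multistatus xmlns:D="DAV:"
    xmlns:Z="http://ns.example.com/standards/z39.50/">
  <D:response>
    <D:href>http://www.example.com/bar.html</D:href>
    <D:propstat>
      <D:prop><Z:Authors/></D:prop>
      <D:status>HTTP/1.1 424 Failed Dependency</D:status>
    </D:propstat>
    <D:propstat>
      <D:prop><Z:Copyright-Owner/></D:prop>
      <D:status>HTTP/1.1 409 Conflict</D:status>
    </D:propstat>
    <D:responsedescription>Copyright Owner cannot be deleted or altered.</D:responsedescription>
  </D:response>
</D:multistatus>"""

def parse_multistatus(body):
    """Return {href: {property_tag: status_code}} for a 207 Multi-Status body."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTDs are not needed in WebDAV bodies; refusing to parse")
    root = ET.fromstring(body)
    if root.tag != DAV + "multistatus":
        raise ValueError("not a DAV: multistatus document")
    results = {}
    for resp in root.findall(DAV + "response"):
        props = results.setdefault(resp.findtext(DAV + "href", "").strip(), {})
        for propstat in resp.findall(DAV + "propstat"):
            status = propstat.findtext(DAV + "status", "").strip()
            m = re.match(r"HTTP/\d\.\d\s+(\d{3})\b", status)
            if m is None:
                raise ValueError("propstat without a valid status line")
            for prop in propstat.findall(DAV + "prop/*"):
                props[prop.tag] = int(m.group(1))
    return results

def proppatch_applied(props):
    """PROPPATCH is all-or-nothing: it took effect only if every status is 2xx."""
    return bool(props) and all(200 <= code < 300 for code in props.values())

def blocking_properties(props):
    """424 marks instructions that failed only because another one did; the rest are causes."""
    return sorted(tag for tag, code in props.items() if code >= 400 and code != 424)
```
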

10
• Security
• Privacy
• Pervasiveness
• Reliability
• Robustness
• Interoperability
• Community Support
• Maintainability
• Ease of use

11
• Advantages
  ◦ Native Authentication Support
• Drawbacks
  ◦ Requests are sent in plain text over the internet. A third party can intercept them and see the password and data being passed.
    • To prevent this, Secure Socket Layer (SSL) should be used via the https:// protocol.
• Other
  ◦ IIS6 WebDAV Authentication Bypass Exploit (Fixed)
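
The plain-text drawback on slide 11 can be checked from the headers a server returns to an OPTIONS request or a 401 challenge. The following is an added example, not part of the original presentation: it flags WebDAV write methods that are exposed and Basic authentication offered without https, and shows that a Basic credential is only base64-encoded. The sample headers are constructed, and the function names and finding labels are assumptions made for the example.

```python
import base64

# Methods from slides 6 and 7 that change server state.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "PROPPATCH", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample: headers a WebDAV server might return (not captured traffic).
SAMPLE_HEADERS = {
    "DAV": "1, 2",
    "Allow": "OPTIONS, GET, HEAD, PROPFIND, PROPPATCH, PUT, DELETE, MKCOL, "
             "COPY, MOVE, LOCK, UNLOCK",
    "WWW-Authenticate": 'Basic realm="dav"',
}

def audit_dav_response(url, headers):
    """Return findings for one response; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    dav_classes = [c.strip() for c in h.get("dav", "").split(",") if c.strip()]
    if dav_classes:
        findings.append("webdav-enabled: compliance classes " + ",".join(dav_classes))
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    exposed = sorted(allowed & WRITE_METHODS)
    if exposed:
        findings.append("write-methods: " + ",".join(exposed))
    scheme = url.split(":", 1)[0].lower()
    auth_scheme = h.get("www-authenticate", "").split(" ", 1)[0].lower()
    if scheme != "https" and auth_scheme == "basic":
        findings.append("cleartext-credentials: Basic auth offered over " + scheme)
    elif scheme != "https" and dav_classes:
        findings.append("cleartext-transport: WebDAV bodies sent over " + scheme)
    return findings

def basic_credentials(authorization):
    """Decode a Basic Authorization header value: it is base64, not encryption."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password
```
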

12
• Advantages
  ◦ The underlying file system can impose its file permissions on WebDAV requests to ensure the files are accessed by the intended users.
• Drawbacks
  ◦ Cases have been reported where WebDAV clients have provided a user with access to a document they would not have access to using the file system directly.

13
• Advantages
  ◦ The current versions of the major web server applications support WebDAV.
    • Apache
    • Microsoft’s Internet Information Services (IIS).
  ◦ Modern operating systems have built-in WebDAV clients.
• Drawbacks
  ◦ WebDAV is not considered a priority feature
    • True support for WebDAV is available in Apache2 but PHP is not fully compatible with Apache2. This results in WebDAV not being supported by many hosting services that depend on Apache and support PHP.

14
• Advantages
  ◦ If a connection is lost, WebDAV ensures locks remain intact until the user reconnects and releases them or they time out.
  ◦ A revision addressing major issues has already been released.
  ◦ It is accessible through port 80, which ISPs do not block the way they usually block other ports such as the FTP port.
  ◦ It is not its own file system; it runs on top of existing file systems that have already been thoroughly tested.
• Drawbacks
  ◦ Inherits the vulnerabilities of HTTP.
    • Denial of Service Attacks

15
• Advantages
  ◦ Base-level functionality has been in use for over 10 years.
  ◦ Only one revision needed to address problems.
  ◦ Is a set of extensions to HTTP, which has been in use since 1990 and is nowadays used by every device with Internet support.
• Drawbacks
  ◦ Some of the advanced features have been released recently and are not thoroughly tested.

16
• Advantages
  ◦ Is a set of extensions to HTTP, so it can be accessed by any device with Internet support.
  ◦ It adheres to XML specifications for data transfers.
  ◦ The above technologies are currently universal and supported by all major vendors. As a result, implementing a WebDAV component does not require adding support for new technologies.
• Drawbacks
  ◦ No major drawbacks.

17
• Advantages
  ◦ Active Community
    • IIS 7 - http://forums.iis.net - March 2010
    • Apache2 - http://www.howtoforge.com/how-to-set-up-webdav-with-apache2-on-ubuntu-9.10 - February 2010
  ◦ Additional Released Extensions
    • Ordered Collections Protocol: RFC3648 – December 2003
  ◦ Proposed Extensions (Drafts)
    • Redirect Reference Resources: RFC4437 – March 2006
    • Many other enhancements to collections and properties.
  ◦ Spinoffs
    • CalDAV – Remote access to scheduling information
    • CardDAV – Remote access to an address book
• Drawbacks
  ◦ No major drawbacks.

18
• Advantages
  ◦ Is not a separate file system, just a remote entry point for accessing part of an already existing file system.
• Drawbacks
  ◦ Another entry point into the file system hackers can attempt to breach.

19
• Advantages
  ◦ One of the design requirements was to minimize complexity to allow for easy and unambiguous implementation.
  ◦ Works like and has all the same functionality as a regular file system.
  ◦ Clients are designed to mimic familiar file system manipulation tools.
• Drawbacks
  ◦ No major drawbacks.

20
• WebDAV Support in 2001
  ◦ Document Authoring: Microsoft Word 2000, Microsoft Excel 2000, Microsoft PowerPoint 2000, Microsoft Publisher 2000, Adobe Photoshop 6, Adobe Acrobat 5, Excosoft Documentor (XML Editor)
  ◦ Web Site Authoring: Adobe Go Live 5, Macromedia Dreamweaver 4
  ◦ File Managers: Apple MacOS X webdavfs, RiverFront WebDrive, GNOME Nautilus, Goliath, cadaver, sitecopy
  ◦ Servers: Apache mod_dav, Microsoft IIS 5, Microsoft Exchange 2000, Microsoft Sharepoint, Adobe InScope, Oracle Internet File System, Xythos Storage Server, Novell Netware 5.1, Novell Net Publisher, Endeavors MagiExpress, W3C Jigsaw, IBM DAV4J, CyberTeams WebSite Director, HyperWave Information Server 5.5, Openlink Virtuoso, Intraspect Intraspect4, DataChannel DataChannelServer (DCS 4.1)

21
• WebDAV Support in 2010
  ◦ Apache2
  ◦ Microsoft Internet Information Services 7.0
  ◦ Microsoft Exchange Server 2007
  ◦ Microsoft Windows 7
  ◦ Mac OS X
  ◦ Subversion (Version control system)
  ◦ Third party APIs
• Websites Providing WebDAV file storage
  ◦ DreamHost.com
  ◦ Venuecom.com (CalDAV)

22
• WebDAV in Infancy (Advanced Components)
  ◦ Final part completed in November 2008
  ◦ No revision for Versioning, which has problems
• Good
  ◦ The base-level functionality has been widely adopted by industry leaders (MS, Mac, Apache)
  ◦ People are interested in improving it and using it, as evidenced by the many draft RFCs available
  ◦ Many spinoffs use its model as a base (CalDAV, CardDAV)
• Competition
  ◦ No general support for competitive products
    • Amazon Simple Storage Service uses a proprietary protocol
    • Users asked on its forum “Why not use WebDAV?”

23
• RFC2291
• RFC2518
• RFC4918
• RFC3253
• RFC3744
• RFC5323
• RFC3648
• RFC4437
• http://www.ics.uci.edu/~ejw/authoring/
• http://www.webdav.org/
• http://www.microsoft.com/technet/security/advisory/971492.mspx
• http://httpd.apache.org/docs/2.0/developer/thread_safety.html
