Hi, David!
I had a similar problem some time ago and the only solution I could come
up with was just giving the non-inheritable read permission to the "/"
resource granted for everybody (every user belongs to the /roles/user group
here):
<permission action="/actions/read" subject="/roles/user" inheritable="false"/>
It doesn't look like a serious breach of security but I still wonder if there
is a better solution...
Yours sincerely,
Andrey.
> -----Original Message-----
> From: Slide Users Mailing List [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 19, 2005 10:37 AM
> To: [email protected]
> Subject: webdav PUT method fails with cumbersome security reason
> Importance: Low
>
> Hello.
> I have a cron script which has to send data to slide.
> For security reasons, the areas this script has access to are
> restricted to a specific collection in slide. This collection
> is /webcontent/d2/s5/hepdo/ and the script has full rights
> access to that resource.
> The script uses the username 'cron'.
> When I do a PUT in this collection to upload a new file, here
> is the message the script gets as result:
>
> message
> Forbidden: Access denied on / by user /users/cron for action
> /actions/read
> description: Access to the specified resource (Forbidden:
> Access denied on / by user /users/cron for action
> /actions/read) has been forbidden.
>
> The tomcat console shows this output:
> http-8081-Processor4, 19-Apr-2005 14:18:51, cron, PUT, 403
> "Forbidden", 13 ms, /webcontent/d2/s5/hepdo/megawinternights.gif
>
> Why should PUT need read access to /? If I want a user to
> have write access to /webcontent/d2/s5/hepdo/, does that mean
> I need to give him read access to /, /webcontent,
> /webcontent/d2, /webcontent/d2/s5 and /webcontent/d2/s5/hepdo ????
> That looks to me a bit cumbersome to manage ACLs in such a
> situation. Here, by default all is in access forbidden (user:
> all, privilege: all, grant: denied,
> inheritable: true at the root level) and subdirectories, when
> needed, get the allowance to be read/managed by one or more
> user groups). If I need to go to all collections and explicitly
> remove read access to this collection because I cannot do it
> at parent level, where is the interest of acl inheritance?
>
> Can somebody tell me how to have this script be allowed to
> do a PUT on that collection without having to change all my
> acl in the application? (and btw be forced to manage a huge
> more amount of ACLs)
>
> --
> David Delbecq
> Royal Meteorological Institute of Belgium
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> [EMAIL PROTECTED] <mailto:> For
> additional commands, e-mail:
> [EMAIL PROTECTED] <mailto:>
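To illustrate why the PUT fails and why Andrey's non-inheritable grant repairs it without opening the rest of the tree, here is an added Python model of ACL inheritance. It is not Slide's own code; the resolution rules, the `Permission` class and the sample ACL entries are assumptions built from what this thread describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    """One Slide-style ACL entry attached to a resource (simplified model)."""
    path: str          # resource the entry is set on, e.g. "/" or "/webcontent/d2/s5/hepdo"
    subject: str       # a user ("/users/cron"), a role ("/roles/user"), or "all"
    action: str        # "/actions/read", "/actions/write", or "all"
    grant: bool        # True = grant, False = deny
    inheritable: bool  # does the entry also apply to descendants?

def ancestors(path):
    """Collections from the root down to and including `path`."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]

def is_allowed(acl, path, subjects, action):
    """Resolve `action` on `path` for a principal matching any of `subjects`.
    Assumed rules: most specific resource wins; entries on one resource are
    consulted in list order; ancestor entries count only if inheritable;
    no matching entry means deny."""
    for node in reversed(ancestors(path)):
        for perm in acl:
            if perm.path != node or perm.subject not in subjects:
                continue
            if perm.action not in (action, "all"):
                continue
            if node != path and not perm.inheritable:
                continue  # non-inheritable entry on an ancestor: ignored
            return perm.grant
    return False

def put_allowed(acl, target, subjects):
    """The check observed in the thread: the PUT was refused for lack of
    /actions/read on "/" before the write on the target was considered."""
    return (is_allowed(acl, "/", subjects, "/actions/read")
            and is_allowed(acl, target, subjects, "/actions/write"))

# Constructed ACLs mirroring the thread: everything denied at the root
# (inheritable), then full rights for cron below its own collection.
ROOT_DENY = Permission("/", "all", "all", grant=False, inheritable=True)
HEPDO_GRANT = Permission("/webcontent/d2/s5/hepdo", "/users/cron", "all", True, True)
# Andrey's workaround, listed before the root deny so it is consulted first on "/".
ROLE_READ_ROOT = Permission("/", "/roles/user", "/actions/read", True, inheritable=False)

DAVID_ACL = [ROOT_DENY, HEPDO_GRANT]
FIXED_ACL = [ROLE_READ_ROOT, ROOT_DENY, HEPDO_GRANT]
CRON = {"/users/cron", "/roles/user", "all"}  # cron plus the groups it belongs to
TARGET = "/webcontent/d2/s5/hepdo/megawinternights.gif"
```

With `DAVID_ACL` the PUT on `TARGET` is refused because read on "/" resolves to the inherited root deny; with `FIXED_ACL` it succeeds, while read on "/webcontent" stays denied because the new entry does not inherit.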