On Fri, Aug 29, 2025 at 8:22 PM Justin Chen <ch...@msn.com> wrote:

> Hi,
>
> We are trying Tomcat WebDAV for a document sharing scenario. Months ago, an
> update said, "If the WebDAV servlet is enabled, the WebDAV functionality
> should be appropriately secured."
>
> Before bringing them to PRODUCTION, we want to know a further declaration of
> "appropriately secured" and what actions are expected to be taken.
>
> Thank you for your time and help.
>
> Regards,
> Chenjp
>

Hi Chenjp,

Citing
https://tomcat.apache.org/tomcat-11.0-doc/api/org/apache/catalina/servlets/WebdavServlet.html
one could go with a security checklist like the following:

1) The WebdavServlet is mapped to a specific sub-path (e.g. /webdav/*) and not to /*.
2) The allowSpecialPaths parameter is false, blocking access to the WEB-INF and META-INF directories.
3) The readonly parameter is false only if write access is required.
4) The listings parameter is false if directory browsing is not required.
5) The serveSubpathOnly parameter is true to narrow the scope exposed.
6) A <security-constraint> using the same URL pattern as the mapping (e.g. /webdav/*) is in place.
   (Detailed tutorial: https://jakarta.ee/learn/docs/jakartaee-tutorial/current/security/security-webtier/security-webtier.html)
7) Users and their roles are defined in a Tomcat realm (e.g. tomcat-users.xml).
   (See: https://tomcat.apache.org/tomcat-11.0-doc/config/realm.html)
8) Follow the security considerations for Tomcat:
   https://tomcat.apache.org/tomcat-11.0-doc/security-howto.html

Kind regards,
Dimitris Soumis
