r10 - 23 Mar 2007 - 23:36:46 - VinubalajiGopal

WebDAV Access Control List in Cosmo

WebDAV ACL (RFC 3744) provides an interoperable mechanism for handling discretionary access control for content and metadata managed by WebDAV servers. For Cosmo this means providing fine-grained security for every WebDAV resource it handles, including (but not limited to) calendar, address book and file collections, and any kind of individual resource such as an event, an address book or a file.

Principal support

A "principal" is a distinct human or computational actor that initiates access to network resources. In Cosmo, as per RFC 3744, a principal is represented as a WebDAV resource, and it is created when a user account is created. For example, a principal named vinu is identified by the unique URL http://osaf.us/home/vinu. This special WebDAV resource, the principal, SHOULD have the following properties:
  • DAV:alternate-URI-set
  • DAV:principal-URL
  • DAV:group-member-set
  • DAV:group-membership

Group Support

A "group" is a principal that represents a set of other principals. WebDAV ACL does not define group management, so in Cosmo groups are managed using the Cosmo Management Protocol (CMP). Information about CMP can be found at CosmoManagementProtocol, and the group-specific additions to CMP can be found at CmpGroups.

Basic Privileges Required by RFC 3744

  • DAV:read
  • DAV:write
  • DAV:write-properties
  • DAV:write-content
  • DAV:unlock
  • DAV:read-acl
  • DAV:read-current-user-privilege-set
  • DAV:write-acl
  • DAV:bind
  • DAV:unbind
  • DAV:all

The DAV:bind and DAV:unbind privileges apply to collections and define the ability to add or remove a resource from the collection, respectively. For resources other than collections these privileges are ignored.

Additional properties defined on a resource (all of them are protected properties):

  • DAV:owner
  • DAV:group
  • DAV:supported-privilege-set
  • DAV:current-user-privilege-set
  • DAV:acl
  • DAV:acl-restrictions
  • DAV:inherited-acl-set
  • DAV:principal-collection-set
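To make the privilege and ACE definitions above concrete, here is an added example (not code from the page or from Cosmo) that parses a DAV:acl property body into ordered ACEs and answers "does this principal hold this privilege on the resource?". DAV:all aggregating every privilege comes from RFC 3744; treating DAV:write as an aggregate of write-properties, write-content, bind and unbind, the first-matching-ACE evaluation order, and the sample ACL with the hypothetical group URL http://osaf.us/groups/readers are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = "{DAV:}"  # ElementTree's Clark notation for the DAV: namespace
# Privilege aggregation. DAV:all containing everything is per RFC 3744; the
# DAV:write aggregate below is an assumption standing in for what a server
# would advertise in its DAV:supported-privilege-set.
AGGREGATES = {
    "all": {"read", "write", "read-acl", "write-acl", "unlock",
            "read-current-user-privilege-set"},
    "write": {"write-properties", "write-content", "bind", "unbind"},
}

def expand(priv):
    """All concrete privileges implied by one privilege name (transitively)."""
    out = {priv}
    for child in AGGREGATES.get(priv, ()):
        out |= expand(child)
    return out

def parse_acl(xml_text):
    """DAV:acl body -> ordered list of (principal, 'grant'|'deny', {privileges})."""
    aces = []
    for ace in ET.fromstring(xml_text).findall(NS + "ace"):
        pnode = ace.find(NS + "principal")
        href = pnode.find(NS + "href")
        # a DAV:href names a user or group; otherwise the child is DAV:all etc.
        principal = href.text.strip() if href is not None else pnode[0].tag[len(NS):]
        for effect in ("grant", "deny"):
            node = ace.find(NS + effect)
            if node is not None:
                privs = {p.tag[len(NS):] for p in node.findall(NS + "privilege/*")}
                aces.append((principal, effect, privs))
    return aces

def is_granted(aces, user, groups, privilege):
    """Walk ACEs in document order: the first ACE whose principal matches the
    user (or one of its groups, or DAV:all) and whose privileges cover the
    requested one decides; no matching ACE means deny (assumed model)."""
    for principal, effect, privs in aces:
        hit = principal == user or principal in groups or principal == "all"
        if hit and any(privilege in expand(p) for p in privs):
            return effect == "grant"
    return False

# Constructed sample ACL for a calendar collection: the owner holds DAV:all, a
# (hypothetical) group may read, and everyone else is explicitly denied DAV:write.
SAMPLE_ACL = """<D:acl xmlns:D="DAV:">
<D:ace><D:principal><D:href>http://osaf.us/home/vinu</D:href></D:principal><D:grant><D:privilege><D:all/></D:privilege></D:grant></D:ace>
<D:ace><D:principal><D:href>http://osaf.us/groups/readers</D:href></D:principal><D:grant><D:privilege><D:read/></D:privilege></D:grant></D:ace>
<D:ace><D:principal><D:all/></D:principal><D:deny><D:privilege><D:write/></D:privilege></D:deny></D:ace>
</D:acl>"""
```

Because DAV:write is expanded, the final deny also blocks DAV:bind and DAV:unbind on the collection for anyone the earlier ACEs do not cover, which is the check a server must make before honouring a PUT or DELETE of a child resource.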

Implementation

Features so far:
  • Complete Group Support including manipulation of group information using CMP
  • A simple UI for creating groups in Cosmo repository browser.
  • Models to store the ACLs and Access Control Entries associated with any item.
  • Service layer and DAO layer implementation (Hibernate-based DAO) for the access control objects.

Source Download

Check out the source code from my svn sandbox:
svn co http://svn.osafoundation.org/sandbox/vinu/cosmoacl/
To run this version of Cosmo, follow CosmoBuildInstructions and use this source tree instead of the default Cosmo source. This version was kept up to date with trunk using a distributed version control tool called svk, but unfortunately svk failed to update after some point. More details about svk can be found at SvkUsage.

-- VinubalajiGopal - 24 Mar 2007

External Links

-- VinubalajiGopal - 22 Aug 2006

Except where otherwise noted, this site and its content are licensed by OSAF under a Creative Commons License, Attribution Only 3.0.