WebDAV, Digest Authentication and Windows Vista/7

For a while now, Liferay has offered Basic authentication for various servlets (e.g., WebDAV, JSON, etc.).  For the most part, this has suited most of our needs.  However, recently, there have been some client applications that now require the more stringent Digest authentication system.  To support these requirements, digest authentication has been added to Liferay.

In particular, two WebDAV clients have added this requirement: Windows Vista and Windows 7.  Since most WebDAV clients support both basic and digest auth, this has been enabled by default.  You can only have one enabled at a time.  But you can switch WebDAV back to basic auth (or any other servlet to digest auth) in your tunnel-web/web.xml:

<filter>

    <filter-name>Secure WebDAV Servlet Filter</filter-name>

    <filter-class>com.liferay.portal.kernel.servlet.PortalClassLoaderFilter</filter-class>

    <init-param>

        <param-name>filter-class</param-name>

        <param-value>com.liferay.portal.servlet.filters.secure.SecureFilter</param-value>

    </init-param>

    <init-param>

        <!-- <param-name>basic_auth</param-name> -->

        <param-value>digest_auth</param-value>

        <param-value>true</param-value>

    </init-param>

    <init-param>

        <param-name>portal_property_prefix</param-name>

        <param-value>webdav.servlet.</param-value>

    </init-param>

</filter>


How does this change how we use WebDAV (or anything else with digest authentication).  For the average user, it does not change much.

What you need to know, however, is that if you are using a new installation of Liferay or just upgraded or something like that, you won't be able to log into WebDAV initially.  Rather, you must first login through the portal.  Why?  Because, the algorithm dictated by the RFC requires the server to have a hash based on your login credentials.  Since Liferay never stores a raw password, it can only create the hash based on credentials passed in when a user logs into the portal.  This also means any changes to a user's email address or screenname would require the user to relogin before they can login via WebDAV again (since we allow WebDAV credentials of all three types).

For Windows Vista and Windows 7 users... you still may not be able to use WebDAV to its full potential (at least on 6.0 CE GA3 and below).  Reason being, literally the day after we released GA3, I fixed a bug that only shows up in Windows Vista and Windows 7.  Basically, Microsoft changed their WebDAV client implementation to check certain things that it did not do in the past.  Therefore, while you are able to mount and use Liferay's WebDAV, you cannot do certain basic file system operations that are traditionally supported on WebDAV... unless you have the patch (which will definitely be in the next releases of CE and EE).

The basics of this information can be found in our wiki.

ブログ
Any updates to this?

I'm not able to authenticate WebDAV using Windows 7.
Hi Andy,

Can you give more details? What version of Liferay are you using? What do you mean you are unable to authenticate? The current release (6.1 GA1) should work with Vista.

Alex
My production EE environment is not authenticating:
Liferay EE 6.0 SP2 on
Tomcat 6.0.35
Windows 2008 R2
SQL Server 2008 R2

I suspect that there are some firewall rules being broken, although my understanding is that WebDAV speaks http, so if the portal works, then it should work. I've implemented LDAP with Windows AD - maybe that affects the process?

I am able to authenticate now on a locally installed test environment:
Liferay CE 6.06
Tomcat 6.0.29
Windows 7
SQL Server Express

although, on the connected WebDAV library, it will only allow me to:
create a folder
create a file

It will not allow me to:
Drag files/folders into it
Edit files
Digest capabilities were not back ported for CE 6.06, unfortunately. This means Windows 7/Vista will limit what you can do because it is only basic authentication.

However, EE 6.0 SP2 should be supporting digest. There is an open issue with WebDAV + LDAP. See http://issues.liferay.com/browse/LPS-21988.

Alex
So one absolute fact is this: Windows 7 WILL NOT connect to a webdav user using Basic Authentication.

Okay. Questions:
1. Will WebDAV work in my config in Prod (Liferay EE 6.0 SP2) if I were to turn LDAP off? This isn't really an option, just curious.

2. Can you give me any alternatives to WebDAV for adding large numbers of files to the Document Library?

Thanks again for the help.
So, your "absolute fact" may not necessarily be absolute. On Vista, you should be able to set the registry to allow for Basic authentication. See http://support.microsoft.com/kb/928692. Some users have told me that this is also possible on Windows 7, though it doesn't seem consistent.

Re your questions:
#1 This should be the case.
#2 You can write your own plugin to ingest a large number of files. In the unreleased EE 6.1, you can use DLSync.

However, since you are an EE customer, you may want to just raise the issue in LESA that this is a bug that you need fixed and to see when something like this can be put in for you.
Hello.
I see this post is very old but very useful.

I have problem accessing the webdav folders for writing and reading operations when my documents and media are in a staged environments. Is there a way to access those folders ?

For example i use sardine (java webdav client) but i cannot see the staged folder.
The same with nautilus (i only see the live folder).

Thanks.