[Zope] webdav / IE
John Hunter
jdhunter at ace.bsd.uchicago.edu
Sat Sep 25 12:46:51 EDT 2004
I have a problem that I have struggled with off and on for weeks
without success.

Goal: Serve files (mainly msword and excel) with authentication, to
Microsoft/IE users supporting the ability to log out, without
forcing the user to reauthenticate multiple times.

Approach: To support the ability to log out, most reading I've found
pointed me to CookieCrumbler, which I'm using.

Problem: IE on Windows appears to want to use WebDAV, which doesn't
understand cookies AFAIK and thus tries to reauthenticate using
basic http authentication.

Proposed Solution: Use the webdav source port, e.g. 1980.

Gripe: I have no trouble with any tested browser / OS combination
other than Microsoft Windows with IE. 99% of my users will be on
this combination, however.

Before I launch into a bunch of techno mumbo jumbo below, I am open to
alternative solutions. If there is a better way to do this let me
know. It seems to me that it shouldn't be impossible to gracefully
serve protected files to Microsoft users while supporting logouts, but
maybe it is. In particular, I have no interest in supporting webdav,
but as far as I understand, I cannot disable this on server side (if I
can, please tell me!!). So a lot of stuff below is targeted at
getting webdav to work with cookie crumbler. If I can't figure this
out, I'll have to jettison cookie crumbler and logouts.

I have created a sandbox at http://crcdocs.bsd.uchicago.edu/test.
This area has default permissions, except for the following, which
require authenticated|manager|owner privs

    View
    Access Contents information
    Manage WebDAV locks
    WebDAV Lock items
    WebDAV Unlock items
    WebDAV access

There are two acl_users, 'test' and 'testman'. Both have password
'123'. The latter has manager permissions. The 'test' directory has
a single msword file 'facepage.doc', and an index_html method that
serves this file either over 80 or 1980. I am using a default
instantiation of CookieCrumbler 1.2 in that dir. I have the following
in my zope.conf to enable webdav

    <webdav-source-server>
      # valid keys are "address" and "force-connection-close"
      address 1980
      force-connection-close off
    </webdav-source-server>

When the user clicks on either the port 80 link or the port 1980 link
in index_html, even though they've already cookie authenticated when
initially loading index_html, they get a basic http authentication
dialog. Is there some special trick to serve files over the webdav
source port? Perhaps I'm naive in thinking all I need to do is add
the above lines to zope.conf, restart zope, and then serve the file
over 1980.
I installed VerboseSecurity-0.6. When the user clicks on the 1980
link, they are presented with the authentication challenge box 2 times
and then can read the file. Subsequent attempts to access the file
are successful without additional authentication challenges.

4 error log entries are created during the initial attempt to access
the document, summarized in order here.

1st error
    Time                 2004/09/25 12:21:51.553 GMT-5
    User Name (User Id)  Anonymous User (None)
    Request URL          http://crcdocs.bsd.uchicago.edu:1980/test/facepage.doc/manage_DAVget
    Exception Type       Unauthorized
    Exception Value      <strong>You are not authorized to access this resource.</strong><p> No Authorization header found.

2nd error
    Time                 2004/09/25 12:21:55.570 GMT-5
    User Name (User Id)  Anonymous User (None)
    Request URL          http://crcdocs.bsd.uchicago.edu:1980/test/facepage.doc/LOCK
    Exception Type       Unauthorized
    Exception Value      <strong>You are not authorized to access this resource.</strong><p> No Authorization header found.

3rd error
    Time                 2004/09/25 12:21:57.156 GMT-5
    User Name (User Id)  Anonymous User (None)
    Request URL          http://crcdocs.bsd.uchicago.edu:1980/test/facepage.doc/LOCK
    Exception Type       Unauthorized
    Exception Value      <strong>You are not authorized to access this resource.</strong><p> No Authorization header found.

4th error
    Time                 2004/09/25 12:21:57.177 GMT-5
    User Name (User Id)  test (test)
    Request URL          http://crcdocs.bsd.uchicago.edu:1980/test/facepage.doc/LOCK
    Exception Type       RuntimeError
    Exception Value      Syntax error at line 9: illegal character in content

Included below is the full traceback and REQUEST header from the first
error.
Please feel free to log to http://crcdocs.bsd.uchicago.edu/test as
user 'test' or 'testman' if you are kind enough to help me solve this
vexing problem.
JDH -
Zope 2.7

Exception traceback

    Time                 2004/09/25 12:21:51.553 GMT-5
    User Name (User Id)  Anonymous User (None)
    Request URL          http://crcdocs.bsd.uchicago.edu:1980/test/facepage.doc/manage_DAVget
    Exception Type       Unauthorized
    Exception Value      <strong>You are not authorized to access this resource.</strong><p> No Authorization header found.

Traceback (innermost last):

    * Module ZPublisher.Publish, line 92, in publish
    * Module ZPublisher.BaseRequest, line 439, in traverse
    * Module ZPublisher.HTTPResponse, line 671, in unauthorized

Unauthorized: <strong>You are not authorized to access this
resource.</strong><p> No Authorization header found.

REQUEST

form

cookies
    SITESERVER  'ID=38c1d83c249f02a07f0d04cbbf5f1ee5'
    __ac        'dGVzdDoxMjM%3D'
    __ac_name   'test'

lazy items
    SESSION  <bound method SessionDataManager.getSessionData of <SessionDataManager instance at 2a9bd27350>>

other
    TraversalRequestNameStack  []
    URL         'http://crcdocs.bsd.uchicago.edu:1980/test/facepage.doc/manage_DAVget'
    SERVER_URL  'http://crcdocs.bsd.uchicago.edu:1980'
    PUBLISHED   <bound method File.manage_DAVget of <File instance at 2a9bd7ecb0>>
    URL0        http://crcdocs.bsd.uchicago.edu:1980/test/facepage.doc/manage_DAVget
    URL1        http://crcdocs.bsd.uchicago.edu:1980/test/facepage.doc
    URL2        http://crcdocs.bsd.uchicago.edu:1980/test
    URL3        http://crcdocs.bsd.uchicago.edu:1980
    BASE0       http://crcdocs.bsd.uchicago.edu:1980
    BASE1       http://crcdocs.bsd.uchicago.edu:1980
    BASE2       http://crcdocs.bsd.uchicago.edu:1980/test
    BASE3       http://crcdocs.bsd.uchicago.edu:1980/test/facepage.doc
    BASE4       http://crcdocs.bsd.uchicago.edu:1980/test/facepage.doc/manage_DAVget

environ
    HTTP_ACCEPT           'application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*'
    CONNECTION_TYPE       'Keep-Alive'
    HTTP_USER_AGENT       'Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)'
    HTTP_REFERER          'http://crcdocs.bsd.uchicago.edu/test/index_html'
    SERVER_NAME           'localhost.localdomain'
    GATEWAY_INTERFACE     'CGI/1.1'
    SERVER_SOFTWARE       'Zope/(unreleased version, python 2.3.4, linux2) ZServer/1.1'
    REMOTE_ADDR           '24.14.147.78'
    HTTP_ACCEPT_LANGUAGE  'en-us'
    SCRIPT_NAME           ''
    REQUEST_METHOD        'GET'
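
Added example, not part of the original message and not Zope or CookieCrumbler code: a Python 3 sketch that parses the cookies and environ sections of a REQUEST dump like the one above and reports which credentials the failing request carried. It shows that the `__ac` cookie is the URL-quoted base64 of `user:password`, the same token a Basic `Authorization` header would hold, while no such header was sent. The excerpt is copied from the dump; the function names and the CGI-style `HTTP_AUTHORIZATION` key are assumptions.

```python
import base64
from urllib.parse import unquote

# Excerpt of the REQUEST dump from the message above (cookies and environ).
DUMP = """\
cookies
SITESERVER 'ID=38c1d83c249f02a07f0d04cbbf5f1ee5'
__ac 'dGVzdDoxMjM%3D'
__ac_name 'test'
environ
CONNECTION_TYPE 'Keep-Alive'
HTTP_REFERER 'http://crcdocs.bsd.uchicago.edu/test/index_html'
REQUEST_METHOD 'GET'
"""

SECTIONS = {"form", "cookies", "lazy items", "other", "environ"}

def parse_dump(text):
    """Split a Zope error-log REQUEST dump into {section: {key: value}}."""
    out, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line in SECTIONS:
            current = out.setdefault(line, {})
        elif current is not None and " " in line:
            key, value = line.split(None, 1)
            current[key] = value.strip("'")
    return out

def decode_ac(cookie_value):
    """URL-unquote and base64-decode an __ac cookie into (user, password)."""
    raw = base64.b64decode(unquote(cookie_value)).decode("utf-8", "replace")
    user, _, password = raw.partition(":")
    return user, password

def triage(text):
    """Summarise which credentials the failing request actually carried."""
    req = parse_dump(text)
    cookies, environ = req.get("cookies", {}), req.get("environ", {})
    ac = cookies.get("__ac")
    return {
        "method": environ.get("REQUEST_METHOD"),
        # Assumed key name: the Authorization header in CGI-style environ.
        "has_authorization_header": "HTTP_AUTHORIZATION" in environ,
        "cookie_user": decode_ac(ac)[0] if ac else None,
        # Header value carrying the same identity as the cookie.
        "equivalent_basic_header": "Basic " + unquote(ac) if ac else None,
    }

if __name__ == "__main__":
    print(triage(DUMP))
```

Because the cookie value is only encoded, not encrypted, anyone who can read it on the wire or in a log recovers the password, so both the port 80 and port 1980 traffic need transport protection.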