Anonymous PUT in WebDAV

6 replies

Last post Feb 09, 2012 12:31 PM by artisticcheese

  • Anonymous PUT in WebDAV

    Feb 16, 2008 02:34 PM|lcx

    How do I enable anonymous PUT?

    I have enabled anonymous PROPFIND but PUT requires authentication:

    2008-02-16 19:16:11 W3SVC2 SERVER 59.112.38.230 PROPFIND /testfolder - 80 - 59.112.38.230 HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.0.6001 - - www.example.com 207 0 0 805 172 1
    2008-02-16 19:16:11 W3SVC2 SERVER 59.112.38.230 PUT /testfolder/Test.mp4 - 80 - 59.112.38.230 HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.0.6001 - - www.example.com 401 0 5 5347 191 3 

    My settings:

        <location path="MySite">
            <system.webServer>
                <webdav>
                    <authoring enabled="true">
                        <properties allowAnonymousPropfind="true" />
                    </authoring>
                </webdav>
            </system.webServer>
        </location>
        <location path="MySite/testfolder">
            <system.webServer>
                <webdav>
                    <authoringRules>
                        <add users="?" path="*" access="Read, Write" />
                    </authoringRules>
                </webdav>
            </system.webServer>
        </location>

  • Re: Anonymous PUT in WebDAV

    Feb 18, 2008 02:28 PM|robmcm

    Anonymous PROPFINDs are allowed for file listings, but file uploads require an authenticated user.

    More specifically, the PUT, MKCOL, PROPPATCH, COPY, MOVE, and DELETE verbs all require authentication.

    Robert McMurray [MSFT]
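
An added example, not part of the thread: a Python check over IIS W3C log lines that classifies the write verbs listed above by whether the request was challenged, authenticated, or accepted with no user name. The column order in `DEFAULT_FIELDS` is an assumption inferred from the two log lines in the question; the last two sample rows are constructed.

```python
WRITE_VERBS = {"PUT", "MKCOL", "PROPPATCH", "COPY", "MOVE", "DELETE"}
# Assumed column order; a "#Fields:" directive in a real log overrides it.
DEFAULT_FIELDS = (
    "date time s-sitename s-computername s-ip cs-method cs-uri-stem "
    "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
    "cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status "
    "sc-bytes cs-bytes time-taken").split()

def classify(status, user):
    """Map an HTTP status and cs-username to an audit verdict."""
    if status == 401:
        return "challenged"
    if 200 <= status < 300:
        return "anonymous-write" if user == "-" else "authenticated-write"
    return "other"

def audit(lines):
    """Return (verdict, method, uri, client_ip, user) per write-verb request."""
    fields, findings = DEFAULT_FIELDS, []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not line or line.startswith("#") or len(values) != len(fields):
            continue  # directive, blank, or malformed row
        rec = dict(zip(fields, values))
        method = rec.get("cs-method", "").upper()
        if method not in WRITE_VERBS:
            continue
        code, user = rec.get("sc-status", ""), rec.get("cs-username", "-")
        verdict = classify(int(code) if code.isdigit() else 0, user)
        findings.append((verdict, method, rec.get("cs-uri-stem", ""),
                         rec.get("c-ip", ""), user))
    return findings

# First two rows are the log lines from the question; the last two are constructed.
SAMPLE = [
    "2008-02-16 19:16:11 W3SVC2 SERVER 59.112.38.230 PROPFIND /testfolder - 80 - 59.112.38.230 HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.0.6001 - - www.example.com 207 0 0 805 172 1",
    "2008-02-16 19:16:11 W3SVC2 SERVER 59.112.38.230 PUT /testfolder/Test.mp4 - 80 - 59.112.38.230 HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.0.6001 - - www.example.com 401 0 5 5347 191 3",
    "2008-02-16 19:16:12 W3SVC2 SERVER 192.0.2.10 PUT /testfolder/Test.mp4 - 80 SERVER\\alice 192.0.2.20 HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.0.6001 - - www.example.com 201 0 0 250 4096 40",
    "2008-02-16 19:16:13 W3SVC2 SERVER 192.0.2.10 DELETE /testfolder/old.mp4 - 80 - 192.0.2.30 HTTP/1.1 Microsoft-WebDAV-MiniRedir/6.0.6001 - - www.example.com 200 0 0 250 0 12",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

An `anonymous-write` verdict is the row to investigate, since it means a write verb succeeded with no logged user name.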
  • Re: Anonymous PUT in WebDAV

    Feb 18, 2008 04:06 PM|lcx

    Is it possible to use a cookie-based authentication scheme by means of a custom authentication module?

  • Re: Anonymous PUT in WebDAV

    Feb 18, 2008 05:10 PM|robmcm

    Yes - that would be possible. Essentially as long as the request has some means of entering credentials that will be authenticated before the request gets to the WebDAV module in ExecuteRequestHandler, then the WebDAV module will not be aware that you have implemented some other form of authentication. (Of course, this logic does not apply to Forms Authentication since that is not actually passing credentials via the HTTP headers, only through the HTTP request entity.) So in theory, if you wrote a custom authentication module that used cookies and a server-side mapping of cookies to user accounts that executed in BeginRequest, then you could authenticate a user on behalf of a cookie-based client.

    I have to state, however, that anonymous uploads via WebDAV are not generally a good idea and I always recommend forcing users to log in. ;-)

    Robert McMurray [MSFT]
  • Re: Anonymous PUT in WebDAV

    Mar 05, 2008 07:52 PM|WebSynchronizer

    Jet 4 Replication Manager uses an anonymous PUT to upload files. Any thoughts on how we can force this to log in?

    If not, Internet synchronization of a Microsoft Access database can't happen on IIS 7.

  • Re: Anonymous PUT in WebDAV

    Mar 06, 2008 09:53 PM|robmcm

    There are two considerations for Internet Synchronization that apply here:

    • Internet Synchronization over HTTP/FTP for Microsoft Access databases is provided through the Microsoft Replication Manager, which is no longer supported. This utility shipped with the developer versions of Office 2000 and Office XP, and reached its end of life in July, 2006.
    • Internet Synchronization over HTTP/FTP required what I would consider unsafe security practices. When you examine the settings that you were required to open for anonymous access, you'll notice that very little security is in use. So I would recommend against using Internet Synchronization even if you accept the fact that Replication Manager is no longer a supported utility.
    Robert McMurray [MSFT]
  • Re: Anonymous PUT in WebDAV

    Feb 09, 2012 12:31 PM|artisticcheese

    Here is the solution: http://artisticcheese.blogspot.com/2012/02/using-urlrewrite-in-curcumvential.html