MS Webfolder WebDAV Client: Authentication issue with handling of replies to PUT requests from Jim Whitehead on 2007-01-29 (w3c-dist-auth@w3.org from January to March 2007)

From: Jim Whitehead <ejw@soe.ucsc.edu>
Date: Mon, 29 Jan 2007 09:03:22 -0800
To: <w3c-dist-auth@w3.org>
Cc: Andy Staudacher <andress@ee.ethz.ch>
Message-Id: <D7FD4E33-EC24-4FAB-8CC2-165E8A7076EC@cs.ucsc.edu>

Sending on behalf of Andy Staudacher <andress@ee.ethz.ch> (cc'ed). If  
you have any insight into these issues, please let Andy know.

- Jim


Hi

Problem:
Windows Webfolders does not show an authentication popup Window when the
server responds with a HTTP 401 to a PUT request although the response
includes a WWW-Authenticate header.

Questions:
1. Is this type of handling of PUT request replies a known issue for  
the MS
Webfolders WebDAV client?
2. Are there any workarounds?

Detailed problem description:
We have developed a PHP based WebDAV server (for gallery.sf.net) and  
we are
experiencing a problem with Microsoft's built-in WebDAV client  
(Microsoft
Webfolders, "Microsoft Data Access Internet Publishing Provider DAV").

Depending on how the server is configured, the client needs to  
authenticate
for specific requests.
By default any WebDAV client can connect to our WebDAV server and get a
listing of all folders / files without authentication. MKCOL and PUT
requests require authentication by default though.

Our WebDAV server implementation replies with a HTTP 401 'Authorization
Required' status with a WWW-Authenticate header to both requests  
(MKCOL and
PUT). While Windows Webfolders shows an authentication Window to the  
user
when receiving our response to a MKCOL request, it does not so for our
response to PUT a request.

All what the user sees when a PUT request fails with a HTTP 401 is a  
small
Window with a short, generic error message.

This is a major usability problem. Our end-users are usually not very
tech-savvy and thus rely on what is installed by default (MS Windows /
Windows Webfolders) and without being able to upload files, the WebDAV
components of our server doesn't make much sense.

Notes:
- Other clients (e.g. cadaver) work flawlessly with our WebDAV server.
- Client: Tested with Windows XP. Mounting / discovery is done via IE7
("Microsoft-WebDAV-MiniRedir/5.1.2600") and MKCOL/PUT requests are  
done via
Webfolders ("Microsoft Data Access Internet Publishing Provider DAV")
- Server: Apache2 / IIS + mod_php + Gallery 2.2 + Gallery WebDAV module

Some rather silly workarounds:
- Listing a virtual "login" folder which when requested always  
returns HTTP
401 with a WWW-Authenticate header.
- Requiring authentication for all operations, thus the client would  
have to
authenticate before it could even send a PUT request. (Unlikely to  
happen)
- (only for devs) Instructing the user to force authentication by always
creating a folder first. (Once authenticated, the authentication  
headers are
included in PUT requests as well.)

Of course we would prefer a solution that would simply trigger the
authentication popup of Windows Webfolders.

Thanks,
  - Andy Staudacher, Gallery.sourceforge.net developer

Received on Monday, 29 January 2007 18:58:10 UTC