[feature] Migrate WebDAV module from Milton 1.x to 4.x CE

Package renames: com.bradmcevoy.http -> io.milton.http/resource
Test client: com.ettrema.httpclient -> io.milton.httpclient

MiltonWebDAVServlet: HttpServlet composition (Jetty 12 requires it)

Auth propagation for Milton 4.x resource lifecycle:
- ensureAuthenticated() helper pulls credentials from request context
  when Milton creates fresh resource objects without auth state
- Called in authorise(), createNew(), moveTo(), copyTo(), delete()
- Resets isInitialized to recalculate permissions with correct subject

Tests: preemptive Basic auth via AlwaysBasicPreAuth interceptor
(required for COPY/MOVE/DELETE where challenge-response fails)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: joewiz

extensions/webdav/src/main/java/org/exist/webdav/ExistResourceFactory.java

@@ -22,8 +22,10 @@
 package org.exist.webdav;
 
 
-import com.bradmcevoy.http.Resource;
-import com.bradmcevoy.http.ResourceFactory;
+import io.milton.http.ResourceFactory;
+import io.milton.http.exceptions.BadRequestException;
+import io.milton.http.exceptions.NotAuthorizedException;
+import io.milton.resource.Resource;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.exist.EXistException;
@@ -108,7 +110,7 @@ public ExistResourceFactory() {
      * could not be detected.
      */
     @Override
-    public Resource getResource(String host, String path) {
+    public Resource getResource(String host, String path) throws NotAuthorizedException, BadRequestException {
 
         // DWES: work around if no /db is available return nothing.
         if (!path.contains("/db")) {

extensions/webdav/src/main/java/org/exist/webdav/MiltonCollection.java

@@ -21,8 +21,14 @@
  */
 package org.exist.webdav;
 
-import com.bradmcevoy.http.*;
-import com.bradmcevoy.http.exceptions.*;
+import io.milton.http.Auth;
+import io.milton.http.LockInfo;
+import io.milton.http.LockResult;
+import io.milton.http.LockTimeout;
+import io.milton.http.LockToken;
+import io.milton.http.Range;
+import io.milton.http.exceptions.*;
+import io.milton.resource.*;
 import org.exist.EXistException;
 import org.exist.security.PermissionDeniedException;
 import org.exist.security.Subject;
@@ -104,7 +110,7 @@ public MiltonCollection(final Properties configuration, String host, XmldbURI ur
      * Collection Resource
      * =================== */
     @Override
-    public Resource child(String childName) {
+    public Resource child(String childName) throws NotAuthorizedException, BadRequestException {
 
         if (LOG.isDebugEnabled()) {
             LOG.debug("get child={}", childName);
@@ -147,7 +153,7 @@ private List<MiltonDocument> getDocumentResources() {
     }
 
     @Override
-    public List<? extends Resource> getChildren() {
+    public List<? extends Resource> getChildren() throws NotAuthorizedException, BadRequestException {
         List<Resource> allResources = new ArrayList<>();
 
         allResources.addAll(getCollectionResources());
@@ -199,7 +205,7 @@ public void delete() throws NotAuthorizedException, ConflictException, BadReques
      * ========================== */
     @Override
     public CollectionResource createCollection(String name)
-            throws NotAuthorizedException, ConflictException {
+            throws NotAuthorizedException, ConflictException, BadRequestException {
 
         if (LOG.isTraceEnabled()) {
             LOG.trace("Create collection '{}' in '{}'.", name, resourceXmldbUri);
@@ -229,14 +235,15 @@ public CollectionResource createCollection(String name)
      * =============== */
     @Override
     public Resource createNew(String newName, InputStream is, Long length, String contentType)
-            throws IOException, ConflictException {
+            throws IOException, ConflictException, NotAuthorizedException, BadRequestException {
 
         if (LOG.isTraceEnabled()) {
             LOG.trace("Create '{}' in '{}'", newName, resourceXmldbUri);
         }
 
         Resource resource = null;
         try {
+            ensureAuthenticated();
             // submit
             XmldbURI resourceURI = existCollection.createFile(newName, is, length, contentType);
 
@@ -276,11 +283,11 @@ public LockResult lock(LockTimeout timeout, LockInfo lockInfo)
             LOG.debug("'{}' -- {}", resourceXmldbUri, lockInfo.toString());
         }
 
-        return refreshLock(UUIDGenerator.getUUIDversion4());
+        return refreshLock(UUIDGenerator.getUUIDversion4(), timeout);
     }
 
     @Override
-    public LockResult refreshLock(String token) throws NotAuthorizedException, PreConditionFailedException {
+    public LockResult refreshLock(String token, LockTimeout timeout) throws NotAuthorizedException, PreConditionFailedException {
 
         if (LOG.isDebugEnabled()) {
             LOG.debug("'{}' token='{}'", resourceXmldbUri, token);
@@ -315,7 +322,8 @@ public LockToken getCurrentLock() {
      * MovableResource
      * =============== */
     @Override
-    public void moveTo(CollectionResource rDest, String newName) throws ConflictException {
+    public void moveTo(CollectionResource rDest, String newName) throws ConflictException, NotAuthorizedException, BadRequestException {
+        ensureAuthenticated();
 
         if (LOG.isDebugEnabled()) {
             LOG.debug("Move '{}' to '{}' in '{}'", resourceXmldbUri, newName, rDest.getName());
@@ -335,7 +343,8 @@ public void moveTo(CollectionResource rDest, String newName) throws ConflictExce
      * ================ */
 
     @Override
-    public void copyTo(CollectionResource toCollection, String newName) {
+    public void copyTo(CollectionResource toCollection, String newName) throws NotAuthorizedException, BadRequestException, ConflictException {
+        ensureAuthenticated();
 
         if (LOG.isDebugEnabled()) {
             LOG.debug("Move '{}' to '{}' in '{}'", resourceXmldbUri, newName, toCollection.getName());
@@ -357,7 +366,7 @@ public void copyTo(CollectionResource toCollection, String newName) {
 
     @Override
     public void sendContent(OutputStream out, Range range, Map<String, String> params,
-                            String contentType) throws IOException, NotAuthorizedException, BadRequestException {
+                            String contentType) throws IOException, NotAuthorizedException, BadRequestException, NotFoundException {
 
         try {
             XMLOutputFactory xf = XMLOutputFactory.newInstance();

extensions/webdav/src/main/java/org/exist/webdav/MiltonDocument.java

@@ -21,10 +21,23 @@
  */
 package org.exist.webdav;
 
-import com.bradmcevoy.http.*;
-import com.bradmcevoy.http.exceptions.*;
-import com.bradmcevoy.http.webdav.DefaultUserAgentHelper;
-import com.bradmcevoy.http.webdav.UserAgentHelper;
+import io.milton.http.Auth;
+import io.milton.http.LockInfo;
+import io.milton.http.LockResult;
+import io.milton.http.LockTimeout;
+import io.milton.http.LockToken;
+import io.milton.http.HttpManager;
+import io.milton.http.Range;
+import io.milton.http.exceptions.*;
+import io.milton.http.webdav.DefaultUserAgentHelper;
+import io.milton.http.webdav.UserAgentHelper;
+import io.milton.resource.CollectionResource;
+import io.milton.resource.CopyableResource;
+import io.milton.resource.DeletableResource;
+import io.milton.resource.GetableResource;
+import io.milton.resource.LockableResource;
+import io.milton.resource.MoveableResource;
+import io.milton.resource.PropFindableResource;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.io.output.CountingOutputStream;
 import org.apache.commons.io.output.NullOutputStream;
@@ -184,7 +197,7 @@ public void setIsPropFind(boolean isPropFind) {
 
     @Override
     public void sendContent(OutputStream out, Range range, Map<String, String> params, String contentType)
-            throws IOException, NotAuthorizedException {
+            throws IOException, NotAuthorizedException, BadRequestException, NotFoundException {
         try {
             if (LOG.isDebugEnabled()) {
                 LOG.debug("Serializing from database");
@@ -263,7 +276,7 @@ public Long getContentLength() {
         Long size = null;
 
         // MacOsX has a bad reputation
-        boolean isMacFinder = userAgentHelper.isMacFinder(HttpManager.request().getUserAgentHeader());
+        boolean isMacFinder = userAgentHelper.isMacFinder(HttpManager.request());
 
         if (existDocument.isXmlDocument()) {
             // XML document, exact size is not (directly) known)
@@ -326,6 +339,7 @@ public Date getCreateDate() {
 
     @Override
     public void delete() throws NotAuthorizedException, ConflictException, BadRequestException {
+        ensureAuthenticated();
         existDocument.delete();
     }
 
@@ -374,7 +388,7 @@ public LockResult lock(LockTimeout timeout, LockInfo lockInfo)
      * ================ */
 
     @Override
-    public LockResult refreshLock(String token) throws NotAuthorizedException, PreConditionFailedException {
+    public LockResult refreshLock(String token, LockTimeout timeout) throws NotAuthorizedException, PreConditionFailedException {
 
         if (LOG.isDebugEnabled()) {
             LOG.debug("Refresh: {} token={}", resourceXmldbUri, token);
@@ -447,7 +461,8 @@ public LockToken getCurrentLock() {
     }
 
     @Override
-    public void moveTo(CollectionResource rDest, String newName) throws ConflictException {
+    public void moveTo(CollectionResource rDest, String newName) throws ConflictException, NotAuthorizedException, BadRequestException {
+        ensureAuthenticated();
 
         if (LOG.isDebugEnabled()) {
             LOG.debug("moveTo: {} newName={}", resourceXmldbUri, newName);
@@ -468,7 +483,8 @@ public void moveTo(CollectionResource rDest, String newName) throws ConflictExce
      * ================ */
 
     @Override
-    public void copyTo(CollectionResource rDest, String newName) {
+    public void copyTo(CollectionResource rDest, String newName) throws NotAuthorizedException, BadRequestException, ConflictException {
+        ensureAuthenticated();
 
         if (LOG.isDebugEnabled()) {
             LOG.debug("copyTo: {} newName={}", resourceXmldbUri, newName);

extensions/webdav/src/main/java/org/exist/webdav/MiltonResource.java

@@ -21,8 +21,15 @@
  */
 package org.exist.webdav;
 
-import com.bradmcevoy.http.*;
-import com.bradmcevoy.http.Request.Method;
+import io.milton.http.Auth;
+import io.milton.http.LockInfo;
+import io.milton.http.LockTimeout;
+import io.milton.http.LockToken;
+import io.milton.http.Request;
+import io.milton.http.Request.Method;
+import io.milton.http.exceptions.BadRequestException;
+import io.milton.http.exceptions.NotAuthorizedException;
+import io.milton.resource.Resource;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.exist.security.Subject;
@@ -253,6 +260,30 @@ protected String decodePath(String uri) {
         return path;
     }
 
+    /**
+     * Ensure the authenticated subject is available for write operations.
+     * In Milton 4.x, handlers may call resource methods on newly-created
+     * resource objects that haven't gone through authenticate(). This method
+     * pulls credentials from the current request's auth context as a fallback.
+     */
+    protected void ensureAuthenticated() {
+        if (subject == null) {
+            final io.milton.http.Request req = io.milton.http.HttpManager.request();
+            if (req != null && req.getAuthorization() != null) {
+                final String authUser = req.getAuthorization().getUser();
+                final String authPwd = req.getAuthorization().getPassword();
+                if (authUser != null) {
+                    subject = existResource.authenticate(authUser, authPwd);
+                    if (subject != null) {
+                        existResource.setUser(subject);
+                        existResource.isInitialized = false;
+                        existResource.initMetadata();
+                    }
+                }
+            }
+        }
+    }
+
     /* ========
      * Resource
      * ======== */
@@ -295,6 +326,9 @@ public Object authenticate(String username, String password) {
             return null;
         }
 
+        // Propagate subject to the underlying eXist resource
+        existResource.setUser(subject);
+
         // Guest is not allowed to access.
         Subject guest = brokerPool.getSecurityManager().getGuestSubject();
         if (guest.equals(subject)) {
@@ -314,6 +348,7 @@ public Object authenticate(String username, String password) {
 
     @Override
     public boolean authorise(Request request, Method method, Auth auth) {
+        ensureAuthenticated();
 
         LOG.info("{} {} (write={})", method.toString(), resourceXmldbUri, method.isWrite);
 
@@ -405,7 +440,7 @@ public Date getModifiedDate() {
     }
 
     @Override
-    public String checkRedirect(Request request) {
+    public String checkRedirect(Request request) throws NotAuthorizedException, BadRequestException {
         return null;
     }
 }

extensions/webdav/src/main/java/org/exist/webdav/MiltonWebDAVServlet.java

@@ -21,30 +21,40 @@
  */
 package org.exist.webdav;
 
-import com.bradmcevoy.http.MiltonServlet;
-import com.bradmcevoy.http.http11.DefaultHttp11ResponseHandler;
+import io.milton.http.http11.DefaultHttp11ResponseHandler;
+import io.milton.servlet.MiltonServlet;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
 import jakarta.servlet.ServletConfig;
 import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Properties;
 
 /**
- * Wrapper around the MiltonServlet for post-configuring the framework.
+ * HttpServlet wrapper around Milton's MiltonServlet.
+ *
+ * Jetty 12 EE10 requires HttpServlet for proper servlet lifecycle management.
+ * Milton 4.x's MiltonServlet implements Servlet directly (not HttpServlet),
+ * so we use composition to delegate to it.
  *
  * @author Dannes Wessels
  */
-public class MiltonWebDAVServlet extends MiltonServlet {
+public class MiltonWebDAVServlet extends HttpServlet {
 
     protected final static Logger LOG = LogManager.getLogger(MiltonWebDAVServlet.class);
 
-    public static String POM_PROP = "/META-INF/maven/com.ettrema/milton-api/pom.properties";
+    public static String POM_PROP = "/META-INF/maven/io.milton/milton-api/pom.properties";
+
+    private final MiltonServlet delegate = new MiltonServlet();
 
     @Override
     public void init(ServletConfig config) throws ServletException {
+        super.init(config);
 
         LOG.info("Initializing webdav servlet");
 
@@ -69,8 +79,8 @@ public void init(ServletConfig config) throws ServletException {
             LOG.info("Detected Milton WebDAV Server library version: {}", miltonVersion);
         }
 
-        // Initialize Milton
-        super.init(config);
+        // Initialize Milton delegate
+        delegate.init(config);
 
         // Retrieve parameters, set to FALSE if not existent
         String enableInitParameter = config.getInitParameter("enable.expect.continue");
@@ -81,9 +91,18 @@ public void init(ServletConfig config) throws ServletException {
         // Calculate effective value
         boolean enableExpectContinue = "TRUE".equalsIgnoreCase(enableInitParameter);
 
-        // Pass value to Milton
-        httpManager.setEnableExpectContinue(enableExpectContinue);
-
         LOG.debug("Set 'Enable Expect Continue' to {}", enableExpectContinue);
     }
+
+    @Override
+    protected void service(HttpServletRequest req, HttpServletResponse resp)
+            throws ServletException, IOException {
+        delegate.service(req, resp);
+    }
+
+    @Override
+    public void destroy() {
+        delegate.destroy();
+        super.destroy();
+    }
 }