Question

I configured Apache Jackrabbit 2.6.3 to use WebDAV in an anonymous mode (empty credentials are mapped to anonymous:anonymous).

If I click on a direct link to some file (e.g. JPG or DOC), an HTTP 403 error is thrown by the GlassFish server. If I press F5, the 403 is still there.

BUT if I simply press Enter in the address bar of my browser on the same URL, everything is OK, and the resource is accessible.

I think that the only difference is the referrer in the HTTP header.
I searched for any information about a similar problem, but I couldn't find anything.

Does anybody have some idea how to force WebDAV (or Jackrabbit) to serve files in the anonymous mode despite the referrer or any other reason?

Solution

I found a solution.
In the web.xml file, in the WebDAV section, the following part must be uncommented:

<init-param>
    <param-name>csrf-protection</param-name>
    <param-value>disabled</param-value>
</init-param>

With disabled as param-value.

As the description says:

Defines the behaviour of the referrer based CSRF protection
1) If omitted or left empty the (default) behaviour is to allow only requests with
an empty referrer header or a referrer host equal to the server host
2) May also contain a comma separated list of additional allowed referrer hosts
3) If set to 'disabled' no referrer checking will be performed at all
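
The three behaviours in the description quoted above, modelled as an added example (this is not Jackrabbit's code and not part of the original answer). It assumes the link sits on a page served from a different host than the WebDAV servlet; the host names, the rejection of a malformed Referer and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

SERVER_HOST = "dav.example.test"   # constructed: host serving the WebDAV servlet

# Constructed requests: (label, Referer header value or None)
CASES = [
    ("typed-url", None),           # Enter in the address bar sends no Referer
    ("same-host-link", "http://dav.example.test/index.html"),
    ("other-host-link", "http://portal.example.test/docs.html"),
]


def referrer_allowed(param_value, server_host, referer):
    """Apply the three documented csrf-protection behaviours to one request."""
    value = (param_value or "").strip()
    if value.lower() == "disabled":
        return True                      # 3) no referrer checking at all
    if not referer:
        return True                      # 1) an empty referrer is allowed
    allowed = {server_host.lower()}      # 1) the server's own host
    # 2) comma separated list of additional allowed referrer hosts
    allowed.update(h.strip().lower() for h in value.split(",") if h.strip())
    try:
        host = urlsplit(referer).hostname
    except ValueError:                   # assumption: malformed Referer is rejected
        return False
    return host is not None and host in allowed


def evaluate(param_value):
    """Return the HTTP status each constructed request would receive."""
    return {
        label: 200 if referrer_allowed(param_value, SERVER_HOST, ref) else 403
        for label, ref in CASES
    }


if __name__ == "__main__":
    for setting in (None, "portal.example.test", "disabled"):
        print(repr(setting), evaluate(setting))
```

Listing the linking host as the param-value clears the 403 for that host while a referrer from any unlisted host is still rejected; 'disabled' accepts every referrer.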

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow