extend for WebCAL sharing example

Sharing-Collections.md

@@ -2,14 +2,16 @@
 
 "radicale" is a lightwide CalDAV/CardDAV server and supporting sharing of collections only on server side with static configuration.
 
-## Prepraration
+## Sharing Collections with other configured users
+
+### Preparations
 
 * create a directory aside `collection-root` (which is the base directory of "radicale" to lookup user folders) like e.g. `collection-shared`
 * create a sub-directory structure with collections or group->collections
 * softlink required collection directory into user's directory
 * in case of read-only permissions are required for shared calendar, extend `rights` file matching particular collection and user
 
-## Example for a storage layout incl. shared calendar/addressbook
+### Example for a storage layout incl. shared calendar/addressbook
 
 Note: `*/.Radicale*` files/directories are not shown here
 
@@ -72,3 +74,105 @@ user: USER2
 collection: {user}/sharedaddressbook2(/.+)?
 permissions: r
 ```
+
+## Sharing a collections read-only to public as WebCAL
+
+**ATTENTION: This is a simple and potentially insecure example**
+
+### Requirements
+
+* A reverse proxy in front of "radicale" is mandatory, because "radicale" itself is not supporting mix of authenticated and unauthenticated users.
+
+### Preparations
+
+* create/assign a directory structure (see below)
+* create users ADMIN1 and ANON1 with secret passwords
+* extend the `rights` file to limit the user ANON1 only to GET requests ("i")
+
+```
+[anon]
+user: ANON1
+collection: {user}(/.*)?
+permissions: i
+```
+
+* extend the reverse proxy configuration by a redirect and enriching the request with credentials of user ANON1 by conditionally adding the authorization header to the request.
+
+```
+        ## Shortcut RUL
+        RewriteRule "/publicevents1.ics" /radicale/ANON1/publicevents1/ [R,L]
+
+        ## Conditional enrich request with credentials
+        # "Basic <base64 encodede USER:PASS>" example generated with 'echo -n "ANON1:ANON1" | base64'
+        SetEnvIf Request_URI "^/radicale/ANON1/publicevents1/"  ANON
+        RequestHeader setifempty Authorization "Basic QU5PTjE6QU5PTjE=" env=ANON
+```
+
+### Example for a storage layout
+
+```
+[d] /var
+└─[d] /lib
+  └─[d] /radicale
+    └─[d] /collections
+      ├─[d] /collection-shared
+      │ └─[d] /public
+      │   └─[d] /publicevents1 (Collection)
+      │     ├─[f] sharedschedule1.ics
+      │     ├─[f] ...
+      │     └─[f] sharedscheduleX.ics
+      │
+      └─[d] /collection-root
+        ├─[d] /ADMIN1
+        │ └─[l] publicevents1 -> ../../collection-shared/public/publicevents1 (rw, default)
+        │
+        └─[d] /ANON1
+          └─[l] publicevents1 -> ../../collection-shared/public/publicevents1 (ro, only GET allowed)
+```
+
+### Testing
+
+#### GET request to user-friendly URL shortcut
+
+```
+curl -v -s  http://localhost/publicevents1.ics
+...
+< Location: http://localhost/radicale/ANON1/publicevents1/
+...
+```
+
+#### GET request to redirected URL
+
+```
+curl -s  http://localhost/radicale/ANON1/publicevents1/ | grep -E '(VEVENT|VCALENDAR)'
+BEGIN:VCALENDAR
+BEGIN:VEVENT
+END:VEVENT
+BEGIN:VEVENT
+END:VEVENT
+END:VCALENDAR
+```
+
+#### PROPFIND request to URL
+
+(expected forbidden)
+
+```
+curl --request PROPFIND  http://localhost/radicale/ANON1/publicevents1/ 
+Access to the requested resource forbidden.
+```
+#### PUT request to URL
+
+(expected forbidden)
+
+```
+curl --data-binary @test.ics --request PUT http://localhost/radicale/ANON1/publicevents1/test.ics
+Access to the requested resource forbidden.
+```
+
+### Publishing
+
+URL for publishing e.g. via WebCAL in case client is supporting redirect response:
+
+* yes: `https://FQDN/publicevents1.ics`
+* no: `https://FQDN/radicale/ANON1/publicevents1.ics`