Hello, > -----Ursprüngliche Nachricht----- > Von: Mark Thomas <ma...@apache.org> > Gesendet: Mittwoch, 24. Mai 2023 13:18 > An: users@tomcat.apache.org > Betreff: Re: WebdavServlet protected resources cannot be opened in Word > > On 24/05/2023 08:03, Кирилл Бубович wrote: > > We use webdav servlet > > > <https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/s > ervlets/WebdavServlet.java> to enable editing docx documents. We also use > the |ms-word:ofe|u|https://www.example.com/document.docx > <https://www.example.com/document.docx>| scheme in our application to > be able to edit documents. The Office URI Scheme documentation > <https://learn.microsoft.com/en-us/office/client-developer/office-uri- > schemes> contains a "Security Considerations" section for all schemes. These > sections describe the need to guard against opening documents from > untrusted remote systems. > > > > We have tried enabling basic AUTH to secure documents, which is > > probably not the best approach since credentials will constantly be > > moving over the network, but this is just for testing to understand how it > works. > > When we try to open a protected document in Word, we see a form asking > > for credentials. > > > > image.png > > > > However, the entered credentials do not affect the application > > request, and the request still does not contain an authorization header. > > > > How to properly implement document protection and how to make it so > > that Word client can log in in the appropriate way? Thanks in advance > > for your help! > > The Microsoft WebDAV implementations have a history of non-specification > compliant behaviour. So much so that Tomcat has this: > > https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/filt > ers/WebdavFixFilter.java > > It has been a long time (many years) since I last looked at that code so my > hope was that things had improved. > > It is possible that you are seeing a Tomcat bug but, given past experience, we > are only going to be able investigate this and produce useful answers for you > if we can test with *exactly* the same versions that you are using. > > With that in mind, please provide exact version numbers for the following: > > - Tomcat version used > - OS Tomcat is running on > - Java version Tomcat is running on > > - Word version client is using > - OS client is running on > > - port client is using to connect to WebDAV > - is TLS being used? > - context path WebDAV is deployed to > > Ideally, it would be helpful if you could provide a full URI for a resource > you > are trying to access via WebDAV. > > Thanks, > > Mark >
We are using MS Office with Tomcat WebDav-Servlet without problems. Configuration: - Port 80 / 443 (80 redirects to 443) - Kerberos Auth / SSO - Tomcat 10.1 running on Ubuntu 22.04 LTS (Tomcat 9 and 10 also worked in the past) - Browser: Chrome + Firefox latest version - used URL: ms-word:ofe|u|https://domain/webdav/attachment/test.docx The readonly parameter doesn’t work as described by MS, therefore we prevented writing via web.xml <init-param> <param-name>readonly</param-name> <param-value>true</param-value> </init-param> Good luck! Thomas
