On 24/05/2023 08:03, Кирилл Бубович wrote:
We use the WebDAV servlet
<https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/servlets/WebdavServlet.java> to enable editing docx documents. We also use the ms-word:ofe|u|https://www.example.com/document.docx scheme in our application to be able to edit documents. The Office URI Scheme documentation <https://learn.microsoft.com/en-us/office/client-developer/office-uri-schemes> contains a "Security Considerations" section for all schemes. These sections describe the need to guard against opening documents from untrusted remote systems.
We have tried enabling basic AUTH to secure documents, which is probably
not the best approach since credentials will constantly be moving over
the network, but this is just for testing to understand how it works.
When we try to open a protected document in Word, we see a form asking
for credentials.
However, the entered credentials do not affect the application request,
and the request still does not contain an authorization header.
How do we properly implement document protection, and how can we make it
so that the Word client can log in in the appropriate way? Thanks in
advance for your help!
The Microsoft WebDAV implementations have a history of non-specification
compliant behaviour. So much so that Tomcat has this:
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/filters/WebdavFixFilter.java
It has been a long time (many years) since I last looked at that code so
my hope was that things had improved.
It is possible that you are seeing a Tomcat bug but, given past
experience, we are only going to be able to investigate this and produce
useful answers for you if we can test with *exactly* the same versions
that you are using.
With that in mind, please provide exact version numbers for the following:
- Tomcat version used
- OS Tomcat is running on
- Java version Tomcat is running on
- Word version client is using
- OS client is running on
- port client is using to connect to WebDAV
- is TLS being used?
- context path WebDAV is deployed to
Ideally, it would be helpful if you could provide a full URI for a
resource you are trying to access via WebDAV.
Thanks,
Mark
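
The setup described in the question (Tomcat's WebdavServlet behind BASIC authentication), as an added web.xml fragment that is not configuration from this thread or from the Tomcat project. Because BASIC sends the password with every request, the constraint also requires TLS. The /* mapping, the role name webdav-editor and the realm name are assumptions.

```xml
<!-- Added example: WEB-INF/web.xml fragment for a context that serves
     documents over WebDAV. Mapping, role and realm names are assumptions. -->
<servlet>
  <servlet-name>webdav</servlet-name>
  <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
  <init-param>
    <!-- readonly defaults to true; false permits PUT, LOCK, DELETE etc. -->
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>
<servlet-mapping>
  <servlet-name>webdav</servlet-name>
  <url-pattern>/*</url-pattern>
</servlet-mapping>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>WebDAV documents</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- No http-method elements, so every method (GET, PUT, PROPFIND,
         LOCK, ...) is covered rather than only the ones listed. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>webdav-editor</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Requests arriving over plain HTTP are redirected to the TLS
         connector, so BASIC credentials are not accepted in the clear. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>WebDAV</realm-name>
</login-config>

<security-role>
  <role-name>webdav-editor</role-name>
</security-role>
```

The role must exist in whichever Realm the context uses, and the CONFIDENTIAL redirect relies on the HTTP connector's redirectPort pointing at a configured TLS connector.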