On 24/05/2023 08:03, Кирилл Бубович wrote:
We use the WebDAV servlet <https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/servlets/WebdavServlet.java> to enable editing docx documents. We also use the ms-word:ofe|u|https://www.example.com/document.docx scheme in our application to be able to edit documents. The Office URI Scheme documentation <https://learn.microsoft.com/en-us/office/client-developer/office-uri-schemes> contains a "Security Considerations" section for all schemes. These sections describe the need to guard against opening documents from untrusted remote systems.

We have tried enabling basic AUTH to secure documents, which is probably not the best approach since credentials will constantly be moving over the network, but this is just for testing to understand how it works. When we try to open a protected document in Word, we see a form asking for credentials.

However, the entered credentials do not affect the application request, and the request still does not contain an authorization header.

How do we properly implement document protection, and how do we make it so that the Word client can log in in the appropriate way? Thanks in advance for your help!

The Microsoft WebDAV implementations have a history of non-specification compliant behaviour. So much so that Tomcat has this:

https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/filters/WebdavFixFilter.java

It has been a long time (many years) since I last looked at that code so my hope was that things had improved.

It is possible that you are seeing a Tomcat bug but, given past experience, we are only going to be able to investigate this and produce useful answers for you if we can test with *exactly* the same versions that you are using.

With that in mind, please provide exact version numbers for the following:

- Tomcat version used
- OS Tomcat is running on
- Java version Tomcat is running on

- Word version client is using
- OS client is running on

- port client is using to connect to WebDAV
- is TLS being used?
- context path WebDAV is deployed to

Ideally, it would be helpful if you could provide a full URI for a resource you are trying to access via WebDAV.

Thanks,

Mark
