Hi Mark and Thomas,

Thank you for your help! Our configuration is the following:

- Tomcat 9.0.74
- We run the application in a Docker container based on adoptopenjdk/openjdk11:jdk-11.0.18_10-alpine <https://hub.docker.com/layers/adoptopenjdk/openjdk11/jdk-11.0.18_10-alpine/images/sha256-ef17c3da214e8bf52d2c9f7ece7d0c37c882198d3cb3271f579a1525ef5da124?context=explore>
- AdoptOpenJDK 11.0.18+10
- Version 2108 (Build 14332.20503)
- Windows 11 Pro 22H2
- 80
- used URL: ms-word:ofe|u|https://domain/exposed/attachment/test.docx

I tried adding a header WWW-Authenticate: Kerberos and Word suddenly started sending a filled Authorization header. For Basic and Digest authorization, it sent an empty Authorization header, regardless of the entered credentials. I will try to set up Kerberos authorization. Perhaps Word stopped supporting Basic and Digest some time ago.

Thanks again for your answers!

Wed, 24 May 2023 at 14:59, Thomas Hoffmann (Speed4Trade GmbH) <thomas.hoffm...@speed4trade.com.invalid>:

> Hello,
>
> > -----Original Message-----
> > From: Mark Thomas <ma...@apache.org>
> > Sent: Wednesday, 24 May 2023 13:18
> > To: users@tomcat.apache.org
> > Subject: Re: WebdavServlet protected resources cannot be opened in Word
> >
> > On 24/05/2023 08:03, Кирилл Бубович wrote:
> > > We use webdav servlet
> > > <https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/servlets/WebdavServlet.java>
> > > to enable editing docx documents. We also use the
> > > |ms-word:ofe|u|https://www.example.com/document.docx <https://www.example.com/document.docx>|
> > > scheme in our application to be able to edit documents. The Office URI Scheme documentation
> > > <https://learn.microsoft.com/en-us/office/client-developer/office-uri-schemes>
> > > contains a "Security Considerations" section for all schemes. These sections describe the need to guard against opening documents from untrusted remote systems.
> > >
> > > We have tried enabling basic AUTH to secure documents, which is probably not the best approach since credentials will constantly be moving over the network, but this is just for testing to understand how it works.
> > > When we try to open a protected document in Word, we see a form asking for credentials.
> > >
> > > image.png
> > >
> > > However, the entered credentials do not affect the application request, and the request still does not contain an authorization header.
> > >
> > > How to properly implement document protection and how to make it so that Word client can log in in the appropriate way? Thanks in advance for your help!
> >
> > The Microsoft WebDAV implementations have a history of non-specification compliant behaviour. So much so that Tomcat has this:
> >
> > https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/filters/WebdavFixFilter.java
> >
> > It has been a long time (many years) since I last looked at that code so my hope was that things had improved.
> >
> > It is possible that you are seeing a Tomcat bug but, given past experience, we are only going to be able to investigate this and produce useful answers for you if we can test with *exactly* the same versions that you are using.
> >
> > With that in mind, please provide exact version numbers for the following:
> >
> > - Tomcat version used
> > - OS Tomcat is running on
> > - Java version Tomcat is running on
> >
> > - Word version client is using
> > - OS client is running on
> >
> > - port client is using to connect to WebDAV
> > - is TLS being used?
> > - context path WebDAV is deployed to
> >
> > Ideally, it would be helpful if you could provide a full URI for a resource you are trying to access via WebDAV.
> >
> > Thanks,
> >
> > Mark
> >
>
> We are using MS Office with Tomcat WebDav-Servlet without problems.
>
> Configuration:
> - Port 80 / 443 (80 redirects to 443)
> - Kerberos Auth / SSO
> - Tomcat 10.1 running on Ubuntu 22.04 LTS (Tomcat 9 and 10 also worked in the past)
> - Browser: Chrome + Firefox latest version
> - used URL: ms-word:ofe|u|https://domain/webdav/attachment/test.docx
>
> The readonly parameter doesn’t work as described by MS, therefore we prevented writing via web.xml
> <init-param>
>   <param-name>readonly</param-name>
>   <param-value>true</param-value>
> </init-param>
>
> Good luck!
> Thomas
>
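
A diagnostic for the behaviour reported in this thread, added here as an example (it is not code from the posters or from Tomcat): it classifies the Authorization header values a WebDAV client sends, separating an empty header from usable Basic, Digest or Negotiate credentials. The function name, verdict labels and sample headers are constructed for illustration, and the NTLM-versus-SPNEGO check goes beyond what the thread itself discusses.

```python
import base64
import binascii

def classify_authorization(value):
    """Return (scheme, verdict) for one Authorization header value (None = absent)."""
    if value is None:
        return (None, "missing")
    scheme, _, rest = value.strip().partition(" ")
    scheme, rest = scheme.lower(), rest.strip()
    if not rest:
        return (scheme or None, "empty")   # blank header, or scheme without credentials
    if scheme == "basic":
        try:
            decoded = base64.b64decode(rest, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return (scheme, "malformed")
        user, sep, _password = decoded.partition(":")   # never log the password
        return (scheme, "credentials" if sep and user else "empty")
    if scheme == "digest":
        # A usable Digest answer carries at least username= and response=.
        names = {p.split("=", 1)[0].strip().lower() for p in rest.split(",") if "=" in p}
        return (scheme, "credentials" if {"username", "response"} <= names else "malformed")
    if scheme == "negotiate":
        try:
            token = base64.b64decode(rest, validate=True)
        except binascii.Error:
            return (scheme, "malformed")
        if token.startswith(b"NTLMSSP\x00"):
            return (scheme, "ntlm")        # NTLM fallback instead of a Kerberos ticket
        # GSS-API/SPNEGO initial tokens start with ASN.1 tag 0x60.
        return (scheme, "spnego" if token[:1] == b"\x60" else "malformed")
    return (scheme, "other")

# Constructed sample headers (not captured from the thread).
SAMPLES = [
    None,
    "Basic",
    "Basic " + base64.b64encode(b":").decode(),
    "Basic " + base64.b64encode(b"alice:s3cret").decode(),
    'Digest username="alice", realm="dav", nonce="n", uri="/a.docx", response="0f"',
    "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
    "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00").decode(),
]

def report(samples=SAMPLES):
    return [classify_authorization(s) for s in samples]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, report()):
        print(result, "<-", None if sample is None else sample.split(" ")[0])
```

An "empty" verdict for Basic or Digest matches the symptom described in the top message; an "ntlm" verdict under Negotiate means the client did not obtain a Kerberos ticket for the service.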