I will also try to apply WebdavFixFilter

Thu, 25 May 2023 at 10:27, Кирилл Бубович <kiryl.bubov...@gmail.com>:

> Hi Mark and Thomas,
>
> Thank you for your help! Our configuration is the following:
>
> - Tomcat 9.0.74
> - We run the application in a Docker container based on
>   adoptopenjdk/openjdk11:jdk-11.0.18_10-alpine
>   <https://hub.docker.com/layers/adoptopenjdk/openjdk11/jdk-11.0.18_10-alpine/images/sha256-ef17c3da214e8bf52d2c9f7ece7d0c37c882198d3cb3271f579a1525ef5da124?context=explore>
> - AdoptOpenJDK 11.0.18+10
>
> - Version 2108 (Build 14332.20503)
> - Windows 11 Pro 22H2
>
> - 80
> - used URL: ms-word:ofe|u|https://domain/exposed/attachment/test.docx
>
> I tried adding a header WWW-Authenticate: Kerberos and Word suddenly
> started sending a filled Authorization header. For Basic and Digest
> authorization, it sent an empty Authorization header, regardless of the
> entered credentials. I will try to set up Kerberos authorization. Perhaps
> Word has stopped supporting Basic and Digest since some time.
>
> Thanks again for your answers!
>
>
> Wed, 24 May 2023 at 14:59, Thomas Hoffmann (Speed4Trade GmbH)
> <thomas.hoffm...@speed4trade.com.invalid>:
>
>> Hello,
>>
>> > -----Original Message-----
>> > From: Mark Thomas <ma...@apache.org>
>> > Sent: Wednesday, 24 May 2023 13:18
>> > To: users@tomcat.apache.org
>> > Subject: Re: WebdavServlet protected resources cannot be opened in Word
>> >
>> > On 24/05/2023 08:03, Кирилл Бубович wrote:
>> > > We use webdav servlet
>> > > <https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/servlets/WebdavServlet.java>
>> > > to enable editing docx documents. We also use the
>> > > |ms-word:ofe|u|https://www.example.com/document.docx
>> > > <https://www.example.com/document.docx>| scheme in our application to
>> > > be able to edit documents. The Office URI Scheme documentation
>> > > <https://learn.microsoft.com/en-us/office/client-developer/office-uri-schemes>
>> > > contains a "Security Considerations" section for all schemes. These
>> > > sections describe the need to guard against opening documents from
>> > > untrusted remote systems.
>> > >
>> > > We have tried enabling basic AUTH to secure documents, which is
>> > > probably not the best approach since credentials will constantly be
>> > > moving over the network, but this is just for testing to understand
>> > > how it works.
>> > > When we try to open a protected document in Word, we see a form asking
>> > > for credentials.
>> > >
>> > > image.png
>> > >
>> > > However, the entered credentials do not affect the application
>> > > request, and the request still does not contain an authorization
>> > > header.
>> > >
>> > > How to properly implement document protection and how to make it so
>> > > that Word client can log in in the appropriate way? Thanks in advance
>> > > for your help!
>> >
>> > The Microsoft WebDAV implementations have a history of non-specification
>> > compliant behaviour. So much so that Tomcat has this:
>> >
>> > https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/filters/WebdavFixFilter.java
>> >
>> > It has been a long time (many years) since I last looked at that code
>> > so my hope was that things had improved.
>> >
>> > It is possible that you are seeing a Tomcat bug but, given past
>> > experience, we are only going to be able to investigate this and produce
>> > useful answers for you if we can test with *exactly* the same versions
>> > that you are using.
>> >
>> > With that in mind, please provide exact version numbers for the
>> > following:
>> >
>> > - Tomcat version used
>> > - OS Tomcat is running on
>> > - Java version Tomcat is running on
>> >
>> > - Word version client is using
>> > - OS client is running on
>> >
>> > - port client is using to connect to WebDAV
>> > - is TLS being used?
>> > - context path WebDAV is deployed to
>> >
>> > Ideally, it would be helpful if you could provide a full URI for a
>> > resource you are trying to access via WebDAV.
>> >
>> > Thanks,
>> >
>> > Mark
>> >
>>
>> We are using MS Office with Tomcat WebDav-Servlet without problems.
>>
>> Configuration:
>> - Port 80 / 443 (80 redirects to 443)
>> - Kerberos Auth / SSO
>> - Tomcat 10.1 running on Ubuntu 22.04 LTS (Tomcat 9 and 10 also worked in
>>   the past)
>> - Browser: Chrome + Firefox latest version
>> - used URL: ms-word:ofe|u|https://domain/webdav/attachment/test.docx
>>
>> The readonly parameter doesn’t work as described by MS, therefore we
>> prevented writing via web.xml
>> <init-param>
>>     <param-name>readonly</param-name>
>>     <param-value>true</param-value>
>> </init-param>
>>
>> Good luck!
>> Thomas
>>
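
The settings discussed in this thread (read-only WebDAV, authentication that Word will answer, no credentials over plain port 80) combined into one `WEB-INF/web.xml` fragment. This is an added example, not configuration posted by anyone in the thread or taken from the Tomcat project. The `/webdav/*` mapping, the `editor` role and the use of Tomcat's built-in SPNEGO authenticator for Kerberos are assumptions.

```xml
<!-- Added example. Mapping, role name and SPNEGO choice are assumptions. -->
<servlet>
  <servlet-name>webdav</servlet-name>
  <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
  <!-- Enforce read-only on the server; do not rely on the client-side
       URI scheme to prevent writes. -->
  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>
<servlet-mapping>
  <servlet-name>webdav</servlet-name>
  <url-pattern>/webdav/*</url-pattern>
</servlet-mapping>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>WebDAV documents</web-resource-name>
    <url-pattern>/webdav/*</url-pattern>
    <!-- No http-method elements: the constraint then covers every method,
         including PROPFIND, LOCK and PUT. Listing only GET and POST would
         leave the WebDAV methods unauthenticated. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>editor</role-name>
  </auth-constraint>
  <!-- Redirect plain HTTP to the TLS connector so credentials and
       documents never cross the network in clear text. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- SPNEGO is Tomcat's auth-method for Kerberos. It also needs a keytab,
     krb5 and JAAS configuration on the server, not shown here. -->
<login-config>
  <auth-method>SPNEGO</auth-method>
</login-config>
<security-role>
  <role-name>editor</role-name>
</security-role>
```

To set `readonly` to `false` for editing, keep the security constraint unchanged so that write methods stay behind the same authentication and TLS requirement.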