
NTLM Auth 1

mingus (Programmer)
May 8, 2001
If I add the following two lines to do NTLM Authorization:

response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.setHeader("WWW-Authenticate", "NTLM");

Then form data passed in a form using POST is gone!
GETs still work, but the POSTs fail.

So how do I undo the response from above? I only need to do it when they first get to the site. Can I turn it off?

Using Java 4.0.3 and 4.1.2 (tested with both)
Tomcat 4.1.12 and 4.1.24 (testing with more)

Stuck! Help!

tim
 
Well, I can't speak definitively, but my understanding is that the NTLM handshake only uses GET.

-pete
 
Okay, but then how to turn off the NTLM handshake?

Once I set it, the browser wants to keep doing it for every page that follows.

Once I am done with the handshake, how do I get my hand back?
 
You mean you're sending back a 200 reply code and then what? I don't get it; even if the browser keeps sending an Authorization header, why do you care? Did you try to send back a 200 and the requested page?

-pete
 
Let me re-phrase.

If, when I am browsing around, I click on something that executes the code:

response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.setHeader("WWW-Authenticate", "NTLM");

Then I have a form with a post:
<form method="POST">... </form>

Then the request object has nothing.

The same form works before the setHeader call was run. And the form will work if it is GET. Since NTLM only does GETs, it would appear that once I set the response, all responses after that using NTLM bust all forms using the method of POST.

So the question is, how do I tell it to stop using NTLM, since I need forms with POST!?!

Here are the two simple JSP files which test this:

Before the response sets the header to use NTLM, "B.JSP" prints out the form values. After I set the response it no longer does. The request's parameter map size is 0.

A.JSP
-------
<form action="b.jsp" method="POST">
<input name="test_name" value="test_value">
<input type=submit>
</form>

B.JSP
------
<%@ page import="java.util.*" %>
<%
// Dump every request parameter (form field) to the server console.
Map requestMap = request.getParameterMap();
Iterator itx = requestMap.keySet().iterator();
while (itx.hasNext()) {
    String o = (String)itx.next();
    System.out.print("N: " + o);
    System.out.println(";V: " + request.getParameter(o));
}
%>
 
NTLM can authenticate both GETs and POSTs. The problem you are seeing is that once a client has authenticated to a particular server, it will force renegotiation before POSTing data. For a detailed explanation, see:


Basically, NTLM works as follows:

1) The client requests a protected resource.
2) The server sends a 401 with "WWW-Authenticate: NTLM".
3) The client resubmits the request, sending an NTLM Type-1 message in the Authorization header. From this point forward, the connection is kept alive.
4) The server replies with a Type-2 challenge in the header.
5) The client creates a Type-3 response and sends it in the Authorization header.
6) The server validates the response and sends the resource.

Once this process has completed, no further handshaking or authentication is performed over the connection. However, the client will FORCE a renegotiation before sending the POST data; basically:

1) Client sends an empty POST request with the Type-1 message.
2) Server replies with the Type-2 challenge.
3) Client responds with the Type-3 response, sending the POST data.

So on the server side, you must always send a 401 with a Type-2 challenge if the client sends a Type-1 message in the Authorization header.

I would recommend using the jCIFS servlet filter:


It transparently performs the NTLM authentication and handshaking.

Eric
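The server-side rule Eric describes, as an added Python example that is not code from this thread or from jCIFS: it reads the NTLMSSP message type from the Authorization header and walks the GET handshake followed by the POST renegotiation over one kept-alive connection. The message bytes are constructed (signature and type field only), and Type-3 validation is assumed to succeed since a real check needs the domain controller.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # every NTLMSSP message starts with this 8-byte signature

def ntlm_message_type(authorization):
    """Return 1, 2 or 3 for an 'Authorization: NTLM <base64>' header, else None."""
    parts = (authorization or "").split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "NTLM":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian uint32 at offset 8
    return msg_type if msg_type in (1, 2, 3) else None

def ntlm_next_step(authorization, body, connection_authenticated):
    """Decide the reply for one request; returns (status, action)."""
    msg_type = ntlm_message_type(authorization)
    if msg_type == 1:
        # A Type-1 is answered with a challenge even on an authenticated connection:
        # the browser renegotiates before a POST and its Type-1 POST has an empty
        # body, so this request must never be handed to the form handler.
        return (401, "send Type-2 challenge in WWW-Authenticate")
    if msg_type == 3:
        return (200, "validate Type-3, then serve with %d body bytes" % len(body))
    if connection_authenticated:
        return (200, "serve")
    return (401, "WWW-Authenticate: NTLM")

def fake_ntlm_header(msg_type):
    """Constructed header: signature plus type field only, no real NTLM payload."""
    raw = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type)
    return "NTLM " + base64.b64encode(raw).decode("ascii")

def simulate(requests):
    """Run (authorization, body) pairs over one connection; return the status list."""
    authenticated, statuses = False, []
    for authorization, body in requests:
        status, _ = ntlm_next_step(authorization, body, authenticated)
        if ntlm_message_type(authorization) == 3:
            authenticated = True  # constructed example: validation assumed to succeed
        statuses.append(status)
    return statuses
```

Feeding the thread's scenario through `simulate` (GET without auth, Type-1, Type-3, then the empty Type-1 POST and the Type-3 POST carrying `test_name=test_value`) shows the fourth request, the one whose parameter map was empty in B.JSP, is correctly answered with a 401 instead of being processed.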
 