[jcifs] Post problem/Removing the Authorization Header
Eric
eglass1 at comcast.net
Thu Feb 19 00:48:51 GMT 2004
pdo at kattare.com wrote:
> I have a filter that looks for a user session object, if it's null it
> performs an NTLM auth to determine the username of the user and then
> creates a user object based on that username. So I only need to auth
> once per session.
>
> Now my problem is that after the initial auth the Authorization: NTLM
> Header remains in the request, which breaks POSTs. So my question is
> after I have performed that initial auth and retrieved the username how
> do I completely clear the Authorization header ?
>
If I understand correctly, you're referring to the fact that once NTLM
auth has been negotiated to a site, the client will proactively attempt
NTLM authentication on subsequent POSTs (even after a broken connection,
and even if the server doesn't ask).
The only way (that I know of) to prevent this is to send a 401 or 403
status to the client; this effectively "tricks" the client into thinking
that the credentials are no longer valid. The simplest way would be
(once you have authenticated the user initially) to do:
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
in the subsequent "normal" .jsp page or servlet. After the client
receives such a page status, it will no longer attempt to
reauthenticate with POST submissions.
Eric
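The filter flow described in this thread (authenticate once per session, then answer one later "normal" page with a 401 status so the browser stops preemptively sending NTLM on POSTs), as an added example that is neither code from the original thread nor part of jcifs. It assumes the jcifs 1.x `NtlmSsp.authenticate(req, resp, challenge)` / `SmbSession.getChallenge(...)` API and a hypothetical `domainController` filter init-parameter; the session attribute names are also made up here.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import jcifs.UniAddress;
import jcifs.http.NtlmSsp;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbSession;

/**
 * Example filter (not from jcifs): NTLM-authenticate once per session, remember
 * the user name, then, on the first ordinary request after that, serve the page
 * with a 401 status (and no WWW-Authenticate header) so the client drops its
 * cached NTLM credentials and no longer re-sends "Authorization: NTLM ..." on
 * every subsequent POST.
 */
public class OnceOnlyNtlmFilter implements Filter {

    // Hypothetical session attribute names chosen for this example.
    private static final String USER_ATTR = "example.ntlm.user";
    private static final String RESET_SENT_ATTR = "example.ntlm.resetSent";

    // Hypothetical init-param holding the domain controller to get the challenge from.
    private String domainController;

    public void init(FilterConfig cfg) throws ServletException {
        domainController = cfg.getInitParameter("domainController");
        if (domainController == null) {
            throw new ServletException("init-param 'domainController' is required");
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession();

        String user = (String) session.getAttribute(USER_ATTR);
        if (user == null) {
            // First request of the session: run the Type1/Type2/Type3 exchange via jcifs.
            byte[] challenge = SmbSession.getChallenge(UniAddress.getByName(domainController));
            NtlmPasswordAuthentication ntlm = NtlmSsp.authenticate(req, resp, challenge);
            if (ntlm == null) {
                // jcifs has written the 401 + Type 2 challenge; wait for the Type 3 message.
                return;
            }
            session.setAttribute(USER_ATTR, ntlm.getUsername());
            chain.doFilter(req, resp);
            return;
        }

        // Already authenticated: any leftover Authorization header is simply ignored.
        // Once, on the first ordinary page after the handshake, answer with 401 so the
        // client believes the credentials are no longer valid (the trick from the post).
        // A GET is the safe place to do this; the page body is still produced by the chain.
        if (session.getAttribute(RESET_SENT_ATTR) == null && "GET".equals(req.getMethod())) {
            session.setAttribute(RESET_SENT_ATTR, Boolean.TRUE);
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
        chain.doFilter(req, resp);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Map the filter in web.xml over the URL patterns that need a user name, with an init-param `domainController` naming the DC. Note that the 401 is deliberately sent without a `WWW-Authenticate` header: adding one would restart the handshake instead of ending it, and the page that carries the 401 should be a GET whose content does not depend on a request body.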