[jcifs] NTLM HTTP authentication failure forward vs. Network LogonDialog?

Eric Glass eric.glass at gmail.com
Wed Aug 11 20:01:36 GMT 2004


> 
> > Not sure if you want to include this, but I added
> > support for forwards to a guest URL when unable to
> > transparently authenticate using NtlmHttpFilter.
> 
> I suppose. But what I'd rather see is a way to present the user with a
> custom logon page (possibly with a guest option) when the credentials
> fail. I guess it would have to do Basic authentication though in which
> case the page would need to be protected by SSL.
> 

Note that sending a redirect will screw up POSTs to any non-NTLM pages
on the same server.  Unless the Type 3 request receives a 401 HTTP
status (Unauthorized) in the response, it will assume NTLM
authentication was successful.  The browser will preemptively initiate
an NTLM handshake before subsequently POSTing to that server.  So if
the target of the POST doesn't complete the handshake, it will get an
empty POST body.

You might be better off doing:

    resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    resp.setHeader("Refresh", "0;URL=" + guestRedirectURL);
    return;

This will signal to the client that the NTLM handshake did not
succeed; it will then refresh them to the "manual login" target.  Or,
better still, just change lines ~146 in the filter from:

    resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    resp.flushBuffer();
    return;

to:

    resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    return;

Then, define an error page in web.xml:

    <error-page>
        <error-code>401</error-code>
        <location>/loginform.jsp</location>
    </error-page>

If the initial authentication fails, they will be presented with
/loginform.jsp rather than being rechallenged.  If you remove the
error-page definition, you should get the default behavior.


Eric

