[jcifs] NTLM HTTP authentication failure forward vs. Network LogonDialog?
Dave Trapp
dtrapp at yahoo.com
Wed Aug 11 22:23:00 GMT 2004
> > > Not sure if you want to include this, but I added
> > > support for forwards to a guest URL when unable to
> > > transparently authenticate using NtlmHttpFilter.
> >
> Note that sending a redirect will screw up POSTs to any non-NTLM pages
> on the same server. Unless the Type 3 request receives a 401 HTTP
> status (Unauthorized) in the response, it will assume NTLM
> authentication was successful. The browser will preemptively initiate
> an NTLM handshake before subsequently POSTing to that server. So if
> the target of the POST doesn't complete the handshake, it will get an
> empty POST body.
>
Ahh, this explains why I could only get my proposed
solution to work when forwarding to a different
server. Thanks.
> You might be better off doing:
>
>     resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
>     resp.setHeader("Refresh", "0;URL=" + guestRedirectURL);
>     return;
>
Good suggestion, I'll give this a try.
> This will signal to the client that the NTLM handshake did not
> succeed; it will then refresh them to the "manual login" target. Or,
> better still, just change lines ~146 in the filter from:
>
>     resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
>     resp.flushBuffer();
>     return;
>
> to:
>
>     resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
>     return;
>
> Then, define an error page in web.xml:
>
>     <error-page>
>         <error-code>401</error-code>
>         <location>/loginform.jsp</location>
>     </error-page>
>
> If the initial authentication fails, they will be presented with
> /loginform.jsp rather than being rechallenged. If you remove the
> error-page definition, you should get the default behavior.
>
Currently, our application is load balanced on three
servers and one is targeted for Form-based auth,
which as mentioned, really needs SSL active. Our
plans are to forward all guests to this server. In
any case, I'll look into this too.
>
> Eric
>
Thanks so much
Dave
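
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not jCIFS code: it reads the NTLM message type from an Authorization header and compares answering a failed Type 3 with a redirect against answering it with 401. The class and method names are hypothetical, the sample header is constructed (signature and type field only), and clientAssumesAuthenticated encodes the client behaviour as Eric describes it above.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration, not jCIFS code; class and method names are hypothetical.
public class NtlmFailureResponse {
    static final byte[] SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    // NTLM message type from an Authorization header (1 or 3 from a client); 0 if not NTLM.
    static int messageType(String authorization) {
        if (authorization == null || !authorization.startsWith("NTLM ")) return 0;
        byte[] msg;
        try {
            msg = Base64.getDecoder().decode(authorization.substring(5).trim());
        } catch (IllegalArgumentException e) {
            return 0; // malformed base64
        }
        if (msg.length < 12) return 0;
        for (int i = 0; i < SIG.length; i++) if (msg[i] != SIG[i]) return 0;
        // 32-bit little-endian type field follows the 8-byte signature
        return (msg[8] & 0xff) | (msg[9] & 0xff) << 8
             | (msg[10] & 0xff) << 16 | (msg[11] & 0xff) << 24;
    }

    // Status to send. redirectOnFailure models the forward-to-guest-URL approach.
    static int statusFor(String authorization, boolean credentialsValid, boolean redirectOnFailure) {
        int type = messageType(authorization);
        if (type != 3) return 401;              // no header or Type 1: (re)start the handshake
        if (credentialsValid) return 200;
        return redirectOnFailure ? 302 : 401;   // 401 is what tells the client it failed
    }

    // Per the thread: any non-401 answer to Type 3 is taken by the client as success.
    static boolean clientAssumesAuthenticated(String authorization, int status) {
        return messageType(authorization) == 3 && status != 401;
    }

    // Constructed sample: signature and type field only, no real NTLM payload.
    static String sampleHeader(int type) {
        byte[] m = new byte[12];
        System.arraycopy(SIG, 0, m, 0, SIG.length);
        m[8] = (byte) type;
        return "NTLM " + Base64.getEncoder().encodeToString(m);
    }

    public static void main(String[] args) {
        String type3 = sampleHeader(3);
        for (boolean redirect : new boolean[] {true, false}) {
            int status = statusFor(type3, false, redirect);
            System.out.println("failed Type 3 -> " + status + ", client assumes authenticated: "
                    + clientAssumesAuthenticated(type3, status));
        }
    }
}
```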