[jcifs] Post problem/Removing the Authorization Header

Eric eglass1 at comcast.net
Thu Feb 19 00:48:51 GMT 2004

pdo at kattare.com wrote:
> I have a filter that looks for a user session object, if it's null it
> performs an NTLM auth to determine the username of the user and then
> creates a user object based on that username. So I only need to auth
> once per session.
> Now my problem is that after the initial auth the Authorization: NTLM
> Header remains in the request which for breaks POSTS. So my question is
> after I have performed that initial auth and retrieved the username how
> do I completely clear the Authorization header ?

If I understand correctly, you're referring to the fact that once NTLM 
auth has been negotiated to a site, the client will proactively attempt 
NTLM authentication on subsequent POSTs (even after a broken connection, 
and even if the server doesn't ask).

The only way (that I know of) to prevent this is to send a 401 or 403 
status to the client; this effectively "tricks" the client into thinking 
that the credentials are no longer valid.  The simplest way would be 
(once you have authenticated the user initially) to do:


in the subsequent "normal" .jsp page or servlet.  After the client 
receives such a page status, it will no longer attempt to 
reauthenticated with POST submissions.


More information about the jcifs mailing list