[jcifs] Post problem/Removing the Authorization Header
jcifs at penney.org
Thu Feb 19 01:03:00 GMT 2004
Hmmm, I'd tried that, but it still doesn't appear to work. Here is the
output going over the wire:
POST /test4.jsp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP/1.1 401 Unauthorized
Date: Thu, 19 Feb 2004 00:59:57 GMT
Wed Feb 18 16:59:58 PST 2004
<form action="/test3.jsp" method="post" name="company_add" id="company_add">
<input type=hidden name="bob" value="hellos fgjkgjfkl">
<input type="submit" name="submit" value="Merge Companies">
Subsequent posts are identical, i.e. still containing the NTLM bit...
Quoting Eric <eglass1 at comcast.net>:
> pdo at kattare.com wrote:
> > I have a filter that looks for a user session object, if it's null
> > performs an NTLM auth to determine the username of the user and
> > creates a user object based on that username. So I only need to
> > once per session.
> > Now my problem is that after the initial auth the Authorization:
> > Header remains in the request which for breaks POSTS. So my question is
> > after I have performed that initial auth and retrieved the username
> > do I completely clear the Authorization header ?
> If I understand correctly, you're referring to the fact that once
> auth has been negotiated to a site, the client will proactively
> NTLM authentication on subsequent POSTs (even after a broken
> and even if the server doesn't ask).
> The only way (that I know of) to prevent this is to send a 401 or 403
> status to the client; this effectively "tricks" the client into
> that the credentials are no longer valid. The simplest way would be
> (once you have authenticated the user initially) to do:
> in the subsequent "normal" .jsp page or servlet. After the client
> receives such a page status, it will no longer attempt to
> reauthenticate with POST submissions.