[jcifs] Post problem/Removing the Authorization Header

Damian Penney jcifs at penney.org
Thu Feb 19 01:03:00 GMT 2004

Hmmm, I'd tried that, but still doesn't appear to work, here is the
output going over the wire

POST /test4.jsp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
plication/msword, */*
Referer: http://localhost:8001/test3.jsp
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost:8001
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=3BA2DCFFBD78291679FC0407D5FBB119
Authorization: NTLM
localhost:8080->localhost:3809 ------
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Content-Length: 289
Date: Thu, 19 Feb 2004 00:59:57 GMT
Server: Apache-Coyote/1.1



Wed Feb 18 16:59:58 PST 2004

<form action="/test3.jsp" method="post" name="company_add" id="company_add">
<input type=hidden name="bob" value="hellos fgjkgjfkl">
<input type="submit" name="submit" value="Merge Companies">

Subsequent posts are identical i.e Still containing the NTLM bit...


Quoting Eric <eglass1 at comcast.net>:

> pdo at kattare.com wrote:
> > I have a filter that looks for a user session object, if it's null
> it
> > performs an NTLM auth to determine the username of the user and
> then
> > creates a user object based on that username. So I only need to
> auth
> > once per session.
> > 
> > Now my problem is that after the initial auth the Authorization:
> > Header remains in the request which for breaks POSTS. So my
> question is
> > after I have performed that initial auth and retrieved the username
> how
> > do I completely clear the Authorization header ?
> > 
> If I understand correctly, you're referring to the fact that once
> auth has been negotiated to a site, the client will proactively
> attempt 
> NTLM authentication on subsequent POSTs (even after a broken
> connection, 
> and even if the server doesn't ask).
> The only way (that I know of) to prevent this is to send a 401 or 403
> status to the client; this effectively "tricks" the client into
> thinking 
> that the credentials are no longer valid.  The simplest way would be
> (once you have authenticated the user initially) to do:
> response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> in the subsequent "normal" .jsp page or servlet.  After the client 
> receives such a page status, it will no longer attempt to 
> reauthenticated with POST submissions.
> Eric

More information about the jcifs mailing list