[jcifs] Post problem/Removing the Authorization Header
Damian Penney
jcifs at penney.org
Thu Feb 19 01:03:00 GMT 2004
Hmmm, I'd tried that, but it still doesn't appear to work. Here is the
output going over the wire:
POST /test4.jsp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://localhost:8001/test3.jsp
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost:8001
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=3BA2DCFFBD78291679FC0407D5FBB119
Authorization: NTLM
TlROTVNFUAABAAAAB7IIoAcABwAsMAMADAAMACAAAABTRkRDRDRxMDM1MjBUV0VJU0VM
------ localhost:8080->localhost:3809 ------
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Content-Length: 289
Date: Thu, 19 Feb 2004 00:59:57 GMT
Server: Apache-Coyote/1.1
<html>
<body>
test
null
Wed Feb 18 16:59:58 PST 2004
<form action="/test3.jsp" method="post" name="company_add" id="company_add">
<input type=hidden name="bob" value="hellos fgjkgjfkl">
<input type="submit" name="submit" value="Merge Companies">
</form>
</body>
</html>
Subsequent posts are identical, i.e. still containing the NTLM bit...
Damian
Quoting Eric <eglass1 at comcast.net>:
> pdo at kattare.com wrote:
> > I have a filter that looks for a user session object, if it's null it
> > performs an NTLM auth to determine the username of the user and then
> > creates a user object based on that username. So I only need to auth
> > once per session.
> >
> > Now my problem is that after the initial auth the Authorization: NTLM
> > header remains in the request, which breaks POSTs. So my question is,
> > after I have performed that initial auth and retrieved the username, how
> > do I completely clear the Authorization header?
> >
>
> If I understand correctly, you're referring to the fact that once NTLM
> auth has been negotiated to a site, the client will proactively attempt
> NTLM authentication on subsequent POSTs (even after a broken connection,
> and even if the server doesn't ask).
>
> The only way (that I know of) to prevent this is to send a 401 or 403
> status to the client; this effectively "tricks" the client into thinking
> that the credentials are no longer valid. The simplest way would be
> (once you have authenticated the user initially) to do:
>
> response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
>
> in the subsequent "normal" .jsp page or servlet. After the client
> receives such a page status, it will no longer attempt to
> reauthenticate with POST submissions.
>
>
> Eric
>
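Putting Eric's suggestion into a filter shaped like the one pdo describes, as an added example that is not code from this thread or from jcifs itself. It assumes the jcifs 1.x API (NtlmSsp.authenticate, SmbSession.getChallenge and SmbSession.logon), Java 8 for java.util.Base64, and made-up names for the init parameter and the session attribute. The isNtlmType1 helper is there to recognise the symptom in Damian's trace: an already-authenticated session sending "Authorization: NTLM <Type 1>" on a POST with Content-Length: 0, the browser holding the form body back until it sees a Type 2 challenge. Damian's trace also shows the token still arriving after a 401 in his setup, so the effect of the 401 on a given client should be checked against a wire capture like his.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import jcifs.UniAddress;
import jcifs.http.NtlmSsp;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbSession;

/**
 * Once-per-session NTLM filter (illustrative; not jcifs's own NtlmHttpFilter).
 * The attribute name and init-parameter name are assumptions for this example.
 */
public class OncePerSessionNtlmFilter implements Filter {
    static final String USER_ATTR = "ntlm.username";      // assumed session attribute name
    private String domainController;                       // assumed init-param "domainController"

    public void init(FilterConfig cfg) throws ServletException {
        domainController = cfg.getInitParameter("domainController");
    }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        String authorization = req.getHeader("Authorization");

        if (session.getAttribute(USER_ATTR) == null) {
            // First request of the session: run the Type 1 / Type 2 / Type 3 handshake.
            UniAddress dc = UniAddress.getByName(domainController);
            byte[] challenge = SmbSession.getChallenge(dc);
            NtlmPasswordAuthentication ntlm = NtlmSsp.authenticate(req, resp, challenge);
            if (ntlm == null) {
                // Handshake not finished: NtlmSsp has already written the 401 carrying
                // "WWW-Authenticate: NTLM <Type 2>"; the client will resend with a Type 3.
                return;
            }
            SmbSession.logon(dc, ntlm);          // verify the Type 3 against the DC; throws on failure
            session.setAttribute(USER_ATTR, ntlm.getUsername());
            // Eric's suggestion: serve this first authenticated page with a 401 status
            // so the client treats the credentials as rejected and stops volunteering
            // NTLM on later POSTs. The page body below still goes out.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        } else if (isNtlmType1(authorization)) {
            // The symptom from the trace: the session is already authenticated, yet the
            // client opens a fresh negotiation and withholds the form body (Content-Length: 0),
            // so the JSP behind this filter would see no POST parameters.
            session.getServletContext().log("session " + session.getId()
                    + " re-negotiating NTLM on " + req.getMethod() + " " + req.getRequestURI()
                    + " (Content-Length " + req.getContentLength() + ")");
        }
        chain.doFilter(req, resp);
    }

    /** True if the header is "NTLM <base64>" and the payload is an NTLMSSP Type 1 (NEGOTIATE) message. */
    static boolean isNtlmType1(String authorization) {
        if (authorization == null || !authorization.startsWith("NTLM ")) return false;
        byte[] msg;
        try {
            msg = Base64.getDecoder().decode(authorization.substring(5).trim());
        } catch (IllegalArgumentException e) {
            return false;                        // not base64: not an NTLM token we recognise
        }
        if (msg.length < 12) return false;       // signature (8) + message type (4)
        byte[] sig = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
        for (int i = 0; i < 8; i++) {
            if (msg[i] != sig[i]) return false;
        }
        // Message type is a 32-bit little-endian integer at offset 8; 1 = NEGOTIATE.
        int type = (msg[8] & 0xff) | (msg[9] & 0xff) << 8 | (msg[10] & 0xff) << 16 | (msg[11] & 0xff) << 24;
        return type == 1;
    }
}
```

The filter keeps the authenticated username in the session, as pdo's does, so the jcifs handshake runs once; the 401 is set on the response of that same first authenticated request rather than in each JSP, which is where Eric places it, so it only needs to be written once.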