[jcifs] Post problem/Removing the Authorization Header

eglass1 at comcast.net
Thu Feb 19 09:55:25 GMT 2004


That's interesting.  It may be a browser version thing; there may also be
additional subtleties involved.  Here's a simple test application:

-------- web.xml -------------------------------------------------

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app
        PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
        <filter>
            <filter-name>ntlm</filter-name>
            <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
            <init-param>
                <param-name>jcifs.http.domainController</param-name>
                <param-value>10.10.2.20</param-value>
            </init-param>
        </filter>
        <!-- ntlm only mapped to index.jsp -->
        <filter-mapping>
            <filter-name>ntlm</filter-name>
            <url-pattern>/index.jsp</url-pattern>
        </filter-mapping>
    </web-app>

-------- index.jsp -----------------------------------------------

    <%
        //uncomment the line below to test
        //response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    %>
    <html>
    <body>
    <%= request.getRemoteUser() %>
    <br>
    <form action="test.jsp" method="POST">
        <input name="test">
        <input type="submit">
    </form>
    </body>
    </html>

-------- test.jsp ------------------------------------------------

    <html>
    <body>
    <%= request.getRemoteUser() %>
    <br>
    <%= request.getParameter("test") %>
    </body>
    </html>


With the setStatus line commented out, submitting the form gives "null"
for the parameter value.  Uncommenting should print the submitted value.
Both should print "null" for the username on the destination page (as the
filter is only mapped to the form page).

Eric
> Hmmm, I'd tried that, but it still doesn't appear to work; here is the
> output going over the wire:
> 
> POST /test4.jsp HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/msword, */*
> Referer: http://localhost:8001/test3.jsp
> Accept-Language: en-us
> Content-Type: application/x-www-form-urlencoded
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Host: localhost:8001
> Content-Length: 0
> Connection: Keep-Alive
> Cache-Control: no-cache
> Cookie: JSESSIONID=3BA2DCFFBD78291679FC0407D5FBB119
> Authorization: NTLM TlROTVNFUAABAAAAB7IIoAcABwAsMAMADAAMACAAAABTRkRDRDRxMDM1MjBUV0VJU0VM
> ------ localhost:8080->localhost:3809 ------
> HTTP/1.1 401 Unauthorized
> Content-Type: text/html
> Content-Length: 289
> Date: Thu, 19 Feb 2004 00:59:57 GMT
> Server: Apache-Coyote/1.1
> 
> 
> <html>
> <body>
> 
> test
> 
> null
> Wed Feb 18 16:59:58 PST 2004
> 
> <form action="/test3.jsp" method="post" name="company_add" id="company_add">
> <input type=hidden name="bob" value="hellos fgjkgjfkl">
> <input type="submit" name="submit" value="Merge Companies">
> </form>
> </body>
> </html>
> 
> 
> 
> 
> Subsequent posts are identical, i.e. still containing the NTLM bit...
> 
> Damian
> 
> 
> 
> 
> Quoting Eric <eglass1 at comcast.net>:
> 
> > pdo at kattare.com wrote:
> > > I have a filter that looks for a user session object; if it's null it
> > > performs an NTLM auth to determine the username of the user and then
> > > creates a user object based on that username. So I only need to auth
> > > once per session.
> > > 
> > > Now my problem is that after the initial auth the Authorization: NTLM
> > > header remains in the request, which breaks POSTs. So my question is:
> > > after I have performed that initial auth and retrieved the username, how
> > > do I completely clear the Authorization header?
> > > 
> > 
> > If I understand correctly, you're referring to the fact that once NTLM
> > auth has been negotiated to a site, the client will proactively attempt
> > NTLM authentication on subsequent POSTs (even after a broken connection,
> > and even if the server doesn't ask).
> > 
> > The only way (that I know of) to prevent this is to send a 401 or 403
> > status to the client; this effectively "tricks" the client into thinking
> > that the credentials are no longer valid.  The simplest way would be
> > (once you have authenticated the user initially) to do:
> > 
> > response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> > 
> > in the subsequent "normal" .jsp page or servlet.  After the client
> > receives such a page status, it will no longer attempt to
> > reauthenticate with POST submissions.
> > 
> > 
> > Eric
> > 
> 
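The pre-emptive POST discussed in this thread, as an added example that is not part of the original messages or of jcifs: a small Python script that decodes the NTLM Type 1 (NEGOTIATE) token carried in an `Authorization: NTLM` header and classifies a request the way a handler behind the filter would need to, so that a POST carrying only the Type 1 token and `Content-Length: 0` is not mistaken for the real form submission (the situation in which `request.getParameter()` comes back null). The Type 1 layout follows MS-NLMP; the two requests, the domain and workstation names, and the flag word are constructed for the example and are not taken from the trace above.

```python
"""Recognise the pre-emptive NTLM Type 1 POST that IE sends once NTLM has
been negotiated to a site, so a handler does not treat it as the real form
submission.  Added example, not jcifs code; the requests, names and flag
word below are constructed for illustration."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OEM_DOMAIN_SUPPLIED = 0x00001000        # MS-NLMP NEGOTIATE flag bits
OEM_WORKSTATION_SUPPLIED = 0x00002000


def build_type1(domain: str, workstation: str, flags: int) -> bytes:
    """Encode a Type 1 (NEGOTIATE) message with OEM domain/workstation and no
    Version field: a 32-byte header followed by the payload."""
    dom = domain.upper().encode("ascii")
    ws = workstation.upper().encode("ascii")
    flags |= OEM_DOMAIN_SUPPLIED | OEM_WORKSTATION_SUPPLIED
    ws_off = 32                          # workstation first, as Windows clients do
    dom_off = ws_off + len(ws)
    return (NTLMSSP_SIGNATURE
            + struct.pack("<II", 1, flags)                       # MessageType, flags
            + struct.pack("<HHI", len(dom), len(dom), dom_off)   # DomainNameFields
            + struct.pack("<HHI", len(ws), len(ws), ws_off)      # WorkstationFields
            + ws + dom)


def parse_type1(token_b64: str) -> dict:
    """Decode a base64 NTLM token; raise ValueError unless it is a well-formed Type 1."""
    raw = base64.b64decode(token_b64, validate=True)
    if len(raw) < 32 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError(f"expected Type 1 (NEGOTIATE), got Type {msg_type}")

    def security_buffer(at: int) -> str:
        length, _maxlen, offset = struct.unpack_from("<HHI", raw, at)
        if offset + length > len(raw):   # follow the offsets, but never past the token
            raise ValueError("security buffer points outside the message")
        return raw[offset:offset + length].decode("ascii", "replace")

    return {
        "flags": flags,
        "domain": security_buffer(16) if flags & OEM_DOMAIN_SUPPLIED else "",
        "workstation": security_buffer(24) if flags & OEM_WORKSTATION_SUPPLIED else "",
    }


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: method, target, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def classify(req: dict) -> str:
    """'ntlm-negotiate-empty-post': Type 1 on a POST with Content-Length: 0; the
    client opened the handshake and withheld the body, so getParameter() would
    be null and the right answer is the 401 challenge, not the rendered page.
    'ntlm-authenticate': Type 3; the body, if any, is the real submission.
    'form-submission': no NTLM header at all."""
    scheme, _, token = req["headers"].get("authorization", "").partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return "form-submission"
    raw = base64.b64decode(token, validate=True)
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("Authorization: NTLM carries a non-NTLMSSP token")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    content_length = int(req["headers"].get("content-length") or 0)
    if msg_type == 1 and req["method"] == "POST" and content_length == 0:
        return "ntlm-negotiate-empty-post"
    return "ntlm-authenticate" if msg_type == 3 else f"ntlm-type{msg_type}"


CLIENT_FLAGS = 0xA008B207  # a flag word typical of an IE 6 client (constructed)

# Constructed requests: first the zero-length POST carrying a Type 1 token,
# then an ordinary POST that actually carries the form field.
SAMPLE_NEGOTIATE_POST = (
    "POST /test.jsp HTTP/1.1\r\nHost: localhost:8001\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n"
    "Authorization: NTLM "
    + base64.b64encode(build_type1("EXAMPLE", "WS01", CLIENT_FLAGS)).decode("ascii")
    + "\r\n\r\n"
)
SAMPLE_PLAIN_POST = (
    "POST /test.jsp HTTP/1.1\r\nHost: localhost:8001\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 10\r\n"
    "\r\ntest=hello"
)

if __name__ == "__main__":
    for sample in (SAMPLE_NEGOTIATE_POST, SAMPLE_PLAIN_POST):
        req = parse_request(sample)
        print(req["method"], req["target"], "->", classify(req))
    print(parse_type1(parse_request(SAMPLE_NEGOTIATE_POST)["headers"]["authorization"][5:]))
```

The combination the classifier keys on is the one visible in the quoted trace: a POST with `Content-Length: 0` and an `Authorization: NTLM` token whose MessageType is 1. Whatever page is rendered in reply to such a request is answering a request that carried no form data at all, which is why the destination page sees null for the field; only a URL the NTLM filter is mapped to can turn that request into the 401 challenge the client is waiting for.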

