[jcifs] Filter wors but ask for password

Gianluca Sartori g.sartori at elis.org
Wed Mar 3 11:35:20 GMT 2004 

Hi there,	
I'm using jCIFS 0.8.1 Filter configured in web.xml as follows:

	<!-- *** Begin of jCIFS (NTLM) Configuration *** -->
	<filter>
		<filter-name>NTLMFilter</filter-name>
		<filter-class>jcifs.http.NtlmHttpFilter</filter-class>

		<init-param>
			<param-name>jcifs.http.domainController</param-name>
			<param-value>10.150.150.1</param-value>
		</init-param>

		<init-param>
			<param-name>jcifs.http.basicRealm</param-name>
			<param-value>login.elis.org</param-value>
		</init-param>

		<init-param>
			<param-name>jcifs.http.enableBasic</param-name>
			<param-value>true</param-value>
		</init-param>
		
		<init-param>
			<param-name>jcifs.http.insecureBasic</param-name>
			<param-value>true</param-value>
		</init-param>
	</filter>

	<!-- NTLM HTTP Authentication only works with MSIE and Mozilla >= 1.6
-->
	<filter-mapping>
		<filter-name>NTLMFilter</filter-name>
		<url-pattern>/intranetLogin</url-pattern>
	</filter-mapping>

When I request /intranetLogin the dialog asking for user credentials
appears. I had a look on what happens behind the scenes and I found that
there are some differences in how jCIFS Filter and an IIS6 installation
handle NTLM authentication headers. Here are the two negotiation i
recorded. The former is the jCIFS way, the latter is the IIS one:

********************** NTLM with Tomcat + jCIFS **********************

GET
http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-client/student/index.jsp HTTP/1.1
Host: 10.200.1.6:8080
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040122 Debian/1.6-1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://10.200.1.6:8080/waas-client/
Cache-Control: max-age=0

HTTP/1.x 401 Unauthorized
Via: 1.1 ISA
Connection: close
Proxy-Support: Session-Based-Authentication
Date: Fri, 27 Feb 2004 14:14:49 GMT
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="login.elis.org"
Server: Apache-Coyote/1.1
----------------------------------------------------------
http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-client/student/index.jsp

GET
http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-client/student/index.jsp HTTP/1.1
Host: 10.200.1.6:8080
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040122 Debian/1.6-1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://10.200.1.6:8080/waas-client/
Cache-Control: max-age=0, max-age=0
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

HTTP/1.x 401 Unauthorized
Via: 1.1 ISA
Proxy-Support: Session-Based-Authentication
Content-Length: 0
Date: Fri, 27 Feb 2004 14:14:49 GMT
WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAAAAAAAABAgAAgppykLg+94k=
Server: Apache-Coyote/1.1
----------------------------------------------------------
http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-client/student/index.jsp

GET
http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-client/student/index.jsp HTTP/1.1
Host: 10.200.1.6:8080
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040122 Debian/1.6-1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://10.200.1.6:8080/waas-client/
Cache-Control: max-age=0, max-age=0, max-age=0
Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAgACABAAAAAEgASAEgAAAAGAAYAWgAAAAAAAAAAAAAAAQIAAGUAbABpAHMAZwAuAHMAYQByAHQAbwByAGkAZQBnAG8ANBKY7fJfVyBUUQevj2SqYeOMRBgywM9z7KHZNHU1IqaUqwU0lPB1IpZ6ULJRVScA


********************** NTLM with IIS6 **********************

POST http://ntlogin.elis.org/NTLogin.asp HTTP/1.1
Host: ntlogin.elis.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040122 Debian/1.6-1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer:
http://login.elis.org/Login.asp?ReturnTo=http%3A%2F%2Fdev%2Eelis%2Eorg%2Fdev%2F&Query=&WebSite=dev%2Eelis%2Eorg
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
WebSite=dev.elis.org&ReturnTo=http%3A%2F%2Fdev.elis.org%2Fdev%2F&Query=
HTTP/1.x 401 Unauthorized
Via: 1.1 ISA
Proxy-Support: Session-Based-Authentication
Content-Length: 1878
Date: Fri, 27 Feb 2004 14:19:09 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="ntlogin.elis.org"
X-Powered-By: ASP.NET
----------------------------------------------------------
http://ntlogin.elis.org/NTLogin.asp

POST http://ntlogin.elis.org/NTLogin.asp HTTP/1.1
Host: ntlogin.elis.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040122 Debian/1.6-1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer:
http://login.elis.org/Login.asp?ReturnTo=http%3A%2F%2Fdev%2Eelis%2Eorg%2Fdev%2F&Query=&WebSite=dev%2Eelis%2Eorg
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
WebSite=dev.elis.org&ReturnTo=http%3A%2F%2Fdev.elis.org%2Fdev%2F&Query=
HTTP/1.x 401 Unauthorized
Via: 1.1 ISA
Proxy-Support: Session-Based-Authentication
Content-Length: 1751
Date: Fri, 27 Feb 2004 14:19:12 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
TlRMTVNTUAACAAAACAAIADgAAAAFgokCCjYog/VZf9wAAAAAAAAAAHoAegBAAAAABQLODgAAAA9FAEwASQBTAAIACABFAEwASQBTAAEAFABMAE8ARwBJAE4ALQBFAEwASQBTAAQAEABFAEwASQBTAC4ATwBSAEcAAwAmAGwAbwBnAGkAbgAtAGUAbABpAHMALgBFAEwASQBTAC4ATwBSAEcABQAQAEUATABJAFMALgBPAFIARwAAAAAA
X-Powered-By: ASP.NET
----------------------------------------------------------
http://ntlogin.elis.org/NTLogin.asp

POST http://ntlogin.elis.org/NTLogin.asp HTTP/1.1
Host: ntlogin.elis.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040122 Debian/1.6-1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer:
http://login.elis.org/Login.asp?ReturnTo=http%3A%2F%2Fdev%2Eelis%2Eorg%2Fdev%2F&Query=&WebSite=dev%2Eelis%2Eorg
Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAgACABAAAAAEgASAEgAAAAGAAYAWgAAAAAAAAAAAAAABYIIAGUAbABpAHMAZwAuAHMAYQByAHQAbwByAGkAZQBnAG8ACbqsTOMJ2GQAAAAAAAAAAAAAAAAAAAAA5qFCbL7FCf5UGg3I62gfCc5YND+KZXDA
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
WebSite=dev.elis.org&ReturnTo=http%3A%2F%2Fdev.elis.org%2Fdev%2F&Query=
HTTP/1.x 302 Object moved
Via: 1.1 ISA
Content-Length: 272
Date: Fri, 27 Feb 2004 14:19:12 GMT
Location:
http://login.elis.org/NTLogin_Exec.asp?Username=g%2Esartori&WebSite=dev%2Eelis%2Eorg&Query=&ReturnTo=http%3A%2F%2Fdev%2Eelis%2Eorg%2Fdev%2F
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDSACDRDRR=EKMJNNEAFDPLMLOOGGFNAJIO; path=/
Cache-Control: private

******************************************************************************

The only difference I can see is the first request's header:

    WWW-Authenticate: Negotiate

which is absent in the jCIFS negotiation. I need the browser not to show
the login page.

Thanks in advance for any help,
Gianluca Sartori

More information about the jcifs mailing list