[jcifs] Filter works but asks for password

eglass1 at comcast.net eglass1 at comcast.net
Wed Mar 3 14:11:23 GMT 2004


There are a couple of things happening here:

1) I don't *think* Mozilla will do NTLM in an SSO fashion; that is, it is
capable of performing NTLM authentication, but will prompt you for credentials.

2) If you access a machine by IP address (rather than by name) Internet
Explorer will often mistake this as being in the Internet zone (rather than
Local Intranet) and will prompt for credentials.  Although you appear to be
using Mozilla, so this may not apply.

3) Negotiate is an authentication mechanism supported by Win2k which uses
either NTLM raw tokens (same as NTLM) or SPNEGO (which can negotiate the
use of either NTLM or Kerberos tokens).  IIS is offering both Negotiate
and NTLM.  Mozilla doesn't currently perform Negotiate authentication, so
it selects NTLM.  The presence of Negotiate in the list of offered
authentication mechanisms doesn't make a difference.

If I understand correctly, you are getting prompted for credentials in the
first example (a GET to 10.200.1.6:8080).  You aren't getting prompted in the
second example (a POST to ntlogin.elis.org).  I would actually be surprised
if you *aren't* getting prompted using Mozilla if this is an initial request
(i.e., you haven't already authenticated).  There isn't a means via the
protocol to control whether a browser presents a prompt for credentials; this
is solely at the discretion of the client browser.

I would try opening a new Mozilla session (i.e., exit out of the browser
completely, then open a new one).  Then access the IIS site and see if you
are prompted.  Do the same against the jCIFS site and see if the behavior
is any different.  If you've got an Internet Explorer client handy, try
repeating the same experiment using that browser.


Eric
> Hi there,	
> I'm using jCIFS 0.8.1 Filter configured in web.xml as follows:
> 
> 	<!-- *** Begin of jCIFS (NTLM) Configuration *** -->
> 	<filter>
> 		<filter-name>NTLMFilter</filter-name>
> 		<filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> 
> 		<init-param>
> 			<param-name>jcifs.http.domainController</param-name>
> 			<param-value>10.150.150.1</param-value>
> 		</init-param>
> 
> 		<init-param>
> 			<param-name>jcifs.http.basicRealm</param-name>
> 			<param-value>login.elis.org</param-value>
> 		</init-param>
> 
> 		<init-param>
> 			<param-name>jcifs.http.enableBasic</param-name>
> 			<param-value>true</param-value>
> 		</init-param>
> 		
> 		<init-param>
> 			<param-name>jcifs.http.insecureBasic</param-name>
> 			<param-value>true</param-value>
> 		</init-param>
> 	</filter>
> 
> 	<!-- NTLM HTTP Authentication only works with MSIE and Mozilla >= 1.6
> -->
> 	<filter-mapping>
> 		<filter-name>NTLMFilter</filter-name>
> 		<url-pattern>/intranetLogin</url-pattern>
> 	</filter-mapping>
> 
> When I request /intranetLogin the dialog asking for user credentials
> appears. I had a look at what happens behind the scenes and I found that
> there are some differences in how jCIFS Filter and an IIS6 installation
> handle NTLM authentication headers. Here are the two negotiations I
> recorded. The former is the jCIFS way, the latter is the IIS one:
> 
> ********************** NTLM with Tomcat + jCIFS **********************
> 
> GET
> http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-c
> lient/student/index.jsp HTTP/1.1
> Host: 10.200.1.6:8080
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
> Gecko/20040122 Debian/1.6-1
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
> image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer: http://10.200.1.6:8080/waas-client/
> Cache-Control: max-age=0
> 
> HTTP/1.x 401 Unauthorized
> Via: 1.1 ISA
> Connection: close
> Proxy-Support: Session-Based-Authentication
> Date: Fri, 27 Feb 2004 14:14:49 GMT
> WWW-Authenticate: NTLM
> WWW-Authenticate: Basic realm="login.elis.org"
> Server: Apache-Coyote/1.1
> ----------------------------------------------------------
> http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-c
> lient/student/index.jsp
> 
> GET
> http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-c
> lient/student/index.jsp HTTP/1.1
> Host: 10.200.1.6:8080
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
> Gecko/20040122 Debian/1.6-1
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
> image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer: http://10.200.1.6:8080/waas-client/
> Cache-Control: max-age=0, max-age=0
> Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
> 
> HTTP/1.x 401 Unauthorized
> Via: 1.1 ISA
> Proxy-Support: Session-Based-Authentication
> Content-Length: 0
> Date: Fri, 27 Feb 2004 14:14:49 GMT
> WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAAAAAAAABAgAAgppykLg+94k=
> Server: Apache-Coyote/1.1
> ----------------------------------------------------------
> http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-c
> lient/student/index.jsp
> 
> GET
> http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-c
> lient/student/index.jsp HTTP/1.1
> Host: 10.200.1.6:8080
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
> Gecko/20040122 Debian/1.6-1
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
> image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer: http://10.200.1.6:8080/waas-client/
> Cache-Control: max-age=0, max-age=0, max-age=0
> Authorization: NTLM
> TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAgACABAAAAAEgASAEgAAAAGAAYAWgAAAAAAAAAAAAAA
> AQIAAGUAbABpAHMAZwAuAHMAYQByAHQAbwByAGkAZQBnAG8ANBKY7fJfVyBUUQevj2SqYeOMRBgywM9z
> 7KHZNHU1IqaUqwU0lPB1IpZ6ULJRVScA
> 
> 
> ********************** NTLM with IIS6 **********************
> 
> POST http://ntlogin.elis.org/NTLogin.asp HTTP/1.1
> Host: ntlogin.elis.org
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
> Gecko/20040122 Debian/1.6-1
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
> image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer:
> http://login.elis.org/Login.asp?ReturnTo=http%3A%2F%2Fdev%2Eelis%2Eorg%2Fdev%2F&
> Query=&WebSite=dev%2Eelis%2Eorg
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 71
> WebSite=dev.elis.org&ReturnTo=http%3A%2F%2Fdev.elis.org%2Fdev%2F&Query=
> HTTP/1.x 401 Unauthorized
> Via: 1.1 ISA
> Proxy-Support: Session-Based-Authentication
> Content-Length: 1878
> Date: Fri, 27 Feb 2004 14:19:09 GMT
> Content-Type: text/html
> Server: Microsoft-IIS/6.0
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM
> WWW-Authenticate: Basic realm="ntlogin.elis.org"
> X-Powered-By: ASP.NET
> ----------------------------------------------------------
> http://ntlogin.elis.org/NTLogin.asp
> 
> POST http://ntlogin.elis.org/NTLogin.asp HTTP/1.1
> Host: ntlogin.elis.org
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
> Gecko/20040122 Debian/1.6-1
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
> image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer:
> http://login.elis.org/Login.asp?ReturnTo=http%3A%2F%2Fdev%2Eelis%2Eorg%2Fdev%2F&
> Query=&WebSite=dev%2Eelis%2Eorg
> Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 71
> WebSite=dev.elis.org&ReturnTo=http%3A%2F%2Fdev.elis.org%2Fdev%2F&Query=
> HTTP/1.x 401 Unauthorized
> Via: 1.1 ISA
> Proxy-Support: Session-Based-Authentication
> Content-Length: 1751
> Date: Fri, 27 Feb 2004 14:19:12 GMT
> Content-Type: text/html
> Server: Microsoft-IIS/6.0
> WWW-Authenticate: NTLM
> TlRMTVNTUAACAAAACAAIADgAAAAFgokCCjYog/VZf9wAAAAAAAAAAHoAegBAAAAABQLODgAAAA9FAEwA
> SQBTAAIACABFAEwASQBTAAEAFABMAE8ARwBJAE4ALQBFAEwASQBTAAQAEABFAEwASQBTAC4ATwBSAEcA
> AwAmAGwAbwBnAGkAbgAtAGUAbABpAHMALgBFAEwASQBTAC4ATwBSAEcABQAQAEUATABJAFMALgBPAFIA
> RwAAAAAA
> X-Powered-By: ASP.NET
> ----------------------------------------------------------
> http://ntlogin.elis.org/NTLogin.asp
> 
> POST http://ntlogin.elis.org/NTLogin.asp HTTP/1.1
> Host: ntlogin.elis.org
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
> Gecko/20040122 Debian/1.6-1
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
> image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer:
> http://login.elis.org/Login.asp?ReturnTo=http%3A%2F%2Fdev%2Eelis%2Eorg%2Fdev%2F&
> Query=&WebSite=dev%2Eelis%2Eorg
> Authorization: NTLM
> TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAgACABAAAAAEgASAEgAAAAGAAYAWgAAAAAAAAAAAAAA
> BYIIAGUAbABpAHMAZwAuAHMAYQByAHQAbwByAGkAZQBnAG8ACbqsTOMJ2GQAAAAAAAAAAAAAAAAAAAAA
> 5qFCbL7FCf5UGg3I62gfCc5YND+KZXDA
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 71
> WebSite=dev.elis.org&ReturnTo=http%3A%2F%2Fdev.elis.org%2Fdev%2F&Query=
> HTTP/1.x 302 Object moved
> Via: 1.1 ISA
> Content-Length: 272
> Date: Fri, 27 Feb 2004 14:19:12 GMT
> Location:
> http://login.elis.org/NTLogin_Exec.asp?Username=g%2Esartori&WebSite=dev%2Eelis%2
> Eorg&Query=&ReturnTo=http%3A%2F%2Fdev%2Eelis%2Eorg%2Fdev%2F
> Content-Type: text/html
> Server: Microsoft-IIS/6.0
> X-Powered-By: ASP.NET
> Set-Cookie: ASPSESSIONIDSACDRDRR=EKMJNNEAFDPLMLOOGGFNAJIO; path=/
> Cache-Control: private
> 
> ******************************************************************************
> 
> The only difference I can see is the first request's header:
> 
>     WWW-Authenticate: Negotiate
> 
> which is absent in the jCIFS negotiation. I need the browser not to show
> the login page.
> 
> Thanks in advance for any help,
> Gianluca Sartori
> 
> 
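
Added example (not part of the original messages and not jCIFS code): a Python decoder for the Type 1 and Type 2 NTLM tokens carried in the Authorization and WWW-Authenticate headers of the traces above, so the jCIFS and IIS challenges can be compared field by field rather than by header name alone. The function name decode_ntlm and the short flag names are this example's own; the three header values are copied from the traces.

```python
import base64
import struct

# Subset of NTLMSSP negotiate flag bits, short names (full list: MS-NLMP).
FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x200: "NTLM",
         0x8000: "ALWAYS_SIGN", 0x10000: "TARGET_TYPE_DOMAIN",
         0x80000: "EXTENDED_SESSIONSECURITY", 0x800000: "TARGET_INFO",
         0x2000000: "VERSION"}

# Type 1 and Type 2 header values copied from the traces on this page.
MOZILLA_TYPE1 = "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="
JCIFS_TYPE2 = "NTLM TlRMTVNTUAACAAAAAAAAAAAAAAABAgAAgppykLg+94k="
IIS_TYPE2 = ("NTLM "
    "TlRMTVNTUAACAAAACAAIADgAAAAFgokCCjYog/VZf9wAAAAAAAAAAHoAegBAAAAABQLODgAAAA9FAEwA"
    "SQBTAAIACABFAEwASQBTAAEAFABMAE8ARwBJAE4ALQBFAEwASQBTAAQAEABFAEwASQBTAC4ATwBSAEcA"
    "AwAmAGwAbwBnAGkAbgAtAGUAbABpAHMALgBFAEwASQBTAC4ATwBSAEcABQAQAEUATABJAFMALgBPAFIA"
    "RwAAAAAA")


def decode_ntlm(header_value):
    """Decode a Type 1 or Type 2 message from an 'NTLM <base64>' header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        raise ValueError("not an NTLM token")
    raw = base64.b64decode("".join(token.split()), validate=True)
    if len(raw) < 16 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("bad NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type not in (1, 2):
        raise ValueError("only Type 1 and Type 2 are decoded here")
    # Type 1: flags follow the type field. Type 2: an 8-byte target-name
    # security buffer comes first, then the flags and the 8-byte challenge.
    flags_off = 12 if msg_type == 1 else 20
    if msg_type == 2 and len(raw) < 32:
        raise ValueError("truncated Type 2 message")
    (flags,) = struct.unpack_from("<I", raw, flags_off)
    info = {"type": msg_type, "flags": flags,
            "names": [n for bit, n in FLAGS.items() if flags & bit]}
    if msg_type == 2:
        length, _maxlen, offset = struct.unpack_from("<HHI", raw, 12)
        if offset + length > len(raw):
            raise ValueError("target name outside message")
        codec = "utf-16-le" if flags & 0x1 else "ascii"
        info["target"] = raw[offset:offset + length].decode(codec)
    return info


if __name__ == "__main__":
    for label, value in [("Mozilla Type 1", MOZILLA_TYPE1),
                         ("jCIFS Type 2", JCIFS_TYPE2), ("IIS Type 2", IIS_TYPE2)]:
        print(label, decode_ntlm(value))
```

On these traces the jCIFS challenge decodes to flags 0x00000201 with an empty target name, while the IIS challenge decodes to flags 0x02898205 with target name ELIS.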

