[jcifs] Filter works but asks for password

Gianluca Sartori g.sartori at elis.org
Fri Mar 5 09:04:54 GMT 2004


On Wed, 2004-03-03 at 15:11, eglass1 at comcast.net wrote:
> There are a couple of things happening here:
> 
> 1) I don't *think* Mozilla will do NTLM in an SSO fashion; that is, it is
> capable of performing NTLM authentication, but will prompt you for credentials.
> 
> 2) If you access a machine by IP address (rather than by name) Internet
> Explorer will often mistake this as being in the Internet zone (rather than
> Local Intranet) and will prompt for credentials.  Although you appear to be
> using Mozilla, so this may not apply.

That was the problem! I simply deployed the application on another
machine with a DNS name and all worked fine (with IE of course, Mozilla
keeps asking for user credentials but this is ok and, for now,
unavoidable).

Thanks a lot,
Gianluca


> 3) Negotiate is an authentication mechanism supported by Win2k which uses
> either NTLM raw tokens (same as NTLM) or SPNEGO (which can negotiate the
> use of either NTLM or Kerberos tokens).  IIS is offering both Negotiate
> and NTLM.  Mozilla doesn't currently perform Negotiate authentication, so
> it selects NTLM.  The presence of Negotiate in the list of offered
> authentication mechanisms doesn't make a difference.
> 
> If I understand correctly, you are getting prompted for credentials in the
> first example (a GET to 10.200.1.6:8080).  You aren't getting prompted in the
> second example (a POST to ntlogin.elis.org).  I would actually be surprised
> if you *aren't* getting prompted using Mozilla if this is an initial request
> (i.e., you haven't already authenticated).  There isn't a means via the
> protocol to control whether a browser presents a prompt for credentials; this
> is solely at the discretion of the client browser.
> 
> I would try opening a new Mozilla session (i.e., exit out of the browser
> completely, then open a new one).  Then access the IIS site and see if you
> are prompted.  Do the same against the jCIFS site and see if the behavior
> is any different.  If you've got an Internet Explorer client handy, try
> repeating the same experiment using that browser.
> 
> 
> Eric
> > Hi there,	
> > I'm using jCIFS 0.8.1 Filter configured in web.xml as follows:
> > 
> > 	<!-- *** Begin of jCIFS (NTLM) Configuration *** -->
> > 	<filter>
> > 		<filter-name>NTLMFilter</filter-name>
> > 		<filter-class>jcifs.http.NtlmHttpFilter</filter-class>
> > 
> > 		<init-param>
> > 			<param-name>jcifs.http.domainController</param-name>
> > 			<param-value>10.150.150.1</param-value>
> > 		</init-param>
> > 
> > 		<init-param>
> > 			<param-name>jcifs.http.basicRealm</param-name>
> > 			<param-value>login.elis.org</param-value>
> > 		</init-param>
> > 
> > 		<init-param>
> > 			<param-name>jcifs.http.enableBasic</param-name>
> > 			<param-value>true</param-value>
> > 		</init-param>
> > 		
> > 		<init-param>
> > 			<param-name>jcifs.http.insecureBasic</param-name>
> > 			<param-value>true</param-value>
> > 		</init-param>
> > 	</filter>
> > 
> > 	<!-- NTLM HTTP Authentication only works with MSIE and Mozilla >= 1.6
> > -->
> > 	<filter-mapping>
> > 		<filter-name>NTLMFilter</filter-name>
> > 		<url-pattern>/intranetLogin</url-pattern>
> > 	</filter-mapping>
> > 
> > When I request /intranetLogin the dialog asking for user credentials
> > appears. I had a look at what happens behind the scenes and I found that
> > there are some differences in how jCIFS Filter and an IIS6 installation
> > handle NTLM authentication headers. Here are the two negotiations I
> > recorded. The former is the jCIFS way, the latter is the IIS one:
> > 
> > ********************** NTLM with Tomcat + jCIFS **********************
> > 
> > GET
> > http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-c
> > lient/student/index.jsp HTTP/1.1
> > Host: 10.200.1.6:8080
> > User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
> > Gecko/20040122 Debian/1.6-1
> > Accept:
> > text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
> > image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> > Accept-Encoding: gzip,deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive: 300
> > Proxy-Connection: keep-alive
> > Referer: http://10.200.1.6:8080/waas-client/
> > Cache-Control: max-age=0
> > 
> > HTTP/1.x 401 Unauthorized
> > Via: 1.1 ISA
> > Connection: close
> > Proxy-Support: Session-Based-Authentication
> > Date: Fri, 27 Feb 2004 14:14:49 GMT
> > WWW-Authenticate: NTLM
> > WWW-Authenticate: Basic realm="login.elis.org"
> > Server: Apache-Coyote/1.1
> > ----------------------------------------------------------
> > http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-c
> > lient/student/index.jsp
> > 
> > GET
> > http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-c
> > lient/student/index.jsp HTTP/1.1
> > Host: 10.200.1.6:8080
> > User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
> > Gecko/20040122 Debian/1.6-1
> > Accept:
> > text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
> > image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> > Accept-Encoding: gzip,deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive: 300
> > Proxy-Connection: keep-alive
> > Referer: http://10.200.1.6:8080/waas-client/
> > Cache-Control: max-age=0, max-age=0
> > Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
> > 
> > HTTP/1.x 401 Unauthorized
> > Via: 1.1 ISA
> > Proxy-Support: Session-Based-Authentication
> > Content-Length: 0
> > Date: Fri, 27 Feb 2004 14:14:49 GMT
> > WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAAAAAAAABAgAAgppykLg+94k=
> > Server: Apache-Coyote/1.1
> > ----------------------------------------------------------
> > http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-c
> > lient/student/index.jsp
> > 
> > GET
> > http://10.200.1.6:8080/waaz/intranetLogin?resource=http://10.200.1.6:8080/waas-c
> > lient/student/index.jsp HTTP/1.1
> > Host: 10.200.1.6:8080
> > User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
> > Gecko/20040122 Debian/1.6-1
> > Accept:
> > text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
> > image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> > Accept-Encoding: gzip,deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive: 300
> > Proxy-Connection: keep-alive
> > Referer: http://10.200.1.6:8080/waas-client/
> > Cache-Control: max-age=0, max-age=0, max-age=0
> > Authorization: NTLM
> > TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAgACABAAAAAEgASAEgAAAAGAAYAWgAAAAAAAAAAAAAA
> > AQIAAGUAbABpAHMAZwAuAHMAYQByAHQAbwByAGkAZQBnAG8ANBKY7fJfVyBUUQevj2SqYeOMRBgywM9z
> > 7KHZNHU1IqaUqwU0lPB1IpZ6ULJRVScA
> > 
> > 
> > ********************** NTLM with IIS6 **********************
> > 
> > POST http://ntlogin.elis.org/NTLogin.asp HTTP/1.1
> > Host: ntlogin.elis.org
> > User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
> > Gecko/20040122 Debian/1.6-1
> > Accept:
> > text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
> > image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> > Accept-Encoding: gzip,deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive: 300
> > Proxy-Connection: keep-alive
> > Referer:
> > http://login.elis.org/Login.asp?ReturnTo=http%3A%2F%2Fdev%2Eelis%2Eorg%2Fdev%2F&
> > Query=&WebSite=dev%2Eelis%2Eorg
> > Content-Type: application/x-www-form-urlencoded
> > Content-Length: 71
> > WebSite=dev.elis.org&ReturnTo=http%3A%2F%2Fdev.elis.org%2Fdev%2F&Query=
> > HTTP/1.x 401 Unauthorized
> > Via: 1.1 ISA
> > Proxy-Support: Session-Based-Authentication
> > Content-Length: 1878
> > Date: Fri, 27 Feb 2004 14:19:09 GMT
> > Content-Type: text/html
> > Server: Microsoft-IIS/6.0
> > WWW-Authenticate: Negotiate
> > WWW-Authenticate: NTLM
> > WWW-Authenticate: Basic realm="ntlogin.elis.org"
> > X-Powered-By: ASP.NET
> > ----------------------------------------------------------
> > http://ntlogin.elis.org/NTLogin.asp
> > 
> > POST http://ntlogin.elis.org/NTLogin.asp HTTP/1.1
> > Host: ntlogin.elis.org
> > User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
> > Gecko/20040122 Debian/1.6-1
> > Accept:
> > text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
> > image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> > Accept-Encoding: gzip,deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive: 300
> > Proxy-Connection: keep-alive
> > Referer:
> > http://login.elis.org/Login.asp?ReturnTo=http%3A%2F%2Fdev%2Eelis%2Eorg%2Fdev%2F&
> > Query=&WebSite=dev%2Eelis%2Eorg
> > Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
> > Content-Type: application/x-www-form-urlencoded
> > Content-Length: 71
> > WebSite=dev.elis.org&ReturnTo=http%3A%2F%2Fdev.elis.org%2Fdev%2F&Query=
> > HTTP/1.x 401 Unauthorized
> > Via: 1.1 ISA
> > Proxy-Support: Session-Based-Authentication
> > Content-Length: 1751
> > Date: Fri, 27 Feb 2004 14:19:12 GMT
> > Content-Type: text/html
> > Server: Microsoft-IIS/6.0
> > WWW-Authenticate: NTLM
> > TlRMTVNTUAACAAAACAAIADgAAAAFgokCCjYog/VZf9wAAAAAAAAAAHoAegBAAAAABQLODgAAAA9FAEwA
> > SQBTAAIACABFAEwASQBTAAEAFABMAE8ARwBJAE4ALQBFAEwASQBTAAQAEABFAEwASQBTAC4ATwBSAEcA
> > AwAmAGwAbwBnAGkAbgAtAGUAbABpAHMALgBFAEwASQBTAC4ATwBSAEcABQAQAEUATABJAFMALgBPAFIA
> > RwAAAAAA
> > X-Powered-By: ASP.NET
> > ----------------------------------------------------------
> > http://ntlogin.elis.org/NTLogin.asp
> > 
> > POST http://ntlogin.elis.org/NTLogin.asp HTTP/1.1
> > Host: ntlogin.elis.org
> > User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
> > Gecko/20040122 Debian/1.6-1
> > Accept:
> > text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
> > image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> > Accept-Encoding: gzip,deflate
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive: 300
> > Proxy-Connection: keep-alive
> > Referer:
> > http://login.elis.org/Login.asp?ReturnTo=http%3A%2F%2Fdev%2Eelis%2Eorg%2Fdev%2F&
> > Query=&WebSite=dev%2Eelis%2Eorg
> > Authorization: NTLM
> > TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAgACABAAAAAEgASAEgAAAAGAAYAWgAAAAAAAAAAAAAA
> > BYIIAGUAbABpAHMAZwAuAHMAYQByAHQAbwByAGkAZQBnAG8ACbqsTOMJ2GQAAAAAAAAAAAAAAAAAAAAA
> > 5qFCbL7FCf5UGg3I62gfCc5YND+KZXDA
> > Content-Type: application/x-www-form-urlencoded
> > Content-Length: 71
> > WebSite=dev.elis.org&ReturnTo=http%3A%2F%2Fdev.elis.org%2Fdev%2F&Query=
> > HTTP/1.x 302 Object moved
> > Via: 1.1 ISA
> > Content-Length: 272
> > Date: Fri, 27 Feb 2004 14:19:12 GMT
> > Location:
> > http://login.elis.org/NTLogin_Exec.asp?Username=g%2Esartori&WebSite=dev%2Eelis%2
> > Eorg&Query=&ReturnTo=http%3A%2F%2Fdev%2Eelis%2Eorg%2Fdev%2F
> > Content-Type: text/html
> > Server: Microsoft-IIS/6.0
> > X-Powered-By: ASP.NET
> > Set-Cookie: ASPSESSIONIDSACDRDRR=EKMJNNEAFDPLMLOOGGFNAJIO; path=/
> > Cache-Control: private
> > 
> > ******************************************************************************
> > 
> > The only difference I can see is the first request's header:
> > 
> >     WWW-Authenticate: Negotiate
> > 
> > which is absent in the jCIFS negotiation. I need the browser not to show
> > the login page.
> > 
> > Thanks in advance for any help,
> > Gianluca Sartori
> > 
> > 
-- 
Gianluca Sartori                     ELIS - SIE - Software Development

Via Sandro Sandri, 81                         (tel) +39 06.43.56.03.55
00159 Rome - Italy                            (fax) +39 06.43.56.03.99
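
The two traces in this thread differ in more than the `Negotiate` header: the NTLM tokens themselves carry different negotiate flags. The decoder below is an added example, not part of the original messages or of jCIFS; `parse_ntlm` and `dropped_flags` are names chosen here, flag names follow MS-NLMP, and the IIS challenge is cut to its fixed 24-byte header.

```python
import base64
import struct

# NegotiateFlags bit names per MS-NLMP (subset relevant to these tokens).
FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x00800000: "TARGET_INFO", 0x02000000: "VERSION",
}
# Byte offset of NegotiateFlags in Type 1, 2 and 3 messages.
FLAG_OFFSET = {1: 12, 2: 20, 3: 60}

# Header values copied from the trace in this thread.
CLIENT_TYPE1 = "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="
JCIFS_TYPE2 = "NTLM TlRMTVNTUAACAAAAAAAAAAAAAAABAgAAgppykLg+94k="
# Only the first 32 base64 characters of the IIS challenge (its fixed header).
IIS_TYPE2_HEAD = "NTLM TlRMTVNTUAACAAAACAAIADgAAAAFgokC"


def parse_ntlm(header_value):
    """Return (message_type, flags, flag_names) for an 'NTLM <base64>' value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM token")
    # Mail and proxy captures wrap long tokens: drop whitespace, then re-pad.
    b64 = "".join(token.split()).rstrip("=")
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if raw[:8] != b"NTLMSSP\x00":
        raise ValueError("bad NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    offset = FLAG_OFFSET.get(msg_type)
    if offset is None or len(raw) < offset + 4:
        raise ValueError("unknown message type or truncated message")
    (flags,) = struct.unpack_from("<I", raw, offset)
    return msg_type, flags, sorted(n for bit, n in FLAGS.items() if flags & bit)


def dropped_flags(request, challenge):
    """Flags the client requested that the server's challenge does not carry."""
    return sorted(set(parse_ntlm(request)[2]) - set(parse_ntlm(challenge)[2]))


if __name__ == "__main__":
    for label, value in [("client Type 1", CLIENT_TYPE1),
                         ("jCIFS Type 2", JCIFS_TYPE2),
                         ("IIS Type 2", IIS_TYPE2_HEAD)]:
        msg_type, flags, names = parse_ntlm(value)
        print(f"{label}: type={msg_type} flags=0x{flags:08x} {names}")
    print("dropped by jCIFS:", dropped_flags(CLIENT_TYPE1, JCIFS_TYPE2))
    print("dropped by IIS:  ", dropped_flags(CLIENT_TYPE1, IIS_TYPE2_HEAD))
```

On these tokens the jCIFS challenge carries only `UNICODE` and `NTLM`, while the IIS challenge also keeps `ALWAYS_SIGN` and `EXTENDED_SESSIONSECURITY` from the client's request.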