[jcifs] HTTP POST and Protecting Sub-Content
Eric
eglass1 at comcast.net
Wed May 26 23:40:09 GMT 2004
Michael B Allen wrote:
> I'm working on the NTLM HTTP Authentication Filter documentation. One
> section reads:
>
> "Once IE has negotiated NTLM HTTP authentication it will proactively
> renegotiate NTLM for POST requests for all content associated with the
> server (based on IP?). Therefore when using HTTP POST requests it is not
> possible to restrict access to some content on the server as IE will
> attempt and fail to negotiate NTLM (it hangs?). This is a protocol
> limitation and there is no clean way to convince IE to stop negotiating
> NTLM (although it may be possible by sending an HTTP error reponse)."
>
> Would anyone happen to know the details regarding what IE is tracking that
> triggers it to preemptively negotiate NTLM for HTTP POST requests? Is it
> the IP or server name or ...? Also, what is the behavior of a client that
> attempts and fails due to this problem? Finally, was a definitive answer
> to getting IE to stop negotiating POST requests ever established?
>
> Thanks,
> Mike
>
Not exactly sure what it tracks. I know it's not just the open
connection, because doing a connection close doesn't stop it from
occuring (at the next POST it the client will send a Type 1 message). I
haven't done enough experimentation to determine exactly what it matches
on (i.e., IP vs. server name vs. FQDN, or if port number matters, etc.).
The client doesn't really fail per se; it basically makes a POST request
with the Type 1 in the Authorization header and empty content. So if
the server deems the empty request as acceptable and sends a 200, the
client just goes on its way. I'm not sure what you get if something
strange is sent back, but it would likely just be the standard IE error
page.
As far as negating the behavior, I've had success sending a 401 or 403
back with the final page; i.e.:
1) server asks for auth w/401
2) client sends type 1
3) server sends type 2 w/401
4) client sends type 3
5) server sends back the page content, but a 40x status.
That way, the client thinks that authentication never actually
succeeded. I don't know of any way to cancel it once a success status
is received in response to the Type 3 message; at that point the client
knows it can successfully perform NTLM with the server, so it sends
preemptively from then on.
Eric
More information about the jcifs
mailing list