[jcifs] NTLM Ajax POST

Richard Caper rcaper at gmail.com
Wed May 17 16:37:56 GMT 2006


POSTs have strange behavior with NTLM anyways; the client will force
reauthentication (not sure about the XMLHttpRequest AJAX stuff, but IE
will anyways; I expect it does the same).  It will first make a POST
request with *no* content and a Type 1 NTLM message, then expects to
get a Type 2 challenge back.  It then sends the Type 3 response along
with the POST body.

This behavior will be seen on any POST to a given server after an NTLM
handshake has successfully completed.  The reason is the client
expects the server to require authentication, and wants to avoid
having to resend a large upload since the server won't reply back
until the initial request has completed (i.e. consider the scenario
where you are uploading a 500 MB file, and you send half a gig only
for the server to challenge you for authentication).


On 5/17/06, Jonathan Trumbull <jonathan.trumbull at gmail.com> wrote:
> Mike,
>
> >>Due to the NTLM HTTP authentication protocol being a three message...<<
>
> But, if you are performing the AJAX calls against the server for which you
> have already established a session there shouldn't be any messing about with
> NTLM messages.  It should just check to see if the NTLM object is present in
> the session and let the request through (restating the obvious here--of
> course!).  I think most of my problems were caused by the app server session
> timing out before making multiple asynchronous AJAX requests.  Then both IE
> and the servlet filter get terribly confused with the barrage of messages
> and requests just like you mentioned.
>
>
> >>Yet again, the solution is to use Kerberos which doesn't normally require
> multiple messages.<<
>
> Among other benefits!
>
> BTW, thanks for all the work on jCIFS and the NtlmHttpFilter in particular!
> We use them on quite a few projects.
>
> --Jonathan
>
>
> On 5/16/06, Michael B Allen < mba2000 at ioplex.com> wrote:
> > On Tue, 16 May 2006 15:58:31 -0500
> > "Jonathan Trumbull" <jonathan.trumbull at gmail.com> wrote:
> >
> > > Mike,
> > >
> > > What errors are you seeing in the log files and is it consistently doing
> > > this?  I have observed this problem before intermittently with AJAX-type
> > > posts.  It seemed to be much more of a problem if there were several
> > > rapid asynchronous calls.
> >
> > Due to the NTLM HTTP authentication protocol being a three message
> > handshake and coupled with the fact that there is no form of multiplex
> > id, if the client tries to pipeline requests the server will likely get
> > confused. I suspect this has nothing to do with JCIFS and you would see
> > it with IIS too if NTLM was negotiated.
> >
> > Yet again, the solution is to use Kerberos which doesn't normally require
> > multiple messages. NTLM is really showing its age :-<
> >
> > Mike
> >
> >
>
>
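
The POST sequence described at the top of this message, as an added example that is not part of the original thread and is not jCIFS code: a server-side check that reads the NTLM message type from the Authorization header and keeps the empty Type 1 POST away from the application, even when the session is already authenticated. The function names, the lower-case header dict and the returned labels are assumptions of this sketch; the tokens are constructed (signature, type and zeroed flags only), not captures.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with this


def sample_token(msg_type):
    """Constructed sample header value: signature + type + zeroed flags."""
    raw = NTLMSSP_SIGNATURE + struct.pack("<II", msg_type, 0)
    return "NTLM " + base64.b64encode(raw).decode()


def ntlm_message_type(authorization):
    """Return the NTLM message type (1, 2 or 3) carried in an Authorization
    header value, or None if it is absent or not a well-formed NTLM token."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    msg_type = struct.unpack_from("<I", raw, 8)[0]  # little-endian uint32
    return msg_type if msg_type in (1, 2, 3) else None


def classify_request(method, headers, session_authenticated):
    """Decide what a filter should do with one request. `headers` has
    lower-case keys; `session_authenticated` means the session already
    holds a completed NTLM login."""
    msg_type = ntlm_message_type(headers.get("authorization"))
    length = int(headers.get("content-length") or 0)
    if msg_type == 1:
        # The client is re-authenticating. On a POST the body is withheld
        # until Type 3, so this request must not reach the application.
        kind = "empty-preauth-post" if method == "POST" and length == 0 else "negotiate"
        return ("challenge-401", kind)
    if msg_type == 3:
        # The real POST body arrives together with this message.
        return ("validate-then-dispatch", "authenticate")
    if session_authenticated:
        return ("dispatch", "session")
    return ("challenge-401", "unauthenticated")
```

The message type is checked before the session flag on purpose: a filter that only tests for an authenticated session would hand the zero-length POST to the application and never see the body that follows with the Type 3 message.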

