[jcifs] Re: windows login popup following session timeout on aform.submit

Asaf Mesika asaf.mesika at gmail.com
Fri Jan 23 16:47:16 GMT 2009


I've changed the NtlmFilter to handle this issue. Take a look at the
following code I wrote:

            // Check the special POST request with Authorization header
            // containing type-1 message (see method javadoc)
            if (request.getMethod().equalsIgnoreCase("POST")) {
                String authorization = request.getHeader( "Authorization" );
                if ( (authorization != null) &&
                        (authorization.startsWith("NTLM ")) ) {
                    logger.debug("POST Request with NTLM Authorization detected.");
                    // decode the NTLM response from the client
                    byte[] src = Base64.decode(authorization.substring(5));
                    // see if a type 1 message was sent by the client
                    if (src[8] == 1) {
                        logger.debug("NTLM Authorization header contains type-1 message. "
                                + "Sending fake response just to pass this stage...");
                        Type1Message type1 = new Type1Message(src);
                        // respond with a type 2 message, where the challenge is null
                        // since we don't care about the server response (type-3 message)
                        // since we're already authenticated
                        // (This is just a by-pass - see method javadoc)
                        Type2Message type2 = new Type2Message(type1, new byte[8], null);
                        String msg = Base64.encode(type2.toByteArray());
                        response.setHeader("WWW-Authenticate", "NTLM " + msg);
                        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                        response.setContentLength(0);
                        response.flushBuffer();
                        return false;
                    }
                }
            }


I placed this code *prior* to the normal ntlm filter code (checking if the
authorization starts with NTLM, etc).
Note that the type 2 I'm sending is based on an empty challenge.
Once IE gets this response, it sends the post request with the original body
message. It is doing so just to verify with the server that the session is
authenticated before sending a big POST.


On Fri, Jan 23, 2009 at 1:00 PM, Bill Comer <bill.comer at gmail.com> wrote:

> I have just tried the regedit change described in
> http://jcifs.samba.org/src/docs/ntlmhttpauth.html
>
> & that works - :-)
>
> Sadly, that is not an acceptable solution as it is a client side change :-(
>
>
> --
> Regards
>
> Bill Comer
> blog: http://billcomer.blogspot.com/
>