Anyway to force basic authentication?

Jason Bainbridge
We have a client that wants to authenticate against Active Directory
but wants the users to always be prompted for their credentials, so I
thought enabling Basic authentication would accomplish that but it
appears that is just a fallback in case NTLM fails so it doesn't quite
do what we need.

My next thought was well if you turn off Integrated Windows
Authentication in Internet Explorer then that should disable NTLM but
for some reason that doesn't seem to work (yes I closed IE and
reopened it) as it still authenticates.

So does anyone know how to always force basic authentication to be
used? SSL is being forced so security isn't really an issue with using
the basic authentication.

Regards,
--
Jason Bainbridge
An Aussie geek stuck in Texas - http://jasonbainbridge.com

Re: Anyway to force basic authentication?

Michael B Allen-4
On Thu, 8 Jun 2006 13:33:33 -0500
"Jason Bainbridge" <[hidden email]> wrote:

> My next thought was well if you turn off Integrated Windows
> Authentication in Internet Explorer then that should disable NTLM but
> for some reason that doesn't seem to work (yes I closed IE and
> reopened it) as it still authenticates.

There's an option in IE called "Always prompt for credentials" or
something like that.

Mike

--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/

Re: Anyway to force basic authentication?

Jason Bainbridge
On 6/14/06, Jason Bainbridge <[hidden email]> wrote:
>
> There is a previous message on the list mentioning that it would be
> possible to do this by modifying the filter code so has anyone
> implemented that at all? I'm more of a support/admin/implementation
> guy and only hack at a bit of code here and there so that is a bit
> over my head. It would be nicer though if there was just a way to
> configure the fallback of BASIC to be used regardless of NTLM working
> or not.

Oops, didn't realize the above was sent direct to Mike and not the
list, no wonder nobody else replied. ;)

Anyway I was having a bit of a look into what modifications would be
required to always prompt for a user's Windows credentials using BASIC
authentication instead of the automatic NTLM handshaking. Obviously
the class that needs changes for the filter is NtlmHttpFilter.java and
it is around the IF block:

        if( msg != null && (msg.startsWith( "NTLM " ) ||
                    (offerBasic && msg.startsWith("Basic ")))) {

Am I reading that correctly in that it will return True and need to
enter the IF block if a user has already authenticated through BASIC?
Meaning that if I want it to return false the first time around all I
need to do is remove the check for msg.startsWith( "NTLM " )?

Would I also need to remove the if block for:

if (msg.startsWith("NTLM ")) {

Or does using the BASIC authentication end up with a message type of
NTLM and still need that?

Apologies for the newbie like questions but these days I don't get to
do much coding so I am more than a little rusty, but if I can work out
what needs to be done to be able to force basic authentication in
addition to simply enabling it I will look into making that a
configuration option and make my patch available if anyone was
interested.

Cheers,
--
Jason Bainbridge
An Aussie geek stuck in Texas - http://jasonbainbridge.com
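
The behaviour asked for in the post above, as an added example that is not part of the thread and is not jCIFS code: a stand-alone helper that only ever challenges with Basic, ignores NTLM tokens, and parses the credentials for a later check against Active Directory. The class name `BasicOnlyAuth`, its methods, the realm and the sample account are hypothetical, and the `secure` flag is assumed to come from the servlet request.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example: hypothetical helper, not jCIFS code. Requires Java 16+ (records).
public class BasicOnlyAuth {
    /** domain is null when the user typed no DOMAIN\ prefix. */
    public record Credentials(String domain, String user, String password) {}

    /** The only challenge sent: no "NTLM" scheme is offered, so the browser has to prompt. */
    public static String challenge(String realm) {
        return "Basic realm=\"" + realm.replace("\"", "") + "\"";
    }

    /** Returns credentials, or null when the caller must answer 401 with challenge(). */
    public static Credentials parse(String authorization, boolean secure) {
        if (!secure || authorization == null) return null;   // no Basic over plain HTTP
        if (!authorization.regionMatches(true, 0, "Basic ", 0, 6)) return null; // NTLM/Negotiate ignored
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(authorization.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null;                                      // malformed base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8); // assumption: UTF-8 client
        int colon = pair.indexOf(':');                        // first ':' splits; password may contain ':'
        if (colon <= 0) return null;
        String user = pair.substring(0, colon);
        String password = pair.substring(colon + 1);
        // An empty password would turn an LDAP simple bind into an unauthenticated bind.
        if (password.isEmpty()) return null;
        String domain = null;
        int slash = user.indexOf('\\');
        if (slash >= 0) {
            domain = user.substring(0, slash);
            user = user.substring(slash + 1);
        }
        return user.isEmpty() ? null : new Credentials(domain, user, password);
    }

    public static void main(String[] args) {
        // Constructed sample headers.
        String basic = "Basic " + Base64.getEncoder()
                .encodeToString("EXAMPLE\\jdoe:pa:ss".getBytes(StandardCharsets.UTF_8));
        System.out.println(parse("NTLM TlRMTVNTUAAB", true)); // token from an auto-negotiating browser
        System.out.println(parse(basic, false));              // Basic header on a non-TLS request
        System.out.println(parse(basic, true));               // Basic header over TLS
        System.out.println("WWW-Authenticate: " + challenge("Intranet"));
    }
}
```

A filter built on this would send 401 with the `challenge()` value whenever `parse()` returns null, and otherwise hand the credentials to whatever performs the directory check.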

Re: Anyway to force basic authentication?

S Wagle
JCIFS will let you do SSO.  But it seems you don't want to do SSO.

If you want to prompt the user for id/password, I would think you
shouldn't use JCIFS at all.  Use J2EE basic/forms based authentication
and validate user credentials against Active Directory.  All app servers
can be configured to authenticate against LDAP directory.


Jason Bainbridge wrote:

> We have a client that wants to authenticate against Active Directory
> but wants the users to always be prompted for their credentials, so I
> thought enabling Basic authentication would accomplish that but it
> appears that is just a fallback in case NTLM fails so it doesn't quite
> do what we need.
>
> My next thought was well if you turn off Integrated Windows
> Authentication in Internet Explorer then that should disable NTLM but
> for some reason that doesn't seem to work (yes I closed IE and
> reopened it) as it still authenticates.
>
> So does anyone know how to always force basic authentication to be
> used? SSL is being forced so security isn't really an issue with using
> the basic authentication.
>
> Regards,