NTLM Ajax POST


NTLM Ajax POST

Mike Streeton

We are using the NTLM filter to handle our authentication. This works fine, but we have an issue with Ajax calls. When using the POST method, e.g. request.open("POST", "myurl", true); causes the password box to be displayed in IE (XP Pro SP 2); changing the "true" to false works, as I understand "true" is send asynchronous and "false" is send synchronous. Unfortunately "false" stops the application working in Firefox. Changing the "POST" to GET and encoding the parameters works okay? This is using v1.2.7 of JCIFS.

Any Ideas, Many Thanks

Mike

www.ardentia.com the home of NetSearch



Re: NTLM Ajax POST

Jonathan Trumbull
Mike,

What errors are you seeing in the log files and is it consistently doing this?  I have observed this problem before intermittently with AJAX-type posts.  It seemed to be much more of a problem if there were several rapid asynchronous calls.  I believe the error was a java.net.SocketTimeoutException.  What's interesting is that it also seemed to cause the loading of normal embedded graphics to hiccup every so often.  In this case I was only using these calls to log mouse clicks on the page, so I just moved this part of the application to a URL not protected by the servlet filter. When I did this, even the previously mentioned hiccups with the embedded graphics went away entirely.  I realize that not protecting your AJAX resources might not be an option!  I have also seen the problem (consistently) when the session timed out on the server, but this probably isn't what's happening with you.

--Jonathan


Re: NTLM Ajax POST

Michael B Allen-4
On Tue, 16 May 2006 15:58:31 -0500
"Jonathan Trumbull" <[hidden email]> wrote:

> Mike,
>
> What errors are you seeing in the log files and is it consistently doing
> this?  I have observed this problem before intermittently with AJAX-type
> posts.  It seemed to be much more of a problem if there were several rapid
> asynchronous calls.

Due to the NTLM HTTP authentication protocol being a three message
handshake and coupled with the fact that there is no form of multiplex
id, if the client tries to pipeline requests the server will likely get
confused. I suspect this has nothing to do with JCIFS and you would see
it with IIS too if NTLM was negotiated.

Yet again, the solution is to use Kerberos which doesn't normally require
multiple messages. NTLM is really showing its age :-<

Mike


Re: NTLM Ajax POST

Jonathan Trumbull
Mike,

>>Due to the NTLM HTTP authentication protocol being a three message...<<

But, if you are performing the AJAX calls against the server for which you have already established a session there shouldn't be any messing about with NTLM messages.  It should just check to see if the NTLM object is present in the session and let the request through (restating the obvious here--of course!).  I think most of my problems were caused by the app server session timing out before making multiple asynchronous AJAX requests.  Then both IE and the servlet filter get terribly confused with the barrage of messages and requests just like you mentioned.

>>Yet again, the solution is to use Kerberos which doesn't normally require
multiple messages.<<

Among other benefits!

BTW, thanks for all the work on jCIFs and the NtlmHttpFilter in particular!  We use them on quite a few projects.

--Jonathan



Re: NTLM Ajax POST

Richard Caper
POSTs have strange behavior with NTLM anyways; the client will force
reauthentication (not sure about the XMLHttpRequest AJAX stuff, but IE
will anyways; I expect it does the same).  It will first make a POST
request with *no* content and a Type 1 NTLM message, then expects to
get a type 2 challenge back.  It then sends the type 3 response along
with the POST body.

This behavior will be seen on any POST to a given server after an NTLM
handshake has successfully completed.  The reason is the client
expects the server to require authentication, and wants to avoid
having to resend a large upload since the server won't reply back
until the initial request has completed (i.e. consider the scenario
where you are uploading a 500 MB file, and you send half a gig only
for the server to challenge you for authentication).

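
The handshake order discussed in this thread (a Type 1 message on an empty POST, the server's Type 2 challenge, then the Type 3 response with the POST body, all tied to one connection because there is no multiplex id) can be checked from a filter's request log. The following is an added example, not part of the original posts and not JCIFS code; `auditConnection`, `sampleToken`, `SAMPLE_CONNECTION` and the labels are hypothetical names, and the tokens and requests are constructed.

```javascript
// Added example (not JCIFS code): read the NTLM message type from the
// Authorization header and check handshake order on a single connection.
const SIGNATURE = Buffer.from("NTLMSSP\0", "latin1");

// Returns 1 or 3 for a well-formed client NTLM token, otherwise null.
function ntlmMessageType(headerValue) {
  const m = /^NTLM\s+([A-Za-z0-9+/=]+)\s*$/.exec(headerValue || "");
  if (!m) return null;
  const raw = Buffer.from(m[1], "base64");
  if (raw.length < 12 || !raw.subarray(0, 8).equals(SIGNATURE)) return null;
  const type = raw.readUInt32LE(8); // 4-byte little-endian type after the signature
  return type === 1 || type === 3 ? type : null;
}

// Labels the requests seen on ONE connection, in arrival order.
function auditConnection(requests) {
  let awaitingType3 = false; // true right after a Type 1 was received
  return requests.map((req) => {
    const type = ntlmMessageType(req.headers["authorization"]);
    const bodyLength = Number(req.headers["content-length"] || 0);
    let label;
    if (awaitingType3 && type !== 3) label = "handshake-interrupted";
    else if (type === 3 && !awaitingType3) label = "type3-without-type1";
    else if (type === 1 && req.method === "POST" && bodyLength === 0) label = "type1-empty-post";
    else if (type === 1) label = "type1";
    else if (type === 3) label = "type3";
    else label = "no-ntlm-token";
    awaitingType3 = type === 1;
    return label;
  });
}

// Constructed sample token: signature + little-endian type + zero padding.
function sampleToken(type) {
  const body = Buffer.alloc(24);
  body.writeUInt32LE(type, 0);
  return "NTLM " + Buffer.concat([SIGNATURE, body]).toString("base64");
}

// Constructed request log for one connection; the second POST is interleaved
// with an unrelated GET before its Type 3 arrives.
const SAMPLE_CONNECTION = [
  { method: "POST", headers: { authorization: sampleToken(1), "content-length": "0" } },
  { method: "POST", headers: { authorization: sampleToken(3), "content-length": "27" } },
  { method: "GET", headers: {} },
  { method: "POST", headers: { authorization: sampleToken(1), "content-length": "0" } },
  { method: "GET", headers: {} },
  { method: "POST", headers: { authorization: sampleToken(3), "content-length": "27" } },
];
```

A run of `handshake-interrupted` or `type3-without-type1` labels on one connection matches the interleaving described in the thread, as opposed to a credentials problem.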