how to bypass authentication in ntlmhttpfilter?


how to bypass authentication in ntlmhttpfilter?

Smyth, Jim
Hi,

I have got automatic logon to a web application using NT credentials.  I allow users to logoff the webapp by setting a session attribute when a particular request header is sent, so that the NTLM filter is not executed (and thus the user can browse the site anonymously).

I would also like to implement the following:

If a user cannot automatically authenticate against the domain, do NOT show the network dialog.  (i.e. allow users to transparently fail NTLM and then browse the site anonymously).  

Has anyone done this?  Any hints appreciated!


thanks
jim

Re: how to bypass authentication in ntlmhttpfilter?

Thomas Bley
Hi Jim,

the webdisk uses this:

(from Presentation.java)
...
        // Browsers that do not negotiate NTLM go straight to the HTML login form.
        // Guard against a missing User-Agent header (the original called toLowerCase() on it unconditionally).
        String ua = request.getHeader("User-Agent");
        String userAgent = ua == null ? "" : ua.toLowerCase();
        if (userAgent.indexOf("opera") != -1 ||
            userAgent.indexOf("konqueror") != -1 ||
            userAgent.indexOf("safari") != -1) {
            showLogin("<br><center><b>NTLM is disabled for Opera / Konqueror / Safari.</b></center>");
            return;
        }
        // Challenge the browser. An NTLM-capable client negotiates and never renders the response body.
        response.setHeader("WWW-Authenticate", "NTLM");
        response.setHeader("Connection", "close");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

        // dirty hack if ntlm is disabled or user cancels the form:
        // the body of the 401 is only displayed when no NTLM negotiation takes place
        showLogin("<br><center><b>NTLM seems to be disabled</b></center>");
...

showLogin shows a normal html-form for logging in and the user stays
anonymous.

The webdisk uses jCIFS, but not ntlmhttpfilter (only some parts of it).

http://sourceforge.net/projects/webdisk/

bye
Tom


Smyth, Jim wrote:

> Hi,
>
> I have got automatic logon to a web application using NT credentials.  I allow users to logoff the webapp by setting a session attribute when a particular request header is sent, so that the NTLM filter is not executed (and thus the user can browse the site anonymously).
>
> I would also like to implement the following:
>
> If a user cannot automatically authenticate against the domain, do NOT show the network dialog.  (i.e. allow users to transparently fail NTLM and then browse the site anonymously).  
>
> Has anyone done this?  Any hints appreciated!
>
>
> thanks
> jim
>
>
>  
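The same 401-with-fallback-body technique as a complete servlet filter, added here as an example; it is not the webdisk's or jCIFS's own code. It builds on jCIFS 1.x's jcifs.http.NtlmSsp and goes one step beyond the snippet above: when the domain logon fails it answers with the form but without a fresh NTLM challenge, so the browser renders the body instead of opening the credentials dialog (the filter name, the "ntlmUser"/"anonymous" session attributes, the anon parameter and the domainController init-param are assumptions).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import jcifs.UniAddress;
import jcifs.http.NtlmSsp;
import jcifs.smb.*;
// Hypothetical filter: transparent NTLM logon that falls back to an HTML form / anonymous browsing.
public class NtlmFallbackFilter implements Filter {
    private static final String FORM = "<html><body><form method='post' action='login'>User <input name='u'> "
        + "Password <input type='password' name='p'> <input type='submit'></form>"
        + "<a href='?anon=1'>Continue without logging in</a></body></html>";
    private UniAddress dc;  // domain controller, from the (assumed) init-param "domainController"
    public void init(FilterConfig cfg) throws ServletException {
        try { dc = UniAddress.getByName(cfg.getInitParameter("domainController")); }
        catch (IOException e) { throw new ServletException(e); }
    }
    public void destroy() {}
    // challenge=true: NTLM browsers negotiate and never render the body; challenge=false: no dialog, body shown.
    private void showForm(HttpServletResponse response, boolean challenge) throws IOException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        if (challenge) {
            response.setHeader("WWW-Authenticate", "NTLM");
            response.setHeader("Connection", "close");
        }
        response.setContentType("text/html");
        response.getWriter().print(FORM);
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession();
        // A decision already recorded in the session: a logged-on user, or an explicit "anonymous" choice.
        if ("1".equals(request.getParameter("anon"))) session.setAttribute("anonymous", Boolean.TRUE);
        if (session.getAttribute("ntlmUser") != null || session.getAttribute("anonymous") != null) {
            chain.doFilter(req, res);
            return;
        }
        String auth = request.getHeader("Authorization");
        if (auth == null || !auth.startsWith("NTLM ")) { showForm(response, true); return; }
        try {
            NtlmPasswordAuthentication ntlm = NtlmSsp.authenticate(request, response, SmbSession.getChallenge(dc));
            if (ntlm == null) return;       // Type 1 received; NtlmSsp has already sent the Type 2 challenge
            SmbSession.logon(dc, ntlm);     // verify the Type 3 response against the domain controller
            session.setAttribute("ntlmUser", ntlm);
            chain.doFilter(req, res);
        } catch (SmbAuthException e) {
            showForm(response, false);      // domain logon failed: show the form, but issue no new NTLM challenge
        }
    }
}
```

The "anonymous" attribute plays the role of Jim's logoff flag: once set, the filter lets every request through without challenging again.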


RE: how to bypass authentication in ntlmhttpfilter?

Smyth, Jim
Thomas,

thanks for the reply.  I didn't comment yesterday as I didn't have enough time to implement it, and to be honest I was a little unsure about your solution (blush!).

I now see that the body portion is ignored if NTLM negotiation (transparent or otherwise) is taking place.  It is only when the pop-up auth dialog is cancelled that the body is used.  Clever.

thanks again

jim

-----Original Message-----
From: Thomas Bley
To: [hidden email]
Cc: Smyth, Jim
Sent: 15-11-2005 10:39
Subject: Re: [jcifs] how to bypass authentication in ntlmhttpfilter?