Posted to users@tomcat.apache.org by André Warnier <aw...@ice-sa.com> on 2009/02/27 15:53:46 UTC

Java applet NTLM authentication

Hi.

This is not a Tomcat question.  But it involves Java, HTTP and HTTP NTLM 
authentication, so I figure that the rather unique combination of 
expertise(s) of the contributors to this list may at least result in 
some good clues for me as to which direction to follow to resolve the 
problem I'm facing.

I am by now fairly versed in Tomcat Java server-side NTLM authentication 
(à la jCIFS/Jespa), but this is another animal: it's on the browser side.

In our application, we have an html form allowing users to upload several 
files together, as a "collection", to a webserver.  The html form itself 
contains some descriptive text input fields; the multiple file-upload is 
provided by a Java applet embedded in the page, which allows users to 
select local workstation files which should be uploaded to the server as 
a set, together with the static form input fields values.  It is this 
applet (not the html form) which actually does the HTTP POST-ing to the 
server of the files, one file/one POST at a time, each POST containing 
one file plus a copy of the html input field values.

To make the POST, the applet picks up from the browser the proxy 
settings if any, and uses them when it creates its own HTTP connection 
to the server, via the org.apache.commons.httpclient.* packages 
(HttpClient, method.* etc.).

It all works fine using IE and Firefox, whether the browser/customer is 
behind a corporate proxy or not.
Only in one recent case it does not.

In that particular case, the browser is IE, and the users are behind a 
corporate outgoing proxy server which requires NTLM authentication on 
the part of the client.
The browser is of course NTLM-authenticated with this proxy, since 
otherwise it could never go through the proxy and fetch our html form in 
the first place.
However, when the applet later tries to do a POST to the same server 
whence the form came from, it receives a 401 response back from the 
proxy.  This 401 response tells the client (in this case the applet), 
that it must authenticate via the NTLM method.

So, obviously, the applet builds its own new HTTP connection to the 
webserver (through the proxy), and tries to send the POST request, but 
without an Authorization: header.  Unfortunately, it does not seem to 
magically pick up the containing browser's credentials and to 
automatically add them to the POST request it is doing to the same 
webserver, which I would have considered nifty. Sigh.

So now the question is: what do I have to do to my applet, that it 
would authenticate properly to that proxy, using the NTLM credentials of 
the browser it is living inside of, or using the credentials of the 
workstation in which the containing browser lives?
Secondary question: is this even possible?

If anyone is sufficiently interested, there is a web demo site where 
this can all be seen, and if you happen to be behind one such proxy 
requiring NTLM authentication, you can also see (in the browser's Java 
console) in detail what happens.

Thank you for your attention, and thankful in advance for any hints 
about where to start looking.

André

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
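
A diagnostic for the challenge response described in the message above, added here as an example (not code from the original post or from HttpClient): it reports whether a challenge comes from a proxy (status 407, `Proxy-Authenticate`) or from the origin server (status 401, `WWW-Authenticate`), which request header must carry the reply, and which NTLM message the token holds. The class and method names are hypothetical, the sample token is constructed, and `java.util.Base64` needs Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added example (hypothetical names): classify an HTTP authentication challenge.
public class NtlmChallengeInspector {
    private static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** Reports who is challenging, with which scheme, and which header carries the reply. */
    static String describe(int status, String headerName, String headerValue) {
        boolean proxy = status == 407 && "Proxy-Authenticate".equalsIgnoreCase(headerName);
        boolean origin = status == 401 && "WWW-Authenticate".equalsIgnoreCase(headerName);
        if (!proxy && !origin) {
            return "not an authentication challenge";
        }
        String[] parts = headerValue.trim().split("\\s+", 2);
        String out = (proxy ? "proxy" : "origin server") + " challenge, scheme " + parts[0]
                + ", reply in " + (proxy ? "Proxy-Authorization" : "Authorization");
        if ("NTLM".equalsIgnoreCase(parts[0]) && parts.length == 2) {
            out += ", NTLM message type " + ntlmMessageType(parts[1]);
        }
        return out;
    }

    /** Returns the NTLM message type (1, 2 or 3), or -1 if the token is malformed. */
    static int ntlmMessageType(String base64Token) {
        byte[] msg;
        try {
            msg = Base64.getDecoder().decode(base64Token.trim());
        } catch (IllegalArgumentException e) {
            return -1;
        }
        if (msg.length < 12 || !Arrays.equals(Arrays.copyOf(msg, 8), SIGNATURE)) {
            return -1;
        }
        // The message type is a 32-bit little-endian integer at offset 8.
        return (msg[8] & 0xFF) | ((msg[9] & 0xFF) << 8)
                | ((msg[10] & 0xFF) << 16) | ((msg[11] & 0xFF) << 24);
    }

    public static void main(String[] args) {
        // Constructed sample: signature plus type field of a Type 2 (challenge) message.
        byte[] type2 = Arrays.copyOf(SIGNATURE, 12);
        type2[8] = 2;
        String token = Base64.getEncoder().encodeToString(type2);
        System.out.println(describe(407, "Proxy-Authenticate", "NTLM"));
        System.out.println(describe(407, "Proxy-Authenticate", "NTLM " + token));
        System.out.println(describe(401, "WWW-Authenticate", "NTLM"));
    }
}
```

NTLM authenticates a connection rather than a single request, so a connection the applet opens itself starts its own handshake. A second challenge carrying a Type 2 token is the middle step of that handshake, not a rejection.
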


Re: Java applet NTLM authentication

Posted by André Warnier <aw...@ice-sa.com>.
André Warnier wrote:
[...]
As complementary information to my own question, I have already read the 
document located here:
http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/NTLM_SUPPORT.txt

However, that does not seem to fit the bill, in the sense that the 
method outlined there (using the jCIFS library) requires finally a call 
like this:

    httpclient.getCredentialsProvider().setCredentials(
         new AuthScope("myserver", -1),
         new NTCredentials("username", "password", "MYSERVER", "MYDOMAIN"));

which implies seemingly that I would have to present an authentication 
dialog to the user and ask them to enter their user-id and password, 
then submit these to the NTCredentials constructor.

This is marketing-wise impossible, since the user (via his IE browser) 
is already authenticated in his own Windows/NTLM domain, and furthermore 
he is so transparently.  It would thus be impossible for me to "sell" 
the idea that they need to re-enter their credentials just to use this 
facet of the application.
(I am also not quite sure how I would get the "DOMAIN" information from 
within my applet.)
(It is also quite impossible to sell to the security people, that I 
would, in my applet, be able to get hold of the user's password for 
their domain account).

What I would like is some method by which the Java applet can pick up 
this information from the browser it is running inside of, since that 
browser /is/ already authenticated.

If that is impossible, I am afraid that instead of using the Java applet 
to do both the local file selection and the POST submission to the 
server, I'll have to merely do the file selection, pass the list back to 
some javascript function back in the html page, and do the POST 
submission via an XMLHttpRequest at that level (supposing of course that 
this object, at least under IE, allows for NTLM authentication).

