Posted to modperl@perl.apache.org by Brett Hales <br...@baesystems.com> on 2002/11/08 00:44:17 UTC
Suspected Apache::AuthenNTLM Bug
I believe that there is a bug in the Apache::AuthenNTLM module.
Configuration:
I have an Apache server with ColdFusion MX 6 installed; there is a
requirement for NTLM authentication with the server.
I implemented the PerlAuthenHandler Apache::AuthenNTLM to solve this
problem.
Problem:
With ColdFusion you can call the same page, e.g. the line_main2.cfm can be
called from the line_main2.cfm with different parameters. Unfortunately
the client PC does not seem to pass the NTLM/Basic Authorization Header
the second time the page is called.
An error appears in the error.log:
[Fri Nov 8 09:03:58 2002] [error] access to
/cf_dev/objectives/line_main2.cfm failed for , reason: Bad/Missing
NTLM/Basic Authorization Header for /cf_dev/objectives/line_main2.cfm
Configuration:
Apache::AuthenNTLM (version 0.21)
Server version: Apache/1.3.27 (Unix)
httpd.conf
Alias /cf_dev/objectives/ "/baewwwroot/cf_dev/objectives/"
<Directory "/baewwwroot/cf_dev/objectives">
    Options -Indexes FollowSymLinks MultiViews
    PerlAuthenHandler Apache::AuthenNTLM
    AuthType ntlm
    AuthName "Windows Authentication Required"
    require valid-user
    PerlAddVar ntdomain "BAEA baeapdc sbntfp1"
    PerlAddVar ntdomain "BAEADEV bantdev1"
    PerlSetVar defaultdomain BAEA
</Directory>
--
Brett Hales
Re: Suspected Apache::AuthenNTLM Bug
Posted by Gerald Richter <ri...@ecos.de>.
>
> With ColdFusion you can call the same page, e.g. the line_main2.cfm can be
> called from the line_main2.cfm with different parameters. Unfortunately
> the client PC does not seem to pass the NTLM/Basic Authorization Header
> the second time the page is called.
>
Maybe this is handled via a subrequest. To test this, I am sending you the
newest version. Please install it and set
    PerlSetVar ntlmdebug 2
Then run your request and send me the output from the httpd error log.
Gerald
-------------------------------------------------------------
Gerald Richter ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting
Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: richter@ecos.de Voice: +49 6133 925131
WWW: http://www.ecos.de Fax: +49 6133 925152
-------------------------------------------------------------
Re: Suspected Apache::AuthenNTLM Bug
Posted by Ged Haywood <ge...@www2.jubileegroup.co.uk>.
Hi there,
On 8 Nov 2002, Brett Hales wrote:
> I believe that there is a bug in the Apache::AuthenNTLM module.
Did you see this?
73,
Ged.
----------------------------------------------------------------------
Date: Thu, 7 Nov 2002 17:46:15 -0600 (CST)
From: Gerald Combs <ge...@ethereal.com>
To: modperl@apache.org
Subject: NTLM Authentication patch
We recently installed AuthenNTLM where I work, and ran into the POST
problems described in the thread at
http://marc.theaimsgroup.com/?t=103177365400006&r=1&w=2
After looking through a couple of network traces I think I've found the
problem. It appears that after IE authenticates via NTLM, it sends type 1
messages for subsequent requests during a keepalive session. This is fine
and dandy unless you're sending a POST request - when it sends the type 1
message, it also sends a "Content-length: 0", and doesn't append the POST
data. Since the browser has successfully authenticated itself earlier in
the keepalive session, AuthenNTLM validates the request and a POST with no
accompanying POST data gets passed to the server.
Attached is a patch against the 0.21 release that fixes this behavior (in
our environment, at any rate). I know very little about NTLM
authentication and mod_perl coding, so the patch may not be entirely
correct.
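
Added example, not part of the thread and not the patch or the Apache::AuthenNTLM code: a stand-alone Perl sketch that reads the NTLM message type from an Authorization header and shows why a type 1 message on an already authenticated keep-alive connection should be answered with a fresh challenge instead of being passed through. The decide() policy, the $authed flag and the sample messages are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Message type (1 negotiate, 2 challenge, 3 authenticate) of an
# "Authorization: NTLM <base64>" value; 0 if absent or malformed.
sub ntlm_msg_type {
    my ($header) = @_;
    return 0 unless defined $header
        && $header =~ m{^NTLM\s+([A-Za-z0-9+/]+=*)\s*$};
    my $raw = decode_base64($1);
    return 0 unless length($raw) >= 12 && substr($raw, 0, 8) eq "NTLMSSP\0";
    my $type = unpack 'V', substr($raw, 8, 4);    # little-endian uint32
    return ($type >= 1 && $type <= 3) ? $type : 0;
}

# Example policy (an assumption, not the module's logic). $authed is a
# hypothetical per-connection flag set once a type 3 message was verified.
sub decide {
    my ($authed, $auth_header) = @_;
    my $type = ntlm_msg_type($auth_header);
    # Type 1 restarts the handshake: the client holds its POST body back
    # (Content-Length: 0) until it has answered a fresh challenge, so the
    # cached result must not be used to let this request through.
    return 'send_challenge' if $type == 1;
    return 'verify_type3'   if $type == 3;
    # Type 2 from a client, or not NTLM (Basic is out of scope here).
    return 'reject'         if defined $auth_header;
    return $authed ? 'reuse_connection_auth' : 'send_challenge';
}

# Constructed sample messages (header fields only, no real credentials).
my $t1 = 'NTLM ' . encode_base64("NTLMSSP\0" . pack('V2', 1, 0xb203) . "\0" x 16, '');
my $t3 = 'NTLM ' . encode_base64("NTLMSSP\0" . pack('V', 3) . "\0" x 52, '');

# Constructed keep-alive session: [authed, method, Content-Length, header].
my @trace = (
    [0, 'GET',  0, undef],
    [0, 'GET',  0, $t1],
    [0, 'GET',  0, $t3],
    [1, 'POST', 0, $t1],    # the case described in the message above
    [1, 'GET',  0, undef],
);
for my $req (@trace) {
    my ($authed, $method, $len, $hdr) = @$req;
    printf "%-4s len=%-2d type=%d authed=%d -> %s\n",
        $method, $len, ntlm_msg_type($hdr), $authed, decide($authed, $hdr);
}
```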