
NTLM Authentication is initiated even on non secured pages

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      Currently NTLM authentication is initiated (by NtlmProcessingFilter) on the first application page the user views, even if it is not secured. That means that a user with e.g. Firefox (not set to do NTLM) will get a login popup, even though the page is accessible without login.

      Setting forceIdentification to false does not work either, as in this case NTLM is never initiated.

      Solution: initiate NTLM from the NtlmProcessingFilterEntryPoint

      Add the following method to NtlmProcessingFilter to allow setting the BEGIN state from outside:

      public static void setStarting(final HttpServletRequest request) {
          // Put the session into the BEGIN state so that NtlmProcessingFilter
          // continues the handshake on the next request even though
          // forceIdentification is false.
          final HttpSession session = request.getSession();
          session.setAttribute(STATE_ATTR, BEGIN);
      }

      Change NtlmProcessingFilterEntryPoint to initiate NTLM if the page requires authentication:

      public void commence(final ServletRequest request, final ServletResponse response,
                           final AuthenticationException authException)
              throws IOException, ServletException {
          final HttpServletResponse resp = (HttpServletResponse) response;

          // (MVL) start authentication, if necessary and forceIdentification in
          // NtlmProcessingFilter is false
          if (!(authException instanceof NtlmBaseException
                  || authException instanceof BadCredentialsException)) {
              // Access was denied on a secured page and no handshake is in
              // progress yet: mark the session and send the NTLM challenge.
              NtlmProcessingFilter.setStarting((HttpServletRequest) request);
              resp.setHeader("WWW-Authenticate", new NtlmBeginHandshakeException().getMessage());
              resp.setHeader("Connection", "Keep-Alive");
              resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
              resp.setContentLength(0);
              resp.flushBuffer();
          } else {
              ... (current code)
          }
      }

      Set forceIdentification for the filter to false - using true will exhibit the current behavior.
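      This is an added example, not part of the issue or of Spring Security's own configuration: a Spring Security 2.0 XML context wiring the reporter's proposal so that the NTLM challenge is only sent after an access decision fails for a secured URL. The two class names and forceIdentification come from the issue; the other bean and property names are assumed from the 2.0 API, and the URL patterns, domain and domain controller are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

  <!-- /public/** carries no role requirement, so FilterSecurityInterceptor never
       raises an AccessDeniedException there and the entry point is never reached:
       no 401/NTLM challenge, hence no login popup in a browser without NTLM.
       Everything else requires ROLE_USER and triggers the entry point. -->
  <security:http entry-point-ref="ntlmEntryPoint">
    <security:intercept-url pattern="/public/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
    <security:anonymous/>
    <!-- NTLM_FILTER position assumed from the 2.0 FilterChainOrder -->
    <security:custom-filter position="NTLM_FILTER" ref="ntlmFilter"/>
  </security:http>

  <!-- forceIdentification="false": the filter only continues a handshake that is
       already in the BEGIN state (set by the patched entry point); it never starts
       one by itself. With "true" it challenges on the first request of every
       session regardless of the URL, which is the behaviour this issue reports. -->
  <bean id="ntlmFilter" class="org.springframework.security.ui.ntlm.NtlmProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="defaultDomain" value="EXAMPLE"/>             <!-- constructed -->
    <property name="domainController" value="dc.example.test"/>  <!-- constructed -->
    <property name="forceIdentification" value="false"/>
  </bean>

  <!-- The patched entry point from the issue: invoked by ExceptionTranslationFilter
       only after access to a secured URL was denied. It sets the BEGIN state and
       answers 401 + "WWW-Authenticate: NTLM" so the browser opens the handshake. -->
  <bean id="ntlmEntryPoint"
        class="org.springframework.security.ui.ntlm.NtlmProcessingFilterEntryPoint">
    <!-- property name assumed from the 2.0 API -->
    <property name="authenticationFailureUrl" value="/ntlm-failed.jsp"/>
  </bean>

  <!-- The NTLM-capable authentication provider behind this manager is out of
       scope here and must be configured separately. -->
  <security:authentication-manager alias="authenticationManager"/>
</beans>
```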

          Activity

          Bancharel added a comment -

          As it is no longer possible to have unsecured pages (even with forceIdentification=false), this issue should not be qualified as "Improvement" and "Minor", but really qualified as a "Bug" and "Major".

          Could you requalify this issue?

          Danny Dion added a comment -

          I agree with you, this is a MAJOR BUG and it would be nice if it got fixed in the next release...

          Luke Taylor added a comment -

          The original Acegi NTLM contribution treated NTLM purely as an SSO solution for use within a Windows LAN. It wasn't intended to support Firefox or on-demand authentication.

          In any case, we have decided to drop NTLM from the 3.0 codebase. It is difficult to work with and maintain and Mike Wiesner has been putting together a Kerberos-based alternative which is part of the new Security Extensions project.


            People

            • Assignee: Unassigned
            • Reporter: Martin Vlcek
            • Votes: 2
            • Watchers: 2