Java Forum / General / July 2007

NTLM Authorization issue

Marcia - 03 Jul 2007 20:10 GMT
We have a little in house application that uses NTLM Authorization.  I
didn't write it, but it looks as though the code was taken
directly from this discussion:

http://www.jguru.com/faq/viewquestion.jsp?EID=393110

This code works for most users of Internet Explorer (IE 6).  But it
doesn't work on some newer machines that are operating off a different
installation image than older machines.  I have two machines and
verified they have the exact same version of internet explorer
(6.0.2900.2180.xpsp_sp2_gdr.070227-2254).  On the older one, the
application using the above mentioned code comes up just fine.  On the
newer one, the user gets a "Page cannot be found" error.

I've traced the issue down to this section of the above mentioned
code:

if (auth.startsWith("NTLM "))
{
  // Decode the NTLM message the browser sent in the Authorization header.
  byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
  int off = 0, length, offset;
  if (msg[8] == 1)  // message type 1 (negotiate)
  {
    byte z = 0;
    // Fixed 40-byte type 2 (challenge) message sent back to the browser.
    byte[] msg1 = {
      (byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P', z,
      (byte)2, z, z, z, z, z, z, z,
      (byte)40, z, z, z, (byte)1, (byte)130, z, z,
      z, (byte)2, (byte)2, (byte)2, z, z, z, z,
      z, z, z, z, z, z, z, z};
    response.setHeader("WWW-Authenticate", "NTLM " + new sun.misc.BASE64Encoder().encodeBuffer(msg1));
    response.sendError(response.SC_UNAUTHORIZED);
    return;
  }

Specifically, it is when the
response.sendError(response.SC_UNAUTHORIZED); is sent back.

I searched Microsoft's web site and found this:

http://support.microsoft.com/?kbid=821814

But it looks like that issue was fixed in 2003 and we show a dll much
more recent than the one shown to have fixed the bug.  And again, two
machines with the same version and patches for IE, one works, one
doesn't.

Does anybody have any thoughts or suggestions as to what we could do
to get this to work on all workstations with IE 6?  Or if there is
something else on the machine or IE configuration that could affect
this behavior?  I also painfully verified all the IE settings were the
same.

BTW, it works in Firefox on the affected machines, although the user
is prompted for a login, but this is not considered an acceptable
workaround as this newer image starts to become more prevalent.

Thanks!
Roedy Green - 03 Jul 2007 21:56 GMT
On Tue, 03 Jul 2007 12:10:31 -0700, Marcia
<marcia.l.thomasson@wellsfargoefs.com> wrote, quoted or indirectly
quoted someone who said :

>We have a little in house application that uses NTLM Authorization.  I
>didn't write it, but it looks as though the code was taken from
>directly from this discussion:

Authenticators are SO much easier now.

see  http://mindprod.com/jgloss/authentication.html
http://mindprod.com/jgloss/ntlm.html

--
Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com
Marcia - 05 Jul 2007 14:31 GMT
On Jul 3, 3:56 pm, Roedy Green <see_webs...@mindprod.com.invalid>
wrote:
> Authenticators are SO much easier now.
>
> see  http://mindprod.com/jgloss/authentication.html
> http://mindprod.com/jgloss/ntlm.html

Thanks for the info, could you by chance point me to a code snippet
that uses this class for NTLM auth that will work in java 1.4.2?
Also, somewhere I saw mentioned that NTLM will only work with this
class on windows machines due to licensing issues.  Our code runs on
Solaris, will this even be an option for us?
Marcia - 05 Jul 2007 14:54 GMT
Also, I should clarify that our code is running on the server side as
a servlet.  It seems most examples/discussions I am finding focus on
using the Authenticator class on a client machine.
Roedy Green - 05 Jul 2007 19:50 GMT
On Thu, 05 Jul 2007 06:54:08 -0700, Marcia
<marcia.l.thomasson@wellsfargoefs.com> wrote, quoted or indirectly
quoted someone who said :

>Also, I should clarify that our code is running on the server side as
>a servlet.  It seems most examples/discussions I am finding focus on
>using the Authenticator class on a client machine.

You are trying to fool a Windows browser that you are a Windows server.
This is a completely different problem.

I would dig around in the various open source servlet wombs to see if
any of them can do this.  Then either use that womb, or cannibalise
its code.

see http://mindprod.com/jgloss/servletwomb.html

--
Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com
Marcia - 05 Jul 2007 22:21 GMT
On Jul 5, 1:50 pm, Roedy Green <see_webs...@mindprod.com.invalid>
wrote:

> You are trying to fool a Windows browser that you are a Windows server.
> This is a completely different problem.

The app in question is one that doesn't access sensitive data, hence
the methodology.  It was basically designed to save the user the step
of entering login information by capturing their workstation login and
passing that to the application so we know who they are.  It looks
like we are going to have to rewrite this front end portion of the app
anyway, so we'll probably just update it to work like our other apps
that already require the user to enter a login and password.  Anyhow,
thanks everyone for your help!
Real Gagnon - 05 Jul 2007 15:27 GMT
> Thanks for the info, could you by chance point me to a code snippet
> that uses this class for NTLM auth that will work in java 1.4.2?

http://java.sun.com/j2se/1.4.2/changes.html#networking

Note that the code you are using now is not secure at all.

See the note at
http://www.rgagnon.com/javadetails/java-0441.html

If you are using an application server, it's possible to use NTLM. For
example, you can set up BEA WLS to authenticate through NTLM.

Bye.

Real Gagnon  from  Quebec, Canada
* Java, Javascript, VBScript and PowerBuilder code snippets
* http://www.rgagnon.com/howto.html
* http://www.rgagnon.com/bigindex.html
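
Added example, not part of any poster's message or of the jGuru code: a decoder for the 40-byte msg1 array from the first post, read as an NTLM type 2 (challenge) message, showing that the 8-byte server challenge is a constant. The class name NtlmType2Decoder and the method describe are hypothetical names for this example, and it assumes a Java 8 or later JDK rather than 1.4.2.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;

public class NtlmType2Decoder {
    // Constructed from the thread: the same 40 bytes as msg1 in the posted servlet code.
    static final byte[] MSG1 = {
        'N', 'T', 'L', 'M', 'S', 'S', 'P', 0,  // signature "NTLMSSP\0"
        2, 0, 0, 0,                            // message type
        0, 0, 0, 0, 40, 0, 0, 0,               // target name: length, allocated, offset
        1, (byte) 130, 0, 0,                   // negotiate flags (little-endian)
        0, 2, 2, 2, 0, 0, 0, 0,                // server challenge
        0, 0, 0, 0, 0, 0, 0, 0                 // reserved
    };

    // The three flag bits set in MSG1, named as in the NTLM specification.
    static final int[] FLAG_BITS = {0x00000001, 0x00000200, 0x00008000};
    static final String[] FLAG_NAMES = {"NEGOTIATE_UNICODE", "NEGOTIATE_NTLM", "NEGOTIATE_ALWAYS_SIGN"};

    static String describe(byte[] msg) {
        if (msg.length < 32 || !new String(msg, 0, 8, StandardCharsets.US_ASCII).equals("NTLMSSP\0")) {
            throw new IllegalArgumentException("not an NTLMSSP message");
        }
        ByteBuffer buf = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        int type = buf.getInt(8);
        if (type != 2) {
            throw new IllegalArgumentException("not a type 2 message: type=" + type);
        }
        int targetLen = buf.getShort(12) & 0xFFFF;
        int targetOffset = buf.getInt(16);
        int flags = buf.getInt(20);
        StringBuilder names = new StringBuilder();
        for (int i = 0; i < FLAG_BITS.length; i++) {
            if ((flags & FLAG_BITS[i]) != 0) names.append(' ').append(FLAG_NAMES[i]);
        }
        StringBuilder challenge = new StringBuilder();
        for (int i = 24; i < 32; i++) challenge.append(String.format("%02x", msg[i]));
        return String.format("type=%d targetLen=%d targetOffset=%d flags=0x%08x (%s) challenge=%s",
                type, targetLen, targetOffset, flags, names.toString().trim(), challenge);
    }

    public static void main(String[] args) {
        // The challenge is read from a constant array, so every request gets the same one.
        System.out.println(describe(MSG1));
    }
}
```

For the exchange to authenticate anyone, the server would need a fresh random challenge per request and would have to verify the client's type 3 response against the domain rather than only reading fields from it.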

Roedy Green - 05 Jul 2007 19:06 GMT
On Thu, 05 Jul 2007 06:31:16 -0700, Marcia
<marcia.l.thomasson@wellsfargoefs.com> wrote, quoted or indirectly
quoted someone who said :

>Thanks for the info, could you by chance point me to a code snippet
>that uses this class for NTLM auth that will work in java 1.4.2?
>Also, somewhere I saw mentioned that NTLM will only work with this
>class on windows machines due to licensing issues.  Our code runs on
>Solaris, will this even be an option for us?

I discuss two different methods -- the old 1.4.2 way and the new
Authenticator way.  The authenticator code is so simple, I suggest you
just try it.
--
Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

