SEC-1003: NTLM Authentication is initiated even on non secured pages #1254

Closed
spring-issuemaster opened this Issue Oct 2, 2008 · 3 comments


@spring-issuemaster

Martin Vlcek (Migrated from SEC-1003) said:

Currently NTLM authentication is initiated (by NtlmProcessingFilter) on the first application page the user views, even if it is not secured. That means that a user with e.g. Firefox (not set to do NTLM) will get a login popup, even though the page is accessible without login.

Setting forceIdentification to false does not work either, as in this case NTLM is never initiated.

Solution: initiate NTLM from the NTLMProcessingFilterEntryPoint

Add the following method to NTLMProcessingFilter to allow setting the BEGIN-State from outside:

```java
public static void setStarting(final HttpServletRequest request) {
    final HttpSession session = request.getSession();
    session.setAttribute(STATE_ATTR, BEGIN);
}
```

Change NtlmProcessingFilterEntryPoint to initiate NTLM, if the page requires authentication:

```java
public void commence(final ServletRequest request, final ServletResponse response,
                     final AuthenticationException authException)
        throws IOException, ServletException {
    final HttpServletResponse resp = (HttpServletResponse) response;
    // (MVL) start authentication, if necessary and forceIdentification in
    // NtlmProcessingFilter is false
    if (!(authException instanceof NtlmBaseException
            || authException instanceof BadCredentialsException)) {
        NtlmProcessingFilter.setStarting((HttpServletRequest) request);
        resp.setHeader("WWW-Authenticate", new NtlmBeginHandshakeException().getMessage());
        resp.setHeader("Connection", "Keep-Alive");
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.setContentLength(0);
        resp.flushBuffer();
    } else {
        … (current code)
    }
}
```

Set forceIdentification for the filter to false – using true will exhibit the current behavior.
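The following is an added model of the request flow described in this comment; it is not code from the issue or from Spring Security. The session/request dictionaries, the constructed SECURED_PATHS set and the handle_request driver are assumptions used only to show which configuration emits the NTLM challenge for an unsecured page and which defers it to the entry point.

```python
BEGIN = "BEGIN"
STATE_ATTR = "ntlm.state"
SECURED_PATHS = {"/admin", "/account"}   # constructed: paths that require authentication


def challenge(session):
    """Start the handshake: record the BEGIN state and send the NTLM challenge."""
    session[STATE_ATTR] = BEGIN           # stands in for NtlmProcessingFilter.setStarting(request)
    return {"status": 401, "headers": {"WWW-Authenticate": "NTLM", "Connection": "Keep-Alive"}}


def ntlm_processing_filter(session, request, force_identification):
    """Simplified NtlmProcessingFilter. With forceIdentification=true it challenges every
    unauthenticated request, secured or not (the behaviour reported in the issue).
    With it false, it only continues a handshake the entry point has already started."""
    auth = request["headers"].get("Authorization", "")
    if session.get(STATE_ATTR) == BEGIN and auth.startswith("NTLM "):
        # handshake in progress: answer the Type 1 message with a (constructed) Type 2 challenge
        return {"status": 401, "headers": {"WWW-Authenticate": "NTLM <type2 challenge>"}}
    if force_identification and not session.get("authenticated"):
        return challenge(session)
    return None                           # let the request proceed down the chain


def entry_point_commence(session):
    """Proposed NtlmProcessingFilterEntryPoint.commence: reached only after a secured
    resource rejected an unauthenticated user, so the challenge is sent only then."""
    return challenge(session)


def handle_request(path, session, force_identification, browser_sends_ntlm=False):
    """Drive one request through the (modelled) filter chain and return the response."""
    request = {"path": path, "headers": {}}
    if browser_sends_ntlm and session.get(STATE_ATTR) == BEGIN:
        request["headers"]["Authorization"] = "NTLM <type1 message>"   # constructed
    response = ntlm_processing_filter(session, request, force_identification)
    if response is not None:
        return response
    if path in SECURED_PATHS and not session.get("authenticated"):
        return entry_point_commence(session)   # AuthenticationException -> entry point
    return {"status": 200, "headers": {}}
```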

@spring-issuemaster

Bancharel said:

As it is no longer possible to have unsecured pages (even with forceIdentification=false), this issue should not be qualified as "Improvement" and "Minor", but really qualified as a "Bug" and "Major".

Could you requalify this issue?

@spring-issuemaster

Danny Dion said:

I agree with you, this is a MAJOR BUG and it would be nice if it got fixed in the next release...

@spring-issuemaster

Luke Taylor said:

The original Acegi NTLM contribution treated NTLM purely as an SSO solution for use within a Windows LAN. It wasn't intended to support Firefox or on-demand authentication.

In any case, we have decided to drop NTLM from the 3.0 codebase. It is difficult to work with and maintain and Mike Wiesner has been putting together a Kerberos-based alternative which is part of the new Security Extensions project.
