SEC-1003: NTLM Authentication is initiated even on non secured pages #1254
Currently NTLM authentication is initiated (by NtlmProcessingFilter) on the first application page the user views, even if it is not secured. That means that a user with e.g. Firefox (not set to do NTLM) will get a login popup, even though the page is accessible without login.
Setting forceIdentification to false does not work either, as in this case NTLM is never initiated.
Solution: initiate NTLM from the NTLMProcessingFilterEntryPoint
Add the following method to NTLMProcessingFilter to allow setting the BEGIN-State from outside:
Change NtlmProcessingFilterEntryPoint to initiate NTLM, if the page requires authentication:
Set forceIdentification for the filter to false – using true will exhibit the current behavior.
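A Python model of the control flow proposed in this issue, added here as an illustration; it is not code from Spring Security or from the reporter. The session key `BEGIN`, the function names and the `TYPE1`/`TYPE2`/`TYPE3` tokens are assumptions that stand in for the real NTLM messages, since only the decision of when to challenge is at stake.

```python
# Added illustration, not Spring Security's code: a model of the filter and entry
# point described above. Session keys, function names and NTLM message tokens are
# hypothetical; the messages are constructed placeholders.

BEGIN = "ntlm.begin"            # hypothetical session key for the BEGIN state
CHALLENGE_HDR = {"WWW-Authenticate": "NTLM"}


def ntlm_filter(request, session, force_identification):
    """One pass of the filter. Returns a response dict, or None to continue the chain."""
    auth = request.get("headers", {}).get("Authorization", "")
    if auth.startswith("NTLM "):
        # The handshake is only continued if NTLM was actually initiated:
        # by the filter itself (forceIdentification=true) or by the entry point (BEGIN).
        if not (force_identification or session.get(BEGIN)):
            return None
        token = auth[len("NTLM "):]
        if token == "TYPE1":                          # constructed Type-1 stand-in
            session["ntlm.nonce"] = "TYPE2"           # real code stores the server nonce
            return {"status": 401, "headers": {"WWW-Authenticate": "NTLM TYPE2"}}
        if token == "TYPE3" and session.pop("ntlm.nonce", None) == "TYPE2":
            session["principal"] = request["user"]    # real code validates the Type-3 response
            session.pop(BEGIN, None)
            return None
        return {"status": 401, "headers": dict(CHALLENGE_HDR)}
    if force_identification and "principal" not in session:
        # Current behaviour: every first request is challenged, even on public pages,
        # which is what produces the login popup in browsers without NTLM support.
        return {"status": 401, "headers": dict(CHALLENGE_HDR)}
    return None


def entry_point(session):
    """Proposed fix: the entry point sets the BEGIN state and issues the first challenge."""
    session[BEGIN] = True
    return {"status": 401, "headers": dict(CHALLENGE_HDR)}


def handle(request, session, secured_paths, force_identification=False):
    """Filter chain for one request: NTLM filter, then access check, then the page."""
    resp = ntlm_filter(request, session, force_identification)
    if resp is not None:
        return resp
    if request["path"] in secured_paths and "principal" not in session:
        return entry_point(session)
    return {"status": 200, "body": request["path"]}
```

With `force_identification=False`, a request to a public page passes through untouched, and the challenge is only raised once a secured page is hit; with `True`, the model reproduces the popup on public pages that the issue describes.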
Luke Taylor said:
The original Acegi NTLM contribution treated NTLM purely as an SSO solution for use within a Windows LAN. It wasn't intended to support Firefox or on-demand authentication.
In any case, we have decided to drop NTLM from the 3.0 codebase. It is difficult to work with and maintain and Mike Wiesner has been putting together a Kerberos-based alternative which is part of the new Security Extensions project.