Thanks Florian. Makes sense. I will do my best to convince our Sharepoint folks 
to configure Basic Auth.

Even if the java NTLM support did not have so many problems, I guess NTLM v1 is 
not very secure so we probably shouldn't be using it anyway!

-----Original Message-----
From: Florian Müller [mailto:f...@apache.org] 
Sent: September 23, 2014 4:22 PM
To: dev@chemistry.apache.org
Cc: Lucas, Mike
Subject: Re: Session re-use with NTLMAuthenticationProvider

Hi Michael,

The warning in the JavaDoc is there for a reason. ;-) Simply don't use the 
NTLMAuthenticationProvider in a productive environment. It's not working 
reliably!
It's ok in a test setup or in the Workbench but not if you want to do something 
serious.

The NTLMAuthenticationProvider is based on the NTLM support in the JVM, which 
has several deficiencies.
* It's NTLMv1 only. That works with SharePoint 2010 but not SharePoint 2013, 
which (by default) requires NTLMv2.
* The credentials can only be set per JVM, which makes it useless in a 
multi-user environment.
* On the Windows machine the set credentials are ignored. It will try the 
currently logged in Windows user first.
* If a new socket requires re-authentication and the current request is a POST 
request, then this request fails. You have to retry the request in your 
application (if you can).

Because of the last item I would not recommend using NTLM, even if OpenCMIS 
would have fully working NTLM support.
Reconfigure SharePoint to accept basic authentication. That works.


- Florian


> The javadoc for Session says "Because a session is only a client side 
> concept, the session object needs not to be closed or released when it's not 
> needed anymore."
> 
> That's been working well for me until we started connecting to a new 
> Sharepoint server which requires NTLM authentication. (We are using AtomPub.) 
> The NTLMAuthenticationProvider does work at first, but after some time, it no 
> longer works and all requests to Sharepoint CMIS return a 401 Unauthorized 
> response with the "WWW-Authenticate: NTLM"  response header. So the 
> Sharepoint server is asking for NTLM authentication again, but unlike the 
> first time around, the OpenCMIS client does not do the NTLM dance anymore, it 
> just returns a CmisUnauthorizedException.
> 
> I read up on NTLM 
> authentication<http://www.innovation.ch/personal/ronald/ntlm.html> a little 
> bit, and apparently it is a connection based authentication which requires 
> re-authentication whenever the connection is closed. So it seems like the 
> NTLMAuthenticationProvider is not working properly after the HTTP connection 
> gets closed.
> 
> Is this likely an example of the "USE WITH CARE!" caution mentioned in the 
> NTLMAuthenticationProvider's javadoc? This is on Websphere 8.5 and it 
> certainly qualifies as a multi-user environment.
> 
> Thanks
> michael lucas  |  Senior Software Developer  |  Great-West Life
> 
> 
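The session setup that Florian's advice leads to (AtomPub binding with HTTP Basic instead of the NTLMAuthenticationProvider), as an added example that is not code from this thread or from OpenCMIS itself. The endpoint URL and repository id are placeholders; the `SessionParameter` keys and `SessionFactoryImpl` are the real OpenCMIS client API.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.client.api.SessionFactory;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;

public final class SharePointBasicAuthSession {

    // Placeholders: substitute the real SharePoint CMIS AtomPub URL and the
    // repository (list) id of the site you connect to.
    private static final String ATOMPUB_URL =
        "https://sharepoint.example.invalid/_vti_bin/cmis/rest/<repository-id>?getRepositoryInfo";
    private static final String REPOSITORY_ID = "<repository-id>";

    private SharePointBasicAuthSession() {
    }

    // Opens one OpenCMIS session per user with HTTP Basic credentials.
    public static Session open(String user, String password) {
        // Basic sends the password base64-encoded, not encrypted, so refuse
        // anything but TLS before handing the credentials to the binding.
        if (!ATOMPUB_URL.startsWith("https://")) {
            throw new IllegalStateException("Basic auth requires an HTTPS endpoint");
        }

        Map<String, String> parameters = new HashMap<>();
        parameters.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());
        parameters.put(SessionParameter.ATOMPUB_URL, ATOMPUB_URL);
        parameters.put(SessionParameter.REPOSITORY_ID, REPOSITORY_ID);
        parameters.put(SessionParameter.USER, user);
        parameters.put(SessionParameter.PASSWORD, password);

        // Do NOT set SessionParameter.AUTHENTICATION_PROVIDER_CLASS to the
        // NTLMAuthenticationProvider here. The default StandardAuthenticationProvider
        // with AUTH_HTTP_BASIC sends credentials on every request, so nothing is lost
        // when the server closes a keep-alive socket, and the credentials belong to
        // this session rather than to the whole JVM.
        parameters.put(SessionParameter.AUTH_HTTP_BASIC, "true");
        parameters.put(SessionParameter.AUTH_SOAP_USERNAMETOKEN, "false");

        SessionFactory factory = SessionFactoryImpl.newInstance();
        return factory.createSession(parameters);
    }
}
```

Because credentials are resolved per session, a multi-user container such as WebSphere can hold one session per logged-in user without the per-JVM credential problem described above.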
