[ https://issues.apache.org/jira/browse/CXF-4858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13587904#comment-13587904 ]
Michael Watson commented on CXF-4858:
-------------------------------------

Wireshark output:

POST /worksite/services/IWOVServices.asmx HTTP/1.1
Accept: */*
User-Agent: Apache CXF 2.7.3
SOAPAction: "http://worksite.imanage.com/GetDocuments"
Transfer-Encoding: chunked
Content-Type: text/xml; charset=UTF-8
Host: myserver.mydomain.com
Connection: Keep-Alive

1cf
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetDocuments xmlns="http://worksite.imanage.com"><ObjectIDs><string>10616126</string></ObjectIDs><OutputProfile><imProfileAttributeID>imProfileAuthor</imProfileAttributeID><imProfileAttributeID>imProfileName</imProfileAttributeID><imProfileAttributeID>imProfileDocNum</imProfileAttributeID></OutputProfile><OutputMask>Profile</OutputMask></GetDocuments></soap:Body></soap:Envelope>
0

HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-WorkSite-Version: 8.5.1002.10
Set-Cookie: ASP.NET_SessionId=vpmsvt45idwhhdufcu0iwgbk; path=/; HttpOnly
Set-Cookie: virtualPath=/WorkSite; path=/
Set-Cookie: virtualRoot=http://myserver.mydomain.com/WorkSite; path=/
Set-Cookie: keyCode=; path=/
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 27 Feb 2013 01:15:06 GMT

3a
You do not have permission to view this directory or page.
0

POST /worksite/services/IWOVServices.asmx HTTP/1.1
Accept: */*
User-Agent: Apache CXF 2.7.3
SOAPAction: "http://worksite.imanage.com/GetDocuments"
Transfer-Encoding: chunked
Content-Type: text/xml; charset=UTF-8
Host: myserver.mydomain.com
Connection: Keep-Alive
Authorization: NTLM TlRMTVNTUAABAAAANQIIIAgACAAyAAAAEgASACAAAABBAEsATABFAFMARQBYAFAAMQBOAFoAVABFAA==

1cf
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetDocuments xmlns="http://worksite.imanage.com"><ObjectIDs><string>10616126</string></ObjectIDs><OutputProfile><imProfileAttributeID>imProfileAuthor</imProfileAttributeID><imProfileAttributeID>imProfileName</imProfileAttributeID><imProfileAttributeID>imProfileDocNum</imProfileAttributeID></OutputProfile><OutputMask>Profile</OutputMask></GetDocuments></soap:Body></soap:Envelope>
0

HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAA1AokiuxDWllxlRwsAAAAAAAAAALwAvABAAAAABgGxHQAAAA9OAFoAVABFAAIACABOAFoAVABFAAEAFABBAEsATABXAFMAVwBFAEIAVAAyAAQAIgBjAG8AcgBwAC4AbgB6AHQAZQAuAGcAbwB2AHQALgBuAHoAAwA4AEEASwBMAFcAUwBXAEUAQgB0ADIALgBjAG8AcgBwAC4AbgB6AHQAZQAuAGcAbwB2AHQALgBuAHoABQAiAGMAbwByAHAALgBuAHoAdABlAC4AZwBvAHYAdAAuAG4AegAHAAgAqAfe4IcUzgEAAAAA
Date: Wed, 27 Feb 2013 01:15:06 GMT
Content-Length: 341

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Authorized</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Authorized</h2>
<hr><p>HTTP Error 401.
The requested resource requires user authentication.</p>
</BODY></HTML>

POST /worksite/services/IWOVServices.asmx HTTP/1.1
Accept: */*
User-Agent: Apache CXF 2.7.3
SOAPAction: "http://worksite.imanage.com/GetDocuments"
Transfer-Encoding: chunked
Content-Type: text/xml; charset=UTF-8
Host: myserver.mydomain.com
Connection: Keep-Alive
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAADoAOgAWAAAAAgACABAAQAAFAAUAEgBAAASABIAXAEAAAAAAABuAQAANQIIIBbsDfykN317xp82pJmgmfemwZLWBvrWX929BW+6DyH0kU1PTL6Ghp4BAQAAAAAAADDWu+CHFM4BpsGS1gb61l8AAAAAAgAIAE4AWgBUAEUAAQAUAEEASwBMAFcAUwBXAEUAQgBUADIABAAiAGMAbwByAHAALgBuAHoAdABlAC4AZwBvAHYAdAAuAG4AegADADgAQQBLAEwAVwBTAFcARQBCAHQAMgAuAGMAbwByAHAALgBuAHoAdABlAC4AZwBvAHYAdAAuAG4AegAFACIAYwBvAHIAcAAuAG4AegB0AGUALgBnAG8AdgB0AC4AbgB6AAcACACoB97ghxTOAQAAAABOAFoAVABFAHMAZQBhAHIAYwBoAGkAbQBhAG4AQQBLAEwARQBTAEUAWABQADEA

1cf
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetDocuments xmlns="http://worksite.imanage.com"><ObjectIDs><string>10616126</string></ObjectIDs><OutputProfile><imProfileAttributeID>imProfileAuthor</imProfileAttributeID><imProfileAttributeID>imProfileName</imProfileAttributeID><imProfileAttributeID>imProfileDocNum</imProfileAttributeID></OutputProfile><OutputMask>Profile</OutputMask></GetDocuments></soap:Body></soap:Envelope>
0

HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-WorkSite-Version: 8.5.1002.10
Set-Cookie: ASP.NET_SessionId=qs1rxfu12v24djzhw4u4jj45; path=/; HttpOnly
Set-Cookie: virtualPath=/WorkSite; path=/
Set-Cookie: virtualRoot=http://myserver.mydomain.com/WorkSite; path=/
Set-Cookie: keyCode=; path=/
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 27 Feb 2013 01:15:06 GMT

3a
You do not have permission to view this directory or page.
0

> Maintain Session (Cookie) is not honoured when using NTLM
> ---------------------------------------------------------
>
>                 Key: CXF-4858
>                 URL: https://issues.apache.org/jira/browse/CXF-4858
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.7.3
>         Environment: Windows Server 2008 R2 Standard SP1 (Client & Server).
> JDK6 + 7 both tried (Client).
> IIS 7 (Server)
>            Reporter: Michael Watson
>
> When using the AsyncHTTPConduit in an attempt to authenticate against an IIS
> based webservice that requires NTLM & an authentication cookie
> (ASP.NET_SessionId) I see that the NTLM authentication succeeds but because
> the session cookie is missing the endpoint returns another 401.
> I'll attach wireshark output that demonstrates this behaviour.
> I've narrowed it down to:
> HTTPConduit$WrappedOutputStream#authorizationRetransmit()
> where authorizationToken below is always null when using NTLM so it returns
> false and doesn't continue down to the block of code about 6 lines down that
> sets the cookies!
>             String authorizationToken =
>                 authSupplier.getAuthorization(effectiveAthPolicy, currentURI, outMessage,
>                     authHeader.getFullHeader());
>             if (authorizationToken == null) {
>                 // authentication not possible => we give up
>                 return false;
>             }
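
Added example, not part of the JIRA message and not CXF code: a Python check for the symptom visible in the capture above, where the two NTLM requests carry no Cookie header although the first 401 set ASP.NET_SessionId, and the final 401 hands out a new session id. The transcript is constructed (headers only, placeholder NTLM tokens and cookie values) and `audit_cookies` is a hypothetical helper name.

```python
# Constructed, header-only transcript modelled on the capture in this message;
# cookie values and NTLM tokens are placeholders, not the captured ones.
SAMPLE = """\
POST /worksite/services/IWOVServices.asmx HTTP/1.1

HTTP/1.1 401 Unauthorized
Set-Cookie: ASP.NET_SessionId=aaaa1111; path=/; HttpOnly
Set-Cookie: virtualPath=/WorkSite; path=/

POST /worksite/services/IWOVServices.asmx HTTP/1.1
Authorization: NTLM <type-1-placeholder>

HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM <type-2-placeholder>

POST /worksite/services/IWOVServices.asmx HTTP/1.1
Authorization: NTLM <type-3-placeholder>

HTTP/1.1 401 Unauthorized
Set-Cookie: ASP.NET_SessionId=bbbb2222; path=/; HttpOnly
"""

def audit_cookies(transcript):
    """Return (missing, reissued): per-request cookies the client failed to
    send back, and cookie names the server set again with a new value."""
    jar, missing, reissued, req_no = {}, [], [], 0
    for block in transcript.strip().split("\n\n"):
        start, *rest = block.splitlines()
        headers = [(k.strip().lower(), v.strip())
                   for k, _, v in (line.partition(":") for line in rest)]
        if start.startswith("HTTP/"):            # response: record Set-Cookie
            for name, value in headers:
                if name == "set-cookie":
                    key, _, val = value.split(";", 1)[0].partition("=")
                    if jar.get(key, val) != val:  # same name, different value
                        reissued.append(key)
                    jar[key] = val
        else:                                    # request: compare with the jar
            req_no += 1
            sent = {c.partition("=")[0].strip()
                    for name, value in headers if name == "cookie"
                    for c in value.split(";")}
            absent = sorted(set(jar) - sent)
            if absent:
                missing.append((req_no, absent))
    return missing, reissued

if __name__ == "__main__":
    print(audit_cookies(SAMPLE))
```

A reissued session cookie after the handshake completes is the server-side sign that the client never returned the one it was given.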