Max,

These changes look fine. Just a couple of minor comments:

L130 in Client.java appears to be superfluous now.

The comment at L186 in Server.java probably should
be removed or else expanded upon.

Thanks
Michael


On 23/06/14 09:09, Wang Weijun wrote:
Ping again.

On Jun 12, 2014, at 14:07, Wang Weijun <weijun.w...@oracle.com> wrote:

Hi All

Please review the code change at

  http://cr.openjdk.java.net/~weijun/7150092/webrev.00/

The problem is that in NTLM, the server might prompt for a domain name (in the Type 
2 message), and the client can also provide one. Before this fix, if the two 
are different, the client chooses the one from the server. After this fix, the 
client will always use its own even if it's empty. This is confirmed by 
looking at the behavior of IE/Firefox/Chrome. The server-sent domain name was 
designed to be used to create the NTLMv2 response, but it's now obsoleted by the 
alist. Chrome/Firefox simply ignore it, so will Java. (IE does use it if there 
is no alist.)

There are some other small changes:

Client.java
-----------

96-108: No one sends hostname and domain in the Type 1 message, so they are 
removed. Everyone adds a 0x4 flag which means Request Target.

Removed old 137-139: That's the major change.

159: I used to detect whether there is an alist by looking at the length. This 
is not accurate if the domain is very long. The correct way is to look at the 
flag (0x800000 means alist is there)

Server.java
-----------

98: Adds a flag 0x10000 which means the target name (line 99) written into the 
message is a domain

135: Always uses the client provided domain to search for password. This is 
also a part of the major change.

NTLMClient.java
---------------

If user has not responded to NameCallback and/or RealmCallback, it means they 
accept the default value.

NTLMServer.java
---------------

ntdomain could be empty or null, and the 2-arg constructor of RealmCallback could 
fail in this case. Use the 1-arg constructor.

NTLMAuthentication.java
-----------------------

According to my observation of IE/Firefox/Chrome, when user does not type in a 
domain name in the password prompting dialog, the domain sent to server is an 
empty string, and the host name is always full name. Update Java to be the same.

NTLMTest.java
-------------

Update the test to reflect code changes.

Thanks
Max

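The two protocol details the review above turns on (deciding whether a Type 2 message carries an alist by the 0x800000 flag rather than by message length, and treating the server's target name as a domain only when 0x10000 is set) can be checked against a concrete message. The following is an added example in Python, not code from the JDK webrev or from the thread's authors. It builds a constructed NTLM CHALLENGE_MESSAGE (Type 2) laid out per MS-NLMP, parses it back, and contrasts the flag-based check with a simplified length heuristic; the heuristic (`alist_present_by_length` with its 64-byte threshold) is an assumed stand-in for the pre-fix logic, not the actual JDK code. The flag constants are the real MS-NLMP names for the values quoted in the thread; `domain_for_response` models the post-fix client rule of always using its own domain.

```python
import struct

# MS-NLMP NegotiateFlags bits discussed in the review (real protocol values).
NTLMSSP_REQUEST_TARGET = 0x00000004        # client asks the server to name its target
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000    # server says TargetName is a domain
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000 # server says a TargetInfo (alist) is present

TYPE2_HEADER_LEN = 48  # Signature..TargetInfoFields, no Version block


def build_type2(target_name, flags, target_info=b"", challenge=b"\x01" * 8):
    """Construct a Type 2 (CHALLENGE_MESSAGE) for testing. Constructed sample, not a capture."""
    name = target_name.encode("utf-16-le")
    name_off = TYPE2_HEADER_LEN
    info_off = name_off + len(name)
    msg = b"NTLMSSP\x00"
    msg += struct.pack("<I", 2)                               # MessageType
    msg += struct.pack("<HHI", len(name), len(name), name_off)  # TargetNameFields
    msg += struct.pack("<I", flags)                           # NegotiateFlags
    msg += challenge                                          # ServerChallenge
    msg += b"\x00" * 8                                        # Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), info_off)  # TargetInfoFields
    msg += name + target_info                                 # Payload
    return msg


def parse_type2(msg):
    """Parse the fields a client needs; alist presence is decided by the flag, not by length."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    has_alist = bool(flags & NTLMSSP_NEGOTIATE_TARGET_INFO)
    target_info = b""
    if has_alist:
        info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
        target_info = msg[info_off:info_off + info_len]
    return {
        "flags": flags,
        "challenge": msg[24:32],
        "target_name": msg[name_off:name_off + name_len].decode("utf-16-le"),
        "target_is_domain": bool(flags & NTLMSSP_TARGET_TYPE_DOMAIN),
        "has_alist": has_alist,
        "target_info": target_info,
    }


def alist_present_by_length(msg, max_plain_len=64):
    """Assumed stand-in for the old length heuristic: anything longer than a header plus a
    short target name is taken to carry an alist. A long domain name defeats this."""
    return len(msg) > max_plain_len


def server_domain(parsed):
    """The server-sent domain, only meaningful when TARGET_TYPE_DOMAIN is set (Server.java:98)."""
    return parsed["target_name"] if parsed["target_is_domain"] else None


def domain_for_response(client_domain, parsed):
    """Post-fix client rule: always use the client's own domain, even if empty; the
    server-sent name is ignored, as Chrome/Firefox do."""
    return client_domain if client_domain is not None else ""


if __name__ == "__main__":
    long_domain = "A" * 40
    msg = build_type2(long_domain, NTLMSSP_REQUEST_TARGET | NTLMSSP_TARGET_TYPE_DOMAIN)
    p = parse_type2(msg)
    print("by length:", alist_present_by_length(msg), "by flag:", p["has_alist"])
    print("client uses domain:", repr(domain_for_response("", p)), "server offered:", server_domain(p))
```

With a 40-character target name and no TargetInfo, the length heuristic reports an alist while the flag correctly reports none; with the flag set and a minimal MsvAvEOL alist (four zero bytes), both agree. The client still responds with its own (possibly empty) domain in either case.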
