Hi.
This is not a Tomcat question. But it involves Java, HTTP and HTTP NTLM
authentication, so I figure that the rather unique combination of
expertise(s) of the contributors to this list may at least result in
some good clues for me as to which direction to follow to resolve the
problem I'm facing.
I am by now fairly versed in Tomcat Java server-side NTLM authentication
(à la jCIFS/Jespa), but this is another animal : it's on the browser side.
In our application, we have a html form allowing users to upload several
files together, as a "collection", to a webserver. The html form itself
contains some descriptive text input fields; the multiple file-upload is
provided by a Java applet embedded in the page, which allows users to
select local workstation files which should be uploaded to the server as
a set, together with the static form input fields values. It is this
applet (not the html form) which actually does the HTTP POST-ing to the
server of the files, one file/one POST at a time, each POST containing
one file plus a copy of the html input field values.
To make the POST, the applet picks up from the browser the proxy
settings if any, and uses them when it creates its own HTTP connection
to the server, via the org.apache.commons.httpclient.* packages
(HttpClient, method.* etc..).
It all works fine using IE and Firefox, whether the browser/customer is
behind a corporate proxy or not.
Only in one recent case it does not.
In that particular case, the browser is IE, and the users are behind a
corporate outgoing proxy server which requires NTLM authentication on
the part of the client.
The browser is of course NTLM-authenticated with this proxy, since
otherwise it could never go through the proxy and fetch our html form in
the first place.
However, when the applet later tries to do a POST to the same server
whence the form came from, it receives a 401 response back from the
proxy. This 401 response tells the client (in this case the applet),
that it must authenticate via the NTLM method.
So, obviously, the applet builds its own new HTTP connection to the
webserver (through the proxy), and tries to send the POST request, but
without an Authorization: header. Unfortunately, it does not seem to
magically pick up the containing browser's credentials and to
automatically add them to the POST request it is doing to the same
webserver, which I would have considered nifty. Sigh.
So now the question is : what do I have to do to my applet, that it
would authenticate properly to that proxy, using the NTLM credentials of
the browser it is living inside of, or using the credentials of the
workstation in which the containing browser lives ?
Secondary question : is this even possible ?
If anyone is sufficiently interested, there is a web demo site where
this can all be seen, and if you happen to be behind one such proxy
requiring NTLM authentication, you can also see (in the browser's Java
console) in detail what happens.
Thank you for your attention, and thankful in advance for any hints
about where to start looking.
André
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
