Hello,
I've been working on an Intranet site in JSP, and one of the requirements was an
NTLM-login based authorisation. NTLM is a closed Microsoft protocol that sends the
username and domain from Internet Explorer to a Microsoft webserver. We've been able
to implement this in JSP using information about the protocol found on the Internet.
The NTLM-authentication works fine; however, there is a very strange side-effect:
after the NTLM-login sequence has completed, Tomcat seems to be unable to work with
request-parameters anymore. All request-parameters, for example sent using forms or
encoded in the URL using '?' end up being 'null' when I try to get them using
request.getParameter. Even when I forward to another page and then again another (or
redirect), still, those pages cannot read any request-parameters anymore. Very
strange...
The NTLM-code we use is included below. Maybe any of you can spot an error in it that
causes this effect, or knows more about this mistake/bug?
Tomcat version: latest stable release of Tomcat 4
Operating system: Redhat Linux 6.2
Thanks in advance for any input you can provide!
--Friso Geerlings
--
*** Login_ntlm.jsp ***
--
<jsp:useBean id="credentials" scope="session"
    class="primeline_intranet.IntranetCredentialsBean" />
<%
boolean ok = false; // user not logged in yet
String auth = request.getHeader("Authorization");
if (auth == null)
{
    // No credentials yet: ask the browser to start the NTLM handshake
    response.setContentLength(0);
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "NTLM");
    response.flushBuffer();
    return;
}
if (auth.startsWith("NTLM "))
{
    byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
    int off = 0, length, offset;
    if (msg[8] == 1)
    {
        // Type 1 (negotiate) received: answer with a fixed Type 2 (challenge)
        byte z = 0;
        byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S',
            (byte)'P',
            z, (byte)2, z, z, z, z, z, z, z, (byte)40, z, z, z,
            (byte)1, (byte)130, z, z, z, (byte)2, (byte)2,
            (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
        response.setContentLength(0);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "NTLM " + new
            sun.misc.BASE64Encoder().encodeBuffer(msg1).trim());
        response.flushBuffer();
        return;
    }
    else if (msg[8] == 3)
    {
        // Type 3 (authenticate): read workstation, domain and user name.
        // Bytes are signed in Java, so mask with 0xFF before combining them.
        off = 30;
        length = (msg[off+17] & 0xFF)*256 + (msg[off+16] & 0xFF);
        offset = (msg[off+19] & 0xFF)*256 + (msg[off+18] & 0xFF);
        String remoteHost = new String(msg, offset, length);
        length = (msg[off+1] & 0xFF)*256 + (msg[off] & 0xFF);
        offset = (msg[off+3] & 0xFF)*256 + (msg[off+2] & 0xFF);
        String domain = new String(msg, offset, length);
        length = (msg[off+9] & 0xFF)*256 + (msg[off+8] & 0xFF);
        offset = (msg[off+11] & 0xFF)*256 + (msg[off+10] & 0xFF);
        String username = new String(msg, offset, length);
        ok = credentials.login(username);
        // this returns true if the username can be found in a database
        // (the LM/NT response carried in the message is not checked here)
    }
}
if (!ok) {
    String paginaParameter = "login.jsp?message=autologin unsuccesfull";
    String rootPath = request.getScheme() + "://" +
        request.getServerName() + ":" + request.getServerPort() +
        request.getContextPath() + "/";
    response.sendRedirect(rootPath + paginaParameter);
} else {
    // login is ok, so we're forwarding to the main page
%>
<jsp:forward page="index.jsp">
</jsp:forward>
<% } %>
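
An added example, not part of the original post: a bounds-checked Java reader for the same Type 3 name fields the JSP extracts, using unsigned little-endian reads and the charset selected by the Unicode flag that the Type 2 message sets. The class name, the `unicode` parameter and the sample domain, user and workstation values are constructed for illustration, and it assumes Java 8 or later for `java.util.Base64`.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added example (not from the original post): bounds-checked NTLM Type 3 name fields.
public class NtlmType3Fields {
    static final byte[] SIG = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    // Java bytes are signed, so mask each one before combining (little-endian).
    static int u16(byte[] m, int i) { return (m[i] & 0xFF) | ((m[i + 1] & 0xFF) << 8); }
    static int u32(byte[] m, int i) { return u16(m, i) | (u16(m, i + 2) << 16); }

    // Security buffer layout: length(2), allocated(2), offset(4).
    static String field(byte[] m, int pos, Charset cs) {
        int len = u16(m, pos), off = u32(m, pos + 4);
        if (off < 0 || off > m.length - len)
            throw new IllegalArgumentException("security buffer outside message");
        return new String(m, off, len, cs);
    }

    // Returns {domain, user, workstation}. These are client-supplied names: they
    // identify nobody until the LM/NT response has been verified.
    static String[] parse(String header, boolean unicode) {
        if (!header.startsWith("NTLM ")) throw new IllegalArgumentException("not NTLM");
        byte[] m = Base64.getDecoder().decode(header.substring(5).trim());
        if (m.length < 52 || !Arrays.equals(Arrays.copyOf(m, 8), SIG) || u32(m, 8) != 3)
            throw new IllegalArgumentException("not a Type 3 message");
        // Assumption: OEM strings are approximated as ISO-8859-1 here.
        Charset cs = unicode ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1;
        return new String[] {field(m, 28, cs), field(m, 36, cs), field(m, 44, cs)};
    }

    public static void main(String[] args) {
        // Constructed sample: 64-byte header, empty responses, UTF-16LE names.
        ByteBuffer b = ByteBuffer.allocate(90).order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIG).putInt(3).position(28);
        int off = 64;
        for (String n : new String[] {"CORP", "alice", "WS01"}) {
            byte[] raw = n.getBytes(StandardCharsets.UTF_16LE);
            b.putShort((short) raw.length).putShort((short) raw.length).putInt(off);
            System.arraycopy(raw, 0, b.array(), off, raw.length);
            off += raw.length;
        }
        String header = "NTLM " + Base64.getEncoder().encodeToString(b.array());
        System.out.println(String.join("\\", parse(header, true)));
    }
}
```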