Support for non-IE browsers

Jun 3, 2010 at 8:52 PM

Waffle works very well with IE. If I connect with a non-IE browser, then I receive a login box. This is OK. But after entering the data, the login box shows again or a white page appears.

Is this a bug? Or am I doing something wrong? Or is a fallback for other browsers not implemented?

Coordinator
Jun 3, 2010 at 9:33 PM

Waffle supports all browsers, so if something doesn't work, it's a bug. Which browser(s) are you having problems with?

For Firefox you may need to tell the browser that it should do NTLM/Kerberos for the website, it doesn't automatically detect intranet servers like IE. (It's in the doc).

  • Type about:config in the address bar and hit enter.
  • Type network.negotiate-auth.trusted-uris in the Filter box.
  • Put your server name as the value. If you have more than one server, you can enter them all as a comma-separated list.
  • Close the tab.

 

Jun 4, 2010 at 12:44 PM
I have tested Chrome and Firefox, both in the default configuration. Changing the Firefox configuration is a nice way to work without the login box. But it should also work without these settings. I am not an expert on HTML authentication. But I think a fallback to basic authentication can be a solution. This can be optional. We want to replace the IIS function.
Coordinator
Jun 4, 2010 at 3:15 PM

Extending this filter or implementing a mixed-mode filter that also supports BASIC auth is certainly not hard. I've created http://waffle.codeplex.com/workitem/8693, will take a look.

 

Jun 4, 2010 at 7:45 PM

Thanks. This will be great. I will wait for it.

 

Coordinator
Jun 5, 2010 at 12:28 AM

I committed BASIC auth in build 1.3.3685.0. I'll do Digest next. I also need to figure out a way to configure the filter so that one can enable/disable specific protocols and set things like the name of the basic realm.

Let me know if it works.

Jun 7, 2010 at 10:12 AM
Edited Jun 7, 2010 at 10:18 AM
With Chrome it works now. With Firefox (default settings) and Opera it does not work. Here is some logging output. I hope this is helpful.
Chrome:
=======
07.06.2010 12:03:23 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /LoginServlet, contentlength: -1
07.06.2010 12:03:23 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: authorization required
07.06.2010 12:03:23 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /LoginServlet, contentlength: -1
07.06.2010 12:03:23 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: security package: Negotiate, connection id: 0:0:0:0:0:0:0:1:56733
07.06.2010 12:03:23 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: token buffer: 55 byte(s)
07.06.2010 12:03:23 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue token: TlRMTVNTUAACAAAAGAAYAD........==
07.06.2010 12:03:23 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue required: true
07.06.2010 12:03:23 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /LoginServlet, contentlength: -1
07.06.2010 12:03:23 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: security package: Negotiate, connection id: 0:0:0:0:0:0:0:1:56733
07.06.2010 12:03:23 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: token buffer: 88 byte(s)
07.06.2010 12:03:23 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue required: false
07.06.2010 12:03:23 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: logged in user: .....\..... (S-1-5-21-1104044211-......)
07.06.2010 12:03:23 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: roles: ........
07.06.2010 12:03:23 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: successfully logged in user: ....\.....


Firefox and Opera look the same:
=====================
07.06.2010 12:01:44 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /LoginServlet, contentlength: -1
07.06.2010 12:01:44 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: authorization required
07.06.2010 12:01:46 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /LoginServlet, contentlength: -1
07.06.2010 12:01:46 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: security package: NTLM, connection id: 0:0:0:0:0:0:0:1:56686
07.06.2010 12:01:46 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: token buffer: 40 byte(s)
07.06.2010 12:01:46 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue token: TlRMTVN.......==
07.06.2010 12:01:46 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue required: true
Coordinator
Jun 7, 2010 at 11:13 AM
Edited Jun 7, 2010 at 11:49 AM

Both Firefox and Opera are trying to do Negotiate and don't continue on the client side. Can you get Firebug or something that can trace the entire HTTP conversation and post it here with all headers, please?

Update: I tested with default config with Firefox 3.6.3 and Opera 10.53 and it switched correctly to basic and worked.

Jun 7, 2010 at 12:27 PM
Here is the output from Firebug. It looks like Firefox is sending NTLM. I have checked network.negotiate-auth.trusted-uris and it is empty. I will debug it now.
Response headers
WWW-Authenticate	NTLM TlRMTV.......A==
Transfer-Encoding	chunked
Server	Jetty(6.1.22)

Request headers
Host	localhost:9000
User-Agent	Mozilla/5.0 (Windows; U; Windows NT 6.0; de-DE; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 ( .NET CLR 3.5.30729)
Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language	de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding	gzip,deflate
Accept-Charset	ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive	115
Connection	keep-alive
Cookie	JSESSIONID=1e7zyvqqss8ms
Cache-Control	max-age=0, max-age=0
Authorization	NTLM TlRMTV.....w==
Coordinator
Jun 7, 2010 at 1:35 PM

Let me take what I said back. I am seeing the same behavior as you, except that it works (Firefox).

  • The browser chooses NTLM, which is correct since Firefox can do NTLM, or so it seems.
  • It prompts for credentials. That is because it doesn't "trust" the site (network.negotiate-auth.trusted-uris is empty).
  • I enter my credentials (if I press escape instead, it prompts me for Basic auth, interesting).
  • Login succeeds.

What are you seeing on the client?
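
The handshake legs discussed above can be read straight out of a captured header trace. The following is an added example, not part of the original thread or of Waffle: it classifies `Authorization` / `WWW-Authenticate` values and reports the furthest NTLM message type seen. The sample tokens and the realm name are constructed for illustration.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_auth_header(value):
    """Classify one Authorization / WWW-Authenticate value as (scheme, detail)."""
    scheme, _, rest = value.strip().partition(" ")
    scheme, rest = scheme.lower(), rest.strip()
    if scheme == "basic":
        # Basic credentials are deliberately not decoded: they carry the password.
        is_offer = not rest or rest.lower().startswith("realm=")
        return (scheme, "offer" if is_offer else "credentials")
    if scheme not in ("ntlm", "negotiate"):
        return (scheme, "unknown")
    if not rest:
        return (scheme, "offer")  # bare server challenge, no token yet
    try:
        raw = base64.b64decode(rest, validate=True)
    except ValueError:
        return (scheme, "malformed")
    if raw.startswith(NTLM_SIGNATURE) and len(raw) >= 12:
        # The message type is a little-endian uint32 right after the signature.
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return (scheme, NTLM_TYPES.get(msg_type, "malformed"))
    # Anything else under Negotiate is an SPNEGO blob (Kerberos or wrapped NTLM).
    return (scheme, "spnego" if scheme == "negotiate" else "malformed")


def furthest_ntlm_leg(header_values):
    """Return the last NTLM message type reached in a trace, or None."""
    order = ["NEGOTIATE", "CHALLENGE", "AUTHENTICATE"]
    seen = [d for _, d in map(classify_auth_header, header_values) if d in order]
    return max(seen, key=order.index) if seen else None


def sample_ntlm_token(msg_type):
    """Constructed token: signature + type + zero padding (not a real message)."""
    body = NTLM_SIGNATURE + struct.pack("<I", msg_type) + bytes(28)
    return base64.b64encode(body).decode("ascii")


# Constructed trace of a stalled login: offers, then only two NTLM legs.
STALLED = ["Negotiate", "NTLM", 'Basic realm="example"',
           "NTLM " + sample_ntlm_token(1), "NTLM " + sample_ntlm_token(2)]
COMPLETE = STALLED + ["NTLM " + sample_ntlm_token(3)]

if __name__ == "__main__":
    print(furthest_ntlm_leg(STALLED), furthest_ntlm_leg(COMPLETE))
```

A trace that stops at CHALLENGE means the client received the server's token but never sent the final AUTHENTICATE message.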

Jun 7, 2010 at 2:59 PM
After extending the test to other systems, it works on all other systems. It also works with a second server. The only combination that does not work is local on my system. If it does not work, then Firefox makes only 2 requests instead of 3. But these 2 requests are completely identical to the case when it does not work. I have now deactivated Adblock+ and Flashblock, without any effect. I will continue searching tomorrow.

  • In my Firefox I see the login box.
  • If I enter the login information, then a blank page appears.
  • If I refresh the browser, then the login data is sent, but no login box appears a second time.

It all looks like a bug in Firefox. But with IIS it also works locally.
Coordinator
Jun 7, 2010 at 9:56 PM

What's the server response (use Firebug) on the blank page?

Localhost is always treated differently, but not too differently. I would take a fresh box (or virtual machine) and try localhost there. There's stuff stored in browser cache, Credential Manager (password vault), etc. Maybe something is dirty there?

Jun 8, 2010 at 7:23 AM
OK, I made a user mistake. I entered domain/user instead of domain\user. With a backslash it also works locally on my system. With a slash I get the blank page locally and the guest account over the network. On my second system the guest account is deactivated. There are repeated login boxes.
Coordinator
Jun 8, 2010 at 11:50 AM

I don't have too much hope about getting Digest quickly. It has turned out to be much more complicated than I thought. While it's a better security model (the password is never sent in clear), it sounds like you have everything you need for now. Start a new thread if you think you need anything else. Bis spöter.

Jun 15, 2010 at 11:57 AM
Edited Jun 15, 2010 at 12:10 PM
I have now integrated WAFFLE in my application. When the next final version of WAFFLE is available, I will ship it. In my testing I have found that the problem above is a Firefox bug. I get the same result with IIS if I have a typo in the login on localhost. The only difference is that IIS does not show a blank page. Here is a patch that produces the same message with WAFFLE. Because I cannot attach it, I have included it here.
Index: src/waffle/servlet/spi/NegotiateSecurityFilterProvider.java
===================================================================
--- src/waffle/servlet/spi/NegotiateSecurityFilterProvider.java	(revision 54119)
+++ src/waffle/servlet/spi/NegotiateSecurityFilterProvider.java	(working copy)
@@ -82,6 +82,8 @@
 		if (securityContext.getContinue() || ntlmPost) {
 			response.setHeader("Connection", "keep-alive");
 			response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+			// To prevent a blank page in case of error, like the IIS message 
+			response.getOutputStream().write( "<h2>Not Authorized</h2><hr>HTTP Error 401. The requested resource requires user authentication.".getBytes() );
 			response.flushBuffer();
 			return null;
 		}
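Review bot: the added `write(...)` line calls `getBytes()` with no charset and no Content-Type is set before it, so the body is encoded in the JVM's platform default and the client has to guess that it is HTML. Set `response.setContentType("text/html; charset=UTF-8")` and use `getBytes("UTF-8")`. The branch is entered for every `securityContext.getContinue() || ntlmPost` response, so this body also goes out on the intermediate 401 of the handshake, not only on a failed login; the comment should say so. The message is hard-coded English markup inside the provider; a configurable message, or leaving the body to the container's error handling, would keep the text out of the authentication code. `getOutputStream()` also throws IllegalStateException if `getWriter()` has already been called on this response, which is worth checking against the callers of this method.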
Coordinator
Jun 15, 2010 at 2:49 PM
This discussion has been copied to a work item. Click here to go to the work item and continue the discussion.
Coordinator
Jun 15, 2010 at 2:50 PM

It's a little bigger than this. I copied the thread into a workitem, need to add the 401 content everywhere a 401 is returned. I am a bit concerned that we're dumping English text to the client though, so maybe something configurable is even preferable.

Coordinator
Jun 16, 2010 at 2:49 PM

Please try build 1.3.4197.0. I've committed a change that will work with the servlet standard. Define a page for the 401 error code like this in your web.xml. Let me know if it works.

<error-page>
  <error-code>401</error-code> 
  <location>/401.html</location> 
</error-page>