fall back to form login?

Sep 22, 2010 at 6:17 AM

I have

<bean id="negotiateSecurityFilterEntryPoint" class="waffle.spring.NegotiateSecurityFilterEntryPoint">
  <property name="provider" ref="waffleSecurityFilterProviderCollection" />
</bean>


Is it possible to define a fallback to form login if it fails?


<security:http entry-point-ref="negotiateSecurityFilterEntryPoint" auto-config="false">
  <security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=auth" />
</security:http>

<bean id="waffleNegotiateSecurityFilter" class="waffle.spring.NegotiateSecurityFilter">
  <security:custom-filter before="AUTHENTICATION_PROCESSING_FILTER" />
  <property name="provider" ref="waffleSecurityFilterProviderCollection" />
</bean>

Coordinator
Sep 22, 2010 at 12:30 PM

I don't think this is possible. From what I have observed, once the client has been challenged with a BASIC/NTLM/Negotiate header it won't accept a redirect to an unprotected page. You can do it the other way around, giving the users a choice to login with a challenge or a form. This is implemented in the waffle-mixed example (although not with spring).

In addition, the server doesn't always know that the client is going to fail authentication as the client keeps trying to send valid authorization headers and eventually gives up popping up a dialog.

Sep 23, 2010 at 3:37 AM

Here is the workaround that I use in Tomcat's web.xml:


<error-page>
  <error-code>401</error-code>
  <location>/login.jsp</location>
</error-page>


When the user enters a wrong password, it will go to login.jsp. But that also means that if the user enters a wrong password once during NTLM, it will go directly to login.jsp without allowing the user to retry re-keying the password. It has drawbacks of course. Sharing this with other people that want a similar feature.

Oct 3, 2010 at 11:35 AM

If SSO fails and you want to redirect user to unprotected form login page, you need to send "Connection: close" header along with redirect. Client then closes existing connection and opens a new one, that won't use http authentication. I'm using this in my auth filter (which is combination of waffle/kerberos/jcifs) and it works fine.
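
A servlet filter sketching the approach above, added here as an example; it is not code from Waffle or from the poster's own filter. The `SsoProvider` interface and `SsoResult` enum are assumptions standing in for the real Negotiate/NTLM provider; the point shown is how the redirect is sent once SSO has definitively failed, and how the mid-handshake 401 is kept from triggering a web.xml error page.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Outcome of one leg of the Negotiate/NTLM handshake (constructed for this example). */
enum SsoResult { CONTINUE, AUTHENTICATED, FAILED }

/** Hypothetical hook for the real provider (Waffle, Kerberos, JCIFS); not a Waffle API. */
interface SsoProvider {
    /** Validates the Authorization header; on CONTINUE it sets the next WWW-Authenticate challenge. */
    SsoResult authenticate(HttpServletRequest request, HttpServletResponse response);
}

public class SsoFallbackFilter implements Filter {
    private static final String LOGIN_PAGE = "/login.jsp";
    private final SsoProvider provider;

    public SsoFallbackFilter(SsoProvider provider) { this.provider = provider; }
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (request.getHeader("Authorization") == null) {
            // First contact: challenge so the browser attempts SSO before any form is shown.
            response.addHeader("WWW-Authenticate", "Negotiate");
            response.addHeader("WWW-Authenticate", "NTLM");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        switch (provider.authenticate(request, response)) {
            case AUTHENTICATED:
                chain.doFilter(req, res);
                return;
            case CONTINUE:
                // Mid-handshake (e.g. the NTLM type 2 challenge was set by the provider).
                // setStatus, not sendError, so a web.xml 401 error-page is not dispatched here.
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            case FAILED: default:
                // The browser ignores a redirect while it believes the connection is still in
                // an HTTP-auth handshake; closing it makes the browser open a fresh connection
                // that carries no credentials and can load the unprotected form page.
                response.setHeader("Connection", "close");
                response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }
}
```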

Coordinator
Oct 3, 2010 at 12:32 PM
This discussion has been copied to a work item.
Coordinator
Oct 3, 2010 at 12:34 PM
jnx wrote:

If SSO fails and you want to redirect user to unprotected form login page, you need to send "Connection: close" header along with redirect. Client then closes existing connection and opens a new one, that won't use http authentication. I'm using this in my auth filter (which is combination of waffle/kerberos/jcifs) and it works fine.

Thanks. I created a feature request for reviewing this in the mixed authenticator. The one problem is that authentication may not fail on the server, but on the client. So the server keeps getting valid tickets and asks the client to continue until the client gives up.