NTLM Authentication without username/password failback?

Oct 7, 2011 at 7:32 PM

Please excuse my ignorance on the topic of NTLM authentication in a web application. First the question, and then the background context.

Question: Is it possible to use Waffle (perhaps as a servlet filter) to passively authenticate a user using NTLM if an NTLM security token is available from the client browser, and to *SILENTLY* skip authentication if it isn't? I.e., I don't ever want the Username/Password popup to appear on the client.

Background: We have a "single-page" Web Application written using the GWT framework. Currently, the application handles all authentication/authorization within the application itself using a variety of legacy authentication strategies (note: there isn't presently a separate login "page" [i.e. URL] within the application; rather, the login "View/Presenter" is just a component within the same single-page application [i.e. the "single-page" application contains the logic for all the views within the application, including login when necessary]). Now we are being asked to support NTLM as one of the possible authentication strategies. The thought is to use Waffle (perhaps as a servlet filter), then to look for whether or not request.getUserPrincipal() is assigned as part of one of the authentication strategies and to act accordingly with application-level authentication/authorization (possibly failing back to other authentication strategies as necessary). Not all users accessing the application will be part of the Windows Domain, and for those users, we don't want Waffle to trigger a Username/Password dialog on the client; rather, we'd prefer that Waffle NTLM authentication just simply fail silently and allow the application to address authentication concerns itself. We could obviously provide a different URL point-of-entry for users that can authenticate via NTLM vs those that can't; however, that seems to be a bit of a hack and a maintenance nightmare.

Any thoughts or suggestions are welcome. Thank you in advance,

-Jeff Woodward

Oct 7, 2011 at 9:42 PM

It's not. The problem is that half the time authentication fails on the client, which pops up a dialog. The other problem is that in order to even try to receive a Negotiate challenge you have to issue a 401. The best thing you can do is let users choose to authenticate explicitly by clicking a button or going to a given URL - this is implemented in the "mixed" waffle filters.

Oct 8, 2011 at 10:21 PM
Edited Oct 8, 2011 at 10:27 PM
Thank you for your prompt and informative response. I am going to have a look at the "mixed" waffle filters (I am hoping that they are in the samples directory with the other samples). In the meantime, I can think of a few different ways that I may approach this challenge [no pun intended]. At least one of them may involve AJAX requests to a servlet that is fronted by a waffle NTLM filter; however, before I go down that road, I am curious what behavior to expect from the browsers (IE 6 and up as well as Firefox 3.6 and up) making requests using the XMLHttpRequest object through waffle filters to a servlet on the server side. Does it work at all? Will the browser still pop up the username/password dialog [if there isn't a valid security token/security context]?

Thank you once again in advance for any insights that you may have,

-Jeff Woodward
PS: I have just read your post: http://code.dblock.org/ntlm-please-show-id-with-every-post, so it appears that AJAX requests fundamentally work with waffle. But I am still curious about the username/password popup behavior if you have any insights. Note, my plan wouldn't be to put all the AJAX server-side calls behind waffle, just the one(s) explicitly used for this authentication strategy.

Oct 10, 2011 at 11:34 PM

You're going around the one very important point, which is that the browser will pop up a box if it sees a 401 and can't continue a Negotiate. That's valid for XMLHttpRequests as well. It's ugly, but such is life. So my suggestion is to try to implement what you have in mind and if it works, write about it :)
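The "mixed" filter idea from the Oct 7 reply and the 401-means-dialog point from this last reply, modelled as an added example (not Waffle's own code): a Python sketch of a filter that only ever emits the Negotiate challenge on an opt-in URL and passes every other request through silently. The `handshake` hook, `demo_handshake`, the path `/auth/sso` and the Type 1 sample token are assumptions constructed for the demo.

```python
import base64
import binascii
import struct
from typing import Callable, Dict, Optional, Tuple

# Constructed NTLM Type 1 (NEGOTIATE) message for this demo only: signature,
# little-endian type 1, negotiate flags, empty domain/workstation fields.
SAMPLE_TYPE1_B64 = base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16).decode()

Response = Tuple[int, Dict[str, str], Optional[str]]  # status, headers, principal
# Hypothetical hook standing in for the Waffle/SSPI security context. Returns
# (token to send back, principal): token = continue, principal = done, neither = failed.
Handshake = Callable[[str], Tuple[Optional[str], Optional[str]]]

def ntlm_message_type(token_b64: str) -> Optional[int]:
    """Message type (1, 2 or 3) of a raw NTLMSSP token, or None if the token
    is not raw NTLM (for example a SPNEGO/Kerberos blob, or not base64 at all)."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", raw, 8)[0]

def mixed_filter(path: str, headers: Dict[str, str],
                 opt_in_paths: set, handshake: Handshake) -> Response:
    """Only opt-in paths ever emit a 401 challenge; every other request passes
    through unauthenticated, so no browser is prompted anywhere else."""
    if path not in opt_in_paths:
        return 200, {}, None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme not in ("Negotiate", "NTLM") or not token:
        # First contact on the opt-in URL: this 401 makes a domain browser send
        # a token, and makes any browser that cannot continue pop a dialog.
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    out_token, principal = handshake(token)
    if out_token is not None:  # mid-handshake, e.g. Type 1 in, Type 2 out
        return 401, {"WWW-Authenticate": f"{scheme} {out_token}"}, None
    if principal is None:      # handshake failed: also a 401, hence a dialog
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    return 200, {}, principal

def demo_handshake(token: str) -> Tuple[Optional[str], Optional[str]]:
    """Stand-in for the real security context, for this demo only."""
    if ntlm_message_type(token) == 1:
        return "TYPE2-PLACEHOLDER", None  # a real context returns a Type 2 challenge
    if token == "good":                   # constructed final-leg token
        return None, "DOMAIN\\jeff"
    return None, None
```

The point the thread makes is visible in the branches: the only way to never prompt a non-domain browser is to never reach the 401 branches, which is why the challenge is confined to a URL the user chose to hit.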