Silent NTLM Authentication from httpclient

Pavel

Hi gurus,
I am trying to access a web page protected by the NTLM authentication
mechanism with httpclient. If I construct an
org.apache.commons.httpclient.NTCredentials object (with my user name and
password) everything works fine.
But if I access this page from Microsoft Internet Explorer it does not
prompt me for my user name and password - so I think that this
information has to be stored somewhere in the system. Is it possible
to get these NT credentials directly from the system and pass them to
httpclient to be used for authentication? Many thanks for any reply.

Regards,
Pavel
 
Christian Bongiorno

Pavel,

I am willing to bet that the web server you are accessing uses IIS.
IE and IIS have an incestuous relationship. Because of this, you have
the seamless authentication going on (IE grabs the local credentials
and supplies them for the user). However, it's this same incestuous
relationship that makes IE vulnerable to key logging viruses that get
installed without warning because IIS told IE it was ok.

The short answer: You can try to beef up the security settings for IE
and see if that forces an authentication (but I doubt it). Likely,
there is nothing you can do about it.

I know in one of the change logs for Mozilla I saw that they added
"NTLM" support. Whatever "support" means is anyone's guess. But, you
may be able to get Mozilla to behave like IE -- the other way around
will likely be hard.

Christian
 
Gerbrand van Dieijen

> Pavel,
>
> I am willing to bet that the web server you are accessing uses IIS.
> IE and IIS have an incestuous relationship. Because of this, you have
> the seamless authentication going on (IE grabs the local credentials
> and supplies them for the user). However, it's this same incestuous
> relationship that makes IE vulnerable to key logging viruses that get
> installed without warning because IIS told IE it was ok.

Are you certain? I thought NTLM authentication only works if the user
is already logged in (by typing username/password or using some keycard
mechanism) and authenticates against a web server that uses the same
(domain) server.

I think it is very good to prevent users from having to type a password many
times. This gives false security and the users will tend to use small or
simple passwords.
Password protection in general is something I would rather see become unnecessary
today than tomorrow; there are ways that are both much user-friendlier and more secure.
 
