0
votes

I have a problem with authentication:

  • Users that have valid domain credentials are logged in using NTLM authentication (I send a "WWW-Authenticate: NTLM" header and a 401 status in my JSP filter). Then IE authenticates the user using NTLM and everything is fine.
  • I have other users (connected to the LAN with their own computers) and they can't log in using NTLM. I created a form where they can enter their credentials and log in.

I want to create mixed authentication. I added code that redirects the user to the form login page when his NTLM authentication fails. But when the user enters credentials in the form he was redirected to after the NTLM auth check, the POST data from the form isn't sent to the JSP page. Instead of the POST data I see the header "Authorization NTLM bla-bla-bla".

Any proposals for how I can create mixed authentication?

2 Answers

1
votes

I have my own authentication filter, so my config is not similar to the config above. I already solved my problem: I created a special link that doesn't create NTLM-like garbage in the headers and provides login after the user enters credentials. So I have 2 entry points in my application. Not perfect, but it works.

0
votes

In case you haven't solved your problem, can you provide your web.xml?

The security constraints should look like this:

  <security-constraint>
    <display-name>Application Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Everyone</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <display-name>Login Page</display-name>
    <web-resource-collection>
      <web-resource-name>Unprotected Login Page</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <security-role>
    <role-name>Everyone</role-name>
  </security-role>
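
A check on the constraints above, added here as an example and not part of the original answer: a `security-constraint` that lists `<http-method>` elements applies only to those methods, so this script reports, per URL pattern, which common methods are left uncovered and which patterns carry no `auth-constraint`. The function names, the `<web-app>` wrapper and the method list are assumptions of this example; it evaluates each constraint on its own and does not merge overlapping ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's fragment, trimmed and wrapped in a <web-app> root.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Everyone</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/login.jsp</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

# Assumption: the methods to check against; any non-standard verb is uncovered as well.
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit(web_xml):
    """Return a list of (url_pattern, finding, methods) for a web.xml string."""
    root = ET.fromstring(web_xml)
    # Servlet 3.1+: this element makes the container reject uncovered methods.
    deny = any(local(e.tag) == "deny-uncovered-http-methods" for e in root)
    findings = []
    for sc in (e for e in root if local(e.tag) == "security-constraint"):
        has_auth = any(local(e.tag) == "auth-constraint" for e in sc)
        for wrc in (e for e in sc if local(e.tag) == "web-resource-collection"):
            vals = lambda n: [(e.text or "").strip() for e in wrc if local(e.tag) == n]
            listed = set(vals("http-method"))
            # Listed methods: all others are uncovered. Omissions: exactly those are.
            uncovered = COMMON_METHODS - listed if listed else set(vals("http-method-omission"))
            for pattern in vals("url-pattern"):
                if not has_auth:
                    findings.append((pattern, "no-auth-constraint", []))
                elif uncovered and not deny:
                    findings.append((pattern, "uncovered-methods", sorted(uncovered)))
    return findings

if __name__ == "__main__":
    for pattern, finding, methods in audit(WEB_XML):
        print(pattern, finding, ",".join(methods))
```

Removing the `<http-method>` elements makes the first constraint apply to every method; the `/login.jsp` finding is informational, since that page is meant to be reachable without authentication.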