chemistry-dev mailing list archives

From Florian Müller <f...@apache.org>
Subject Re: Session re-use with NTLMAuthenticationProvider
Date Tue, 23 Sep 2014 21:22:19 GMT
Hi Michael,

The warning in the JavaDoc is there for a reason. ;-)
Simply don't use the NTLMAuthenticationProvider in a productive
environment. It's not working reliably!
It's ok in a test setup or in the Workbench but not if you want to do
something serious.

The NTLMAuthenticationProvider is based on the NTLM support in the JVM,
which has several deficiencies.
* It's NTLMv1 only. That works with SharePoint 2010 but not SharePoint
2013, which (by default) requires NTLMv2.
* The credentials can only be set per JVM, which makes it useless in a
multi-user environment.
* On the Windows machine the set credentials are ignored. It will try
the currently logged in Windows user first.
* If a new socket requires re-authentication and the current request is
a POST request, then this request fails. You have to retry the request
in your application (if you can).

Because of the last item I would not recommend using NTLM, even if
OpenCMIS would have fully working NTLM support.
Reconfigure SharePoint to accept basic authentication. That works.


- Florian


> The javadoc for Session says "Because a session is only a client side concept, the session object needs not to be closed or released when it's not needed anymore."
> 
> That's been working well for me until we started connecting to a new Sharepoint server which requires NTLM authentication. (We are using AtomPub.) The NTLMAuthenticationProvider does work at first, but after some time, it no longer works and all requests to Sharepoint CMIS return a 401 Unauthorized response with the "WWW-Authenticate: NTLM" response header. So the Sharepoint server is asking for NTLM authentication again, but unlike the first time around, the OpenCMIS client does not do the NTLM dance anymore, it just returns a CmisUnauthorizedException.
> 
> I read up on NTLM authentication <http://www.innovation.ch/personal/ronald/ntlm.html> a little bit, and apparently it is a connection based authentication which requires re-authentication whenever the connection is closed. So it seems like the NTLMAuthenticationProvider is not working properly after the HTTP connection gets closed.
> 
> Is this likely an example of the "USE WITH CARE!" caution mentioned in the NTLMAuthenticationProvider's javadoc? This is on Websphere 8.5 and it certainly qualifies as a multi-user environment.
> 
> Thanks
> michael lucas  |  Senior Software Developer  |  Great-West Life
> 
> 
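
The switch recommended in the reply above, sketched as an added example (not code from this thread or from the OpenCMIS project): an AtomPub session that uses the standard authentication provider with HTTP basic authentication and per-session credentials instead of the NTLMAuthenticationProvider. The class name, the environment variable names and the HTTPS check are assumptions of this example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.chemistry.opencmis.client.api.Repository;
import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.client.api.SessionFactory;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;

public class SharePointBasicAuthSession {

    // Builds session parameters for one user. Credentials live in this map,
    // so every caller in a multi-user server can hold its own Session,
    // unlike the JVM-wide credentials of the NTLM provider.
    static Map<String, String> basicAuthParameters(String atomPubUrl, String user, String password) {
        // Assumption of this example: basic auth sends the password with every
        // request, so refuse endpoints that are not TLS-protected.
        if (atomPubUrl == null || !atomPubUrl.toLowerCase().startsWith("https://")) {
            throw new IllegalArgumentException("Basic authentication requires an https:// endpoint");
        }
        Map<String, String> params = new HashMap<>();
        params.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());
        params.put(SessionParameter.ATOMPUB_URL, atomPubUrl);
        params.put(SessionParameter.USER, user);
        params.put(SessionParameter.PASSWORD, password);
        // Stated explicitly so the intent is visible in configuration reviews.
        params.put(SessionParameter.AUTH_HTTP_BASIC, "true");
        // Deliberately not set: SessionParameter.AUTHENTICATION_PROVIDER_CLASS
        // pointing at NTLMAuthenticationProvider (the configuration being replaced).
        return params;
    }

    public static void main(String[] args) {
        // Hypothetical variable names; the values come from the deployment, not the source tree.
        Map<String, String> params = basicAuthParameters(
                System.getenv("CMIS_ATOMPUB_URL"),
                System.getenv("CMIS_USER"),
                System.getenv("CMIS_PASSWORD"));

        SessionFactory factory = SessionFactoryImpl.newInstance();
        // Take the first repository the endpoint exposes.
        Repository repository = factory.getRepositories(params).get(0);
        Session session = repository.createSession();
        System.out.println("Connected to: " + session.getRepositoryInfo().getName());
    }
}
```

Because each request carries its own Authorization header, a closed HTTP connection does not force a new handshake, which is the failure mode described for POST requests above.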
