chemistry-dev mailing list archives

From "Lucas, Mike"
Subject RE: Session re-use with NTLMAuthenticationProvider
Date Wed, 24 Sep 2014 03:00:46 GMT
Thanks Florian. Makes sense. I will do my best to convince our Sharepoint folks to configure Basic Auth.

Even if the java NTLM support did not have so many problems, I guess NTLM v1 is not very secure so we probably shouldn't be using it anyway!

-----Original Message-----
From: Florian Müller
Sent: September 23, 2014 4:22 PM
Cc: Lucas, Mike
Subject: Re: Session re-use with NTLMAuthenticationProvider

Hi Michael,

The warning in the JavaDoc is there for a reason. ;-) Simply don't use the NTLMAuthenticationProvider in a productive environment. It's not working reliably!
It's ok in a test setup or in the Workbench but not if you want to do something serious.

The NTLMAuthenticationProvider is based on the NTLM support in the JVM, which has several
* It's NTLMv1 only. That works with SharePoint 2010 but not SharePoint 2013, which (by default) requires NTLMv2.
* The credentials can only be set per JVM, which makes it useless in a multi-user environment.
* On the Windows machine the set credentials are ignored. It will try the currently logged in Windows user first.
* If a new socket requires re-authentication and the current request is a POST request, then this request fails. You have to retry the request in your application (if you can).

Because of the last item I would not recommend using NTLM, even if OpenCMIS would have fully working NTLM support.
Reconfigure SharePoint to accept basic authentication. That works.

- Florian

> The javadoc for Session says "Because a session is only a client side concept, the session object needs not to be closed or released when it's not needed anymore."
> That's been working well for me until we started connecting to a new Sharepoint server which requires NTLM authentication. (We are using AtomPub.) The NTLMAuthenticationProvider does work at first, but after some time, it no longer works and all requests to Sharepoint CMIS return a 401 Unauthorized response with the "WWW-Authenticate: NTLM" response header. So the Sharepoint server is asking for NTLM authentication again, but unlike the first time around, the OpenCMIS client does not do the NTLM dance anymore, it just returns a CmisUnauthorizedException.
> I read up on NTLM authentication a little bit, and apparently it is a connection based authentication which requires re-authentication whenever the connection is closed. So it seems like the NTLMAuthenticationProvider is not working properly after the HTTP connection gets closed.
> Is this likely an example of the "USE WITH CARE!" caution mentioned in the NTLMAuthenticationProvider's javadoc? This is on Websphere 8.5 and it certainly qualifies as a multi-user environment.
> Thanks
> michael lucas  |  Senior Software Developer  |  Great-West Life
