我有一个SSO站点,它使用的是NTLM身份验证,它在XP和Win 7(32位)上运行良好,但最近我的公司决定使用win 7(64位)电脑也是如此。在这些PC上,握手在类型2消息之后结束,并且tomcat返回401.我不知道如何调查,也许这里有人可以给我一些提示。NTLM身份验证在类型2响应后失败
这是servlet的doPost方法:
try {
// NTLM Handshake
// 1: Client --> Server | GET ...
// 2: Client <-- Server | 401 Unauthorized/WWW-Authenticate: NTLM
String auth = request.getHeader("Authorization");
if (auth == null) {
response.setStatus(response.SC_UNAUTHORIZED);
response.setHeader("WWW-Authenticate", "NTLM");
response.flushBuffer();
return;
}
if (auth.startsWith("NTLM ")) {
byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth
.substring(5));
int off = 0, length, offset;
// 3: Client --> Server | GET .../Authorization: NTLM
// <base64-encoded type-1-message>
if (msg[8] == 1) {
// 4: Client <-- Server | 401 Unauthorized/WWW-Authenticate:
// NTLM <base64-encoded type-2-message>
byte z = 0;
byte[] msg1 = { (byte) 'N', (byte) 'T', (byte) 'L',
(byte) 'M', (byte) 'S', (byte) 'S', (byte) 'P', z,
(byte) 2, z, z, z, z, z, z, z, (byte) 40, z, z, z,
(byte) 1, (byte) 130, z, z, z, (byte) 2, (byte) 2,
(byte) 2, z, z, z, z, z, z, z, z, z, z, z, z };
response.setHeader("WWW-Authenticate", "NTLM "
+ new sun.misc.BASE64Encoder().encodeBuffer(msg1));
//response.sendError(response.SC_UNAUTHORIZED);
response.setStatus(response.SC_UNAUTHORIZED);
response.flushBuffer();
return;
}
// 5: Client --> Server | GET .../Authorization: NTLM
// <base64-encoded type-3-message>
else if (msg[8] == 3) {
off = 30;
length = msg[off + 17] * 256 + msg[off + 16];
offset = msg[off + 19] * 256 + msg[off + 18];
String remoteHost = new String(msg, offset, length);
length = msg[off + 1] * 256 + msg[off];
offset = msg[off + 3] * 256 + msg[off + 2];
String domain = new String(msg, offset, length);
for (int i = 0; i < domain.length(); i += 2)
loginDomain += domain.charAt(i);
length = msg[off + 9] * 256 + msg[off + 8];
offset = msg[off + 11] * 256 + msg[off + 10];
String username = new String(msg, offset, length);
for (int i = 0; i < username.length(); i += 2)
loginUser += username.charAt(i);
}
}
} catch (Exception se) {
log.error(loginUser + ", NTLM handshake exception:", se);
}
你说的验证启用NTLM扩展安全,但你不是真的在这里检查密码...!?!看起来你真的只想从NTLM消息中获取用户名? – 2013-05-03 14:12:42
@EdwardThomson您不需要密码进行NTLM身份验证。 NTLM是一项挑战/响应协议。 – 2013-05-03 14:22:09
@MatthiasHerlitzius是的,但客户端使用密码来形成挑战。所以服务器应该*实际上查看响应*来进行身份验证,而不是假设因为你有*某些*响应,它必须是有效的。这里没有认证。 – 2013-05-03 14:24:51