  1. Alfresco One Platform
  2. ACE-2678

Make Kerberos / NTLM / Basic authentication negotiable by web clients

    Details

      Description

      This is between a bug and an enhancement request.

      If a server supports multiple authentication methods, it is possible for it to include multiple WWW-Authenticate headers in its authentication challenge response.

      This would allow clients that didn't support Kerberos, for example, to still negotiate Basic auth. And no 'chaining' would be required on the Alfresco side.

      See

      http://lists.samba.org/archive/jcifs/2004-December/004365.html
      http://msdn.microsoft.com/en-us/library/aa383144(v=vs.85).aspx

      From Alex:

      When a Kerberos login fails, either in Explorer or in Share, we fall back to an HTML login form.

      This is interesting but limits clients to web browsers.

      In SPP, for instance, an Office program (Word, etc.) cannot deal with HTML forms.

      Could it be possible to make a failed Kerberos or failed NTLM fall back to HTTP Basic Auth?

      Note: other Kerberos middleware seems to provide this kind of fallback mechanism, see mod_auth_kerberos e.g.:

      http://comments.gmane.org/gmane.comp.apache.mod-auth-kerb.general/2252

      To summarize, what we want is to have multiple headers in the 401 response from the client:

      C: GET
      S: 401 Unauthorized
         WWW-Authenticate: Basic
         WWW-Authenticate: NTLM
         WWW-Authenticate: Negotiate
      

      Currently, or in the past, if you had 'kerberos' in your chain, the server was returning either

      401 Unauthorized
      WWW-Authenticate: Basic
      

      or

      401 Unauthorized
      WWW-Authenticate: Negotiate
      

      As you can understand, always returning the 2nd form will confuse clients that cannot do Kerberos, and they may never send Basic, as in your SOAP case. But always returning WWW-Authenticate: Basic is not good either, as you will never get SSO. So the solution is really in implementing ACE-2678 and sending both:

      401 Unauthorized
      WWW-Authenticate: Basic
      WWW-Authenticate: Negotiate
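
The client-side selection this request depends on, as an added example (not Alfresco's code and not part of the original ticket): it reads every WWW-Authenticate challenge in a 401 and picks the strongest scheme the client supports. The sample response, the realm value, the preference order and the function names are assumptions made for illustration.

```python
import re

# Strongest first. This order is an assumption of the example: the ticket only
# says Negotiate gives SSO and Basic is the fallback.
PREFERENCE = ["negotiate", "ntlm", "basic"]

# Constructed sample: the 401 the ticket asks for (realm value is made up).
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Alfresco"\r\n'
    "WWW-Authenticate: NTLM\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "Content-Length: 0\r\n\r\n"
)

def offered_schemes(raw_response):
    """List the auth schemes offered by every WWW-Authenticate header, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # Blank out quoted strings so commas inside a realm do not split it.
        value = re.sub(r'"(?:\\.|[^"\\])*"', '""', value)
        # One header line may also carry several comma-separated challenges.
        for part in value.split(","):
            # A scheme is a bare token; auth-params always look like key=value.
            m = re.match(r"([^\s=,]+)(?:\s+(?!=)|$)", part.strip())
            if m:
                schemes.append(m.group(1).lower())
    return schemes

def choose_scheme(raw_response, client_supports):
    """Return the strongest offered scheme the client can do, or None."""
    offered = offered_schemes(raw_response)
    for scheme in PREFERENCE:
        if scheme in offered and scheme in client_supports:
            return scheme
    return None

if __name__ == "__main__":
    print(choose_scheme(SAMPLE_401, {"negotiate", "ntlm", "basic"}))
    print(choose_scheme(SAMPLE_401, {"basic"}))
```

Given a 401 that offers only Negotiate, a client that supports only Basic gets `None` from `choose_scheme`, which is the dead end described above for clients that cannot do Kerberos.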
      


                People

                • Assignee:
                  closedissues Closed Issues
                  Reporter:
                  alfsupport Alfresco Support
                • Votes:
                  6
                  Watchers:
                  15
