Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?

Apache::AuthenNTLM advice needed

by Jonathan (Curate)
on Jul 24, 2003 at 14:14 UTC ( #277545=perlquestion: print w/replies, xml ) Need Help??

Jonathan has asked for the wisdom of the Perl Monks concerning the following question:

I've been given an installation of Apache/mod_perl (Solaris) with Apache::AuthenNTLM and asked to write a mod_perl Authentication handler. The handler will take a http request from another web server (Oracle again on Solaris) validate the request using the AuthenNTLM module and then send back a response with a cookie string containing the original users NT login details.
As the client is not directly an Internet Explorer session, I guess I would need to create an AuthenNTLM instance change the inputs to point to the orginal browser and validate it that way. But there's no mention of doing anything like this in the docs.

Has any one managed to do anything like this? - if so a sample handler would be a great help

Can AuthenNTLM be made to work via a proxy?

I don't think this is possible but I'm certainly no HTTP/Apache-mod_perl expert. Am I on a fools errand?

Replies are listed 'Best First'.
Re: Apache::AuthenNTLM advice needed
by perrin (Chancellor) on Jul 24, 2003 at 19:00 UTC
    So, you want to do authentication via NTLM for another web server? There are two things you could do. One is to look at what Apache::AuthenNTLM does and port it to the other server. The other is to use apache as a proxy, with AuthenNTLM doing auth. You can use the Apache::Proxy module, or do something with LWP.
Re: Apache::AuthenNTLM advice needed
by dtr (Scribe) on Jul 24, 2003 at 21:06 UTC

    The problem with using AuthenNTLM in this way is that, in the HTTP headers sent back by the server, you have to advertise the authentication methods you support.

    If, for example, your server supports basic and NTLM authentication, the first time you connect to a location that requires authentication, you'll get back something like:-

    HTTP/1.1 401 Access Denied
    Server: **************
    Date: Thu, 24 Jul 2003 20:55:04 GMT
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    WWW-Authenticate: Basic realm="*******"
    Content-Length: 24
    Content-Type: text/html

    Here, this server is advertising that it supports basic and NTLM authentication. A browser which also supports NTLM authentication will now automatically re-send the request, including the NTLM hash in the request headers to authenticate to the server. The server will verify this hash and, if it accepts it, will allow the client to access the resource.

    If, on the other hand, the browser didn't support NTLM authentication but supported basic authentication, it would prompt the user for a username and password (unless cached), and would concatenate them, base-64 encode the result, and sent that back to the server as the "authenticatior".

    Unless you can get your Oracle server to send out a "www-Authenticate: NTLM" header, the browsers accessing this system will never know that NTLM authentication is supported. Therefore, your scheme will not work.

    Your best bet would be to set Apache up as a proxy, only allow connections to the Oracle server from the Apache server (use the IP address to restrict it, for example), and have Apache manage the authentication for you.

      Thanks that's great. I'll suggest the proxy option.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://277545]
Approved by valdez
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (1)
As of 2021-06-19 08:38 GMT
Find Nodes?
    Voting Booth?
    What does the "s" stand for in "perls"? (Whence perls)

    Results (91 votes). Check out past polls.