IE使用NTLM身份验证时随机发送空POST主体(使用angular to Spring) [英] IE sends empty POST body randomly while using NTLM authentication (using angular to Spring)
问题描述
我们看到IE 11中缺少POST的看似随机调用的问题。进一步检查后,来自浏览器的请求包括NTLM协商令牌。我们也经常在GET上看到这个标记,但它们不受身体问题的影响,因为它们没有。 Chrome和FF没有这个问题。
进一步的调查显示,如果我们的会话超时并且浏览器被重新刷新,那么我们将在此之后始终看到此问题每隔约1-2分钟。我的理解是,如果IE期望401,那么它将不包括POST主体,因为期望再次发生NTLM握手。
我们有一个角度app(目前混合Angular 1和2,但在此之前发生在1)。角度应用程序使用对我们的Spring启动应用程序进行restful webservice调用。我们使用华夫饼为NTLM auth
// Shiro-Waffle / Security
'com.github.dblock.waffle :waffle-parent:1.7.3',
'com.github.dblock.waffle:waffle-shiro:1.7.3',
'org.apache.shiro:shiro-core:1.2.3 ',
'org.apache.shiro:shiro-web:1.2.3',
我有一个糟糕的解决方法,我将在下面作为答案发布,但我根本不喜欢它。
好的,我找到了一个注册表黑客。基本上,IE主动发送NTLM凭证,而不从服务器发送401。当发送pre auth时,IE将省略POST主体(如果请求是POST。)如果会话已经有效并且服务器已经授权你,它会让请求通过而没有正文并且会导致错误服务器(假设您的POST需要正文。)
因此正常的NTLM协商看起来像
- 来自客户的请求(使用POST正文) - >服务器返回401,
www-authenticate:negotiate,www-authenticate:NTLM - 客户端发送
使用NTLM令牌的附加请求(没有邮件正文) - >服务器返回401服务器
NTLM令牌 - 客户端发送第3个会话请求(带POST主体)和服务器返回
200
使用此优化
- 客户端需要401并发送NTLM令牌(没有正文) - >服务器返回401服务器令牌
- 客户端发送第2个会话请求(带正文) - >服务器返回200
- 客户期望401并发送NTLM令牌(无身体) - >服务器处理请求并收到内部错误(可能是500)
出现问题
要添加的注册表项阻止此优化
HKEY_CURRENT_USER / Software / Microsoft / Windows / CurrentVersion / Internet Settings /
添加以下注册表值:
值名称: DisableNTLMPreAuth
数据类型:REG_DWORD
值:1
或者将这些条目保存到您计算机上的.reg文件并双击它
Windows注册表编辑器版本5.00
[ HKEY_CURRENT_USER \软件\ Microsoft \ Windows \ CurrentVersion \Internet设置\]
DisableNTLMPreauth= dword:00000001
我不确定为什么IE认为它必须重新验证,但是从广泛的测试看起来就像IE有会话超时或会话是我nvalidated,它从服务器返回401,它希望在那之后每1-2分钟重新验证一次。这可能与您在身份验证时所处的URL有关,因为您可能不在根本位置。我提供的第一个链接谈了很多关于IE的URL的挑剔以及它如何猜测应该授权什么以及什么不应该基于路径。
相关文章:
We are seeing issues with seemingly random calls that are missing the POST in IE 11. Upon further inspection the requests from the browser are including a NTLM negotiation token. We see this token on GETs too from time to time, but they are unaffected by the body problem as they don't have one. Chrome and FF do not have this problem.
Further investigation shows that if our session times out and the browser is re-authed, then we will consistently see this problem after that at around 1 - 2 minute intervals. It is my understanding that if IE "expects" a 401, then it will not include the POST body as is expects the NTLM handshake to take place again.
We have an angular app (currently mixed Angular 1 and 2, but occurred in 1 just before this). The angular app uses makes restful webservice calls to our Spring boot application. We are using waffle for NTLM auth
// Shiro-Waffle / Security
'com.github.dblock.waffle:waffle-parent:1.7.3',
'com.github.dblock.waffle:waffle-shiro:1.7.3',
'org.apache.shiro:shiro-core:1.2.3',
'org.apache.shiro:shiro-web:1.2.3',
I have one crappy workaround that I will post below as an answer, but I do not like it at all.
Ok, I found a registry hack for this. Basically IE proactively sends NTLM credentials without a 401 from the server. When sending "pre auth" IE will omit the POST body (if the request was a POST.) If the session was already valid and the server already has you authorized, it lets the request through without a body and will cause an error on the server (assuming the body is required for your POST.)
So a normal NTLM negotiation would look like
- request from client (with POST body) -> server returns 401 with www-authenticate:negotiate, www-authenticate:NTLM
- client sends additional request with NTLM token (w/o post body) -> server returns 401 with server NTLM token
- Client sends 3rd request with session (with POST body) and server returns 200
With this optimization
- client expects 401 and sends NTLM token (w/o body) -> server returns 401 with server token
- Client sends 2nd request with session (with body) -> server returns 200
Problem occurs
- Client expects 401 and sends NTLM token (w/o body) -> server processes request and received internal error (probably 500)
Registry entry to add that prevents this "optimization"
HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/
Add the following registry value:
Value Name: DisableNTLMPreAuth
Data Type: REG_DWORD
Value: 1
Or Save these entries to a .reg file on your machine and double click on it
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\]
"DisableNTLMPreauth"=dword:00000001
I am not sure why IE thinks it has to re-auth, but from extensive testing it looks like once IE has a session timeout or the session is invalidated and it gets a 401 back from the server, it wants to re-auth every 1-2 minutes after that. This could have something to do with what URL you are at at time of authentication as you may not be at the root. The first link I provided talks a lot about IE's pickiness of URLs and how it guesses what should be authorized and what should not based on pathing.
Related articles:
这篇关于IE使用NTLM身份验证时随机发送空POST主体(使用angular to Spring)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
