Suppress NTLM dialog box after unauthorized request


Problem description

In a recent SharePoint project, I implemented an authentication webpart which should replace the NTLM authentication dialog box. It works fine as long as the user provides valid credentials. Whenever the user provides invalid credentials, the NTLM dialog box pops up in Internet Explorer.

My JavaScript code which does the authentication via XmlHttpRequest looks like this:

function Login() {
   var request = GetRequest(); // retrieves XmlHttpRequest
   request.onreadystatechange = function() {
      // status is only meaningful once the request has completed (readyState 4)
      if (this.readyState == 4 && this.status == 401) { // unauthorized request -> invalid credentials
         // do something to suppress NTLM dialog box...
         // already tried location.reload(); and window.location = <url to authentication form>;
      }
   };
   // the backslash must be escaped; "\u" would otherwise start an invalid Unicode escape
   request.open("GET", "http://myServer", false, "domain\\username", "password");
   request.send(null);
}

I don't want the NTLM dialog box to be displayed when the user provides invalid credentials. Instead the postback by the login button in the authentication form should be executed. In other words, the browser should not find out about my unauthorized request.

Is there any way to do this via JavaScript?

Recommended answer

Mark's comment is correct; the NTLM auth prompt is triggered by a 401 response code and the presence of NTLM as the first mechanism offered in the WWW-Authenticate header (Ref: The NTLM Authentication Protocol).

I'm not sure if I understand the question description correctly, but I think you are trying to wrap the NTLM authentication for SharePoint, which means you don't have control over the server-side authentication protocol, correct? If you're not able to manipulate the server side to avoid sending a 401 response on failed credentials, then you will not be able to avoid this problem, because it's part of the (client-side) spec:

If the UA supports HTTP Authentication [RFC2617] it SHOULD consider requests originating from this object to be part of the protection space that includes the accessed URIs and send Authorization headers and handle 401 Unauthorised requests appropriately. If authentication fails, UAs should prompt the users for credentials.

So the spec actually calls for the browser to prompt the user accordingly if any 401 response is received in an XMLHttpRequest, just as if the user had accessed the URL directly. As far as I can tell the only way to really avoid this would be for you to have control over the server side and cause 401 Unauthorized responses to be avoided, as Mark mentioned.

One last thought is that you may be able to get around this using a proxy, such as a separate server-side script on another webserver. That script then takes a user and pass parameter and checks the authentication, so that the user's browser isn't what's making the original HTTP request and therefore isn't receiving the 401 response that's causing the prompt. If you do it this way you can find out from your "proxy" script if it failed, and if so then prompt the user again until it succeeds. On a successful authentication event, you can simply fetch the HTTP request as you are now, since everything works if the credentials are correctly specified.
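
A sketch of the proxy approach described in the answer above, added here as an example and not part of the original post. The names toBrowserResponse, parseCredentials, createLoginProxy and checkUpstream are hypothetical; checkUpstream is assumed to make the NTLM request server-side and report the upstream status.

```javascript
// Added example; all function names here are hypothetical.

// Translate the upstream (SharePoint) response into what the browser may see.
// Headers are built fresh, never copied, so WWW-Authenticate cannot leak through.
function toBrowserResponse(upstream) {
  const headers = { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' };
  const reply = (status, body) => ({ status, headers, body: JSON.stringify(body) });
  if (upstream.status >= 200 && upstream.status < 300) {
    return reply(200, { authenticated: true });
  }
  if (upstream.status === 401) {
    // 403 reports the failure without a challenge, so no credential dialog appears.
    return reply(403, { authenticated: false, reason: 'invalid_credentials' });
  }
  return reply(502, { authenticated: false, reason: 'upstream_error' });
}

// Parse the login form's JSON body; returns null when a field is missing or empty.
function parseCredentials(rawBody) {
  let data;
  try { data = JSON.parse(rawBody); } catch (e) { return null; }
  if (!data || typeof data.user !== 'string' || typeof data.pass !== 'string') return null;
  if (data.user === '' || data.pass === '') return null;
  return { user: data.user, pass: data.pass };
}

// checkUpstream(user, pass, callback) is assumed to perform the NTLM request
// server-side and call back with { status, headers } from the upstream server.
function createLoginProxy(checkUpstream) {
  const http = require('http'); // loaded here so the helpers above stay dependency-free
  return http.createServer((req, res) => {
    if (req.method !== 'POST') { res.writeHead(405, { Allow: 'POST' }); return res.end(); }
    let raw = '';
    req.on('data', (chunk) => { raw += chunk; if (raw.length > 4096) req.destroy(); });
    req.on('end', () => {
      const creds = parseCredentials(raw);
      if (!creds) { res.writeHead(400); return res.end(); }
      checkUpstream(creds.user, creds.pass, (upstream) => {
        const out = toBrowserResponse(upstream);
        res.writeHead(out.status, out.headers);
        res.end(out.body);
      });
    });
  });
}
```

Because the request body carries the user's password, the proxy belongs behind HTTPS and should not log request bodies.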
